From 00162c5badb2626b0950d7fbb71bb1fd432dfb4f Mon Sep 17 00:00:00 2001 From: aje220 Date: Fri, 13 Mar 2026 20:42:17 +0000 Subject: [PATCH 1/2] Add key option for explicit rules --- src/Daemon/Daemon.cpp | 6 ++- src/Library/RuleParser/Actions.hpp | 20 +++++++- src/Library/RuleParser/Grammar.hpp | 18 +++++++- src/Library/RulePrivate.cpp | 28 ++++++++++-- src/Library/RulePrivate.hpp | 7 ++- src/Library/public/usbguard/Audit.cpp | 18 ++++++++ src/Library/public/usbguard/Audit.hpp | 66 +++++++++++++++++++++++++++ src/Library/public/usbguard/Rule.cpp | 19 +++++++- src/Library/public/usbguard/Rule.hpp | 25 +++++++++- 9 files changed, 196 insertions(+), 11 deletions(-) diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp index e6c0c94c..7bbf54e1 100644 --- a/src/Daemon/Daemon.cpp +++ b/src/Daemon/Daemon.cpp @@ -861,7 +861,11 @@ namespace usbguard { USBGUARD_LOG(Trace) << "device_ptr=" << device.get() << " matched_rule_ptr=" << matched_rule.get(); - auto audit_event = _audit.policyEvent(device, device->getTarget(), matched_rule->getTarget()); + + auto audit_event = (matched_rule->isKey()) + ? _audit.policyEvent(device, device->getTarget(), matched_rule->getTarget(), matched_rule->getKey()) + : _audit.policyEvent(device, device->getTarget(), matched_rule->getTarget()); + const Rule::Target target_old = device->getTarget(); std::shared_ptr device_post = \ _dm->applyDevicePolicy(device->getID(), diff --git a/src/Library/RuleParser/Actions.hpp b/src/Library/RuleParser/Actions.hpp index bb3feb26..19e01467 100644 --- a/src/Library/RuleParser/Actions.hpp +++ b/src/Library/RuleParser/Actions.hpp @@ -91,7 +91,7 @@ namespace usbguard } } }; - + static const std::string stringValueFromRule(const std::string& value) { const std::string string_raw(value.substr(1, value.size() - 2)); 
@@ -523,6 +523,24 @@ namespace usbguard } } }; + + template + struct key_actions : tao::pegtl::nothing {}; + + template<> + struct key_actions { + template + static void apply(const Input& in, Rule& rule) + { + try { + rule.setKey(stringValueFromRule(in.string())); + } + catch (const std::exception& ex) { + throw tao::pegtl::parse_error(ex.what(), in); + } + } + }; + } /* namespace RuleParser */ } /* namespace usbguard */ diff --git a/src/Library/RuleParser/Grammar.hpp b/src/Library/RuleParser/Grammar.hpp index 5d7bdb40..c913e068 100644 --- a/src/Library/RuleParser/Grammar.hpp +++ b/src/Library/RuleParser/Grammar.hpp @@ -76,12 +76,14 @@ namespace usbguard struct str_match_all: TAO_PEGTL_STRING("match-all") {}; + struct str_key: TAO_PEGTL_STRING("key") {}; + /* * Generic rule attribute */ struct multiset_operator : sor {}; - + template struct attribute_value_multiset : seq>, @@ -91,7 +93,7 @@ namespace usbguard template struct rule_attribute - : seq, + : seq, sor, attribute_value_rule>> {}; @@ -225,6 +227,17 @@ namespace usbguard : seq, if_must, star, any>>>> {}; + /* + * Rule key + */ + struct key_logic + : action {}; + + struct key + : seq, + key_logic> {}; + /* * Rule */ @@ -232,6 +245,7 @@ namespace usbguard : seq, device_id>, opt, list>>, + opt, key>, opt, star> {}; diff --git a/src/Library/RulePrivate.cpp b/src/Library/RulePrivate.cpp index 337fdd44..a4b769ea 100644 --- a/src/Library/RulePrivate.cpp +++ b/src/Library/RulePrivate.cpp @@ -39,7 +39,8 @@ namespace usbguard _via_port("via-port"), _with_interface("with-interface"), _conditions("if"), - _label("label") + _label("label"), + _key("key") { _rule_id = Rule::DefaultID; _target = Rule::Target::Invalid; @@ -56,7 +57,8 @@ namespace usbguard _via_port("via-port"), _with_interface("with-interface"), _conditions("if"), - _label("label") + _label("label"), + _key("key") { *this = rhs; } 
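Review bot: The value accepted by `key_actions::apply` is taken verbatim from the rule text and, via the Audit changes later in this series, is written into audit entries as `rule.key`, yet neither this action nor `RulePrivate::setKey` constrains its content. Whether the quoted-string grammar behind `stringValueFromRule` admits newlines or other control characters is not visible here; if it does, a key could break the one-entry-per-line layout that audit-log consumers presumably rely on. A check in the action keeps the existing `parse_error` wrapping: `const auto key = stringValueFromRule(in.string()); if (key.find_first_of("\r\n") != std::string::npos) throw std::invalid_argument("key must not contain line breaks"); rule.setKey(key);`. The `rule` grammar change below appears to place `key` after the attribute list, so a key must follow every other attribute in the rule line; that ordering deserves a sentence in the rule-syntax documentation.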
@@ -263,6 +265,21 @@ namespace usbguard return _serial.get(); } + void RulePrivate::setKey(const std::string& value) + { + _key.set(value); + } + + const std::string& RulePrivate::getKey() const + { + return _key.get(); + } + + bool RulePrivate::isKey() const + { + return !_key.empty(); + } + const Rule::Attribute& RulePrivate::attributeSerial() const { return _serial; @@ -425,7 +442,7 @@ namespace usbguard return; } - std::string RulePrivate::toString(bool invalid, bool hide_pii) const + std::string RulePrivate::toString(bool invalid, bool hide_pii, bool hide_key) const { std::string rule_string; @@ -459,6 +476,11 @@ namespace usbguard toString_appendNonEmptyAttribute(rule_string, _conditions); toString_appendNonEmptyAttribute(rule_string, _with_connect_type); toString_appendNonEmptyAttribute(rule_string, _label); + + if (!hide_key) { + toString_appendNonEmptyAttribute(rule_string, _key); + } + return rule_string; } diff --git a/src/Library/RulePrivate.hpp b/src/Library/RulePrivate.hpp index 8a635c55..7fdaddc6 100644 --- a/src/Library/RulePrivate.hpp +++ b/src/Library/RulePrivate.hpp @@ -111,6 +111,10 @@ namespace usbguard const Rule::Attribute& attributeViaPort() const; Rule::Attribute& attributeViaPort(); + void setKey(const std::string& value); + const std::string& getKey() const; + bool isKey() const; + /* * Set/get for a single value isn't useful for the * with-interface attribute as it usualy contains @@ -123,7 +127,7 @@ namespace usbguard const Rule::Attribute& attributeConditions() const; Rule::Attribute& attributeConditions(); - std::string toString(bool invalid = false, bool hide_pii = false) const; + std::string toString(bool invalid = false, bool hide_pii = false, bool hide_key = true) const; MetaData& metadata(); const MetaData& metadata() const; @@ -146,6 +150,7 @@ namespace usbguard Rule::Attribute _with_interface; Rule::Attribute _conditions; Rule::Attribute _label; + Rule::Attribute _key; uint64_t _conditions_state; }; } 
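Review bot: `RulePrivate::toString` in this hunk defaults `hide_key` to true, so every existing caller that serializes a rule — including whatever writes the policy back to disk and the `device.rule` string placed in audit events — silently drops the key, and a keyed rule does not survive a parse/`toString` round trip. The second patch's `@@ -476,10 +476,6 @@` hunk in RulePrivate.cpp then removes the opt-in altogether, so after the series the key is parse-only. If keys are meant to persist like `label`, the default should be `hide_key = false` (or the key appended unconditionally after `_label`); if they are deliberately in-memory only, that contract belongs in the `setKey` Doxygen block in Rule.hpp, e.g. `@note The key is not included in toString() output and is therefore not persisted.` The `isKey()` name reads like a type query; the second patch's rename to `hasKey()` addresses that.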
diff --git a/src/Library/public/usbguard/Audit.cpp b/src/Library/public/usbguard/Audit.cpp index 796ef7b1..a976382f 100644 --- a/src/Library/public/usbguard/Audit.cpp +++ b/src/Library/public/usbguard/Audit.cpp @@ -190,6 +190,11 @@ namespace usbguard return policyEvent(_identity, device, old_target, new_target); } + AuditEvent Audit::policyEvent(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target, std::string matched_rule_key) + { + return policyEvent(_identity, device, old_target, new_target, matched_rule_key); + } + AuditEvent Audit::deviceEvent(std::shared_ptr device, DeviceManager::EventType event) { return deviceEvent(_identity, device, event); @@ -241,6 +246,19 @@ namespace usbguard return event; } + AuditEvent Audit::policyEvent(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target, + Rule::Target new_target, std::string matched_rule_key) + { + AuditEvent event(identity, _backend); + event.setKey("type", std::string("Policy.Device.") + Policy::eventTypeToString(Policy::EventType::Update)); + event.setKey("target.old", Rule::targetToString(old_target)); + event.setKey("target.new", Rule::targetToString(new_target)); + event.setKey("device.system_name", device->getSystemName()); + event.setKey("device.rule", device->getDeviceRule()->toString(false, _hide_pii)); + event.setKey("matched.rule.key", matched_rule_key); + return event; + } + AuditEvent Audit::deviceEvent(const AuditIdentity& identity, std::shared_ptr device, DeviceManager::EventType event_type) { diff --git a/src/Library/public/usbguard/Audit.hpp b/src/Library/public/usbguard/Audit.hpp index f5830976..7b9343f1 100644 --- a/src/Library/public/usbguard/Audit.hpp +++ b/src/Library/public/usbguard/Audit.hpp 
@@ -373,6 +373,38 @@ namespace usbguard */ AuditEvent policyEvent(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target); + /** + * @brief Constructs new \link AuditEvent AuditEvent\endlink for given + * policy \link Policy::EventType event\endlink. + * + * Sets audit event keys: + * - type\=Policy\.Device\.Update + * - target\.old\=\ + * - target\.new\=\ + * - device\.system_name\= + * - device\.rule\=\ + * - matched\.rule\.key\=\ + * + * Audit policy changes: + * - rule append + * - rule remove + * - rule update + * - policy parameter change + * + * Audit data: + * - who: uid + pid + * - when: time + * - what: append, remove, update + * - update: old, new + * + * @param device Device where the rule target has changed. + * @param old_target Old rule target. + * @param new_target New rule target. + * @param matched_rule_key Key of the new rule. + * @return \link AuditEvent Audit event\endlink. + */ + AuditEvent policyEvent(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target, std::string matched_rule_key); + /** * @brief Constructs new \link AuditEvent AuditEvent\endlink for given * device \link DeviceManager::EventType event\endlink. 
@@ -544,6 +576,40 @@ namespace usbguard AuditEvent policyEvent(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target, Rule::Target new_target); + /** + * @brief Constructs new \link AuditEvent AuditEvent\endlink for given + * policy \link Policy::EventType event\endlink. + * + * Sets audit event keys: + * - type\=Policy\.Device\.Update + * - target\.old\=\ + * - target\.new\=\ + * - device\.system_name\=\ + * - device\.rule\=\ + * - matched\.rule\.key\=\ + * + * Audit policy changes: + * - rule append + * - rule remove + * - rule update + * - policy parameter change + * + * Audit data: + * - who: uid + pid + * - when: time + * - what: append, remove, update + * - update: old, new + * + * @param identity Audit identity. + * @param device Device where the rule target has changed. + * @param old_target Old rule target. + * @param new_target New rule target. + * @param matched_rule_key New rule key. + * @return \link AuditEvent Audit event\endlink. + */ + AuditEvent policyEvent(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target, + Rule::Target new_target, std::string matched_rule_key); + /** * @brief Constructs new \link AuditEvent AuditEvent\endlink for given * device \link DeviceManager::EventType event\endlink. diff --git a/src/Library/public/usbguard/Rule.cpp b/src/Library/public/usbguard/Rule.cpp index 7f2f42b2..e8ba10f5 100644 --- a/src/Library/public/usbguard/Rule.cpp +++ b/src/Library/public/usbguard/Rule.cpp @@ -106,6 +106,21 @@ namespace usbguard return d_pointer->getSerial(); } + void Rule::setKey(const std::string& value) + { + d_pointer->setKey(value); + } + + const std::string& Rule::getKey() const + { + return d_pointer->getKey(); + } + + bool Rule::isKey() const + { + return d_pointer->isKey(); + } + const Rule::Attribute& Rule::attributeSerial() const { return d_pointer->attributeSerial(); 
@@ -284,9 +299,9 @@ namespace usbguard getTarget() == Target::Empty); } - std::string Rule::toString(bool invalid, bool hide_serial) const + std::string Rule::toString(bool invalid, bool hide_serial, bool hide_key) const { - return d_pointer->toString(invalid, hide_serial); + return d_pointer->toString(invalid, hide_serial, hide_key); } void Rule::updateMetaDataCounters(bool applied, bool evaluated) diff --git a/src/Library/public/usbguard/Rule.hpp b/src/Library/public/usbguard/Rule.hpp index 9305a860..d18763bc 100644 --- a/src/Library/public/usbguard/Rule.hpp +++ b/src/Library/public/usbguard/Rule.hpp @@ -819,6 +819,29 @@ namespace usbguard */ const std::string& getSerial() const; + /** + * @brief Sets key attribute. + * + * @param value Key to set. + * @see \link Attribute::set() set()\endlink + */ + void setKey(const std::string& value); + + /** + * @brief Returns key. + * + * @return Rule key. + * @see \link Attribute::get() get()\endlink + */ + const std::string& getKey() const; + + /** + * @brief Returns true if the Rule has a key. + * + * @return Rule key status. + */ + bool isKey() const; + /** * @brief Returns imutable serial number attribute. * @@ -1113,7 +1136,7 @@ namespace usbguard * identifiable information) will not be included in the string. * @return String representation of this rule. */ - std::string toString(bool invalid = false, bool hide_serial = false) const; + std::string toString(bool invalid = false, bool hide_serial = false, bool hide_key = true) const; /** * @brief Updates meta-data last applied and last evaluated counters. From d867e2c540389839271098b253bea2c180eb0ed0 Mon Sep 17 00:00:00 2001 
From: aje220 Date: Mon, 30 Mar 2026 20:44:58 +0100 Subject: [PATCH 2/2] Add optional log entry for rule origin --- src/Daemon/Daemon.cpp | 43 +++++++- src/Daemon/Daemon.hpp | 4 + src/Library/RulePrivate.cpp | 8 +- src/Library/RulePrivate.hpp | 4 +- src/Library/public/usbguard/Audit.cpp | 48 ++++++++- src/Library/public/usbguard/Audit.hpp | 147 +++++++++++++++++++++++++- src/Library/public/usbguard/Rule.cpp | 8 +- src/Library/public/usbguard/Rule.hpp | 4 +- usbguard-daemon.conf.in | 9 ++ 9 files changed, 250 insertions(+), 25 deletions(-) diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp index 7bbf54e1..b2b64d8c 100644 --- a/src/Daemon/Daemon.cpp +++ b/src/Daemon/Daemon.cpp @@ -71,7 +71,8 @@ namespace usbguard "IPCAccessControlFiles", "AuditFilePath", "AuditBackend", - "HidePII" + "HidePII", + "RuleSourceLogging" }; static const std::vector> device_policy_method_strings = { @@ -125,6 +126,7 @@ namespace usbguard _inserted_device_policy_method = DevicePolicyMethod::ApplyPolicy; _device_rules_with_port = false; _restore_controller_device_state = false; + _rule_source = false; pid_fd = -1; } @@ -396,6 +398,22 @@ namespace usbguard } } + /* RuleSourceLogging */ + if (_config.hasSettingValue("RuleSourceLogging")) { + const std::string value = _config.getSettingValue("RuleSourceLogging"); + USBGUARD_LOG(Debug) << "Setting RuleSourceLogging to " << value; + + if (value == "true") { + _rule_source = true; + } + else if (value == "false") { + _rule_source = false; + } + else { + throw Exception("Configuration", "RuleSourceLogging", "Invalid value"); + } + } + USBGUARD_LOG(Info) << "Configuration loaded successfully."; } 
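Review bot: The member added for the `RuleSourceLogging` setting is named `_rule_source`, which reads as if it held the source string rather than a logging switch; the neighbouring settings keep the setting name in the member (`_device_rules_with_port`, `_restore_controller_device_state`), so `_rule_source_logging` would match, here, in the Daemon.hpp declaration and in the `@@ -862,9 +880,26 @@` hunk that reads it. The parsing itself accepts only `true`/`false` and throws on anything else, which is the right behaviour for a setting that changes what the audit log records.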
@@ -862,9 +880,26 @@ namespace usbguard
 USBGUARD_LOG(Trace) << "device_ptr=" << device.get() << " matched_rule_ptr=" << matched_rule.get();
- auto audit_event = (matched_rule->isKey())
- ? _audit.policyEvent(device, device->getTarget(), matched_rule->getTarget(), matched_rule->getKey())
- : _audit.policyEvent(device, device->getTarget(), matched_rule->getTarget());
+ auto audit_event = [&]() {
+ if (_rule_source){
+ if (matched_rule->getRuleID() == Rule::ImplicitID) {
+ return _audit.policyEventSource(device, device->getTarget(), matched_rule->getTarget(), RULE_TYPE_IMPLICIT);
+ }
+
+ if (matched_rule->hasKey()){
+ return _audit.policyEventSourceKey(device, device->getTarget(), matched_rule->getTarget(), RULE_TYPE_LOOKUP, matched_rule->getKey());
+ }
+
+ return _audit.policyEventSource(device, device->getTarget(), matched_rule->getTarget(), RULE_TYPE_LOOKUP);
+ }
+
+ if (matched_rule->hasKey()){
+ return _audit.policyEventKey(device, device->getTarget(), matched_rule->getTarget(), matched_rule->getKey());
+ }
+
+ return _audit.policyEvent(device, device->getTarget(), matched_rule->getTarget());
+
+ }();
 const Rule::Target target_old = device->getTarget();
 std::shared_ptr device_post = \
diff --git a/src/Daemon/Daemon.hpp b/src/Daemon/Daemon.hpp
index a9681c65..b3606ae3 100644
--- a/src/Daemon/Daemon.hpp
+++ b/src/Daemon/Daemon.hpp
@@ -135,6 +135,10 @@ namespace usbguard
 bool _device_rules_with_port;
 bool _restore_controller_device_state;
+ bool _rule_source;
+
+ static inline const std::string RULE_TYPE_LOOKUP = "lookup";
+ static inline const std::string RULE_TYPE_IMPLICIT = "implicit";
 AuditIdentity _audit_identity;
 Audit _audit;
diff --git a/src/Library/RulePrivate.cpp b/src/Library/RulePrivate.cpp
index a4b769ea..cd78dcad 100644
--- a/src/Library/RulePrivate.cpp
+++ b/src/Library/RulePrivate.cpp
@@ -275,7 +275,7 @@ namespace usbguard
 return _key.get();
 }
- bool RulePrivate::isKey() const
+ bool RulePrivate::hasKey() const
 {
 return !_key.empty();
 }
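Review bot: `if (_rule_source){` and both `if (matched_rule->hasKey()){` lines in the new lambda omit the space before the brace that the rest of this file, and the `if (value == "true") {` added earlier in the same commit, use; there is also a stray blank line before `}();`. The lambda itself is sound — every branch returns an `AuditEvent`, so the deduced return type is consistent — but it spells out a 2×2 matrix of Audit overloads that exists only because there is no single entry point taking optional source and key (see the note on the Audit.cpp hunk). Worth a comment at the `RULE_TYPE_LOOKUP` returns is that "lookup" covers every non-implicit rule, presumably both policy-file rules and rules appended at runtime, if that is the intended meaning: `// "lookup": any matched rule other than the implicit policy target`.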
@@ -442,7 +442,7 @@ namespace usbguard
 return;
 }
- std::string RulePrivate::toString(bool invalid, bool hide_pii, bool hide_key) const
+ std::string RulePrivate::toString(bool invalid, bool hide_pii) const
 {
 std::string rule_string;
@@ -476,10 +476,6 @@ namespace usbguard
 toString_appendNonEmptyAttribute(rule_string, _conditions);
 toString_appendNonEmptyAttribute(rule_string, _with_connect_type);
 toString_appendNonEmptyAttribute(rule_string, _label);
-
- if (!hide_key) {
- toString_appendNonEmptyAttribute(rule_string, _key);
- }
 return rule_string;
 }
diff --git a/src/Library/RulePrivate.hpp b/src/Library/RulePrivate.hpp
index 7fdaddc6..14d8980f 100644
--- a/src/Library/RulePrivate.hpp
+++ b/src/Library/RulePrivate.hpp
@@ -113,7 +113,7 @@ namespace usbguard
 void setKey(const std::string& value);
 const std::string& getKey() const;
- bool isKey() const;
+ bool hasKey() const;
 /*
 * Set/get for a single value isn't useful for the
@@ -127,7 +127,7 @@ namespace usbguard
 const Rule::Attribute& attributeConditions() const;
 Rule::Attribute& attributeConditions();
- std::string toString(bool invalid = false, bool hide_pii = false, bool hide_key = true) const;
+ std::string toString(bool invalid = false, bool hide_pii = false) const;
 MetaData& metadata();
 const MetaData& metadata() const;
diff --git a/src/Library/public/usbguard/Audit.cpp b/src/Library/public/usbguard/Audit.cpp
index a976382f..35d382ae 100644
--- a/src/Library/public/usbguard/Audit.cpp
+++ b/src/Library/public/usbguard/Audit.cpp
@@ -190,9 +190,22 @@ namespace usbguard
 return policyEvent(_identity, device, old_target, new_target);
 }
- AuditEvent Audit::policyEvent(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target, std::string matched_rule_key)
+ AuditEvent Audit::policyEventKey(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target,
+ std::string matched_rule_key)
 {
- return policyEvent(_identity, device, old_target, new_target, matched_rule_key);
+ return policyEventKey(_identity, device, old_target, new_target, matched_rule_key);
+ }
+
+ AuditEvent Audit::policyEventSource(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target,
+ std::string rule_source)
+ {
+ return policyEventSource(_identity, device, old_target, new_target, rule_source);
+ }
+
+ AuditEvent Audit::policyEventSourceKey(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target,
+ std::string rule_source, std::string matched_rule_key)
+ {
+ return policyEventSourceKey(_identity, device, old_target, new_target, rule_source, matched_rule_key);
 }
 AuditEvent Audit::deviceEvent(std::shared_ptr device, DeviceManager::EventType event)
@@ -246,7 +259,7 @@ namespace usbguard
 return event;
 }
- AuditEvent Audit::policyEvent(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target,
+ AuditEvent Audit::policyEventKey(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target,
 Rule::Target new_target, std::string matched_rule_key)
 {
 AuditEvent event(identity, _backend);
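Review bot: The three new public wrappers take `rule_source` and `matched_rule_key` as `std::string` by value and pass them by value again into the identity-taking overloads, so each string is copied twice per audit event; `const std::string&` on both layers removes both copies without touching callers, since the Daemon passes `matched_rule->getKey()` (already a `const std::string&`) and the static `RULE_TYPE_*` constants. The rename at `@@ -246,7 +259,7 @@` continues into a function body that lies outside this hunk.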
@@ -255,7 +268,34 @@ namespace usbguard
 event.setKey("target.new", Rule::targetToString(new_target));
 event.setKey("device.system_name", device->getSystemName());
 event.setKey("device.rule", device->getDeviceRule()->toString(false, _hide_pii));
- event.setKey("matched.rule.key", matched_rule_key);
+ event.setKey("rule.key", matched_rule_key);
+ return event;
+ }
+
+ AuditEvent Audit::policyEventSource(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target,
+ Rule::Target new_target, std::string rule_source)
+ {
+ AuditEvent event(identity, _backend);
+ event.setKey("type", std::string("Policy.Device.") + Policy::eventTypeToString(Policy::EventType::Update));
+ event.setKey("target.old", Rule::targetToString(old_target));
+ event.setKey("target.new", Rule::targetToString(new_target));
+ event.setKey("device.system_name", device->getSystemName());
+ event.setKey("device.rule", device->getDeviceRule()->toString(false, _hide_pii));
+ event.setKey("rule.source", rule_source);
+ return event;
+ }
+
+ AuditEvent Audit::policyEventSourceKey(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target,
+ Rule::Target new_target, std::string rule_source, std::string matched_rule_key)
+ {
+ AuditEvent event(identity, _backend);
+ event.setKey("type", std::string("Policy.Device.") + Policy::eventTypeToString(Policy::EventType::Update));
+ event.setKey("target.old", Rule::targetToString(old_target));
+ event.setKey("target.new", Rule::targetToString(new_target));
+ event.setKey("device.system_name", device->getSystemName());
+ event.setKey("device.rule", device->getDeviceRule()->toString(false, _hide_pii));
+ event.setKey("rule.source", rule_source);
+ event.setKey("rule.key", matched_rule_key);
 return event;
 }
diff --git a/src/Library/public/usbguard/Audit.hpp b/src/Library/public/usbguard/Audit.hpp
index 7b9343f1..f8c3471d 100644
--- a/src/Library/public/usbguard/Audit.hpp
+++ b/src/Library/public/usbguard/Audit.hpp
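Review bot: `policyEventKey`, `policyEventSource` and `policyEventSourceKey` each repeat the same five `event.setKey` lines that the existing four-argument `policyEvent` (its body is outside this hunk) presumably writes as well, so a change to the Policy.Device.Update schema now has to be made in four places. If that overload does set the same keys, the three can collapse into one builder that starts from it and adds `rule.source` / `rule.key` only when non-empty, with the other two delegating to it; the Daemon's 2×2 dispatch then becomes a single call. The empty-string convention matches `hasKey()`, which already treats an empty key as absent.
```cpp
// … unchanged: policyEventSourceKey(const AuditIdentity& identity, …) signature …
{
  // the four-argument overload already records type, targets, system name and device rule
  AuditEvent event = policyEvent(identity, device, old_target, new_target);
  if (!rule_source.empty()) {
    event.setKey("rule.source", rule_source);
  }
  if (!matched_rule_key.empty()) {
    event.setKey("rule.key", matched_rule_key);
  }
  return event;
}
// … policyEventKey and policyEventSource reduce to one line each: …
// return policyEventSourceKey(identity, device, old_target, new_target, std::string(), matched_rule_key);
// return policyEventSourceKey(identity, device, old_target, new_target, rule_source, std::string());
```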
@@ -383,7 +383,76 @@ namespace usbguard * - target\.new\=\ * - device\.system_name\= * - device\.rule\=\ - * - matched\.rule\.key\=\ + * - rule\.key\=\ + * + * Audit policy changes: + * - rule append + * - rule remove + * - rule update + * - policy parameter change + * + * Audit data: + * - who: uid + pid + * - when: time + * - what: append, remove, update + * - update: old, new + * + * @param device Device where the rule target has changed. + * @param old_target Old rule target. + * @param new_target New rule target. + * @param matched_rule_key Key of the new rule. + * @return \link AuditEvent Audit event\endlink. + */ + AuditEvent policyEventKey(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target, + std::string matched_rule_key); + + + /** + * @brief Constructs new \link AuditEvent AuditEvent\endlink for given + * policy \link Policy::EventType event\endlink. + * + * Sets audit event keys: + * - type\=Policy\.Device\.Update + * - target\.old\=\ + * - target\.new\=\ + * - device\.system_name\= + * - device\.rule\=\ + * - rule\.source\=\ + * + * Audit policy changes: + * - rule append + * - rule remove + * - rule update + * - policy parameter change + * + * Audit data: + * - who: uid + pid + * - when: time + * - what: append, remove, update + * - update: old, new + * + * @param device Device where the rule target has changed. + * @param old_target Old rule target. + * @param new_target New rule target. + * @param rule_source From where the matched rule is defined. + * @return \link AuditEvent Audit event\endlink. + */ + AuditEvent policyEventSource(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target, + std::string rule_source); + + + /** + * @brief Constructs new \link AuditEvent AuditEvent\endlink for given + * policy \link Policy::EventType event\endlink. 
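Review bot: `@param matched_rule_key Key of the new rule.` in the `policyEventKey` block (whose opening lines lie before this hunk) documents the wrong rule: the Daemon passes `matched_rule->getKey()`, the key of the rule that matched the device, not of a newly appended one; suggest `@param matched_rule_key Key of the rule that matched the device (recorded as rule.key).` The same wording recurs in the `@@ -400,10 +469,12 @@` hunk and in the `@@ -607,9 +678,79 @@` hunk of this file. `@param rule_source From where the matched rule is defined.` would be more useful if it named the two values the daemon actually emits, e.g. `@param rule_source Origin of the matched rule, "implicit" or "lookup" (recorded as rule.source).`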
+ * + * Sets audit event keys: + * - type\=Policy\.Device\.Update + * - target\.old\=\ + * - target\.new\=\ + * - device\.system_name\= + * - device\.rule\=\ + * - rule\.source\=\ + * - rule\.key\=\ * * Audit policy changes: * - rule append @@ -400,10 +469,12 @@ namespace usbguard * @param device Device where the rule target has changed. * @param old_target Old rule target. * @param new_target New rule target. + * @param rule_source From where the matched rule is defined. * @param matched_rule_key Key of the new rule. * @return \link AuditEvent Audit event\endlink. */ - AuditEvent policyEvent(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target, std::string matched_rule_key); + AuditEvent policyEventSourceKey(std::shared_ptr device, Rule::Target old_target, Rule::Target new_target, + std::string rule_source, std::string matched_rule_key); /** * @brief Constructs new \link AuditEvent AuditEvent\endlink for given 
@@ -607,9 +678,79 @@ namespace usbguard * @param matched_rule_key New rule key. * @return \link AuditEvent Audit event\endlink. */ - AuditEvent policyEvent(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target, + AuditEvent policyEventKey(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target, Rule::Target new_target, std::string matched_rule_key); + /** + * @brief Constructs new \link AuditEvent AuditEvent\endlink for given + * policy \link Policy::EventType event\endlink. + * + * Sets audit event keys: + * - type\=Policy\.Device\.Update + * - target\.old\=\ + * - target\.new\=\ + * - device\.system_name\= + * - device\.rule\=\ + * - rule\.source\=\ + * + * Audit policy changes: + * - rule append + * - rule remove + * - rule update + * - policy parameter change + * + * Audit data: + * - who: uid + pid + * - when: time + * - what: append, remove, update + * - update: old, new + * + * @param identity Audit identity. + * @param device Device where the rule target has changed. + * @param old_target Old rule target. + * @param new_target New rule target. + * @param rule_source From where the matched rule is defined. + * @return \link AuditEvent Audit event\endlink. + */ + AuditEvent policyEventSource(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target, + Rule::Target new_target, std::string rule_source); + + /** + * @brief Constructs new \link AuditEvent AuditEvent\endlink for given + * policy \link Policy::EventType event\endlink. + * + * Sets audit event keys: + * - type\=Policy\.Device\.Update + * - target\.old\=\ + * - target\.new\=\ + * - device\.system_name\= + * - device\.rule\=\ + * - rule\.source\=\ + * - rule\.key\=\ + * + * Audit policy changes: + * - rule append + * - rule remove + * - rule update + * - policy parameter change + * + * Audit data: + * - who: uid + pid + * - when: time + * - what: append, remove, update + * - update: old, new + * + * @param identity Audit identity. 
+ * @param device Device where the rule target has changed. + * @param old_target Old rule target. + * @param new_target New rule target. + * @param rule_source From where the matched rule is defined. + * @param matched_rule_key Key of the new rule. + * @return \link AuditEvent Audit event\endlink. + */ + AuditEvent policyEventSourceKey(const AuditIdentity& identity, std::shared_ptr device, Rule::Target old_target, + Rule::Target new_target, std::string rule_source, std::string matched_rule_key); + /** * @brief Constructs new \link AuditEvent AuditEvent\endlink for given * device \link DeviceManager::EventType event\endlink. diff --git a/src/Library/public/usbguard/Rule.cpp b/src/Library/public/usbguard/Rule.cpp index e8ba10f5..65ce31db 100644 --- a/src/Library/public/usbguard/Rule.cpp +++ b/src/Library/public/usbguard/Rule.cpp @@ -116,9 +116,9 @@ namespace usbguard return d_pointer->getKey(); } - bool Rule::isKey() const + bool Rule::hasKey() const { - return d_pointer->isKey(); + return d_pointer->hasKey(); } const Rule::Attribute& Rule::attributeSerial() const @@ -299,9 +299,9 @@ namespace usbguard getTarget() == Target::Empty); } - std::string Rule::toString(bool invalid, bool hide_serial, bool hide_key) const + std::string Rule::toString(bool invalid, bool hide_serial) const { - return d_pointer->toString(invalid, hide_serial, hide_key); + return d_pointer->toString(invalid, hide_serial); } void Rule::updateMetaDataCounters(bool applied, bool evaluated) diff --git a/src/Library/public/usbguard/Rule.hpp b/src/Library/public/usbguard/Rule.hpp index d18763bc..7f162ef4 100644 --- a/src/Library/public/usbguard/Rule.hpp +++ b/src/Library/public/usbguard/Rule.hpp @@ -840,7 +840,7 @@ namespace usbguard * * @return Rule key status. */ - bool isKey() const; + bool hasKey() const; /** * @brief Returns imutable serial number attribute. 
@@ -1136,7 +1136,7 @@ namespace usbguard * identifiable information) will not be included in the string. * @return String representation of this rule. */ - std::string toString(bool invalid = false, bool hide_serial = false, bool hide_key = true) const; + std::string toString(bool invalid = false, bool hide_serial = false) const; /** * @brief Updates meta-data last applied and last evaluated counters. diff --git a/usbguard-daemon.conf.in b/usbguard-daemon.conf.in index f53f03b0..42e04d1e 100644 --- a/usbguard-daemon.conf.in +++ b/usbguard-daemon.conf.in @@ -213,3 +213,12 @@ AuditFilePath=%localstatedir%/log/usbguard/usbguard-audit.log # hashes of descriptors (which include the serial number) from audit entries. # HidePII=false + +# +# When logging policy events, enable differentiation between implicit policy +# events and defined rules. +# +# * true - show rule source in logs +# * false - hide rule source in logs +# +RuleSourceLogging=false \ No newline at end of file
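Review bot: The `RuleSourceLogging` entry leaves usbguard-daemon.conf.in without a trailing newline (`\ No newline at end of file`), unlike the rest of the file; add the newline so the next option appended to the template does not land on the same line as `RuleSourceLogging=false`. The comment could also say what the option changes rather than "enable differentiation": `# When true, Policy.Device.Update audit events carry a rule.source field` / `# ("implicit" for the implicit policy target, "lookup" for any matched rule).` Since the Daemon logs `rule.key` for keyed rules regardless of this setting, a sentence noting that `key` values are recorded either way would stop readers expecting this switch to control them.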