Extend audit detail via new key attribute in rule language. Add support for auditing implicit policy matches.

src/Daemon/Daemon.cpp

@@ -71,7 +71,8 @@ namespace usbguard
     "IPCAccessControlFiles",
     "AuditFilePath",
     "AuditBackend",
-    "HidePII"
+    "HidePII",
+    "RuleSourceLogging"
   };
 
   static const std::vector<std::pair<std::string, Daemon::DevicePolicyMethod>> device_policy_method_strings = {
@@ -125,6 +126,7 @@ namespace usbguard
     _inserted_device_policy_method = DevicePolicyMethod::ApplyPolicy;
     _device_rules_with_port = false;
     _restore_controller_device_state = false;
+    _rule_source = false;
     pid_fd = -1;
   }
 
@@ -396,6 +398,22 @@ namespace usbguard
       }
     }
 
+    /* RuleSourceLogging */
+    if (_config.hasSettingValue("RuleSourceLogging")) {
+      const std::string value = _config.getSettingValue("RuleSourceLogging");
+      USBGUARD_LOG(Debug) << "Setting RuleSourceLogging to " << value;
+
+      if (value == "true") {
+        _rule_source = true;
+      }
+      else if (value == "false") {
+        _rule_source = false;
+      }
+      else {
+        throw Exception("Configuration", "RuleSourceLogging", "Invalid value");
+      }
+    }
+
     USBGUARD_LOG(Info) << "Configuration loaded successfully.";
   }
 
@@ -861,7 +879,28 @@ namespace usbguard
   {
     USBGUARD_LOG(Trace) << "device_ptr=" << device.get()
       << " matched_rule_ptr=" << matched_rule.get();
-    auto audit_event = _audit.policyEvent(device, device->getTarget(), matched_rule->getTarget());
+
+    auto audit_event = [&]() {
+      if (_rule_source){
+        if (matched_rule->getRuleID() == Rule::ImplicitID) {
+          return _audit.policyEventSource(device, device->getTarget(), matched_rule->getTarget(), RULE_TYPE_IMPLICIT);
+        }
+
+        if (matched_rule->hasKey()){
+          return _audit.policyEventSourceKey(device, device->getTarget(), matched_rule->getTarget(), RULE_TYPE_LOOKUP, matched_rule->getKey());
+        }
+
+        return _audit.policyEventSource(device, device->getTarget(), matched_rule->getTarget(), RULE_TYPE_LOOKUP); 
+      }
+
+      if (matched_rule->hasKey()){
+        return _audit.policyEventKey(device, device->getTarget(), matched_rule->getTarget(), matched_rule->getKey());
+      }
+
+      return _audit.policyEvent(device, device->getTarget(), matched_rule->getTarget());  
+
+    }();
+
     const Rule::Target target_old = device->getTarget();
     std::shared_ptr<Device> device_post = \
       _dm->applyDevicePolicy(device->getID(),

src/Daemon/Daemon.hpp

@@ -135,6 +135,10 @@ namespace usbguard
 
     bool _device_rules_with_port;
     bool _restore_controller_device_state;
+    bool _rule_source;
+
+    static inline const std::string RULE_TYPE_LOOKUP = "lookup";
+    static inline const std::string RULE_TYPE_IMPLICIT = "implicit";
 
     AuditIdentity _audit_identity;
     Audit _audit;

src/Library/RuleParser/Actions.hpp

@@ -91,7 +91,7 @@ namespace usbguard
         }
       }
     };
-
+    
     static const std::string stringValueFromRule(const std::string& value)
     {
       const std::string string_raw(value.substr(1, value.size() - 2));
@@ -523,6 +523,24 @@ namespace usbguard
         }
       }
     };
+
+    template<typename Rule>
+    struct key_actions : tao::pegtl::nothing<Rule> {};
+
+    template<>
+    struct key_actions<string_value> {
+      template<typename Input>
+      static void apply(const Input& in, Rule& rule)
+      {
+        try {
+          rule.setKey(stringValueFromRule(in.string()));
+        }
+        catch (const std::exception& ex) {
+          throw tao::pegtl::parse_error(ex.what(), in);
+        }
+      }
+    };
+
   } /* namespace RuleParser */
 } /* namespace usbguard */
 

src/Library/RuleParser/Grammar.hpp

@@ -76,12 +76,14 @@ namespace usbguard
 
     struct str_match_all: TAO_PEGTL_STRING("match-all") {};
 
+    struct str_key: TAO_PEGTL_STRING("key") {};
+
     /*
      * Generic rule attribute
      */
     struct multiset_operator
       : sor<str_all_of, str_one_of, str_none_of, str_equals_ordered, str_equals, str_match_all> {};
-
+    
     template<class attribute_value_rule>
     struct attribute_value_multiset
       : seq<opt<multiset_operator, plus<ascii::blank>>,
@@ -91,7 +93,7 @@ namespace usbguard
 
     template<class attribute_identifier, class attribute_value_rule>
     struct rule_attribute
-      : seq<attribute_identifier, plus<ascii::blank>,
+      : seq<attribute_identifier, plus<ascii::blank>, 
         sor<attribute_value_multiset<attribute_value_rule>,
         attribute_value_rule>> {};
 
@@ -225,13 +227,25 @@ namespace usbguard
       : seq<star<ascii::blank>, if_must<one<'#'>,
         star<seq<not_at<eof>, any>>>> {};
 
+    /*
+     * Rule key
+     */
+    struct key_logic
+      : action<key_actions, string_value> {};
+
+    struct key
+      : seq<str_key,
+        plus<ascii::blank>,
+        key_logic> {};
+
     /*
      * Rule
      */
     struct rule
       : seq<target,
         opt<plus<ascii::blank>, device_id>,
         opt<plus<ascii::blank>, list<rule_attributes, plus<ascii::blank>>>,
+        opt<plus<ascii::blank>, key>,
         opt<comment>,
         star<ascii::blank>> {};
 

src/Library/RulePrivate.cpp

@@ -39,7 +39,8 @@ namespace usbguard
       _via_port("via-port"),
       _with_interface("with-interface"),
       _conditions("if"),
-      _label("label")
+      _label("label"),
+      _key("key")
   {
     _rule_id = Rule::DefaultID;
     _target = Rule::Target::Invalid;
@@ -56,7 +57,8 @@ namespace usbguard
       _via_port("via-port"),
       _with_interface("with-interface"),
       _conditions("if"),
-      _label("label")
+      _label("label"),
+      _key("key")
   {
     *this = rhs;
   }
@@ -263,6 +265,21 @@ namespace usbguard
     return _serial.get();
   }
 
+  void RulePrivate::setKey(const std::string& value)
+  {
+    _key.set(value);
+  }
+
+  const std::string& RulePrivate::getKey() const
+  {
+    return _key.get();
+  }
+
+  bool RulePrivate::hasKey() const
+  {
+    return !_key.empty();
+  }
+
   const Rule::Attribute<std::string>& RulePrivate::attributeSerial() const
   {
     return _serial;
@@ -459,6 +476,7 @@ namespace usbguard
     toString_appendNonEmptyAttribute(rule_string, _conditions);
     toString_appendNonEmptyAttribute(rule_string, _with_connect_type);
     toString_appendNonEmptyAttribute(rule_string, _label);
+
     return rule_string;
   }
 

src/Library/RulePrivate.hpp

@@ -111,6 +111,10 @@ namespace usbguard
     const Rule::Attribute<std::string>& attributeViaPort() const;
     Rule::Attribute<std::string>& attributeViaPort();
 
+    void setKey(const std::string& value);
+    const std::string& getKey() const;
+    bool hasKey() const;
+
     /*
      * Set/get for a single value isn't useful for the
      * with-interface attribute as it usualy contains
@@ -146,6 +150,7 @@ namespace usbguard
     Rule::Attribute<USBInterfaceType> _with_interface;
     Rule::Attribute<RuleCondition> _conditions;
     Rule::Attribute<std::string> _label;
+    Rule::Attribute<std::string> _key;
     uint64_t _conditions_state;
   };
 }

src/Library/public/usbguard/Audit.cpp

@@ -190,6 +190,24 @@ namespace usbguard
     return policyEvent(_identity, device, old_target, new_target);
   }
 
+  AuditEvent Audit::policyEventKey(std::shared_ptr<Device> device, Rule::Target old_target, Rule::Target new_target, 
+    std::string matched_rule_key)
+  {
+    return policyEventKey(_identity, device, old_target, new_target, matched_rule_key);
+  }
+
+  AuditEvent Audit::policyEventSource(std::shared_ptr<Device> device, Rule::Target old_target, Rule::Target new_target, 
+    std::string rule_source)
+  {
+    return policyEventSource(_identity, device, old_target, new_target, rule_source);
+  }
+
+  AuditEvent Audit::policyEventSourceKey(std::shared_ptr<Device> device, Rule::Target old_target, Rule::Target new_target, 
+    std::string rule_source, std::string matched_rule_key)
+  {
+    return policyEventSourceKey(_identity, device, old_target, new_target, rule_source, matched_rule_key);
+  }
+
   AuditEvent Audit::deviceEvent(std::shared_ptr<Device> device, DeviceManager::EventType event)
   {
     return deviceEvent(_identity, device, event);
@@ -241,6 +259,46 @@ namespace usbguard
     return event;
   }
 
+  AuditEvent Audit::policyEventKey(const AuditIdentity& identity, std::shared_ptr<Device> device, Rule::Target old_target,
+    Rule::Target new_target, std::string matched_rule_key)
+  {
+    AuditEvent event(identity, _backend);
+    event.setKey("type", std::string("Policy.Device.") + Policy::eventTypeToString(Policy::EventType::Update));
+    event.setKey("target.old", Rule::targetToString(old_target));
+    event.setKey("target.new", Rule::targetToString(new_target));
+    event.setKey("device.system_name", device->getSystemName());
+    event.setKey("device.rule", device->getDeviceRule()->toString(false, _hide_pii));
+    event.setKey("rule.key", matched_rule_key);
+    return event;
+  }
+
+  AuditEvent Audit::policyEventSource(const AuditIdentity& identity, std::shared_ptr<Device> device, Rule::Target old_target,
+    Rule::Target new_target, std::string rule_source)
+  {
+    AuditEvent event(identity, _backend);
+    event.setKey("type", std::string("Policy.Device.") + Policy::eventTypeToString(Policy::EventType::Update));
+    event.setKey("target.old", Rule::targetToString(old_target));
+    event.setKey("target.new", Rule::targetToString(new_target));
+    event.setKey("device.system_name", device->getSystemName());
+    event.setKey("device.rule", device->getDeviceRule()->toString(false, _hide_pii));
+    event.setKey("rule.source", rule_source);
+    return event;
+  }
+
+  AuditEvent Audit::policyEventSourceKey(const AuditIdentity& identity, std::shared_ptr<Device> device, Rule::Target old_target,
+    Rule::Target new_target, std::string rule_source, std::string matched_rule_key)
+  {
+    AuditEvent event(identity, _backend);
+    event.setKey("type", std::string("Policy.Device.") + Policy::eventTypeToString(Policy::EventType::Update));
+    event.setKey("target.old", Rule::targetToString(old_target));
+    event.setKey("target.new", Rule::targetToString(new_target));
+    event.setKey("device.system_name", device->getSystemName());
+    event.setKey("device.rule", device->getDeviceRule()->toString(false, _hide_pii));
+    event.setKey("rule.source", rule_source);
+    event.setKey("rule.key", matched_rule_key);
+    return event;
+  }
+
   AuditEvent Audit::deviceEvent(const AuditIdentity& identity, std::shared_ptr<Device> device,
     DeviceManager::EventType event_type)
   {