From bbc921c2dd3e96bb81c067024e65fd8ca1adb8b0 Mon Sep 17 00:00:00 2001
From: Vijay Nadella
Date: Wed, 31 Jan 2024 10:42:06 -0600
Subject: [PATCH 1/7] Make changes based on abstraction
---
 UserDB.cpp | 25 ++++++++++++++++++++++++-
 auoms.cpp | 0
 build/docker/auoms-build32/Dockerfile | 6 +++---
 3 files changed, 27 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 UserDB.cpp
 mode change 100644 => 100755 auoms.cpp
diff --git a/UserDB.cpp b/UserDB.cpp
old mode 100644
new mode 100755
index 106b31a..20cc6ac
--- a/UserDB.cpp
+++ b/UserDB.cpp
@@ -21,6 +21,8 @@
 #include
 #include
+#include
+
 extern "C" {
 #include
 #include
@@ -29,8 +31,29 @@ extern "C" {
 std::string UserDB::GetUserName(int uid) {
+ Logger::Info("To retrieve details for UID = %d", uid);
 std::lock_guard lock(_lock);
+ char* buffer = NULL;
+ struct passwd pwent;
+ struct passwd* pwentp;
+ long size = sysconf(_SC_GETPW_R_SIZE_MAX);
+ if (size == -1) {
+ size = BUFSIZ;
+ }
+ buffer = new char[size];
+
+ Logger::Info("Calling NSS kernel module");
+ getpwuid_r(uid, &pwent, buffer, size, &pwentp);
+ if (pwent.pw_name != NULL) {
+ free(buffer);
+ Logger::Info("Return from NSS module for UID = %d - User = %s", uid, pwent.pw_name);
+ return pwent.pw_name;
+ }
+ Logger::Info("Return from NSS module for UID = %d - User = %s", uid, pwent.pw_name);
+ Logger::Info("Return from NSS module for UID = %d - User = %s", uid, pwentp->pw_name);
+
+ Logger::Info("NSS returned null, getting from pwd file");
 auto it = _users.find(uid);
 if (it != _users.end()) {
 return it->second;
@@ -290,4 +313,4 @@ int UserDB::GroupNameToGid(const std::string& name) {
 return -1;
 }
 return -1;
-}
+}
\ No newline at end of file
diff --git a/auoms.cpp b/auoms.cpp
old mode 100644
new mode 100755
diff --git a/build/docker/auoms-build32/Dockerfile b/build/docker/auoms-build32/Dockerfile
index 47a785c..7d3a6d8 100644
--- a/build/docker/auoms-build32/Dockerfile
+++ b/build/docker/auoms-build32/Dockerfile
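Review bot: The `getpwuid_r` block added to `GetUserName` reads `pwent.pw_name` without checking the call's return value or `pwentp`, so on a lookup miss the field is uninitialised; on a hit it releases `buffer` with `free` although it was obtained with `new[]`, and then constructs the returned `std::string` from `pwent.pw_name`, which points into that just-freed buffer; the fall-through path dereferences `pwentp`, which is null on a miss, and never releases `buffer`. The safe shape is to test the return value and `pwentp != nullptr`, copy `pwentp->pw_name` into a `std::string` before the buffer goes away, and hold the buffer in a `std::vector<char>` or `std::unique_ptr<char[]>` so it is released on every path. [PATCH 4/7] reverts this hunk wholesale, so as submitted the series leaves an intermediate commit with a use-after-free in a lookup that is presumably hot; squashing patches 1, 4 and 5 (which also undo the mode and newline churn) would keep that state out of history. GetUserName's body continues past the end of the hunk.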
@@ -3,10 +3,10 @@ MAINTAINER Tad Glines taglines@microsoft.com
 # Install initial dev env
 RUN sed -i 's/$basearch/i386/' /etc/yum.repos.d/*
-ADD https://copr.fedorainfracloud.org/coprs/mlampe/devtoolset-7/repo/epel-6/mlampe-devtoolset-7-epel-6.repo /etc/yum.repos.d/mlampe-devtoolset-7-epel-6.repo
+# ADD https://copr.fedorainfracloud.org/coprs/mlampe/devtoolset-7/repo/epel-6/mlampe-devtoolset-7-epel-6.repo /etc/yum.repos.d/mlampe-devtoolset-7-epel-6.repo
 RUN yum install -y util-linux-ng.i686 \
- && linux32 yum install -y devtoolset-7-toolchain \
- && linux32 yum update -y && yum install -y epel-release \
+# && linux32 yum install -y devtoolset-7-toolchain \
+# && linux32 yum update -y && yum install -y epel-release \
 && linux32 yum install -y \
 sudo \
 lsof \
From 7d0799d72de463f160dcd92aba3f2af73608a2a8 Mon Sep 17 00:00:00 2001
From: Vijay Nadella
Date: Thu, 28 Mar 2024 06:48:11 -0500
Subject: [PATCH 2/7] Add checks for audit enabled and running
---
 CollectionMonitor.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/CollectionMonitor.cpp b/CollectionMonitor.cpp
index bd366aa..42cc52a 100644
--- a/CollectionMonitor.cpp
+++ b/CollectionMonitor.cpp
@@ -192,7 +192,10 @@ void CollectionMonitor::signal_collector(int sig) {
 }
 bool CollectionMonitor::is_auditd_present() {
- return PathExists(_auditd_path);
+ int auditd_present = std::system("which auditd > /dev/null 2>&1");
+ int auditd_enabled = std::system("systemctl is-enabled auditd.service > /dev/null 2>&1");
+ int auditd_active = std::system("systemctl is-active auditd.service > /dev/null 2>&1");
+ return (PathExists(_auditd_path) && (auditd_present == 0) && (auditd_enabled == 0) && (auditd_active == 0));
 }
 bool CollectionMonitor::is_collector_alive() {
From eabec0dc979a0402a825688d7fabddefc7b035ff Mon Sep 17 00:00:00 2001
From: Vijay Nadella
Date: Thu, 28 Mar 2024 06:53:30 -0500
Subject: [PATCH 3/7] Add header
---
 CollectionMonitor.cpp | 1 +
 1 file changed, 1 insertion(+)
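Review bot: `is_auditd_present` now shells out three times through `std::system`, which runs `/bin/sh -c` and resolves `which` and `systemctl` through whatever PATH the daemon inherited; for a process that controls the audit netlink socket (and so very likely runs as root — its privilege level is not visible in the hunk) the binaries should be invoked by absolute path, or better via fork/exec with a fixed argv and a sanitised environment, and the same applies to the `chkconfig`, `service` and `initctl` calls that [PATCH 6/7] adds. If this check is polled (the call site is outside the hunk), every poll spawns several shells, and an audit collector will then see its own execve events in the stream it is collecting. The change also silently redefines "present" as "installed, enabled and currently active", so a host with auditd installed but stopped is now treated as if auditd were absent; a comment stating that intent, e.g. `// "present" means installed, enabled and running; a stopped auditd is treated as absent`, would keep the next reader from restoring the old path-only semantics by accident. `std::system` returns a wait status rather than an exit code, so the `== 0` comparisons are correct as written but deserve a one-line comment.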
diff --git a/CollectionMonitor.cpp b/CollectionMonitor.cpp
index 42cc52a..8eec124 100644
--- a/CollectionMonitor.cpp
+++ b/CollectionMonitor.cpp
@@ -32,6 +32,7 @@
 #include
 #include
 #include
+#include
 void CollectionMonitor::run() {
From 8754d87c02efba2db99c7cd795d08053d2d10b7d Mon Sep 17 00:00:00 2001
From: Vijay Nadella
Date: Thu, 28 Mar 2024 07:01:47 -0500
Subject: [PATCH 4/7] Revert debug changes
---
 UserDB.cpp | 23 ----------------------
 build/docker/auoms-build32/Dockerfile | 8 ++++----
 2 files changed, 4 insertions(+), 27 deletions(-)
 mode change 100755 => 100644 UserDB.cpp
diff --git a/UserDB.cpp b/UserDB.cpp
old mode 100755
new mode 100644
index 20cc6ac..2bb8c44
--- a/UserDB.cpp
+++ b/UserDB.cpp
@@ -21,8 +21,6 @@
 #include
 #include
-#include
-
 extern "C" {
 #include
 #include
@@ -31,29 +29,8 @@ extern "C" {
 std::string UserDB::GetUserName(int uid) {
- Logger::Info("To retrieve details for UID = %d", uid);
 std::lock_guard lock(_lock);
- char* buffer = NULL;
- struct passwd pwent;
- struct passwd* pwentp;
- long size = sysconf(_SC_GETPW_R_SIZE_MAX);
- if (size == -1) {
- size = BUFSIZ;
- }
- buffer = new char[size];
-
- Logger::Info("Calling NSS kernel module");
- getpwuid_r(uid, &pwent, buffer, size, &pwentp);
- if (pwent.pw_name != NULL) {
- free(buffer);
- Logger::Info("Return from NSS module for UID = %d - User = %s", uid, pwent.pw_name);
- return pwent.pw_name;
- }
- Logger::Info("Return from NSS module for UID = %d - User = %s", uid, pwent.pw_name);
- Logger::Info("Return from NSS module for UID = %d - User = %s", uid, pwentp->pw_name);
-
- Logger::Info("NSS returned null, getting from pwd file");
 auto it = _users.find(uid);
 if (it != _users.end()) {
 return it->second;
diff --git a/build/docker/auoms-build32/Dockerfile b/build/docker/auoms-build32/Dockerfile
index 7d3a6d8..2845f95 100644
--- a/build/docker/auoms-build32/Dockerfile
+++ b/build/docker/auoms-build32/Dockerfile
@@ -3,10 +3,10 @@ MAINTAINER Tad Glines taglines@microsoft.com
 # Install initial dev env
 RUN sed -i 's/$basearch/i386/' /etc/yum.repos.d/*
-# ADD https://copr.fedorainfracloud.org/coprs/mlampe/devtoolset-7/repo/epel-6/mlampe-devtoolset-7-epel-6.repo /etc/yum.repos.d/mlampe-devtoolset-7-epel-6.repo
+ADD https://copr.fedorainfracloud.org/coprs/mlampe/devtoolset-7/repo/epel-6/mlampe-devtoolset-7-epel-6.repo /etc/yum.repos.d/mlampe-devtoolset-7-epel-6.repo
 RUN yum install -y util-linux-ng.i686 \
-# && linux32 yum install -y devtoolset-7-toolchain \
-# && linux32 yum update -y && yum install -y epel-release \
+ && linux32 yum install -y devtoolset-7-toolchain \
+ && linux32 yum update -y && yum install -y epel-release \
 && linux32 yum install -y \
 sudo \
 lsof \
@@ -32,4 +32,4 @@ RUN yum install -y util-linux-ng.i686 \
 RUN sed -i '/requiretty/d' /etc/sudoers \
 && echo "build ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
-ENTRYPOINT ["/usr/bin/linux32"]
\ No newline at end of file
+ENTRYPOINT ["/usr/bin/linux32"]
From 7956db8abda51b941800ed4d94e68330df5094c2 Mon Sep 17 00:00:00 2001
From: Vijay Nadella
Date: Thu, 28 Mar 2024 07:05:26 -0500
Subject: [PATCH 5/7] Revert file perm changes
---
 UserDB.cpp | 2 +-
 auoms.cpp | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 mode change 100755 => 100644 auoms.cpp
diff --git a/UserDB.cpp b/UserDB.cpp
index 2bb8c44..106b31a 100644
--- a/UserDB.cpp
+++ b/UserDB.cpp
@@ -290,4 +290,4 @@ int UserDB::GroupNameToGid(const std::string& name) {
 return -1;
 }
 return -1;
-}
\ No newline at end of file
+}
diff --git a/auoms.cpp b/auoms.cpp
old mode 100755
new mode 100644
From 1038dac868566f414c967a726e901c7a78e4ef0b Mon Sep 17 00:00:00 2001
From: Vijay Nadella
Date: Fri, 29 Mar 2024 10:45:04 -0500
Subject: [PATCH 6/7] Add support from sysv and upstart
---
 CollectionMonitor.cpp | 42 ++++++++++++++++++++++++++++++++++++++----
 CollectionMonitor.h | 3 +++
 2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/CollectionMonitor.cpp b/CollectionMonitor.cpp
index 8eec124..a4b7327 100644
--- a/CollectionMonitor.cpp
+++ b/CollectionMonitor.cpp
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 void CollectionMonitor::run() {
@@ -192,11 +193,44 @@ void CollectionMonitor::signal_collector(int sig) {
 }
 }
+bool CollectionMonitor::is_auditd_enabled_systemd() {
+ int isEnabledStatus = std::system("systemctl is-enabled auditd.service > /dev/null 2>&1");
+ int isActiveStatus = std::system("systemctl is-active auditd.service > /dev/null 2>&1");
+ return (PathExists(_auditd_path) && (isEnabledStatus == 0) && (isActiveStatus == 0));
+}
+
+bool CollectionMonitor::is_auditd_enabled_sysv() {
+ int isEnabledStatus = std::system("chkconfig --list auditd | grep -q ':on' > /dev/null 2>&1");
+ int isActiveStatus = std::system("service auditd status | grep 'running' > /dev/null 2>&1");
+ return ((isEnabledStatus == 0) && (isActiveStatus == 0));
+}
+
+bool CollectionMonitor::is_auditd_enabled_upstart() {
+ int isEnabledStatus = 0;
+ std::ifstream file("/etc/init/auditd.conf");
+ if (!file.is_open()) {
+ return false;
+ }
+
+ std::string line;
+ while (std::getline(file, line)) {
+ // Check if the line contains 'start on' indicating service is enabled
+ if (line.find("start on") != std::string::npos) {
+ file.close();
+ isEnabledStatus = 1;
+ }
+ }
+ file.close();
+
+ int isActiveStatus = std::system("initctl status auditd | grep 'running' > /dev/null 2>&1");
+ return (isEnabledStatus && (isActiveStatus == 0));
+}
+
 bool CollectionMonitor::is_auditd_present() {
- int auditd_present = std::system("which auditd > /dev/null 2>&1");
- int auditd_enabled = std::system("systemctl is-enabled auditd.service > /dev/null 2>&1");
- int auditd_active = std::system("systemctl is-active auditd.service > /dev/null 2>&1");
- return (PathExists(_auditd_path) && (auditd_present == 0) && (auditd_enabled == 0) && (auditd_active == 0));
+ if (is_auditd_enabled_systemd() || is_auditd_enabled_sysv() || is_auditd_enabled_upstart()) {
+ return true;
+ }
+ return false;
 }
 bool CollectionMonitor::is_collector_alive() {
diff --git a/CollectionMonitor.h b/CollectionMonitor.h
index e648c30..9c121b3 100644
--- a/CollectionMonitor.h
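Review bot: The `PathExists(_auditd_path)` check survives only inside `is_auditd_enabled_systemd`, so the sysv and upstart branches of `is_auditd_present` can answer true without consulting the path the rest of the monitor presumably works with (its other uses are outside the hunk); hoisting it into the caller as `return PathExists(_auditd_path) && (is_auditd_enabled_systemd() || is_auditd_enabled_sysv() || is_auditd_enabled_upstart());` makes the three branches consistent and also replaces the if/return-true/return-false with one expression. The `| grep 'running'` pipelines in `is_auditd_enabled_sysv` and `is_auditd_enabled_upstart` report only grep's exit status, and an unanchored `running` could also match status text such as "not running" that some init scripts print; matching a more specific phrase, or using the LSB status exit code of `service auditd status` directly (0 running, 3 stopped), would be less fragile. The `> /dev/null 2>&1` placed after grep silences only grep, so any stderr from `chkconfig`, `service` or `initctl` still lands on the daemon's stderr. All of these commands go through `std::system` with an inherited PATH, the point already raised on [PATCH 2/7]; `isEnabledStatus` in the upstart helper is an int used as a flag and reads more clearly as a `bool`.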
+++ b/CollectionMonitor.h
@@ -61,6 +61,9 @@ class CollectionMonitor: public RunBase {
 bool is_auditd_present();
 bool is_collector_alive();
 void send_audit_pid_report(int pid);
+ bool is_auditd_enabled_systemd();
+ bool is_auditd_enabled_sysv();
+ bool is_auditd_enabled_upstart();
 Netlink _netlink;
 EventBuilder _builder;
From 810c245483cf4c3d4ae7d80d68d3808b9dec1ce9 Mon Sep 17 00:00:00 2001
From: Vijay Nadella
Date: Fri, 29 Mar 2024 13:41:39 -0500
Subject: [PATCH 7/7] Resolve cr comments
---
 CollectionMonitor.cpp | 2 +-
 build/docker/auoms-build32/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CollectionMonitor.cpp b/CollectionMonitor.cpp
index a4b7327..a6a8a09 100644
--- a/CollectionMonitor.cpp
+++ b/CollectionMonitor.cpp
@@ -216,8 +216,8 @@ bool CollectionMonitor::is_auditd_enabled_upstart() {
 while (std::getline(file, line)) {
 // Check if the line contains 'start on' indicating service is enabled
 if (line.find("start on") != std::string::npos) {
- file.close();
 isEnabledStatus = 1;
+ break;
 }
 }
 file.close();
diff --git a/build/docker/auoms-build32/Dockerfile b/build/docker/auoms-build32/Dockerfile
index 2845f95..47a785c 100644
--- a/build/docker/auoms-build32/Dockerfile
+++ b/build/docker/auoms-build32/Dockerfile
@@ -32,4 +32,4 @@ RUN yum install -y util-linux-ng.i686 \
 RUN sed -i '/requiretty/d' /etc/sudoers \
 && echo "build ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
-ENTRYPOINT ["/usr/bin/linux32"]
+ENTRYPOINT ["/usr/bin/linux32"]
\ No newline at end of file
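Review bot: The `start on` test in the loop around the changed lines of `is_auditd_enabled_upstart` also matches commented-out lines (upstart job files use `#` comments), so a job whose `start on` stanza has been disabled by commenting it out is still reported as enabled; skipping comment lines before the `find`, `auto first = line.find_first_not_of(" \t");` followed by `if (first == std::string::npos || line[first] == '#') continue;`, closes that gap. With the `break` now in place the explicit `file.close()` after the loop is redundant, since the `std::ifstream` destructor closes the stream, and could be dropped. The enclosing function starts before this hunk.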