From owner-trustedbsd-cvs@FreeBSD.ORG Mon Sep 18 14:59:32 2006
Date: Mon, 18 Sep 2006 14:55:52 GMT
Message-Id: <200609181455.k8IEtqUF005669@repoman.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 106293 for review
List-Id: TrustedBSD CVS and Perforce commit message list

http://perforce.freebsd.org/chv.cgi?CH=106293

Change 106293 by rwatson@rwatson_zoo on 2006/09/18 14:55:17

	Integrate TrustedBSD audit3 branch from TrustedBSD OpenBSM branch to
	bring in OpenBSM 1.0alpha11 changes of various sorts -- especially as
	relates to audit policy flags.

Affected files ...

.. //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#13 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#10 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#13 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#8 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#14 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit.h#17 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_internal.h#12 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#27 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#17 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#12 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#13 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#16 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#9 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/auditon.2#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/tools/audump.c#8 integrate

Differences ...

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#13 (text+ko) ====
@@ -1,3 +1,31 @@ +OpenBSM 1.0 alpha 11 + +- Reclassify certain read/write operations as having no class rather than the + fr/fw class; our default classes audit intent (open) not operations (read, + write). +- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads + and writes of sysctls as separate events. Add additional kernel + environment and jail events for FreeBSD. +- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER + (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued + by the kernel audit implementation) so that they can be distinguished. +- Disable rate limiting of rotate requests; as the kernel doesn't retransmit + a dropped request, the log file will otherwise grow indefinitely if the + trigger is dropped. +- Improve auditd debugging output. +- Fix a number of threading related bugs in audit_control file reading + routines. +- Add APIs au_poltostr() and au_strtopol() to convert between text + representations of audit_control policy flags and the flags passed to + auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY). +- Add API getacpol() to return the 'policy:' entry from audit_control, an + extension to the Solaris file format to allow specification of policy + persistent flags. +- Update audump to print the audit_control policy field. +- Update auditd to read the audit_control policy field and set the kernel + policy to match it when configuring/reconfiguring. Remove the -s and -h + arguments as these policies are now set via the configuration file. + OpenBSM 1.0 alpha 10 - auditd now generates complete audit records for its events, as required for 
@@ -209,4 +237,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#12 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#13 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#10 (text+ko) ==== @@ -17,5 +17,10 @@ just at the beginning of a record. This will make it easier to use praudit in test suites processing single-token files without header and trailer context. +- Teach auditd how to notify a script when it is done with trail files so + that the script can archive them, compress them, delete them, whatever. + It should walk any trail files found at startup also, assuming it + successfully registers. +- Put hostname in trail file name. -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#9 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#10 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#13 (text+ko) ==== @@ -1,1 +1,1 @@ -OPENBSM_1_0_ALPHA_9 +OPENBSM_1_0_ALPHA_11 ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#8 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#7 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#8 $ */ /* * Program to trigger the audit daemon with a message that is either: @@ -75,7 +75,7 @@ switch(ch) { case 'n': - trigger = AUDIT_TRIGGER_OPEN_NEW; + trigger = AUDIT_TRIGGER_ROTATE_USER; break; case 's': ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#4 (text+ko) ==== @@ -29,7 +29,7 @@ .\" .\" @APPLE_BSD_LICENSE_HEADER_END@ .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#3 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#4 $ .\" .Dd January 24, 2004 .Dt AUDITD 8 
@@ -51,14 +51,20 @@ .Bl -tag -width Ds .It Fl d Starts the daemon in debug mode - it will not daemonize. -.It Fl h -Specifies that if auditing cannot be performed as specified, the system should -halt (panic). Normally, the system will attempt to proceed - although individual -processes may be stopped (see the -s option). -.It Fl s -Specifies that individual processes should stop rather than perform operations -that may cause audit records to be lost due to log file full conditions .El +.Pp +The historical +.Fl h +and +.Fl s +flags are now configured using +.Xr audit_control 5 +policy flags +.Dv ahlt +and +.Dv cnt , +and are no longer available as arguments to +.Xr auditd 8 . .Sh NOTE .Pp To assure uninterrupted audit support, the ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#14 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#13 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#14 $ */ #include @@ -59,6 +59,7 @@ #include "auditd.h" #define NA_EVENT_STR_SIZE 25 +#define POL_STR_SIZE 128 static int ret, minval; static char *lastfile = NULL; @@ -67,7 +68,6 @@ static int sigchlds, sigchlds_handled; static int sighups, sighups_handled; static int sigterms, sigterms_handled; -static long global_flags; static TAILQ_HEAD(, dir_ent) dir_q; @@ -160,8 +160,9 @@ *ptr = '.'; strcpy(ptr+1, TS); if (rename(oldname, lastfile) != 0) - syslog(LOG_ERR, "Could not rename %s to %s", - oldname, lastfile); + syslog(LOG_ERR, + "Could not rename %s to %s: %m", oldname, + lastfile); else syslog(LOG_INFO, "renamed %s to %s", oldname, lastfile); @@ -286,7 +287,7 @@ free(dirent->dirname); free(dirent); } - syslog(LOG_ERR, "Log directories exhausted\n"); + syslog(LOG_ERR, "Log directories exhausted"); return (-1); } 
@@ -343,7 +344,7 @@ * XXX is generated here? */ if (0 == (ret = getacmin(&minval))) { - syslog(LOG_DEBUG, "min free = %d\n", minval); + syslog(LOG_DEBUG, "min free = %d", minval); if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) { syslog(LOG_ERR, "could not get audit queue settings"); 
@@ -494,31 +495,65 @@ } /* - * Suppress duplicate messages within a 30 second interval. This should be - * enough to time to rotate log files without thrashing from soft warnings - * generated before the log is actually rotated. + * Handle the audit trigger event. + * + * We suppress (ignore) duplicated triggers in close succession in order to + * try to avoid thrashing-like behavior. However, not all triggers can be + * ignored, as triggers generally represent edge triggers, not level + * triggers, and won't be retransmitted if the condition persists. Of + * specific concern is the rotate trigger -- if one is dropped, then it will + * not be retransmitted, and the log file will grow in an unbounded fashion. */ #define DUPLICATE_INTERVAL 30 static void handle_audit_trigger(int trigger) { - static int last_trigger; + static int last_trigger, last_warning; static time_t last_time; struct dir_ent *dirent; + struct timeval ts; + struct timezone tzp; + time_t tt; /* - * Suppres duplicate messages from the kernel within the specified + * Suppress duplicate messages from the kernel within the specified * interval. */ - struct timeval ts; - struct timezone tzp; - time_t tt; - if (gettimeofday(&ts, &tzp) == 0) { tt = (time_t)ts.tv_sec; - if ((trigger == last_trigger) && - (tt < (last_time + DUPLICATE_INTERVAL))) - return; + switch (trigger) { + case AUDIT_TRIGGER_LOW_SPACE: + case AUDIT_TRIGGER_NO_SPACE: + /* + * Triggers we can suppress. Of course, we also need + * to rate limit the warnings, so apply the same + * interval limit on syslog messages. + */ + if ((trigger == last_trigger) && + (tt < (last_time + DUPLICATE_INTERVAL))) { + if (tt >= (last_warning + DUPLICATE_INTERVAL)) + syslog(LOG_INFO, + "Suppressing duplicate trigger %d", + trigger); + return; + } + last_warning = tt; + break; + + case AUDIT_TRIGGER_ROTATE_KERNEL: + case AUDIT_TRIGGER_ROTATE_USER: + case AUDIT_TRIGGER_READ_FILE: + /* + * Triggers that we cannot suppress. 
+ */ + break; + } + + /* + * Only update last_trigger after aborting due to a duplicate + * trigger, not before, or we will never allow that trigger + * again. + */ last_trigger = trigger; last_time = tt; } @@ -528,7 +563,6 @@ */ dirent = TAILQ_FIRST(&dir_q); switch(trigger) { - case AUDIT_TRIGGER_LOW_SPACE: syslog(LOG_INFO, "Got low space trigger"); if (dirent && (dirent->softlim != 1)) { @@ -554,7 +588,8 @@ } else { /* * Continue auditing to the current file. Also - * generate an allsoft warning. + * generate an allsoft warning. + * * XXX do we want to do this ? */ audit_warn_allsoft(); @@ -577,12 +612,14 @@ audit_warn_allhard(++allhardcount); break; - case AUDIT_TRIGGER_OPEN_NEW: + case AUDIT_TRIGGER_ROTATE_KERNEL: + case AUDIT_TRIGGER_ROTATE_USER: /* * Create a new file and swap with the one being used in * kernel */ - syslog(LOG_INFO, "Got open new trigger"); + syslog(LOG_INFO, "Got open new trigger from %s", trigger == + AUDIT_TRIGGER_ROTATE_KERNEL ? "kernel" : "user"); if (swap_audit_file() == -1) syslog(LOG_ERR, "Error swapping audit file"); break; @@ -656,10 +693,8 @@ syslog(LOG_DEBUG, "%s: SIGTERM", __FUNCTION__); break; } - if (sigchlds != sigchlds_handled) { - syslog(LOG_DEBUG, "%s: SIGCHLD", __FUNCTION__); + if (sigchlds != sigchlds_handled) handle_sigchld(); - } if (sighups != sighups_handled) { syslog(LOG_DEBUG, "%s: SIGHUP", __FUNCTION__); handle_sighup(); @@ -670,7 +705,6 @@ syslog(LOG_ERR, "%s: read EOF", __FUNCTION__); return (-1); } - syslog(LOG_DEBUG, "%s: read %d", __FUNCTION__, trigger); if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE) break; else 
@@ -691,10 +725,13 @@ au_mask_t aumask; int ctr = 0; char naeventstr[NA_EVENT_STR_SIZE]; + char polstr[POL_STR_SIZE]; + long policy; /* * Process the audit event file, obtaining a class mapping for each * event, and send that mapping into the kernel. + * * XXX There's a risk here that the BSM library will return NULL * for an event when it can't properly map it to a class. In that * case, we will not process any events beyond the one that failed, @@ -703,10 +740,17 @@ ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX); ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX); if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) { + if (ev.ae_name != NULL) + free(ev.ae_name); syslog(LOG_ERR, "Memory allocation error when configuring audit controls."); return (-1); } + + /* + * XXXRW: Currently we have no way to remove mappings from the kernel + * when they are removed from the file-based mappings. + */ evp = &ev; setauevent(); while ((evp = getauevent_r(evp)) != NULL) { @@ -745,11 +789,12 @@ syslog(LOG_ERR, "Failed to obtain non-attributable event mask."); - /* - * Set the audit policy flags based on passed in parameter values. - */ - if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags))) - syslog(LOG_ERR, "Failed to set audit policy."); + if ((getacpol(polstr, POL_STR_SIZE) == 0) && + (au_strtopol(polstr, &policy) == 0)) { + if (auditon(A_SETPOLICY, &policy, sizeof(policy))) + syslog(LOG_ERR, "Failed to set audit policy."); + } else + syslog(LOG_ERR, "Failed to obtain policy flags."); return (0); } @@ -826,7 +871,6 @@ int debug = 0; int rc; - global_flags |= AUDIT_CNT; while ((ch = getopt(argc, argv, "dhs")) != -1) { switch(ch) { case 'd': 
@@ -834,20 +878,10 @@ debug = 1; break; - case 's': - /* Fail-stop option. */ - global_flags &= ~(AUDIT_CNT); - break; - - case 'h': - /* Halt-stop option. */ - global_flags |= AUDIT_AHLT; - break; - case '?': default: (void)fprintf(stderr, - "usage: auditd [-h | -s] [-d] \n"); + "usage: auditd [-d] \n"); exit(1); } } ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#4 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#3 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#4 $ */ #ifndef _AUDITD_H_ @@ -61,7 +61,7 @@ #define HARDLIM_ALL_WARN "allhard" #define SOFTLIM_ALL_WARN "allsoft" -#define AUDITOFF_WARN "aditoff" +#define AUDITOFF_WARN "auditoff" #define EBUSY_WARN "ebusy" #define GETACDIR_WARN "getacdir" #define HARDLIM_WARN "hard" ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#17 (text+ko) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#16 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#17 $ */ #ifndef _LIBBSM_H_ @@ -71,6 +71,7 @@ #define MINFREE_CONTROL_ENTRY "minfree" #define FLAGS_CONTROL_ENTRY "flags" #define NA_CONTROL_ENTRY "naflags" +#define POLICY_CONTROL_ENTRY "policy" #define AU_CLASS_NAME_MAX 8 #define AU_CLASS_DESC_MAX 72 
@@ -711,11 +712,14 @@ int getacmin(int *min_val); int getacflg(char *auditstr, int len); int getacna(char *auditstr, int len); +int getacpol(char *auditstr, size_t len); int getauditflagsbin(char *auditstr, au_mask_t *masks); int getauditflagschar(char *auditstr, au_mask_t *masks, int verbose); int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag); +ssize_t au_poltostr(long policy, size_t maxsize, char *buf); +int au_strtopol(const char *polstr, long *policy); /* * Functions relating to querying audit event information. ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#12 (xtext) ==== @@ -1,7 +1,7 @@ #! /bin/sh -# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#28 . +# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#29 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a10. +# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11. # # Report bugs to . # @@ -424,8 +424,8 @@ # Identity of this package. PACKAGE_NAME='OpenBSM' PACKAGE_TARNAME='openbsm' -PACKAGE_VERSION='1.0a10' -PACKAGE_STRING='OpenBSM 1.0a10' +PACKAGE_VERSION='1.0a11' +PACKAGE_STRING='OpenBSM 1.0a11' PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org' ac_unique_file="bin/auditreduce/auditreduce.c" @@ -955,7 +955,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenBSM 1.0a10 to adapt to many kinds of systems. +\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1021,7 +1021,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenBSM 1.0a10:";; + short | recursive ) echo "Configuration of OpenBSM 1.0a11:";; esac cat <<\_ACEOF 
@@ -1162,7 +1162,7 @@ test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -OpenBSM configure 1.0a10 +OpenBSM configure 1.0a11 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. @@ -1176,7 +1176,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenBSM $as_me 1.0a10, which was +It was created by OpenBSM $as_me 1.0a11, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ @@ -19278,7 +19278,7 @@ # Define the identity of the package. PACKAGE=OpenBSM - VERSION=1.0a10 + VERSION=1.0a11 cat >>confdefs.h <<_ACEOF @@ -23478,7 +23478,7 @@ } >&5 cat >&5 <<_CSEOF -This file was extended by OpenBSM $as_me 1.0a10, which was +This file was extended by OpenBSM $as_me 1.0a11, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23541,7 +23541,7 @@ cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -OpenBSM config.status 1.0a10 +OpenBSM config.status 1.0a11 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#13 (text+ko) ==== @@ -2,8 +2,8 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) -AC_INIT([OpenBSM], [1.0a10], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) -AC_REVISION([$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#12 $]) +AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) +AC_REVISION([$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#13 $]) AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c]) AC_CONFIG_AUX_DIR(config) AC_CONFIG_HEADER([config/config.h]) ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#6 (text+ko) ==== 
@@ -1,8 +1,9 @@ # -# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#5 $ +# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#6 $ # $FreeBSD: src/contrib/openbsm/etc/audit_control,v 1.2 2006/03/26 01:44:35 rwatson Exp $ # dir:/var/audit flags:lo minfree:20 naflags:lo +policy:cnt ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#16 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#15 $ +# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#16 $ # $FreeBSD: src/contrib/openbsm/etc/audit_event,v 1.3 2006/06/27 18:09:54 rwatson Exp $ # 0:AUE_NULL:indir system call:no @@ -118,8 +118,8 @@ 113:AUE_SYSTEMBOOT:system booted:na 114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad 115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad -128:AUE_WRITEL:writel(2):fw -129:AUE_WRITEVL:writevl(2):fw +128:AUE_WRITEL:writel(2):no +129:AUE_WRITEVL:writevl(2):no 130:AUE_GETAUID:getauid(2):ad 131:AUE_SETAUID:setauid(2):ad 132:AUE_GETAUDIT:getaudit(2):ad @@ -266,7 +266,7 @@ 325:AUE_DARWIN_KDEBUGTRACE:system call:pc 326:AUE_DARWIN_FSTAT:fstat(2):fa 327:AUE_DARWIN_FPATHCONF:fpathconf(2):fa -328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):fr +328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):no 329:AUE_DARWIN_TRUNCATE:truncate(2):fw 330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw 331:AUE_DARWIN_SYSCTL:sysctl(3):ad @@ -322,8 +322,8 @@ 43017:AUE_KDEBUGTRACE:system call:pc 43018:AUE_FSTAT:fstat(2):fa 43019:AUE_FPATHCONF:fpathconf(2):fa -43020:AUE_GETDIRENTRIES:getdirentries(2):fr -43021:AUE_SYSCTL:sysctl(3):ad +43020:AUE_GETDIRENTRIES:getdirentries(2):no +43021:AUE_SYSCTL:sysctl(3):ot 43022:AUE_MLOCK:mlock(2):pc 43023:AUE_MUNLOCK:munlock(2):pc 43024:AUE_UNDELETE:undelete(2):fm 
@@ -416,6 +416,9 @@ 43111:AUE_EXTATTR_SET_LINK:extattr_set_link(2):fm 43112:AUE_EXTATTR_LIST_LINK:extattr_list_link(2):fa 43113:AUE_EXTATTR_DELETE_LINK:extattr_delete_link(2):fm +43114:AUE_KENV:kenv(8):ad +43115:AUE_JAIL_ATTACH:jail_attach(2):ad +43116:AUE_SYSCTL_WRITE:sysctl(3):ad # # User space system events. # ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#5 (text+ko) ==== @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#4 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#5 $ .\" .Dd April 19, 2005 .Dt AU_CONTROL 3 @@ -34,7 +34,10 @@ .Nm getacdir , .Nm getacmin , .Nm getacflg , -.Nm getacna +.Nm getacna , +.Nm getacpol , +.Nm au_poltostr +.Nm au_strtopol .Nd "Look up information from the audit_control database" .Sh LIBRARY .Lb libbsm @@ -52,6 +55,12 @@ .Fn getacflg "char *auditstr" "int len" .Ft int .Fn getacna "char *auditstr" "int len" +.Ft int +.Fn getacpol "char *auditstr" "size_t len" +.Ft ssize_t +.Fn au_poltostr "long policy" "size_t maxsize" "char *buf" +.Ft int +.Fn au_strtopol "const char *polstr" "long *policy" .Sh DESCRIPTION These interfaces may be used to look up information from the .Xr audit_control 5 
@@ -90,15 +99,42 @@ .Va auditstr of length .Va len . +.Pp +.Fn getacpol +returns the audit policy flags via the passed character buffer +.Va auditstr +of length +.Va len . +.Pp +.Fn au_poltostr +converts a numeric audit policy mask, +.Va policy , +value to a string in the passed character buffer +.Va buf +of lenth +.Va maxsize . +.Pp +.Fn au_strtopol +converts an audit policy flags string, +.Va polstr , +to a numeric audit policy mask returned via +.Va policy . .Sh RETURN VALULES .Fn getacdir , .Fn getacmin , .Fn getacflg , +.Fn getacna , +.Fn getacpol , and -.Fn getacna +.Fn au_strtopol return 0 on success, or a negative value on failure, along with error information in .Va errno . +.Pp +.Fn au_poltostr +returns a string length of 0 or more on success, or a negative value on +if there is a failure. +.Pp Functions that return a string value will return a failure if there is insufficient room in the passed character buffer for the full string. .Sh SEE ALSO ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#9 (text+ko) ==== @@ -1,5 +1,6 @@ /* * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2006 Robert N. M. Watson * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -26,7 +27,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#8 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#9 $ */ #include @@ -39,7 +40,7 @@ /* * Parse the contents of the audit_control file to return the audit control - * parameters. + * parameters. These static fields are protected by 'mutex'. */ static FILE *fp = NULL; static char linestr[AU_LINE_MAX]; 
@@ -98,21 +99,223 @@ } /* + * Convert a policy to a string. Return -1 on failure, or >= 0 representing + * the actual size of the string placed in the buffer (excluding terminating + * nul). + */ +ssize_t +au_poltostr(long policy, size_t maxsize, char *buf) +{ + int first; + + if (maxsize < 1) + return (-1); + first = 1; + buf[0] = '\0'; + + if (policy & AUDIT_CNT) { + if (strlcat(buf, "cnt", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_AHLT) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "ahlt", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_ARGV) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "argv", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_ARGE) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "arge", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_SEQ) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "seq", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_WINDATA) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "windata", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_USER) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "user", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_GROUP) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "group", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_TRAIL) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "trail", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_PATH) { + 
if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "path", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_SCNT) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "scnt", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_PUBLIC) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "public", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_ZONENAME) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "zonename", maxsize) >= maxsize) + return (-1); + first = 0; + } + if (policy & AUDIT_PERZONE) { + if (!first) { + if (strlcat(buf, ",", maxsize) >= maxsize) + return (-1); + } + if (strlcat(buf, "perzone", maxsize) >= maxsize) + return (-1); + first = 0; + } + return (strlen(buf)); +} + +/* + * Convert a string to a policy. Return -1 on failure (with errno EINVAL, + * ENOMEM) or 0 on success. 
+ */ +int +au_strtopol(const char *polstr, long *policy) +{ + char *bufp, *string; + char *buffer; + + *policy = 0; + buffer = strdup(polstr); + if (buffer == NULL) + return (-1); + + bufp = buffer; + while ((string = strsep(&bufp, ",")) != NULL) { + if (strcmp(string, "cnt") == 0) + *policy |= AUDIT_CNT; + else if (strcmp(string, "ahlt") == 0) + *policy |= AUDIT_AHLT; + else if (strcmp(string, "argv") == 0) + *policy |= AUDIT_ARGV; + else if (strcmp(string, "arge") == 0) + *policy |= AUDIT_ARGE; + else if (strcmp(string, "seq") == 0) + *policy |= AUDIT_SEQ; + else if (strcmp(string, "winau_fstat") == 0) + *policy |= AUDIT_WINDATA; + else if (strcmp(string, "user") == 0) + *policy |= AUDIT_USER; + else if (strcmp(string, "group") == 0) + *policy |= AUDIT_GROUP; + else if (strcmp(string, "trail") == 0) + *policy |= AUDIT_TRAIL; + else if (strcmp(string, "path") == 0) + *policy |= AUDIT_PATH; + else if (strcmp(string, "scnt") == 0) + *policy |= AUDIT_SCNT; + else if (strcmp(string, "public") == 0) + *policy |= AUDIT_PUBLIC; + else if (strcmp(string, "zonename") == 0) + *policy |= AUDIT_ZONENAME; + else if (strcmp(string, "perzone") == 0) + *policy |= AUDIT_PERZONE; + else { + free(buffer); + errno = EINVAL; + return (-1); + } + } + free(buffer); + return (0); +} + +/* * Rewind the file pointer to beginning. */ +static void +setac_locked(void) +{ + + ptrmoved = 1; + if (fp != NULL) + fseek(fp, 0, SEEK_SET); +} + void setac(void) { pthread_mutex_lock(&mutex); - ptrmoved = 1; - if (fp != NULL) - fseek(fp, 0, SEEK_SET); + setac_locked(); pthread_mutex_unlock(&mutex); } /* - * Close the audit_control file + * Close the audit_control file. */ void endac(void) 
@@ -136,72 +339,54 @@ char *dir; int ret = 0; - if (name == NULL) { - errno = EINVAL; - return (-2); - } - - pthread_mutex_lock(&mutex); - /* - * Check if another function was called between - * successive calls to getacdir + * Check if another function was called between successive calls to + * getacdir. */ >>> TRUNCATED FOR MAIL (1000 lines) <<<
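Review bot: In the handle_audit_trigger() hunk of auditd.c (@@ -494,31 +495,65 @@) the new "Suppressing duplicate trigger %d" syslog can never fire. `last_warning = tt` is assigned only on the accepted path, immediately before `last_time = tt`, so last_warning and last_time always hold the same value when the next trigger arrives, and the inner test `tt >= (last_warning + DUPLICATE_INTERVAL)` is the exact negation of the enclosing `tt < (last_time + DUPLICATE_INTERVAL)`. Either set `last_warning = tt` inside the suppression branch after logging, so the warning is rate limited independently of the trigger timestamp, or drop the message. The switch also has no `default:` case, so any trigger value not listed silently takes the non-suppressible path; an explicit `default:` (with a comment or a syslog of the unexpected value) would record that this is intended. The closing comment "Only update last_trigger after aborting due to a duplicate trigger, not before" reads backwards; it means the update must come after the duplicate check has declined to return.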
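Review bot: In the config_audit_controls() allocation hunk of auditd.c (@@ -703,10 +740,17 @@) the failure cleanup frees only ev.ae_name; when ae_name is NULL but the ae_desc malloc succeeded, ae_desc leaks. Free both, e.g. `free(ev.ae_name); free(ev.ae_desc);` (free(NULL) is a no-op, so the NULL guards are unnecessary).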
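Review bot: The policy hunk of auditd.c (@@ -745,11 +789,12 @@) changes the daemon's default behaviour without saying so. Before this change global_flags always carried AUDIT_CNT unless -s was given; now, whenever getacpol() does not return 0 (for instance when an existing audit_control has no 'policy:' line, which every pre-upgrade installation will lack), auditd logs "Failed to obtain policy flags." and leaves whatever policy the kernel already had, so the cnt default is gone on those systems. Consider falling back to a default policy such as AUDIT_CNT, matching the new etc/audit_control, when the entry is absent, and distinguish that case in the log text from a string rejected by au_strtopol(), since both paths currently produce the same "Failed to obtain policy flags." message.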
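Review bot: In the getopt hunk of auditd.c (@@ -834,20 +878,10 @@) the 's' and 'h' cases are removed and the usage string becomes "usage: auditd [-d]", but the optstring on the unchanged context line `while ((ch = getopt(argc, argv, "dhs")) != -1)` still lists h and s. getopt therefore accepts -h and -s without its own "illegal option" diagnostic and they only reach the usage message by falling into `default:`; change the optstring to "d" so the removed flags are rejected the same way as any other unknown option, consistent with the auditd.8 text in this change.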
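Review bot: In the NAME-list hunk of au_control.3 (@@ -34,7 +34,10 @@) `.Nm au_poltostr` is missing the trailing comma that the preceding entries carry (`.Nm getacpol ,`), so it renders run together with au_strtopol; make it `.Nm au_poltostr ,`.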
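Review bot: In the DESCRIPTION/RETURN VALUES hunk of au_control.3 (@@ -90,15 +99,42 @@) "of lenth" should be "of length" in the au_poltostr paragraph, and "or a negative value on if there is a failure" should read "or a negative value on failure". The unchanged context line `.Sh RETURN VALULES` carries a pre-existing typo (VALUES) worth fixing while this section is being edited. The au_poltostr description could also state that the returned length excludes the terminating nul, as the function comment in bsm_control.c already does.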
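Review bot: In the bsm_control.c hunk adding au_poltostr()/au_strtopol() (@@ -98,21 +99,223 @@) the two functions do not round-trip: au_strtopol() matches "winau_fstat" for AUDIT_WINDATA while au_poltostr() emits "windata" for the same flag, so a 'policy:' line that contains windata is rejected with EINVAL. The token should be "windata", the Solaris name the other entries follow. The fourteen near-identical strlcat blocks in au_poltostr() and the if/else chain in au_strtopol() could share one static table of {name, flag} pairs, which would have made this mismatch impossible and keeps the two functions in step when flags are added. Minor: an empty string passed to au_strtopol() yields a single empty token from strsep() and fails with EINVAL; if an empty 'policy:' entry is meant to mean "no flags", handle that case explicitly.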
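Review bot: The getacdir() hunk of bsm_control.c (@@ -136,72 +339,54 @@) as shown removes both the `name == NULL` check (which returned -2 with errno EINVAL) and the `pthread_mutex_lock(&mutex)` at function entry, and the mail is truncated before their replacements appear. Whoever reviews the full diff should confirm that the lock is still taken before the static fields the new comment describes as "protected by 'mutex'" are touched, and that the NULL argument check survives or is documented as dropped.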