Date:      Tue, 11 Nov 2008 19:27:43 GMT
From:      "Christian S.J. Peron" <csjp@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 152814 for review
Message-ID:  <200811111927.mABJRhvG052649@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=152814

Change 152814 by csjp@hvm02 on 2008/11/11 19:27:31

	
	Add support for setting the audit kernel information.  This information
	will be used when setting the host information for extended header tokens.
	The audit_control file now supports a "host" parameter which can be used
	by the auditing daemon to set this information.  If this parameter is not
	used, OpenBSM will default to the use of regular (non-extended) header tokens.
	
	Reviewed by:	rwatson, (sson, wsalamon (older version))

Affected files ...

.. //depot/projects/trustedbsd/openbsm/NEWS#8 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#38 edit
.. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#35 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#15 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#30 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#23 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#71 edit
.. //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 edit
.. //depot/projects/trustedbsd/openbsm/sys/bsm/audit_internal.h#2 edit
.. //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#3 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/NEWS#8 (text+ko) ====

@@ -1,5 +1,11 @@
 OpenBSM Version History
 
+- Add support for setting the audit kernel information.  This information
+  will be used when setting the host information for extended header tokens.
+  The audit_control file now supports a "host" parameter which can be used
+  by the auditing daemon to set this information.  If this parameter is not
+  used, the OpenBSM will default to the use of regular tokens.
+
 OpenBSM 1.1 alpha 2
 
 - Include files in OpenBSM are now broken out into two parts: library builds
@@ -341,4 +347,4 @@
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#7 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#8 $

==== //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#38 (text+ko) ====

@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#37 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#38 $
  */
 
 #include <sys/types.h>
@@ -35,6 +35,8 @@
 
 #include <sys/dirent.h>
 #include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/param.h>
 #ifdef HAVE_FULL_QUEUE_H
 #include <sys/queue.h>
 #else /* !HAVE_FULL_QUEUE_H */
@@ -47,6 +49,8 @@
 #include <bsm/audit_uevents.h>
 #include <bsm/libbsm.h>
 
+#include <netinet/in.h>
+
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -58,6 +62,7 @@
 #include <signal.h>
 #include <string.h>
 #include <syslog.h>
+#include <netdb.h>
 
 #include "auditd.h"
 #ifdef USE_MACH_IPC
@@ -766,6 +771,69 @@
 	config_audit_controls();
 }
 
+static int
+config_audit_host(void)
+{
+	char hoststr[MAXHOSTNAMELEN];
+	struct sockaddr_in6 *sin6;
+	struct sockaddr_in *sin;
+	struct addrinfo *res;
+	struct auditinfo_addr aia;
+	int error;
+
+	if (getachost(hoststr, MAXHOSTNAMELEN) != 0) {
+		syslog(LOG_WARNING,
+		    "warning: failed to read 'host' param in control file");
+		/*
+		 * To maintain reverse compatability with older audit_control
+		 * files, simply drop a warning if the host parameter has not
+		 * been set.  However, we will explicitly disable the
+		 * generation of extended audit header by passing in a zeroed
+		 * termid structure.
+		 */
+		bzero(&aia, sizeof(aia));
+		aia.ai_termid.at_type = AU_IPv4;
+		error = auditon(A_SETKAUDIT, &aia, sizeof(aia));
+		if (error < 0 && errno == ENOSYS)
+			return (0);
+		else if (error < 0) {
+			syslog(LOG_ERR,
+			    "Failed to set audit host info");
+			return (-1);
+		}
+		return (0);
+	}
+	error = getaddrinfo(hoststr, NULL, NULL, &res);
+	if (error) {
+		syslog(LOG_ERR, "Failed to lookup hostname: %s",  hoststr);
+		return (-1);
+	}
+	switch (res->ai_family) {
+	case PF_INET6:
+		sin6 = (struct sockaddr_in6 *) res->ai_addr;
+		bcopy(&sin6->sin6_addr.s6_addr,
+		    &aia.ai_termid.at_addr[0], sizeof(struct in6_addr));
+		aia.ai_termid.at_type = AU_IPv6;
+		break;
+	case PF_INET:
+		sin = (struct sockaddr_in *) res->ai_addr;
+		bcopy(&sin->sin_addr.s_addr,
+		    &aia.ai_termid.at_addr[0], sizeof(struct in_addr));
+		aia.ai_termid.at_type = AU_IPv4;
+		break;
+	default:
+		syslog(LOG_ERR,
+		    "Un-supported address family in host parameter");
+		return (-1);
+	}
+	if (auditon(A_SETKAUDIT, &aia, sizeof(aia)) < 0) {
+		syslog(LOG_ERR,
+		    "auditon: failed to set audit host information");
+		return (-1);
+	}
+	return (0);
+}
+
 /*
  * Reap our children.
  */
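Review bot: In the lookup path `aia` is never zeroed before `auditon(A_SETKAUDIT, ...)`, so every field other than `at_type` and the copied address bytes (and, for IPv4, `at_addr[1..3]`) reaches the kernel uninitialized; the fallback path does `bzero(&aia, sizeof(aia))` but the success path does not. The `addrinfo` list returned by `getaddrinfo()` is also never released with `freeaddrinfo()`, leaking on every call, including the unsupported-family return. getachost() distinguishes "no host entry" (1) from a parse error or an over-long value (negative), but the `!= 0` test folds them into one warning, so a malformed `host` line silently disables extended headers instead of being reported; testing for `< 0` separately would surface it. Passing the lookup error through `gai_strerror()` would make the syslog line actionable.
```c
	error = getaddrinfo(hoststr, NULL, NULL, &res);
	if (error) {
		syslog(LOG_ERR, "Failed to lookup hostname %s: %s", hoststr,
		    gai_strerror(error));
		return (-1);
	}
	/* Start from a zeroed struct; the kernel receives every field. */
	bzero(&aia, sizeof(aia));
	switch (res->ai_family) {
	/* … unchanged: PF_INET6 and PF_INET cases … */
	default:
		syslog(LOG_ERR,
		    "Un-supported address family in host parameter");
		freeaddrinfo(res);
		return (-1);
	}
	freeaddrinfo(res);
	if (auditon(A_SETKAUDIT, &aia, sizeof(aia)) < 0) {
```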
@@ -995,7 +1063,7 @@
 	} else
 		syslog(LOG_ERR, "Failed to obtain filesz: %m");
 
-	return (0);
+	return (config_audit_host());
 }
 
 #ifdef USE_MACH_IPC
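Review bot: Returning `config_audit_host()` here turns a host lookup failure into a failure of the whole configuration routine, whereas this function previously returned 0 after merely logging problems (see the `filesz` branch just above). If the caller treats a non-zero return as fatal — not visible in this hunk, and the enclosing function starts outside it — a transient resolver error on a `host` entry (the case audit_control.5 in this change warns about) would abort auditd's configuration rather than degrade to regular headers. Either log and return 0 here, or state the intent in a comment: `/* Host lookup failure is fatal: extended headers were explicitly requested. */`.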

==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#35 (text+ko) ====

@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#34 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#35 $
  */
 
 #ifndef _LIBBSM_H_
@@ -82,6 +82,7 @@
 #define	FLAGS_CONTROL_ENTRY	"flags"
 #define	NA_CONTROL_ENTRY	"naflags"
 #define	POLICY_CONTROL_ENTRY	"policy"
+#define	AUDIT_HOST_CONTROL_ENTRY	"host"
 
 #define	AU_CLASS_NAME_MAX	8
 #define	AU_CLASS_DESC_MAX	72
@@ -764,6 +765,7 @@
 int			 getacflg(char *auditstr, int len);
 int			 getacna(char *auditstr, int len);
 int			 getacpol(char *auditstr, size_t len);
+int			 getachost(char *auditstr, size_t len);
 int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
 int			 getauditflagschar(char *auditstr, au_mask_t *masks,
 			    int verbose);

==== //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#15 (text+ko) ====

@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#14 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#15 $
 .\"
 .Dd April 19, 2005
 .Dt AU_TOKEN 3
@@ -72,6 +72,8 @@
 .Nm au_to_header ,
 .Nm au_to_header32 ,
 .Nm au_to_header64 ,
+.Nm au_to_header_ex ,
+.Nm au_to_header32_ex ,
 .Nm au_to_trailer ,
 .Nm au_to_zonename
 .Nd "routines for generating BSM audit tokens"
@@ -196,6 +198,10 @@
 .Ft "token_t *"
 .Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
 .Ft "token_t *"
+.Fn au_to_header_ex "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
+.Ft "token_t *"
+.Fn au_to_header32_ex "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
+.Ft "token_t *"
 .Fn au_to_trailer "int rec_size"
 .Ft "token_t *"
 .Fn au_to_zonename "const char *zonename"

==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#30 (text+ko) ====

@@ -30,7 +30,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#29 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#30 $
  */
 
 #include <sys/types.h>
@@ -45,6 +45,8 @@
 #include <bsm/audit_internal.h>
 #include <bsm/libbsm.h>
 
+#include <netinet/in.h>
+
 #include <errno.h>
 #include <pthread.h>
 #include <stdlib.h>
@@ -204,12 +206,51 @@
 au_assemble(au_record_t *rec, short event)
 {
 	token_t *header, *tok, *trailer;
-	size_t tot_rec_size;
+	size_t tot_rec_size, hdrsize;
 	u_char *dptr;
+	struct in6_addr *aptr;
 	int error;
+	struct auditinfo_addr aia;
+	struct timeval tm;
 
-	tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
-	header = au_to_header32(tot_rec_size, event, 0);
+	/*
+	 * Grab the size of the address family stored in the kernel's audit
+	 * state.
+	 */
+	aia.ai_termid.at_type = AU_IPv4;
+	aia.ai_termid.at_addr[0] = INADDR_ANY;
+	if (auditon(A_GETKAUDIT, &aia, sizeof(aia)) < 0) {
+		if (errno != ENOSYS)
+			return (-1);
+		tot_rec_size = rec->len + AUDIT_HEADER_SIZE +
+		    AUDIT_TRAILER_SIZE;
+		header = au_to_header(tot_rec_size, event, 0);
+	} else {
+		if (gettimeofday(&tm, NULL) < 0)
+			return (-1);
+		switch (aia.ai_termid.at_type) {
+		case AU_IPv4:
+			hdrsize = (aia.ai_termid.at_addr[0] == INADDR_ANY) ?
+			    AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&aia);
+			break;
+		case AU_IPv6:
+			aptr = (struct in6_addr *)&aia.ai_termid.at_addr[0];
+			hdrsize =
+			    (IN6_IS_ADDR_UNSPECIFIED(aptr)) ?
+			    AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&aia);
+			break;
+		}
+		tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
+		/*
+		 * A header size greater then AUDIT_HEADER_SIZE means
+		 * that we are using an extended header.
+		 */
+		if (hdrsize > AUDIT_HEADER_SIZE)
+			header = au_to_header32_ex_tm(tot_rec_size, event,
+			    0, tm, &aia);
+		else
+			header = au_to_header(tot_rec_size, event, 0);
+	}
 	if (header == NULL)
 		return (-1);
 
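Review bot: The `switch (aia.ai_termid.at_type)` has no `default:` case, so if the kernel reports an address type other than AU_IPv4 or AU_IPv6, `hdrsize` is read uninitialized on the `tot_rec_size` line and in the `hdrsize > AUDIT_HEADER_SIZE` test. Add `default: return (-1);` (or fall back with `hdrsize = AUDIT_HEADER_SIZE;`) and initialize `hdrsize` at its declaration so the compiler cannot warn either way. The `INADDR_ANY` pre-load of `at_addr[0]` is only observable when `auditon()` fails with ENOSYS, where it is not read, so it deserves a comment explaining the intent or can be dropped. au_assemble's body continues past the end of this hunk.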
@@ -285,7 +326,7 @@
 		goto cleanup;
 	}
 
-	tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
+	tot_rec_size = rec->len + MAX_AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
 
 	if (tot_rec_size > MAX_AUDIT_RECORD_SIZE) {
 		/*
@@ -335,7 +376,7 @@
 	}
 
 	retval = 0;
-	tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
+	tot_rec_size = rec->len + MAX_AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
 	if ((tot_rec_size > MAX_AUDIT_RECORD_SIZE) ||
 	    (tot_rec_size > *buflen)) {
 		/*

==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#23 (text+ko) ====

@@ -27,7 +27,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#22 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#23 $
  */
 
 #include <config/config.h>
@@ -519,3 +519,27 @@
 	pthread_mutex_unlock(&mutex);
 	return (0);
 }
+
+int
+getachost(char *auditstr, size_t len)
+{
+	char *str;
+
+	pthread_mutex_lock(&mutex);
+	setac_locked();
+	if (getstrfromtype_locked(AUDIT_HOST_CONTROL_ENTRY, &str) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+	if (str == NULL) {
+		pthread_mutex_unlock(&mutex);
+		return (1);
+	}
+	if (strlen(str) >= len) {
+		pthread_mutex_unlock(&mutex);
+		return (-3);
+	}
+	strcpy(auditstr, str);
+	pthread_mutex_unlock(&mutex);
+	return (0);
+}
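Review bot: The return convention (0 on success, 1 when no `host` entry is present, -2 on a control-file parse error, -3 when the value does not fit) is not documented anywhere in this hunk, and the one caller in this change treats every non-zero value alike, so a comment above the function would help: `/* Returns 0 and fills auditstr on success, 1 if no "host" entry exists, -2 if the control file cannot be parsed, -3 if the value does not fit in len bytes (including the NUL). */`. The `strlen(str) >= len` guard before `strcpy()` is correct as written; `strlcpy()` would express the same bound in one call if the file already uses it elsewhere.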

==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#71 (text+ko) ====

@@ -30,7 +30,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#70 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#71 $
  */
 
 #include <sys/types.h>
@@ -1321,6 +1321,53 @@
 	return (t);
 }
 
+/*
+ * token ID                1 byte
+ * record byte count       4 bytes
+ * version #               1 byte    [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * address type/length     4 bytes
+ * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ */
+token_t *
+au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+    struct timeval tm, struct auditinfo_addr *aia)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int32_t timems, hostid;
+	au_tid_addr_t *tid = &aia->ai_termid;
+
+	if (tid->at_type != AU_IPv4 && tid->at_type != AU_IPv6)
+		return (NULL);
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
+	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
+	    sizeof(u_int32_t) + tid->at_type);
+	if (t == NULL) 
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_HEADER32_EX);
+	ADD_U_INT32(dptr, rec_size);
+	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
+	ADD_U_INT16(dptr, e_type);
+	ADD_U_INT16(dptr, e_mod);
+
+	ADD_U_INT32(dptr, tid->at_type);
+	if (tid->at_type == AU_IPv6)
+		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
+	else
+		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
+	timems = tm.tv_usec/1000;
+	/* Add the timestamp */
+	ADD_U_INT32(dptr, tm.tv_sec);
+	ADD_U_INT32(dptr, timems);      /* We need time in ms. */
+
+	return (t);   
+}
+
 token_t *
 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
     struct timeval tm)
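Review bot: `hostid` is declared but never used, and the block comment above describes 8-byte seconds/milliseconds fields for a 64-bit variant while this function only ever emits 32-bit values via `ADD_U_INT32`; drop the variable and trim the comment to `seconds of time 4 bytes` / `milliseconds of time 4 bytes`. The `GET_TOKEN_AREA` size relies on `at_type` being equal to the address length (AU_IPv4 == 4, AU_IPv6 == 16), the same assumption `AUDIT_HEADER_EX_SIZE` in audit_internal.h makes; a one-line comment there would help the next reader: `/* at_type doubles as the address length: 4 for IPv4, 16 for IPv6. */`. The `if (t == NULL) ` and `return (t);   ` lines carry trailing whitespace.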
@@ -1350,6 +1397,22 @@
 
 #if !defined(KERNEL) && !defined(_KERNEL)
 token_t *
+au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+	struct timeval tm;
+	struct auditinfo_addr aia;
+
+	if (gettimeofday(&tm, NULL) == -1)
+		return (NULL);
+	if (auditon(A_GETKAUDIT, &aia, sizeof(aia)) < 0) {
+		if (errno != ENOSYS)
+			return (NULL);
+		return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
+	}
+	return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
+}
+
+token_t *
 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
 {
 	struct timeval tm;
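Review bot: When the kernel's configured address is unspecified — which is exactly what auditd writes when `host` is absent (AU_IPv4 with a zeroed `at_addr`) — this function still emits an AUT_HEADER32_EX token carrying 0.0.0.0, while `au_assemble()` in bsm_audit.c in this same change falls back to a regular header in that case. The two entry points should agree: check `at_addr[0] == INADDR_ANY` (IPv4) and `IN6_IS_ADDR_UNSPECIFIED` (IPv6) before calling `au_to_header32_ex_tm()` and return `au_to_header32_tm()` instead, as below (bsm_token.c would need `<netinet/in.h>` for the IPv6 macro if it does not already include it). An unknown `at_type` currently surfaces only as a NULL from `au_to_header32_ex_tm()`; making that explicit with a `default:` is clearer.
```c
	if (auditon(A_GETKAUDIT, &aia, sizeof(aia)) < 0) {
		if (errno != ENOSYS)
			return (NULL);
		return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
	}
	/* No host configured: emit a regular header, as au_assemble() does. */
	switch (aia.ai_termid.at_type) {
	case AU_IPv4:
		if (aia.ai_termid.at_addr[0] == INADDR_ANY)
			return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
		break;
	case AU_IPv6:
		if (IN6_IS_ADDR_UNSPECIFIED(
		    (struct in6_addr *)&aia.ai_termid.at_addr[0]))
			return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
		break;
	default:
		return (NULL);
	}
	return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
```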
@@ -1376,6 +1439,13 @@
 
 	return (au_to_header32(rec_size, e_type, e_mod));
 }
+
+token_t *
+au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+
+	return (au_to_header32_ex(rec_size, e_type, e_mod));
+}
 #endif
 
 /*

==== //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 (text+ko) ====

@@ -26,7 +26,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#19 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
 .\"
 .Dd January 4, 2006
 .Dt AUDIT_CONTROL 5
@@ -57,6 +57,18 @@
 .Xr audit_user 5
 describes how to audit events for individual users.
 See the information below for the format of the audit flags.
+.It Va host
+Specify the hostname or IP address to be used when setting the local
+systems's audit host information.
+This hostname will be converted into an IP or IPv6 address and will
+be included in the header of each audit record.
+Due to the possibility of transient errors coupled with the
+security issues in the DNS protocol itself, the use of DNS
+should be avoided.
+Instead, it is strongly recommended that the hostname be
+specified in the /etc/hosts file.
+For more information see
+.Xr hosts 5 .
 .It Va naflags
 Contains the audit flags that define what classes of events are audited when
 an action cannot be attributed to a specific user.

==== //depot/projects/trustedbsd/openbsm/sys/bsm/audit_internal.h#2 (text+ko) ====

@@ -30,7 +30,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_internal.h#1 $
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_internal.h#2 $
  */
 
 #ifndef _AUDIT_INTERNAL_H
@@ -71,7 +71,9 @@
  * token structures may contain pointers of whose contents we do not know the
  * size (e.g text tokens).
  */
+#define	AUDIT_HEADER_EX_SIZE(a)	((a)->ai_termid.at_type+18+sizeof(u_int32_t))
 #define	AUDIT_HEADER_SIZE	18
+#define	MAX_AUDIT_HEADER_SIZE	(5*sizeof(u_int32_t)+18)
 #define	AUDIT_TRAILER_SIZE	7
 
 /*
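Review bot: `AUDIT_HEADER_EX_SIZE(a)` encodes the extended header layout as `at_type + 18 + sizeof(u_int32_t)` with no explanation: the 18 is the fixed part of the 32-bit header (token ID, record length, version, event type, event modifier, seconds, milliseconds), the `sizeof(u_int32_t)` is the address type/length field, and `at_type` stands in for the address length because AU_IPv4 == 4 and AU_IPv6 == 16. A comment above the macro stating that, and noting that `MAX_AUDIT_HEADER_SIZE` is the IPv6 case (16 + 18 + 4 = 38) used by the size pre-checks in bsm_audit.c, would keep the three constants from drifting apart. If `at_type` is a signed integer field, a `(size_t)` cast on it would also make the macro's result type explicit.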

==== //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#3 (text+ko) ====

@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#2 $
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#3 $
  */
 
 #ifndef _BSM_AUDIT_RECORD_H_
@@ -199,10 +199,13 @@
 
 token_t	*au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
 	    struct timeval tm);
+token_t	*au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+	    struct timeval tm, struct auditinfo_addr *aia);
 token_t	*au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
 	    struct timeval tm);
 #if !defined(KERNEL) && !defined(_KERNEL)
 token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t	*au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod);
 token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
 token_t	*au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
 #endif


