Date:      Mon, 24 Apr 2006 19:53:06 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 96009 for review
Message-ID:  <200604241953.k3OJr6av077278@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=96009

Change 96009 by rwatson@rwatson_peppercorn on 2006/04/24 19:52:33

	Integrate trustedbsd_openbsm into trustedbsd_audit3:
	
	- au_close() arguments are now named constants
	- Man page for au_open() and friends.
	- AUR_* now broadened.
	- au_close_token() to produce a single token in memory.
	- au_to_file() accepts timeval.
	- au_to_header32_tm() accepts timeval.  Don't use time zone.
	- Don't reorder bytes for arguments to process/subject tokens.
	- IPs and ports assumed to be passed and returned in network byte
	  order.
	- OpenBSM test framework beginnings.
	- auditd assigns more appropriate syslog levels/facilities.
	- Audit filter API, dummy module, auditeventd.
	- audit_submit().

Affected files ...

.. //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile.am#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile.in#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/README#12 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#8 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile.am#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile.in#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#9 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/Makefile.am#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/Makefile.in#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.8#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.c#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.h#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd_conf.c#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile.am#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile.in#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_filter.h#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_record.h#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#10 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/config/config.guess#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/config/config.h.in#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/config/config.sub#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/config/depcomp#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/config/install-sh#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/config/ltmain.sh#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/config/missing#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_filter#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/Makefile.am#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/Makefile.in#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_open.3#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_token.3#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/audit_submit.3#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_audit.c#11 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_io.c#13 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_token.c#14 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_wrappers.c#11 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/modules/Makefile.am#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/modules/Makefile.in#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/modules/auditfilter_noop/Makefile.am#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/modules/auditfilter_noop/Makefile.in#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/modules/auditfilter_noop/auditfilter_noop.c#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/Makefile.am#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/Makefile.in#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/bsm/Makefile.am#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/bsm/Makefile.in#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/bsm/generate.c#1 branch

Differences ...

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#3 (text+ko) ====

@@ -1,3 +1,44 @@
+OpenBSM 1.0 alpha 6
+
+- Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to au_close();
+  previously we used hard-coded 0 and 1 values.
+- Add man page for au_open(), au_write(), au_close(), and
+  au_close_buffer().
+- Support a more complete range of data types for the arbitrary data token:
+  add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32 (alias
+  to AUR_INT), add AUR_INT64.
+- Add au_close_token(), which allows writing a single token_t to a memory
+  buffer.  Not likely to be used much by applications, but useful for
+  writing test tools.
+- Modify au_to_file() so that it accepts a timeval in user space, not just
+  kernel -- this is not a Solaris BSM API so can be modified without
+  causing compatibility issues.
+- Define a new API, au_to_header32_tm(), which adds a struct timeval
+  argument to the ordinary au_to_header32(), which is now implemented by
+  wrapping au_to_header32_tm() and calling gettimeofday().  #ifndef KERNEL
+  the APIs that invoke gettimeofday(), rather than having a variable
+  definition.  Don't try to retrieve time zone information using
+  gettimeofday(), as it's not needed, and introduces possible failure
+  modes.
+- Don't perform byte order transformations on the addr/machine fields of
+  the terminal ID that appears in the process32/subject32 tokens.  These
+  are assumed to be IP addresses, and as such, to be in network byte
+  order.
+- Universally, APIs now assume that IP addresses and ports are provided
+  in network byte order.  APIs now generally provide these types in
+  network byte order when decoding.
+- Beginnings of an OpenBSM test framework can now be found in openbsm/test.
+  This code is not built or installed by default.
+- auditd now assigns more appropriate syslog levels to its debugging and
+  error information.
+- Support for audit filters introduced: audit filters are dynamically
+  loaded shared objects that run in the context of a new daemon,
+  auditfilterd.  The daemon reads from an audit pipe and feeds both BSM and
+  parsed versions of records to shared objects using a module API.  This
+  will provide a framework for the writing of intrusion detection services.
+- New utility API, audit_submit(), added to capture common elements of audit
+  record submission for many applications.
+
 OpenBSM 1.0 alpha 5
 
 - Update install notes to indicate /etc files are to be installed manually.
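Review bot: the au_to_header32_tm() entry contains a sentence fragment, "#ifndef KERNEL the APIs that invoke gettimeofday(), rather than having a variable definition." Suggest "Declare the APIs that invoke gettimeofday() only #ifndef KERNEL, rather than having a variable definition." so the release notes read as a complete statement.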
@@ -124,4 +165,4 @@
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#2 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#3 $

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile.am#3 (text+ko) ====

@@ -1,12 +1,13 @@
 #
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile.am#2 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile.am#3 $
 #
 
 SUBDIRS =		\
 	bsm		\
 	libbsm		\
 	bin		\
-	man
+	man		\
+	modules
 
 EXTRA_DIST =		\
 	CHANGELOG	\

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile.in#3 (text+ko) ====

@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile.in#2 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile.in#3 $
 #
 srcdir = @srcdir@
 top_srcdir = @top_srcdir@
@@ -181,7 +181,8 @@
 	bsm		\
 	libbsm		\
 	bin		\
-	man
+	man		\
+	modules
 
 EXTRA_DIST = \
 	CHANGELOG	\

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/README#12 (text+ko) ====

@@ -27,7 +27,7 @@
 
 OpenBSM is currently built using autoconf and automake, which should allow
 for building on a range of operating systems, including FreeBSD, Mac OS X,
-and Linux.  Depending on the availability of audit facailities in the
+and Linux.  Depending on the availability of audit facilities in the
 underlying operating system, some components that depend on kernel audit
 support are built conditionally.  Typically, build will be performed using
 
@@ -95,4 +95,4 @@
 
     http://www.TrustedBSD.org/
 
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/README#11 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/README#12 $

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#8 (text+ko) ====

@@ -13,5 +13,9 @@
 - It might be desirable to be able to provide EOPNOTSUPP system call stubs
   on systems that don't have the necessary audit system calls; that would
   allow the full libbsm and tool set to build, just not run.
+- Teach praudit how to begin printing at any point in a token stream, not
+  just at the beginning of a record.  This will make it easier to use
+  praudit in test suites processing single-token files without header and
+  trailer context.
 
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#7 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#8 $

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#6 (text+ko) ====

@@ -1,1 +1,1 @@
-OPENBSM_1_0_ALPHA_3
+OPENBSM_1_0_ALPHA_6

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile.am#3 (text+ko) ====

@@ -1,8 +1,9 @@
 #
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile.am#2 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile.am#3 $
 #
 
 SUBDIRS =		\
+	auditfilterd	\
 	auditreduce	\
 	praudit
 

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile.in#3 (text+ko) ====

@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile.in#2 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile.in#3 $
 #
 srcdir = @srcdir@
 top_srcdir = @top_srcdir@
@@ -62,7 +62,7 @@
 	uninstall-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = auditreduce praudit audit auditd
+DIST_SUBDIRS = auditfilterd auditreduce praudit audit auditd
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMDEP_FALSE = @AMDEP_FALSE@
@@ -165,7 +165,7 @@
 sharedstatedir = @sharedstatedir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUBDIRS = auditreduce praudit $(am__append_1)
+SUBDIRS = auditfilterd auditreduce praudit $(am__append_1)
 all: all-recursive
 
 .SUFFIXES:

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#9 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#8 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#9 $
  */
 
 #include <sys/types.h>
@@ -44,6 +44,7 @@
 #include <bsm/audit_uevents.h>
 #include <bsm/libbsm.h>
 
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -63,6 +64,7 @@
 static char	*lastfile = NULL;
 static int	 allhardcount = 0;
 static int	 triggerfd = 0;
+static int	 sigchlds, sigchlds_handled;
 static int	 sighups, sighups_handled;
 static int	 sigterms, sigterms_handled;
 static long	 global_flags;
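Review bot: `sigchlds` is incremented from the signal handler and polled in the main loop, yet it (and the existing sighups/sigterms counters) is a plain `static int`; declare the handler-written counters `volatile sig_atomic_t` so the compiler cannot cache them across the blocking read() on triggerfd.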
@@ -127,7 +129,7 @@
 	const char *sep = "/";
 
 	curdir = dirent->dirname;
-	syslog(LOG_INFO, "dir = %s\n", dirent->dirname);
+	syslog(LOG_DEBUG, "dir = %s", dirent->dirname);
 
 	fn = malloc(strlen(curdir) + strlen(sep) + (2 * POSTFIX_LEN) + 1);
 	if (fn == NULL)
@@ -158,10 +160,10 @@
 			*ptr = '.';
 			strcpy(ptr+1, TS);
 			if (rename(oldname, lastfile) != 0)
-				syslog(LOG_ERR, "Could not rename %s to %s \n",
+				syslog(LOG_ERR, "Could not rename %s to %s",
 				    oldname, lastfile);
 			else
-				syslog(LOG_INFO, "renamed %s to %s \n",
+				syslog(LOG_INFO, "renamed %s to %s",
 				    oldname, lastfile);
 		}
 		free(lastfile);
@@ -241,7 +243,7 @@
 	/* Try until we succeed. */
 	while ((dirent = TAILQ_FIRST(&dir_q))) {
 		if ((fn = affixdir(timestr, dirent)) == NULL) {
-			syslog(LOG_INFO, "Failed to swap log  at time %s\n",
+			syslog(LOG_INFO, "Failed to swap log at time %s",
 				timestr);
 			return (-1);
 		}
@@ -250,7 +252,7 @@
 		 * Create and open the file; then close and pass to the
 		 * kernel if all went well.
 		 */
-		syslog(LOG_INFO, "New audit file is %s\n", fn);
+		syslog(LOG_INFO, "New audit file is %s", fn);
 #ifdef AUDIT_REVIEW_GROUP
 		fd = open_trail(fn, uid, gid);
 #else
@@ -262,7 +264,7 @@
 			error = auditctl(fn);
 			if (error) {
 				syslog(LOG_ERR,
-				    "auditctl failed setting log file! : %s\n",
+				    "auditctl failed setting log file! : %s",
 				    strerror(errno));
 				close(fd);
 			} else {
@@ -284,7 +286,7 @@
 		free(dirent->dirname);
 		free(dirent);
 	}
-	syslog(LOG_INFO, "Log directories exhausted\n");
+	syslog(LOG_ERR, "Log directories exhausted\n");
 	return (-1);
 }
 
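Review bot: `syslog(LOG_ERR, "Log directories exhausted\n");` keeps the trailing `\n` that the rest of this change strips from syslog messages; drop it here for consistency.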
@@ -326,7 +328,7 @@
 
 	allhardcount = 0;
 	if (swap_audit_file() == -1) {
-		syslog(LOG_ERR, "Could not swap audit file\n");
+		syslog(LOG_ERR, "Could not swap audit file");
 		/*
 		 * XXX Faulty directory listing? - user should be given
 		 * XXX an opportunity to change the audit_control file
@@ -341,16 +343,16 @@
 	 * XXX is generated here?
 	 */
 	if (0 == (ret = getacmin(&minval))) {
-		syslog(LOG_INFO, "min free = %d\n", minval);
+		syslog(LOG_DEBUG, "min free = %d\n", minval);
 		if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
 			syslog(LOG_ERR,
-			    "could not get audit queue settings\n");
+			    "could not get audit queue settings");
 				return (-1);
 		}
 		qctrl.aq_minfree = minval;
 		if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
 			syslog(LOG_ERR,
-			    "could not set audit queue settings\n");
+			    "could not set audit queue settings");
 			return (-1);
 		}
 	}
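Review bot: same inconsistency at `syslog(LOG_DEBUG, "min free = %d\n", minval);`, which retains the trailing `\n` that the surrounding lines remove.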
@@ -372,20 +374,20 @@
 
 	/* Generate an audit record. */
 	if ((aufd = au_open()) == -1)
-		syslog(LOG_ERR, "Could not create audit shutdown event.\n");
+		syslog(LOG_ERR, "Could not create audit shutdown event.");
 	else {
 		if ((tok = au_to_text("auditd::Audit shutdown")) != NULL)
 			au_write(aufd, tok);
 		if (au_close(aufd, 1, AUE_audit_shutdown) == -1)
 			syslog(LOG_ERR,
-			    "Could not close audit shutdown event.\n");
+			    "Could not close audit shutdown event.");
 	}
 
 	/* Flush contents. */
 	cond = AUC_DISABLED;
 	err_ret = auditon(A_SETCOND, &cond, sizeof(cond));
 	if (err_ret != 0) {
-		syslog(LOG_ERR, "Disabling audit failed! : %s\n",
+		syslog(LOG_ERR, "Disabling audit failed! : %s",
 		    strerror(errno));
 		err_ret = 1;
 	}
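Review bot: `au_close(aufd, 1, AUE_audit_shutdown)` in the retained context still passes a literal 1 for the 'keep' argument, while the HISTORY entry in this change states that AU_TO_WRITE and AU_NO_TO_WRITE replace the hard-coded 0 and 1; use AU_TO_WRITE here.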
@@ -396,15 +398,15 @@
 
 	free_dir_q();
 	if ((remove(AUDITD_PIDFILE) == -1) || err_ret) {
-		syslog(LOG_ERR, "Could not unregister\n");
+		syslog(LOG_ERR, "Could not unregister");
 		audit_warn_postsigterm();
 		return (1);
 	}
 	endac();
 
 	if (close(triggerfd) != 0)
-		syslog(LOG_ERR, "Error closing control file\n");
-	syslog(LOG_INFO, "Finished.\n");
+		syslog(LOG_ERR, "Error closing control file");
+	syslog(LOG_INFO, "Finished");
 	return (0);
 }
 
@@ -422,6 +424,8 @@
 		sighups++;
 	if (signal == SIGTERM)
 		sigterms++;
+	if (signal == SIGCHLD)
+		sigchlds++;
 }
 
 /*
@@ -437,23 +441,22 @@
 	/* Set up the signal hander. */
 	if (signal(SIGTERM, relay_signal) == SIG_ERR) {
 		syslog(LOG_ERR,
-		    "Could not set signal handler for SIGTERM\n");
+		    "Could not set signal handler for SIGTERM");
 		fail_exit();
 	}
 	if (signal(SIGCHLD, relay_signal) == SIG_ERR) {
 		syslog(LOG_ERR,
-		    "Could not set signal handler for SIGCHLD\n");
+		    "Could not set signal handler for SIGCHLD");
 		fail_exit();
 	}
 	if (signal(SIGHUP, relay_signal) == SIG_ERR) {
 		syslog(LOG_ERR,
-		    "Could not set signal handler for SIGHUP\n");
+		    "Could not set signal handler for SIGHUP");
 		fail_exit();
 	}
 
 	if ((pidfile = fopen(AUDITD_PIDFILE, "a")) == NULL) {
-		syslog(LOG_ERR,
-		    "Could not open PID file\n");
+		syslog(LOG_ERR, "Could not open PID file");
 		audit_warn_tmpfile();
 		return (-1);
 	}
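Review bot: the comment "Set up the signal hander." in the leading context should read "handler"; worth fixing while this block is being reformatted.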
@@ -462,7 +465,7 @@
 	fd = fileno(pidfile);
 	if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
 		syslog(LOG_ERR,
-		    "PID file is locked (is another auditd running?).\n");
+		    "PID file is locked (is another auditd running?).");
 		audit_warn_ebusy();
 		return (-1);
 	}
@@ -490,7 +493,6 @@
 	static int last_trigger;
 	static time_t last_time;
 	struct dir_ent *dirent;
-	int rc;
 
 	/*
 	 * Suppres duplicate messages from the kernel within the specified
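Review bot: dropping the unused `int rc;` is right; the comment in the trailing context reads "Suppres" and should be "Suppress".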
@@ -516,7 +518,7 @@
 	switch(trigger) {
 
 	case AUDIT_TRIGGER_LOW_SPACE:
-		syslog(LOG_INFO, "Got low space trigger\n");
+		syslog(LOG_INFO, "Got low space trigger");
 		if (dirent && (dirent->softlim != 1)) {
 			TAILQ_REMOVE(&dir_q, dirent, dirs);
 				/* Add this node to the end of the list. */
@@ -526,7 +528,7 @@
 
 			if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL &&
 			    swap_audit_file() == -1)
-				syslog(LOG_ERR, "Error swapping audit file\n");
+				syslog(LOG_ERR, "Error swapping audit file");
 
 			/*
 			 * Check if the next dir has already reached its soft
@@ -548,7 +550,7 @@
 		break;
 
 	case AUDIT_TRIGGER_NO_SPACE:
-		syslog(LOG_INFO, "Got no space trigger\n");
+		syslog(LOG_INFO, "Got no space trigger");
 
 		/* Delete current dir, go on to next. */
 		TAILQ_REMOVE(&dir_q, dirent, dirs);
@@ -557,7 +559,7 @@
 		free(dirent);
 
 		if (swap_audit_file() == -1)
-			syslog(LOG_ERR, "Error swapping audit file\n");
+			syslog(LOG_ERR, "Error swapping audit file");
 
 		/* We are out of log directories. */
 		audit_warn_allhard(++allhardcount);
@@ -568,21 +570,21 @@
 		 * Create a new file and swap with the one being used in
 		 * kernel
 		 */
-		syslog(LOG_INFO, "Got open new trigger\n");
+		syslog(LOG_INFO, "Got open new trigger");
 		if (swap_audit_file() == -1)
-			syslog(LOG_ERR, "Error swapping audit file\n");
+			syslog(LOG_ERR, "Error swapping audit file");
 		break;
 
 	case AUDIT_TRIGGER_READ_FILE:
-		syslog(LOG_INFO, "Got read file trigger\n");
+		syslog(LOG_INFO, "Got read file trigger");
 		if (read_control_file() == -1)
-			syslog(LOG_ERR, "Error in audit control file\n");
+			syslog(LOG_ERR, "Error in audit control file");
 		if (config_audit_controls() == -1)
-			syslog(LOG_ERR, "Error setting audit controls\n");
+			syslog(LOG_ERR, "Error setting audit controls");
 		break;
 
 	default:
-		syslog(LOG_ERR, "Got unknown trigger %d\n", trigger);
+		syslog(LOG_ERR, "Got unknown trigger %d", trigger);
 		break;
 	}
 }
@@ -596,10 +598,38 @@
 }
 
 /*
- * Read the control file for triggers and handle appropriately.
+ * Reap our children.
+ */
+static void
+reap_children(void)
+{
+	pid_t child;
+	int wstatus;
+
+	while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) {
+		if (!wstatus)
+			continue;
+		syslog(LOG_INFO, "warn process [pid=%d] %s %d.", child,
+		    ((WIFEXITED(wstatus)) ? "exited with non-zero status" :
+		    "exited as a result of signal"),
+		    ((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) :
+		    WTERMSIG(wstatus)));
+	}
+}
+
+static void
+handle_sigchld(void)
+{
+
+	sigchlds_handled = sigchlds;
+	reap_children();
+}
+
+/*
+ * Read the control file for triggers/signals and handle appropriately.
  */
 static int
-wait_for_triggers(void)
+wait_for_events(void)
 {
 	int num;
 	unsigned int trigger;
@@ -607,24 +637,28 @@
 	for (;;) {
 		num = read(triggerfd, &trigger, sizeof(trigger));
 		if ((num == -1) && (errno != EINTR)) {
-			syslog(LOG_ERR, "%s: error %d\n", __FUNCTION__, errno);
+			syslog(LOG_ERR, "%s: error %d", __FUNCTION__, errno);
 			return (-1);
 		}
 		if (sigterms != sigterms_handled) {
-			syslog(LOG_INFO, "%s: SIGTERM", __FUNCTION__);
+			syslog(LOG_DEBUG, "%s: SIGTERM", __FUNCTION__);
 			break;
 		}
+		if (sigchlds != sigchlds_handled) {
+			syslog(LOG_DEBUG, "%s: SIGCHLD", __FUNCTION__);
+			handle_sigchld();
+		}
 		if (sighups != sighups_handled) {
-			syslog(LOG_INFO, "%s: SIGHUP", __FUNCTION__);
+			syslog(LOG_DEBUG, "%s: SIGHUP", __FUNCTION__);
 			handle_sighup();
 		}
 		if ((num == -1) && (errno == EINTR))
 			continue;
 		if (num == 0) {
-			syslog(LOG_INFO, "%s: read EOF\n", __FUNCTION__);
+			syslog(LOG_ERR, "%s: read EOF", __FUNCTION__);
 			return (-1);
 		}
-		syslog(LOG_INFO, "%s: read %d\n", __FUNCTION__, trigger);
+		syslog(LOG_DEBUG, "%s: read %d", __FUNCTION__, trigger);
 		if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE)
 			break;
 		else
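Review bot: the test `if ((num == -1) && (errno == EINTR))` runs after handle_sigchld() and handle_sighup() may have been called, and both reach syslog(3) (and waitpid(2) in reap_children()), either of which can overwrite errno; save errno into a local immediately after the read() and test the saved copy.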
@@ -634,26 +668,6 @@
 }
 
 /*
- * Reap our children.
- */
-static void
-reap_children(void)
-{
-	pid_t child;
-	int wstatus;
-
-	while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) {
-		if (!wstatus)
-			continue;
-		syslog(LOG_INFO, "warn process [pid=%d] %s %d.\n", child,
-		    ((WIFEXITED(wstatus)) ? "exited with non-zero status" :
-		    "exited as a result of signal"),
-		    ((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) :
-		    WTERMSIG(wstatus)));
-	}
-}
-
-/*
  * Configure the audit controls in the kernel: the event to class mapping,
  * kernel preselection mask, etc.
  */
@@ -700,7 +714,7 @@
 	if (ctr == 0)
 		syslog(LOG_ERR, "No events to class mappings registered.");
 	else
-		syslog(LOG_INFO, "Registered %d event to class mappings.",
+		syslog(LOG_DEBUG, "Registered %d event to class mappings.",
 		    ctr);
 
 	/*
@@ -713,7 +727,7 @@
 			syslog(LOG_ERR,
 			    "Failed to register non-attributable event mask.");
 		else
-			syslog(LOG_INFO,
+			syslog(LOG_DEBUG,
 			    "Registered non-attributable event mask.");
 	} else
 		syslog(LOG_ERR,
@@ -731,35 +745,53 @@
 static void
 setup(void)
 {
+	auditinfo_t auinfo;
 	int aufd;
 	token_t *tok;
 
 	if ((triggerfd = open(AUDIT_TRIGGER_FILE, O_RDONLY, 0)) < 0) {
-		syslog(LOG_ERR, "Error opening trigger file\n");
+		syslog(LOG_ERR, "Error opening trigger file");
+		fail_exit();
+	}
+
+	/*
+	 * To provide event feedback cycles and avoid auditd becoming
+	 * stalled if auditing is suspended, auditd and its children run
+	 * without their events being audited.  We allow the uid, tid, and
+	 * mask fields to be implicitly set to zero, but do set the pid.  We
+	 * run this after opening the trigger device to avoid configuring
+	 * audit state without audit present in the system.
+	 *
+	 * XXXRW: Is there more to it than this?
+	 */
+	bzero(&auinfo, sizeof(auinfo));
+	auinfo.ai_asid = getpid();
+	if (setaudit(&auinfo) == -1) {
+		syslog(LOG_ERR, "Error setting audit stat");
 		fail_exit();
 	}
 
 	TAILQ_INIT(&dir_q);
 	if (read_control_file() == -1) {
-		syslog(LOG_ERR, "Error reading control file\n");
+		syslog(LOG_ERR, "Error reading control file");
 		fail_exit();
 	}
 
 	/* Generate an audit record. */
 	if ((aufd = au_open()) == -1)
-		syslog(LOG_ERR, "Could not create audit startup event.\n");
+		syslog(LOG_ERR, "Could not create audit startup event.");
 	else {
 		if ((tok = au_to_text("auditd::Audit startup")) != NULL)
 			au_write(aufd, tok);
 		if (au_close(aufd, 1, AUE_audit_startup) == -1)
 			syslog(LOG_ERR,
-			    "Could not close audit startup event.\n");
+			    "Could not close audit startup event.");
 	}
 
 	if (config_audit_controls() == 0)
-		syslog(LOG_INFO, "Audit controls init successful\n");
+		syslog(LOG_INFO, "Audit controls init successful");
 	else
-		syslog(LOG_INFO, "Audit controls init failed\n");
+		syslog(LOG_ERR, "Audit controls init failed");
 }
 
 int
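Review bot: the new comment says "do set the pid", but the code sets `auinfo.ai_asid = getpid();`, the audit session id; either the comment should say session id or the intent should be spelled out, since the XXXRW note already flags uncertainty. Also "Error setting audit stat" looks like a truncated "audit state", and `au_close(aufd, 1, AUE_audit_startup)` in the retained context still uses a literal 1 where this change's HISTORY entry says AU_TO_WRITE should be used.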
@@ -800,22 +832,22 @@
 #else
 	openlog("auditd", LOG_CONS | LOG_PID, LOG_AUTH);
 #endif
-	syslog(LOG_INFO, "starting...\n");
+	syslog(LOG_INFO, "starting...");
 
 	if (debug == 0 && daemon(0, 0) == -1) {
-		syslog(LOG_ERR, "Failed to daemonize\n");
+		syslog(LOG_ERR, "Failed to daemonize");
 		exit(1);
 	}
 
 	if (register_daemon() == -1) {
-		syslog(LOG_ERR, "Could not register as daemon\n");
+		syslog(LOG_ERR, "Could not register as daemon");
 		exit(1);
 	}
 
 	setup();
 
-	rc = wait_for_triggers();
-	syslog(LOG_INFO, "auditd exiting.\n");
+	rc = wait_for_events();
+	syslog(LOG_INFO, "auditd exiting.");
 
 	exit(rc);
 }

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#7 (text+ko) ====

@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#6 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#7 $
  */
 
 /* 
@@ -42,11 +42,12 @@
 
 #include <bsm/libbsm.h>
 
+#include <err.h>
+#include <grp.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <sysexits.h>
-#include <grp.h>
-#include <pwd.h>
 #include <string.h>
 #include <time.h>
 #include <unistd.h>

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile.am#3 (text+ko) ====

@@ -1,11 +1,12 @@
 #
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile.am#2 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile.am#3 $
 #
 
 openbsmdir = $(includedir)/bsm
 
 openbsm_HEADERS =		\
 	audit.h			\
+	audit_filter.h		\
 	audit_internal.h	\
 	audit_kevents.h		\
 	audit_record.h		\

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile.in#3 (text+ko) ====

@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile.in#2 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile.in#3 $
 #
 
 srcdir = @srcdir@
@@ -168,6 +168,7 @@
 openbsmdir = $(includedir)/bsm
 openbsm_HEADERS = \
 	audit.h			\
+	audit_filter.h		\
 	audit_internal.h	\
 	audit_kevents.h		\
 	audit_record.h		\

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_record.h#7 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_record.h#6 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_record.h#7 $
  */
 
 #ifndef _BSM_AUDIT_RECORD_H_
@@ -187,13 +187,19 @@
 
 /* data-types for the arbitrary token */
 #define AUR_BYTE        0
+#define AUR_CHAR        AUR_BYTE
 #define AUR_SHORT       1
-#define AUR_LONG        2
+#define AUR_INT32       2
+#define AUR_INT         AUR_INT
+#define AUR_INT64       3
 
 /* ... and their sizes */
 #define AUR_BYTE_SIZE       sizeof(u_char)
+#define AUR_CHAR_SIZE       AUR_BYTE_SIZE
 #define AUR_SHORT_SIZE      sizeof(uint16_t)
-#define AUR_LONG_SIZE       sizeof(uint32_t)
+#define AUR_INT32_SIZE      sizeof(uint32_t)
+#define AUR_INT_SIZE        AUR_INT32_SIZE
+#define AUR_INT64_SIZE      sizeof(uint64_t)
 
 /* Modifiers for the header token */
 #define PAD_NOTATTR  0x4000   /* nonattributable event */
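Review bot: `#define AUR_INT AUR_INT` is self-referential, so AUR_INT expands to an undeclared identifier and any use of it fails to compile; it should be `#define AUR_INT AUR_INT32`, matching `#define AUR_INT_SIZE AUR_INT32_SIZE` below and the HISTORY entry that describes AUR_INT32 as an alias of AUR_INT.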
@@ -230,24 +236,18 @@
 int	 au_write(int d, token_t *m);
 int	 au_close(int d, int keep, short event);
 int	 au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
+int	 au_close_token(token_t *tok, u_char *buffer, size_t *buflen);
 
-#if defined(KERNEL) || defined(_KERNEL)
 token_t	*au_to_file(char *file, struct timeval tm);
-#else
-token_t	*au_to_file(char *file);
-#endif
 
-#if defined(KERNEL) || defined(_KERNEL)
-token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod,
+token_t	*au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
 	    struct timeval tm);
-token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
-	    struct timeval tm);
-#else
+#if !defined(KERNEL) && !defined(_KERNEL)
 token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
 token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t	*au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
 #endif
 
-token_t	*au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
 token_t	*au_to_me(void);
 token_t	*au_to_arg(char n, char *text, uint32_t v);
 token_t	*au_to_arg32(char n, char *text, uint32_t v);
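Review bot: au_to_header64() was previously declared unconditionally and is now only visible `#if !defined(KERNEL) && !defined(_KERNEL)`; confirm no kernel code references it, since that would now be a missing prototype rather than a link error.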

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#10 (text+ko) ====

@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#9 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#10 $
  */
 
 #ifndef _LIBBSM_H_
@@ -695,6 +695,9 @@
 
 typedef struct tokenstr tokenstr_t;
 
+int			 audit_submit(short au_event, au_id_t auid,
+			    char status, int reterr, const char *fmt, ...);
+
 /*
  * Functions relating to querying audit class information.
  */
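Review bot: audit_submit() takes a printf-style `fmt, ...` but the prototype carries no format attribute; consider a `__printflike(5, 6)`-style annotation (guarded for non-FreeBSD builds, since the README says OpenBSM also targets Linux and Mac OS X) so callers' format strings are checked by the compiler.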

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/config/config.guess#3 (text+ko) ====


==== //depot/projects/trustedbsd/audit3/contrib/openbsm/config/config.h.in#3 (text+ko) ====

@@ -42,9 +42,6 @@
 /* Define if ipc_perm.__seq instead of seq */
 #undef HAVE_IPC_PERM___SEQ
 
-/* Define to 1 if you have the `bsm' library (-lbsm). */
-#undef HAVE_LIBBSM
-
 /* Define to 1 if you have the <machine/endian.h> header file. */
 #undef HAVE_MACHINE_ENDIAN_H
 

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/config/config.sub#3 (text+ko) ====


==== //depot/projects/trustedbsd/audit3/contrib/openbsm/config/depcomp#3 (text+ko) ====


==== //depot/projects/trustedbsd/audit3/contrib/openbsm/config/install-sh#3 (text+ko) ====


==== //depot/projects/trustedbsd/audit3/contrib/openbsm/config/ltmain.sh#3 (text+ko) ====


==== //depot/projects/trustedbsd/audit3/contrib/openbsm/config/missing#3 (text+ko) ====


==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#3 (xtext) ====

@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#15 .
+# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#20 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59 for OpenBSM 1.0a5.
 #
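Review bot: the regenerated configure still reads "Generated by GNU Autoconf 2.59 for OpenBSM 1.0a5." while VERSION in this same change moves to OPENBSM_1_0_ALPHA_6; the version in configure.ac appears not to have been bumped before regeneration.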
@@ -19627,16 +19627,13 @@
 
 
 
-# Checks for libraries.
-# FIXME: Replace `main' with a function in `-lbsm':
-
-echo "$as_me:$LINENO: checking for main in -lbsm" >&5
-echo $ECHO_N "checking for main in -lbsm... $ECHO_C" >&6
-if test "${ac_cv_lib_bsm_main+set}" = set; then
+echo "$as_me:$LINENO: checking for library containing dlsym" >&5
+echo $ECHO_N "checking for library containing dlsym... $ECHO_C" >&6
+if test "${ac_cv_search_dlsym+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lbsm  $LIBS"
+  ac_func_search_save_LIBS=$LIBS
+ac_cv_search_dlsym=no
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -19644,11 +19641,72 @@
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char dlsym ();
+int
+main ()
+{
+dlsym ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_search_dlsym="none required"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+if test "$ac_cv_search_dlsym" = no; then
+  for ac_lib in dl; do
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+    cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */

>>> TRUNCATED FOR MAIL (1000 lines) <<<


