Vendor import TrustedBSD OpenBSM 1.0 alpha 12, with the following change

history notes since the last import: OpenBSM 1.0 alpha 12 - Correct bug in auditreduce which prevented the -c option from working correctly when the user specifies to process successful or failed events. The problem stemmed from not having access to the return token at the time the initial preselection occurred, but now a second preselection process occurs while processing the return token. - getacfilesz(3) API added to read new audit_control(5) filesz setting, which auditd(8) now sets the kernel audit trail rotation size to. - auditreduce(1) now uses stdin if no file names are specified on the command line; this was the documented behavior previously, but it was not implemented. Be more specific in auditreduce(1)'s examples section about what might be done with the output of auditreduce. - Add audit_warn(5) closefile event so that administrators can hook termination of an audit trail file. For example, this might be used to compress the trail file after it is closed. - auditreduce(1) now uses regular expressions for pathname matching. Users can now supply one or more (comma delimited) regular expressions for searching the pathnames. If one of the regular expressions is prefixed with a tilde (~), and a path matches, it will be excluded from the search results. MFC after: 3 days Obtained from: TrustedBSD Project
svn path=/vendor/openbsm/dist/; revision=162621
2006-09-25 11:40:29 +00:00 · 2006-09-25 11:40:29 +00:00 · 4bd0c025f3 · 2020-12-20 02:59:44 +00:00
commit 4bd0c025f3
parent bb97b41819
19 changed files with 302 additions and 60 deletions
--- a/contrib/openbsm/HISTORY
+++ b/contrib/openbsm/HISTORY
@ -1,3 +1,24 @@
+OpenBSM 1.0 alpha 12
+
+- Correct bug in auditreduce which prevented the -c option from working
+  correctly when the user specifies to process successful or failed events.
+  The problem stemmed from not having access to the return token at the time
+  the initial preselection occurred, but now a second preselection process
+  occurs while processing the return token.
+- getacfilesz(3) API added to read new audit_control(5) filesz setting,
+  which auditd(8) now sets the kernel audit trail rotation size to.
+- auditreduce(1) now uses stdin if no file names are specified on the command
+  line; this was the documented behavior previously, but it was not
+  implemented.  Be more specific in auditreduce(1)'s examples section about
+  what might be done with the output of auditreduce.
+- Add audit_warn(5) closefile event so that administrators can hook
+  termination of an audit trail file.  For example, this might be used to
+  compress the trail file after it is closed.
+- auditreduce(1) now uses regular expressions for pathname matching. Users can
+  now supply one or more (comma delimited) regular expressions for searching
+  the pathnames. If one of the regular expressions is prefixed with a tilde
+  (~), and a path matches, it will be excluded from the search results.
+
 OpenBSM 1.0 alpha 11

 - Reclassify certain read/write operations as having no class rather than the
@ -243,4 +264,4 @@ OpenBSM 1.0 alpha 1
  to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.

-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#33 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $
--- a/contrib/openbsm/TODO
+++ b/contrib/openbsm/TODO
@ -17,10 +17,7 @@
  just at the beginning of a record.  This will make it easier to use
  praudit in test suites processing single-token files without header and
  trailer context.
- Teach auditd how to notify a script when it is done with trail files so
-  that the script can archive them, compress them, delete them, whatever.
-  It should walk any trail files found at startup also, assuming it
-  successfully registers.
 - Put hostname in trail file name.
+- Document audit_warn event arguments.

-$P4: //depot/projects/trustedbsd/openbsm/TODO#7 $
+$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $
--- a/contrib/openbsm/VERSION
+++ b/contrib/openbsm/VERSION
@ -1 +1 @@
-OPENBSM_1_0_ALPHA_11
+OPENBSM_1_0_ALPHA_12
--- a/contrib/openbsm/bin/auditd/audit_warn.c
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#7 $
 */

 #include <sys/types.h>
@ -124,6 +124,21 @@ audit_warn_auditoff(void)
 	return (auditwarnlog(args));
 }

+/*
+ * Indicate that a trail file has been closed, so can now be post-processed.
+ */
+int
+audit_warn_closefile(char *filename)
+{
+	char *args[3];
+
+	args[0] = CLOSEFILE_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}
+
 /*
 * Indicates that the audit deammn is already running
 */
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#21 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
 */

 #include <sys/types.h>
@ -163,9 +163,11 @@ close_lastfile(char *TS)
 				syslog(LOG_ERR,
 				    "Could not rename %s to %s: %m", oldname,
 				    lastfile);
-			else
+			else {
 				syslog(LOG_INFO, "renamed %s to %s",
 				    oldname, lastfile);
+				audit_warn_closefile(lastfile);
+			}
 		}
 		free(lastfile);
 		free(oldname);
@ -727,6 +729,8 @@ config_audit_controls(void)
 	char naeventstr[NA_EVENT_STR_SIZE];
 	char polstr[POL_STR_SIZE];
 	long policy;
+	au_fstat_t au_fstat;
+	size_t filesz;

 	/*
 	 * Process the audit event file, obtaining a class mapping for each
@ -806,6 +810,17 @@ config_audit_controls(void)
 			    "Failed to set default audit policy: %m");
 	}

+	/*
+	 * Set trail rotation size.
+	 */
+	if (getacfilesz(&filesz) == 0) {
+		bzero(&au_fstat, sizeof(au_fstat));
+		au_fstat.af_filesz = filesz;
+		if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0)
+			syslog(LOG_ERR, "Failed to set filesz: %m");
+	} else
+		syslog(LOG_ERR, "Failed to obtain filesz: %m");
+
 	return (0);
 }

--- a/contrib/openbsm/bin/auditd/auditd.h
+++ b/contrib/openbsm/bin/auditd/auditd.h
@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#7 $
 */

 #ifndef _AUDITD_H_
@ -62,6 +62,7 @@ struct dir_ent {
 #define	HARDLIM_ALL_WARN	"allhard"
 #define	SOFTLIM_ALL_WARN	"allsoft"
 #define	AUDITOFF_WARN		"auditoff"
+#define	CLOSEFILE_WARN		"closefile"
 #define	EBUSY_WARN		"ebusy"
 #define	GETACDIR_WARN		"getacdir"
 #define	HARDLIM_WARN		"hard"
@ -76,6 +77,7 @@ struct dir_ent {
 int	audit_warn_allhard(int count);
 int	audit_warn_allsoft(void);
 int	audit_warn_auditoff(void);
+int	audit_warn_closefile(char *filename);
 int	audit_warn_ebusy(void);
 int	audit_warn_getacdir(char *filename);
 int	audit_warn_hard(char *filename);
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
 .\"
 .Dd January 24, 2004
 .Dt AUDITREDUCE 1
@ -105,12 +105,17 @@ for a description of audit event names and numbers.
 .It Fl o Ar object=value
 .Bl -tag -width Ds
 .It Nm file
-Select records containing the given path name.
-file="/usr" matches paths
-starting with
-.Pa usr .
-file="~/usr" matches paths not starting with
-.Pa usr .
+Select records containing path tokens, where the pathname matches
+one of the comma delimited extended regular expression contained in
+given specification.
+Regular expressions which are prefixed with a tilde (~) are excluded
+from the search results.
+These extended regular expressions are processed from left to right,
+and a path will either be selected or deslected based on the first match.
+.Pp
+Since commas are used to delimit the regular expressions, a backslash (\\)
+character should be used to escape the comma if it's a part of the search
+pattern.
 .It Nm msgqid
 Select records containing the given message queue id.
 .It Nm pid
@ -136,6 +141,30 @@ events from that log:
 .Pp
 .Nm
 -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Pp
+Output from the above command lines will typically be piped to a new trail
+file, or via standard output to the
+.Xr praudit 1
+command.
+.Pp
+Select all records containing a path token where the pathname contains
+.Pa /etc/master.passwd
+.Pp
+.Nm
+-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+device:
+.Pp
+.Nm
+-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+except for
+.Pa /dev/ttyp2
+.Pp
+.Nm
+-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
 .Sh SEE ALSO
 .Xr praudit 1 ,
 .Xr audit_control 5 ,
--- a/contrib/openbsm/bin/auditreduce/auditreduce.c
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.c
@ -26,7 +26,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#14 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#18 $
 */

 /* 
@ -40,6 +40,13 @@
 * XXX the records present within the file and between the files themselves
 */ 

+#include <config/config.h>
+#ifdef HAVE_FULL_QUEUE_H
+#include <sys/queue.h>
+#else
+#include <compat/queue.h>
+#endif
+
 #include <bsm/libbsm.h>

 #include <err.h>
@ -51,9 +58,14 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
+#include <regex.h>
+#include <errno.h>

 #include "auditreduce.h"

+static TAILQ_HEAD(tailhead, re_entry) re_head =
+    TAILQ_HEAD_INITIALIZER(re_head);
+
 extern char		*optarg;
 extern int		 optind, optopt, opterr,optreset;

@ -80,11 +92,58 @@ static char	*p_sockobj = NULL;

 static uint32_t opttochk = 0;

+static void
+parse_regexp(char *re_string)
+{
+	char *orig, *copy, re_error[64];
+	struct re_entry *rep;
+	int error, nstrs, i, len;
+
+	copy = strdup(re_string);
+	orig = copy;
+	len = strlen(copy);
+	for (nstrs = 0, i = 0; i < len; i++) {
+		if (copy[i] == ',' && i > 0) {
+			if (copy[i - 1] == '\\')
+				strcpy(&copy[i - 1], &copy[i]);
+			else {
+				nstrs++;
+				copy[i] = '\0';
+			}
+		}
+	}
+	TAILQ_INIT(&re_head);
+	for (i = 0; i < nstrs + 1; i++) {
+		rep = calloc(1, sizeof(*rep));
+		if (rep == NULL) {
+			(void) fprintf(stderr, "calloc: %s\n",
+			    strerror(errno));
+			exit(1);
+		}
+		if (*copy == '~') {
+			copy++;
+			rep->re_negate = 1;
+		}
+		rep->re_pattern = strdup(copy);
+		error = regcomp(&rep->re_regexp, rep->re_pattern,
+		    REG_EXTENDED | REG_NOSUB);
+		if (error != 0) {
+			regerror(error, &rep->re_regexp, re_error, 64);
+			(void) fprintf(stderr, "regcomp: %s\n", re_error);
+			exit(1);
+		}
+		TAILQ_INSERT_TAIL(&re_head, rep, re_glue);
+		len = strlen(copy);
+		copy += len + 1;
+	}
+	free(orig);
+}
+
 static void
 usage(const char *msg)
 {
 	fprintf(stderr, "%s\n", msg);
-	fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
+	fprintf(stderr, "Usage: auditreduce [options] [file ...]\n");
 	fprintf(stderr, "\tOptions are : \n");
 	fprintf(stderr, "\t-A : all records\n");
 	fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
@ -258,23 +317,20 @@ select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
 static int
 select_filepath(char *path, uint32_t *optchkd)
 {
-	char *loc;
+	struct re_entry *rep;
+	int match;

 	SETOPT((*optchkd), OPT_of);
+	match = 1;
 	if (ISOPTSET(opttochk, OPT_of)) {
-		if (p_fileobj[0] == '~') {
-			/* Object should not be in path. */
-			loc = strstr(path, p_fileobj + 1);
-			if ((loc != NULL) && (loc == path))
-				return (0);
-		} else {
-			/* Object should be in path. */
-			loc = strstr(path, p_fileobj);
-			if ((loc == NULL) || (loc != path))
-				return (0);
+		match = 0;
+		TAILQ_FOREACH(rep, &re_head, re_glue) {
+			if (regexec(&rep->re_regexp, path, 0, NULL,
+			    0) != REG_NOMATCH)
+				return (!rep->re_negate);
 		}
 	}
-	return (1);
+	return (match);
 }

 /*
@ -328,6 +384,24 @@ select_hdr32(tokenstr_t tok, uint32_t *optchkd)
 	return (1);
 }

+static int
+select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd)
+{
+	int sorf;
+
+	SETOPT((*optchkd), (OPT_c));
+	if (tok_ret32.tt.ret32.status == 0)
+		sorf = AU_PRS_SUCCESS;
+	else
+		sorf = AU_PRS_FAILURE;
+	if (ISOPTSET(opttochk, OPT_c)) {
+		if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf,
+		    AU_PRS_USECACHE) != 1)
+			return (0);
+	}
+	return (1);
+}
+
 /*
 * Return 1 if checks for the the following succeed
 * auid, 
@ -395,6 +469,7 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd)
 static int
 select_records(FILE *fp)
 {
+	tokenstr_t tok_hdr32_copy;
 	u_char *buf;
 	tokenstr_t tok;
 	int reclen;
@ -423,6 +498,8 @@ select_records(FILE *fp)
 			case AU_HEADER_32_TOKEN:
 					selected = select_hdr32(tok,
 					    &optchkd);
+					bcopy(&tok, &tok_hdr32_copy,
+					    sizeof(tok));
 					break;

 			case AU_PROCESS_32_TOKEN:
@ -451,6 +528,11 @@ select_records(FILE *fp)
 					    tok.tt.path.path, &optchkd);
 					break;	

+			case AU_RETURN_32_TOKEN:
+				selected = select_return32(tok,
+				    tok_hdr32_copy, &optchkd);
+				break;
+
 			/* 
 			 * The following tokens dont have any relevant
 			 * attributes that we can select upon.
@ -465,7 +547,6 @@ select_records(FILE *fp)
 			case AU_IPCPERM_TOKEN:
 			case AU_IPORT_TOKEN:
 			case AU_OPAQUE_TOKEN:
-			case AU_RETURN_32_TOKEN:
 			case AU_SEQ_TOKEN:
 			case AU_TEXT_TOKEN:
 			case AU_ARB_TOKEN:
@ -500,6 +581,7 @@ parse_object_type(char *name, char *val)

 	if (!strcmp(name, FILEOBJ)) {
 		p_fileobj = val;
+		parse_regexp(val);
 		SETOPT(opttochk, OPT_of);
 	} else if (!strcmp(name, MSGQIDOBJ)) {
 		p_msgqobj = val;
@ -679,8 +761,12 @@ main(int argc, char **argv)
 	argv += optind;
 	argc -= optind;

-	if (argc == 0)
-		usage("Filename needed");
+	if (argc == 0) {
+		if (select_records(stdin) == -1)
+			errx(EXIT_FAILURE,
+			    "Couldn't select records from stdin");
+		exit(EXIT_SUCCESS);
+	}

 	/*
 	 * XXX: We should actually be merging records here.
--- a/contrib/openbsm/bin/auditreduce/auditreduce.h
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.h
@ -26,13 +26,20 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $
 */

 #ifndef _AUDITREDUCE_H_
 #define _AUDITREDUCE_H_


+struct re_entry {
+	char		*re_pattern;
+	int		 re_negate;
+	regex_t		 re_regexp;
+	TAILQ_ENTRY(re_entry) re_glue;
+};
+
 #define OPT_a	0x00000001
 #define OPT_b	0x00000002
 #define OPT_c	0x00000004
--- a/contrib/openbsm/bsm/audit_kevents.h
+++ b/contrib/openbsm/bsm/audit_kevents.h
@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#42 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#43 $
 */

 #ifndef _BSM_AUDIT_KEVENTS_H_
@ -470,6 +470,10 @@
 #define	AUE_KENV		43114	/* FreeBSD. */
 #define	AUE_JAIL_ATTACH		43115	/* FreeBSD. */
 #define	AUE_SYSCTL_WRITE	43116	/* FreeBSD. */
+#define	AUE_IOPERM		43117	/* Linux. */
+#define	AUE_READDIR		43118	/* Linux. */
+#define	AUE_IOPL		43119	/* Linux. */
+#define	AUE_VM86		43120	/* Linux. */

 /*
 * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
--- a/contrib/openbsm/bsm/libbsm.h
+++ b/contrib/openbsm/bsm/libbsm.h
@ -26,7 +26,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $
 */

 #ifndef _LIBBSM_H_
@ -78,6 +78,7 @@

 #define	DIR_CONTROL_ENTRY	"dir"
 #define	MINFREE_CONTROL_ENTRY	"minfree"
+#define	FILESZ_CONTROL_ENTRY	"filesz"
 #define	FLAGS_CONTROL_ENTRY	"flags"
 #define	NA_CONTROL_ENTRY	"naflags"
 #define	POLICY_CONTROL_ENTRY	"policy"
@ -719,6 +720,7 @@ void			 setac(void);
 void			 endac(void);
 int			 getacdir(char *name, int len);
 int			 getacmin(int *min_val);
+int			 getacfilesz(size_t *size_val);
 int			 getacflg(char *auditstr, int len);
 int			 getacna(char *auditstr, int len);
 int			 getacpol(char *auditstr, size_t len);
--- a/contrib/openbsm/configure
+++ b/contrib/openbsm/configure
@ -1,7 +1,7 @@
 #! /bin/sh
-# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 .
+# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11.
+# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12.
 #
 # Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
 #
@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='OpenBSM'
 PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.0a11'
-PACKAGE_STRING='OpenBSM 1.0a11'
+PACKAGE_VERSION='1.0a12'
+PACKAGE_STRING='OpenBSM 1.0a12'
 PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'

 ac_unique_file="bin/auditreduce/auditreduce.c"
@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@ -1021,7 +1021,7 @@ fi

 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenBSM 1.0a11:";;
+     short | recursive ) echo "Configuration of OpenBSM 1.0a12:";;
   esac
  cat <<\_ACEOF

@ -1162,7 +1162,7 @@ fi
 test -n "$ac_init_help" && exit 0
 if $ac_init_version; then
  cat <<\_ACEOF
-OpenBSM configure 1.0a11
+OpenBSM configure 1.0a12
 generated by GNU Autoconf 2.59

 Copyright (C) 2003 Free Software Foundation, Inc.
@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

-It was created by OpenBSM $as_me 1.0a11, which was
+It was created by OpenBSM $as_me 1.0a12, which was
 generated by GNU Autoconf 2.59.  Invocation command line was

  $ $0 $@
@ -19278,7 +19278,7 @@ fi

 # Define the identity of the package.
 PACKAGE=OpenBSM
- VERSION=1.0a11
+ VERSION=1.0a12


 cat >>confdefs.h <<_ACEOF
@ -23479,7 +23479,7 @@ _ASBOX
 } >&5
 cat >&5 <<_CSEOF

-This file was extended by OpenBSM $as_me 1.0a11, which was
+This file was extended by OpenBSM $as_me 1.0a12, which was
 generated by GNU Autoconf 2.59.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
@ -23542,7 +23542,7 @@ _ACEOF

 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-OpenBSM config.status 1.0a11
+OpenBSM config.status 1.0a12
 configured by $0, generated by GNU Autoconf 2.59,
  with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"

--- a/contrib/openbsm/configure.ac
+++ b/contrib/openbsm/configure.ac
@ -2,8 +2,8 @@
 # Process this file with autoconf to produce a configure script.

 AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 $])
+AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 $])
 AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADER([config/config.h])
--- a/contrib/openbsm/etc/audit_control
+++ b/contrib/openbsm/etc/audit_control
@ -1,8 +1,9 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
 #
 dir:/var/audit
 flags:lo
 minfree:20
 naflags:lo
 policy:cnt
+filesz:0
--- a/contrib/openbsm/etc/audit_event
+++ b/contrib/openbsm/etc/audit_event
@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#15 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#16 $
 #
 0:AUE_NULL:indir system call:no
 1:AUE_EXIT:exit(2):pc
@ -418,6 +418,10 @@
 43114:AUE_KENV:kenv(8):ad
 43115:AUE_JAIL_ATTACH:jail_attach(2):ad
 43116:AUE_SYSCTL_WRITE:sysctl(3):ad
+43117:AUE_IOPERM:linux ioperm:ad
+43118:AUE_READDIR:readdir(3):no
+43119:AUE_IOPL:linux iopl:ad
+43120:AUE_VM86:linux vm86:pc
 #
 # User space system events.
 #
--- a/contrib/openbsm/libbsm/au_control.3
+++ b/contrib/openbsm/libbsm/au_control.3
@ -1,5 +1,5 @@
 .\"-
-.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $
 .\"
 .Dd April 19, 2005
 .Dt AU_CONTROL 3
@ -33,6 +33,7 @@
 .Nm endac ,
 .Nm getacdir ,
 .Nm getacmin ,
+.Nm getacfilesz ,
 .Nm getacflg ,
 .Nm getacna ,
 .Nm getacpol ,
@ -52,6 +53,8 @@
 .Ft int
 .Fn getacmin "int *min_val"
 .Ft int
+.Fn getacfilesz "size_t *size_val"
+.Ft int
 .Fn getacflg "char *auditstr" "int len"
 .Ft int
 .Fn getacna "char *auditstr" "int len"
@ -88,6 +91,10 @@ the passed
 .Va min_val
 variable.
 .Pp
+.Fn getacfilesz
+returns the audit trail rotation size in the passed size_t buffer
+.Fa size_val .
+.Pp
 .Fn getacflg
 returns the audit system flags via the the passed character buffer
 .Va auditstr
--- a/contrib/openbsm/libbsm/bsm_control.c
+++ b/contrib/openbsm/libbsm/bsm_control.c
@ -27,7 +27,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#15 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#16 $
 */

 #include <bsm/libbsm.h>
@ -395,6 +395,46 @@ getacmin(int *min_val)
 	return (0);
 }

+/*
+ * Return the desired trail rotation size from the audit control file.
+ */
+int
+getacfilesz(size_t *filesz_val)
+{
+	char *filesz, *dummy;
+	long long ll;
+
+	pthread_mutex_lock(&mutex);
+	setac_locked();
+	if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+	if (filesz == NULL) {
+		pthread_mutex_unlock(&mutex);
+		errno = EINVAL;
+		return (1);
+	}
+	ll = strtoll(filesz, &dummy, 10);
+	if (*dummy != '\0') {
+		pthread_mutex_unlock(&mutex);
+		errno = EINVAL;
+		return (-1);
+	}
+	/*
+	 * The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE.  0
+	 * indicates no rotation size.
+	 */
+	if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
+		pthread_mutex_unlock(&mutex);
+		errno = EINVAL;
+		return (-1);
+	}
+	*filesz_val = ll;
+	pthread_mutex_unlock(&mutex);
+	return (0);
+}
+
 /*
 * Return the system audit value from the audit contol file.
 */
--- a/contrib/openbsm/libbsm/libbsm.3
+++ b/contrib/openbsm/libbsm/libbsm.3
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $
 .\"
 .Dd April 19, 2005
 .Dt LIBBSM 3
@ -84,6 +84,7 @@ database:
 .Xr endac 3 ,
 .Xr setac 3 ,
 .Xr getacdir 3 ,
+.Xr getacfilesz 3 ,
 .Xr getacflg 3 ,
 .Xr getacmin 3 ,
 .Xr getacna 3 ,
--- a/contrib/openbsm/man/audit_control.5
+++ b/contrib/openbsm/man/audit_control.5
@ -1,4 +1,5 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2006 Robert N. M. Watson
 .\" All rights reserved.
 .\" 
 .\" Redistribution and use in source and binary forms, with or without
@ -25,7 +26,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $
 .\"
 .Dd January 4, 2006
 .Dt AUDIT_CONTROL 5
@ -66,6 +67,12 @@ Not currently used as the value of 20 percent is chosen by the kernel.
 .It Va policy
 A list of global audit policy flags specifying various behaviors, such as
 fail stop, auditing of paths and arguments, etc.
+.It Va filesz
+Maximum trail size in bytes; if set to a non-0 value, the audit daemon will
+rotate the audit trail file at around this size.
+Sizes less than the minimum trail size (default of 512K) will be rejected as
+invalid.
+If 0, trail files will not be automatically rotated based on file size.
 .El
 .Sh AUDIT FLAGS
 Audit flags are a comma-delimited list of audit classes as defined in the
@ -78,12 +85,14 @@ Event classes may be preceded by a prefix which changes their interpretation.
 The following prefixes may be used for each class:
 .Pp
 .Bl -tag -width Ds -compact -offset indent
+.It (none)
+Record both successful and failed events
 .It +
 Record successful events
 .It -
 Record failed events
 .It ^
-Record both successful and failed events
+Record neither successful nor failed events
 .It ^+
 Do not record successful events
 .It ^-
@ -146,6 +155,7 @@ flags:lo
 minfree:20
 naflags:lo
 policy:cnt
+filesz:0
 .Ed
 .Pp
 The
@ -156,7 +166,8 @@ The
 .Va policy
 parameter specifies that the system should neither fail stop nor suspend
 processes when the audit store fills.
-will be audited.
+The trail file will not be automatically rotated by the audit daemon based on
+file size.
 .Sh FILES
 .Bl -tag -width "/etc/security/audit_control" -compact
 .It Pa /etc/security/audit_control