From 4bd0c025f38ae20e2ec54bfbe3f11a0847e87ffb Mon Sep 17 00:00:00 2001 
From: Robert Watson
Date: Mon, 25 Sep 2006 11:40:29 +0000
Subject: [PATCH] Vendor import TrustedBSD OpenBSM 1.0 alpha 12, with the following change history notes since the last import:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working correctly when the user specifies to process successful or failed events. The problem stemmed from not having access to the return token at the time the initial preselection occurred, but now a second preselection process occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting, which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command line; this was the documented behavior previously, but it was not implemented. Be more specific in auditreduce(1)'s examples section about what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook termination of an audit trail file. For example, this might be used to compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can now supply one or more (comma delimited) regular expressions for searching the pathnames. If one of the regular expressions is prefixed with a tilde (~), and a path matches, it will be excluded from the search results.
MFC after: 3 days Obtained from: TrustedBSD Project --- contrib/openbsm/HISTORY | 23 +++- contrib/openbsm/TODO | 7 +- contrib/openbsm/VERSION | 2 +- contrib/openbsm/bin/auditd/audit_warn.c | 17 ++- contrib/openbsm/bin/auditd/auditd.c | 19 ++- contrib/openbsm/bin/auditd/auditd.h | 4 +- contrib/openbsm/bin/auditreduce/auditreduce.1 | 43 ++++++- contrib/openbsm/bin/auditreduce/auditreduce.c | 120 +++++++++++++++--- contrib/openbsm/bin/auditreduce/auditreduce.h | 9 +- contrib/openbsm/bsm/audit_kevents.h | 6 +- contrib/openbsm/bsm/libbsm.h | 4 +- contrib/openbsm/configure | 22 ++-- contrib/openbsm/configure.ac | 4 +- contrib/openbsm/etc/audit_control | 3 +- contrib/openbsm/etc/audit_event | 6 +- contrib/openbsm/libbsm/au_control.3 | 11 +- contrib/openbsm/libbsm/bsm_control.c | 42 +++++- contrib/openbsm/libbsm/libbsm.3 | 3 +- contrib/openbsm/man/audit_control.5 | 17 ++- 19 files changed, 302 insertions(+), 60 deletions(-) diff --git a/contrib/openbsm/HISTORY b/contrib/openbsm/HISTORY index e9093001a557..0b44df261e08 100644 --- a/contrib/openbsm/HISTORY +++ b/contrib/openbsm/HISTORY 
@@ -1,3 +1,24 @@ +OpenBSM 1.0 alpha 12 + +- Correct bug in auditreduce which prevented the -c option from working + correctly when the user specifies to process successful or failed events. + The problem stemmed from not having access to the return token at the time + the initial preselection occurred, but now a second preselection process + occurs while processing the return token. +- getacfilesz(3) API added to read new audit_control(5) filesz setting, + which auditd(8) now sets the kernel audit trail rotation size to. +- auditreduce(1) now uses stdin if no file names are specified on the command + line; this was the documented behavior previously, but it was not + implemented. Be more specific in auditreduce(1)'s examples section about + what might be done with the output of auditreduce. +- Add audit_warn(5) closefile event so that administrators can hook + termination of an audit trail file. For example, this might be used to + compress the trail file after it is closed. +- auditreduce(1) now uses regular expressions for pathname matching. Users can + now supply one or more (comma delimited) regular expressions for searching + the pathnames. If one of the regular expressions is prefixed with a tilde + (~), and a path matches, it will be excluded from the search results. + OpenBSM 1.0 alpha 11 - Reclassify certain read/write operations as having no class rather than the @@ -243,4 +264,4 @@ OpenBSM 1.0 alpha 1 to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/HISTORY#33 $ +$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $ diff --git a/contrib/openbsm/TODO b/contrib/openbsm/TODO index 5e0b9c3ae318..696974340819 100644 --- a/contrib/openbsm/TODO +++ b/contrib/openbsm/TODO 
@@ -17,10 +17,7 @@ just at the beginning of a record. This will make it easier to use praudit in test suites processing single-token files without header and trailer context. -- Teach auditd how to notify a script when it is done with trail files so - that the script can archive them, compress them, delete them, whatever. - It should walk any trail files found at startup also, assuming it - successfully registers. - Put hostname in trail file name. +- Document audit_warn event arguments. -$P4: //depot/projects/trustedbsd/openbsm/TODO#7 $ +$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $ diff --git a/contrib/openbsm/VERSION b/contrib/openbsm/VERSION index 12b10e099a6e..b27583b27697 100644 --- a/contrib/openbsm/VERSION +++ b/contrib/openbsm/VERSION @@ -1 +1 @@ -OPENBSM_1_0_ALPHA_11 +OPENBSM_1_0_ALPHA_12 diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c index 7fa5eb927254..3239b67c7e3e 100644 --- a/contrib/openbsm/bin/auditd/audit_warn.c +++ b/contrib/openbsm/bin/auditd/audit_warn.c @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#7 $ */ #include @@ -124,6 +124,21 @@ audit_warn_auditoff(void) return (auditwarnlog(args)); } +/* + * Indicate that a trail file has been closed, so can now be post-processed. + */ +int +audit_warn_closefile(char *filename) +{ + char *args[3]; + + args[0] = CLOSEFILE_WARN; + args[1] = filename; + args[2] = NULL; + + return (auditwarnlog(args)); +} + /* * Indicates that the audit deammn is already running */ diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c index 86cf2335c28f..7ca2123bdb56 100644 --- a/contrib/openbsm/bin/auditd/auditd.c +++ b/contrib/openbsm/bin/auditd/auditd.c 
@@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#21 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $ */ #include @@ -163,9 +163,11 @@ close_lastfile(char *TS) syslog(LOG_ERR, "Could not rename %s to %s: %m", oldname, lastfile); - else + else { syslog(LOG_INFO, "renamed %s to %s", oldname, lastfile); + audit_warn_closefile(lastfile); + } } free(lastfile); free(oldname); @@ -727,6 +729,8 @@ config_audit_controls(void) char naeventstr[NA_EVENT_STR_SIZE]; char polstr[POL_STR_SIZE]; long policy; + au_fstat_t au_fstat; + size_t filesz; /* * Process the audit event file, obtaining a class mapping for each @@ -806,6 +810,17 @@ config_audit_controls(void) "Failed to set default audit policy: %m"); } + /* + * Set trail rotation size. + */ + if (getacfilesz(&filesz) == 0) { + bzero(&au_fstat, sizeof(au_fstat)); + au_fstat.af_filesz = filesz; + if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0) + syslog(LOG_ERR, "Failed to set filesz: %m"); + } else + syslog(LOG_ERR, "Failed to obtain filesz: %m"); + return (0); } diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h index 11bf9d4ce176..9c5ae287c17b 100644 --- a/contrib/openbsm/bin/auditd/auditd.h +++ b/contrib/openbsm/bin/auditd/auditd.h @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#7 $ */ #ifndef _AUDITD_H_ @@ -62,6 +62,7 @@ struct dir_ent { #define HARDLIM_ALL_WARN "allhard" #define SOFTLIM_ALL_WARN "allsoft" #define AUDITOFF_WARN "auditoff" +#define CLOSEFILE_WARN "closefile" #define EBUSY_WARN "ebusy" #define GETACDIR_WARN "getacdir" #define HARDLIM_WARN "hard" 
@@ -76,6 +77,7 @@ struct dir_ent { int audit_warn_allhard(int count); int audit_warn_allsoft(void); int audit_warn_auditoff(void); +int audit_warn_closefile(char *filename); int audit_warn_ebusy(void); int audit_warn_getacdir(char *filename); int audit_warn_hard(char *filename); diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1 index 9ae97263aa64..f590e35f0717 100644 --- a/contrib/openbsm/bin/auditreduce/auditreduce.1 +++ b/contrib/openbsm/bin/auditreduce/auditreduce.1 @@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $ .\" .Dd January 24, 2004 .Dt AUDITREDUCE 1 @@ -105,12 +105,17 @@ for a description of audit event names and numbers. .It Fl o Ar object=value .Bl -tag -width Ds .It Nm file -Select records containing the given path name. -file="/usr" matches paths -starting with -.Pa usr . -file="~/usr" matches paths not starting with -.Pa usr . +Select records containing path tokens, where the pathname matches +one of the comma delimited extended regular expression contained in +given specification. +Regular expressions which are prefixed with a tilde (~) are excluded +from the search results. +These extended regular expressions are processed from left to right, +and a path will either be selected or deslected based on the first match. +.Pp +Since commas are used to delimit the regular expressions, a backslash (\\) +character should be used to escape the comma if it's a part of the search +pattern. .It Nm msgqid Select records containing the given message queue id. .It Nm pid 
@@ -136,6 +141,30 @@ events from that log: .Pp .Nm -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Pp +Output from the above command lines will typically be piped to a new trail +file, or via standard output to the +.Xr praudit 1 +command. +.Pp +Select all records containing a path token where the pathname contains +.Pa /etc/master.passwd +.Pp +.Nm +-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634 +.Pp +Select all records containing path tokens, where the pathname is a TTY +device: +.Pp +.Nm +-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 +.Pp +Select all records containing path tokens, where the pathname is a TTY +except for +.Pa /dev/ttyp2 +.Pp +.Nm +-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 .Sh SEE ALSO .Xr praudit 1 , .Xr audit_control 5 , diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c index 25a14ff453a5..31bd8922e41c 100644 --- a/contrib/openbsm/bin/auditreduce/auditreduce.c +++ b/contrib/openbsm/bin/auditreduce/auditreduce.c @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#14 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#18 $ */ /* @@ -40,6 +40,13 @@ * XXX the records present within the file and between the files themselves */ +#include +#ifdef HAVE_FULL_QUEUE_H +#include +#else +#include +#endif + #include #include @@ -51,9 +58,14 @@ #include #include #include +#include +#include #include "auditreduce.h" +static TAILQ_HEAD(tailhead, re_entry) re_head = + TAILQ_HEAD_INITIALIZER(re_head); + extern char *optarg; extern int optind, optopt, opterr,optreset; 
@@ -80,11 +92,58 @@ static char *p_sockobj = NULL; static uint32_t opttochk = 0; +static void +parse_regexp(char *re_string) +{ + char *orig, *copy, re_error[64]; + struct re_entry *rep; + int error, nstrs, i, len; + + copy = strdup(re_string); + orig = copy; + len = strlen(copy); + for (nstrs = 0, i = 0; i < len; i++) { + if (copy[i] == ',' && i > 0) { + if (copy[i - 1] == '\\') + strcpy(©[i - 1], ©[i]); + else { + nstrs++; + copy[i] = '\0'; + } + } + } + TAILQ_INIT(&re_head); + for (i = 0; i < nstrs + 1; i++) { + rep = calloc(1, sizeof(*rep)); + if (rep == NULL) { + (void) fprintf(stderr, "calloc: %s\n", + strerror(errno)); + exit(1); + } + if (*copy == '~') { + copy++; + rep->re_negate = 1; + } + rep->re_pattern = strdup(copy); + error = regcomp(&rep->re_regexp, rep->re_pattern, + REG_EXTENDED | REG_NOSUB); + if (error != 0) { + regerror(error, &rep->re_regexp, re_error, 64); + (void) fprintf(stderr, "regcomp: %s\n", re_error); + exit(1); + } + TAILQ_INSERT_TAIL(&re_head, rep, re_glue); + len = strlen(copy); + copy += len + 1; + } + free(orig); +} + static void usage(const char *msg) { fprintf(stderr, "%s\n", msg); - fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n"); + fprintf(stderr, "Usage: auditreduce [options] [file ...]\n"); fprintf(stderr, "\tOptions are : \n"); fprintf(stderr, "\t-A : all records\n"); fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n"); 
@@ -258,23 +317,20 @@ select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd) static int select_filepath(char *path, uint32_t *optchkd) { - char *loc; + struct re_entry *rep; + int match; SETOPT((*optchkd), OPT_of); + match = 1; if (ISOPTSET(opttochk, OPT_of)) { - if (p_fileobj[0] == '~') { - /* Object should not be in path. */ - loc = strstr(path, p_fileobj + 1); - if ((loc != NULL) && (loc == path)) - return (0); - } else { - /* Object should be in path. */ - loc = strstr(path, p_fileobj); - if ((loc == NULL) || (loc != path)) - return (0); + match = 0; + TAILQ_FOREACH(rep, &re_head, re_glue) { + if (regexec(&rep->re_regexp, path, 0, NULL, + 0) != REG_NOMATCH) + return (!rep->re_negate); } } - return (1); + return (match); } /* @@ -328,6 +384,24 @@ select_hdr32(tokenstr_t tok, uint32_t *optchkd) return (1); } +static int +select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd) +{ + int sorf; + + SETOPT((*optchkd), (OPT_c)); + if (tok_ret32.tt.ret32.status == 0) + sorf = AU_PRS_SUCCESS; + else + sorf = AU_PRS_FAILURE; + if (ISOPTSET(opttochk, OPT_c)) { + if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf, + AU_PRS_USECACHE) != 1) + return (0); + } + return (1); +} + /* * Return 1 if checks for the the following succeed * auid, @@ -395,6 +469,7 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd) static int select_records(FILE *fp) { + tokenstr_t tok_hdr32_copy; u_char *buf; tokenstr_t tok; int reclen; @@ -423,6 +498,8 @@ select_records(FILE *fp) case AU_HEADER_32_TOKEN: selected = select_hdr32(tok, &optchkd); + bcopy(&tok, &tok_hdr32_copy, + sizeof(tok)); break; case AU_PROCESS_32_TOKEN: @@ -451,6 +528,11 @@ select_records(FILE *fp) tok.tt.path.path, &optchkd); break; + case AU_RETURN_32_TOKEN: + selected = select_return32(tok, + tok_hdr32_copy, &optchkd); + break; + /* * The following tokens dont have any relevant * attributes that we can select upon. 
@@ -465,7 +547,6 @@ select_records(FILE *fp) case AU_IPCPERM_TOKEN: case AU_IPORT_TOKEN: case AU_OPAQUE_TOKEN: - case AU_RETURN_32_TOKEN: case AU_SEQ_TOKEN: case AU_TEXT_TOKEN: case AU_ARB_TOKEN: @@ -500,6 +581,7 @@ parse_object_type(char *name, char *val) if (!strcmp(name, FILEOBJ)) { p_fileobj = val; + parse_regexp(val); SETOPT(opttochk, OPT_of); } else if (!strcmp(name, MSGQIDOBJ)) { p_msgqobj = val; @@ -679,8 +761,12 @@ main(int argc, char **argv) argv += optind; argc -= optind; - if (argc == 0) - usage("Filename needed"); + if (argc == 0) { + if (select_records(stdin) == -1) + errx(EXIT_FAILURE, + "Couldn't select records from stdin"); + exit(EXIT_SUCCESS); + } /* * XXX: We should actually be merging records here. diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h index 698e27605b0f..f69dc16f8389 100644 --- a/contrib/openbsm/bin/auditreduce/auditreduce.h +++ b/contrib/openbsm/bin/auditreduce/auditreduce.h @@ -26,13 +26,20 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $ */ #ifndef _AUDITREDUCE_H_ #define _AUDITREDUCE_H_ +struct re_entry { + char *re_pattern; + int re_negate; + regex_t re_regexp; + TAILQ_ENTRY(re_entry) re_glue; +}; + #define OPT_a 0x00000001 #define OPT_b 0x00000002 #define OPT_c 0x00000004 diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h index ef0f47b01485..434452a3091a 100644 --- a/contrib/openbsm/bsm/audit_kevents.h +++ b/contrib/openbsm/bsm/audit_kevents.h @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#42 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#43 $ */ #ifndef _BSM_AUDIT_KEVENTS_H_ 
@@ -470,6 +470,10 @@ #define AUE_KENV 43114 /* FreeBSD. */ #define AUE_JAIL_ATTACH 43115 /* FreeBSD. */ #define AUE_SYSCTL_WRITE 43116 /* FreeBSD. */ +#define AUE_IOPERM 43117 /* Linux. */ +#define AUE_READDIR 43118 /* Linux. */ +#define AUE_IOPL 43119 /* Linux. */ +#define AUE_VM86 43120 /* Linux. */ /* * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h index 34d9dbc062f0..2d76c3993317 100644 --- a/contrib/openbsm/bsm/libbsm.h +++ b/contrib/openbsm/bsm/libbsm.h @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $ */ #ifndef _LIBBSM_H_ @@ -78,6 +78,7 @@ #define DIR_CONTROL_ENTRY "dir" #define MINFREE_CONTROL_ENTRY "minfree" +#define FILESZ_CONTROL_ENTRY "filesz" #define FLAGS_CONTROL_ENTRY "flags" #define NA_CONTROL_ENTRY "naflags" #define POLICY_CONTROL_ENTRY "policy" @@ -719,6 +720,7 @@ void setac(void); void endac(void); int getacdir(char *name, int len); int getacmin(int *min_val); +int getacfilesz(size_t *size_val); int getacflg(char *auditstr, int len); int getacna(char *auditstr, int len); int getacpol(char *auditstr, size_t len); diff --git a/contrib/openbsm/configure b/contrib/openbsm/configure index 26af770f4151..d680c434032a 100755 --- a/contrib/openbsm/configure +++ b/contrib/openbsm/configure @@ -1,7 +1,7 @@ #! /bin/sh -# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 . +# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11. +# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12. # # Report bugs to . # 
@@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='OpenBSM' PACKAGE_TARNAME='openbsm' -PACKAGE_VERSION='1.0a11' -PACKAGE_STRING='OpenBSM 1.0a11' +PACKAGE_VERSION='1.0a12' +PACKAGE_STRING='OpenBSM 1.0a12' PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org' ac_unique_file="bin/auditreduce/auditreduce.c" @@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems. +\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1021,7 +1021,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenBSM 1.0a11:";; + short | recursive ) echo "Configuration of OpenBSM 1.0a12:";; esac cat <<\_ACEOF @@ -1162,7 +1162,7 @@ fi test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -OpenBSM configure 1.0a11 +OpenBSM configure 1.0a12 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. @@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenBSM $as_me 1.0a11, which was +It was created by OpenBSM $as_me 1.0a12, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ @@ -19278,7 +19278,7 @@ fi # Define the identity of the package. PACKAGE=OpenBSM - VERSION=1.0a11 + VERSION=1.0a12 cat >>confdefs.h <<_ACEOF @@ -23479,7 +23479,7 @@ _ASBOX } >&5 cat >&5 <<_CSEOF -This file was extended by OpenBSM $as_me 1.0a11, which was +This file was extended by OpenBSM $as_me 1.0a12, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -23542,7 +23542,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -OpenBSM config.status 1.0a11 +OpenBSM config.status 1.0a12 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" diff --git a/contrib/openbsm/configure.ac b/contrib/openbsm/configure.ac index 8547245c0e44..a8428f97f282 100644 --- a/contrib/openbsm/configure.ac +++ b/contrib/openbsm/configure.ac @@ -2,8 +2,8 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) -AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) -AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 $]) +AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) +AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 $]) AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c]) AC_CONFIG_AUX_DIR(config) AC_CONFIG_HEADER([config/config.h]) diff --git a/contrib/openbsm/etc/audit_control b/contrib/openbsm/etc/audit_control index 2db3e1fa049e..a350e50cdc7d 100644 --- a/contrib/openbsm/etc/audit_control +++ b/contrib/openbsm/etc/audit_control @@ -1,8 +1,9 @@ # -# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#4 $ +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $ # dir:/var/audit flags:lo minfree:20 naflags:lo policy:cnt +filesz:0 diff --git a/contrib/openbsm/etc/audit_event b/contrib/openbsm/etc/audit_event index 346dff7a22af..fcc89fca8ec2 100644 --- a/contrib/openbsm/etc/audit_event +++ b/contrib/openbsm/etc/audit_event @@ -1,5 +1,5 @@ # -# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#15 $ +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#16 $ # 0:AUE_NULL:indir system call:no 1:AUE_EXIT:exit(2):pc 
@@ -418,6 +418,10 @@ 43114:AUE_KENV:kenv(8):ad 43115:AUE_JAIL_ATTACH:jail_attach(2):ad 43116:AUE_SYSCTL_WRITE:sysctl(3):ad +43117:AUE_IOPERM:linux ioperm:ad +43118:AUE_READDIR:readdir(3):no +43119:AUE_IOPL:linux iopl:ad +43120:AUE_VM86:linux vm86:pc # # User space system events. # diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3 index 00a551eed2d9..0985825f4113 100644 --- a/contrib/openbsm/libbsm/au_control.3 +++ b/contrib/openbsm/libbsm/au_control.3 @@ -1,5 +1,5 @@ .\"- -.\" Copyright (c) 2005 Robert N. M. Watson +.\" Copyright (c) 2005-2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#4 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $ .\" .Dd April 19, 2005 .Dt AU_CONTROL 3 @@ -33,6 +33,7 @@ .Nm endac , .Nm getacdir , .Nm getacmin , +.Nm getacfilesz , .Nm getacflg , .Nm getacna , .Nm getacpol , @@ -52,6 +53,8 @@ .Ft int .Fn getacmin "int *min_val" .Ft int +.Fn getacfilesz "size_t *size_val" +.Ft int .Fn getacflg "char *auditstr" "int len" .Ft int .Fn getacna "char *auditstr" "int len" @@ -88,6 +91,10 @@ the passed .Va min_val variable. .Pp +.Fn getacfilesz +returns the audit trail rotation size in the passed size_t buffer +.Fa size_val . +.Pp .Fn getacflg returns the audit system flags via the the passed character buffer .Va auditstr diff --git a/contrib/openbsm/libbsm/bsm_control.c b/contrib/openbsm/libbsm/bsm_control.c index ba643b2b9fde..dd901b76ca36 100644 --- a/contrib/openbsm/libbsm/bsm_control.c +++ b/contrib/openbsm/libbsm/bsm_control.c 
@@ -27,7 +27,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#15 $ + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#16 $ */ #include @@ -395,6 +395,46 @@ getacmin(int *min_val) return (0); } +/* + * Return the desired trail rotation size from the audit control file. + */ +int +getacfilesz(size_t *filesz_val) +{ + char *filesz, *dummy; + long long ll; + + pthread_mutex_lock(&mutex); + setac_locked(); + if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) { + pthread_mutex_unlock(&mutex); + return (-2); + } + if (filesz == NULL) { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (1); + } + ll = strtoll(filesz, &dummy, 10); + if (*dummy != '\0') { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (-1); + } + /* + * The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0 + * indicates no rotation size. + */ + if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (-1); + } + *filesz_val = ll; + pthread_mutex_unlock(&mutex); + return (0); +} + /* * Return the system audit value from the audit contol file. */ diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3 index 3d9aadd393e9..f87cf5574128 100644 --- a/contrib/openbsm/libbsm/libbsm.3 +++ b/contrib/openbsm/libbsm/libbsm.3 @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#7 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $ .\" .Dd April 19, 2005 .Dt LIBBSM 3 @@ -84,6 +84,7 @@ database: .Xr endac 3 , .Xr setac 3 , .Xr getacdir 3 , +.Xr getacfilesz 3 , .Xr getacflg 3 , .Xr getacmin 3 , .Xr getacna 3 , diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5 index edd38bb72043..25cb2266822f 100644 
--- a/contrib/openbsm/man/audit_control.5 +++ b/contrib/openbsm/man/audit_control.5 @@ -1,4 +1,5 @@ .\" Copyright (c) 2004 Apple Computer, Inc. +.\" Copyright (c) 2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -25,7 +26,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#11 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $ .\" .Dd January 4, 2006 .Dt AUDIT_CONTROL 5 @@ -66,6 +67,12 @@ Not currently used as the value of 20 percent is chosen by the kernel. .It Va policy A list of global audit policy flags specifying various behaviors, such as fail stop, auditing of paths and arguments, etc. +.It Va filesz +Maximum trail size in bytes; if set to a non-0 value, the audit daemon will +rotate the audit trail file at around this size. +Sizes less than the minimum trail size (default of 512K) will be rejected as +invalid. +If 0, trail files will not be automatically rotated based on file size. .El .Sh AUDIT FLAGS Audit flags are a comma-delimited list of audit classes as defined in the @@ -78,12 +85,14 @@ Event classes may be preceded by a prefix which changes their interpretation. The following prefixes may be used for each class: .Pp .Bl -tag -width Ds -compact -offset indent +.It (none) +Record both successful and failed events .It + Record successful events .It - Record failed events .It ^ -Record both successful and failed events +Record neither successful nor failed events .It ^+ Do not record successful events .It ^- @@ -146,6 +155,7 @@ flags:lo minfree:20 naflags:lo policy:cnt +filesz:0 .Ed .Pp The 
@@ -156,7 +166,8 @@ The .Va policy parameter specifies that the system should neither fail stop nor suspend processes when the audit store fills. -will be audited. +The trail file will not be automatically rotated by the audit daemon based on +file size. .Sh FILES .Bl -tag -width "/etc/security/audit_control" -compact .It Pa /etc/security/audit_control