Vendor import of OpenBSM 1.0 alpha 11, with the following change history
notes since the last import: OpenBSM 1.0 alpha 11 - Reclassify certain read/write operations as having no class rather than the fr/fw class; our default classes audit intent (open) not operations (read, write). - Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads and writes of sysctls as separate events. Add additional kernel environment and jail events for FreeBSD. - Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued by the kernel audit implementation) so that they can be distinguished. - Disable rate limiting of rotate requests; as the kernel doesn't retransmit a dropped request, the log file will otherwise grow indefinitely if the trigger is dropped. - Improve auditd debugging output. - Fix a number of threading related bugs in audit_control file reading routines. - Add APIs au_poltostr() and au_strtopol() to convert between text representations of audit_control policy flags and the flags passed to auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY). - Add API getacpol() to return the 'policy:' entry from audit_control, an extension to the Solaris file format to allow specification of policy persistent flags. - Update audump to print the audit_control policy field. - Update auditd to read the audit_control policy field and set the kernel policy to match it when configuring/reconfiguring. Remove the -s and -h arguments as these policies are now set via the configuration file. If a policy line is not found in the configuration file, continue with the current default of setting AUDIT_CNT. - Fix bugs in the parsing of large execve(2) arguments and environmental variable tokens; increase maximum parsed argument and variable count. - configure now detects strlcat(), used by policy-related functions. - Reference token and record sample files added to test tree. Obtained from: TrustedBSD Project
This commit is contained in:
parent
fdb4472c92
commit
bb97b41819
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/vendor/openbsm/dist/; revision=162503
@ -1,3 +1,37 @@
|
||||
OpenBSM 1.0 alpha 11
|
||||
|
||||
- Reclassify certain read/write operations as having no class rather than the
|
||||
fr/fw class; our default classes audit intent (open) not operations (read,
|
||||
write).
|
||||
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
|
||||
and writes of sysctls as separate events. Add additional kernel
|
||||
environment and jail events for FreeBSD.
|
||||
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
|
||||
(issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
|
||||
by the kernel audit implementation) so that they can be distinguished.
|
||||
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
|
||||
a dropped request, the log file will otherwise grow indefinitely if the
|
||||
trigger is dropped.
|
||||
- Improve auditd debugging output.
|
||||
- Fix a number of threading related bugs in audit_control file reading
|
||||
routines.
|
||||
- Add APIs au_poltostr() and au_strtopol() to convert between text
|
||||
representations of audit_control policy flags and the flags passed to
|
||||
auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
|
||||
- Add API getacpol() to return the 'policy:' entry from audit_control, an
|
||||
extension to the Solaris file format to allow specification of policy
|
||||
persistent flags.
|
||||
- Update audump to print the audit_control policy field.
|
||||
- Update auditd to read the audit_control policy field and set the kernel
|
||||
policy to match it when configuring/reconfiguring. Remove the -s and -h
|
||||
arguments as these policies are now set via the configuration file. If a
|
||||
policy line is not found in the configuration file, continue with the
|
||||
current default of setting AUDIT_CNT.
|
||||
- Fix bugs in the parsing of large execve(2) arguments and environmental
|
||||
variable tokens; increase maximum parsed argument and variable count.
|
||||
- configure now detects strlcat(), used by policy-related functions.
|
||||
- Reference token and record sample files added to test tree.
|
||||
|
||||
OpenBSM 1.0 alpha 10
|
||||
|
||||
- auditd now generates complete audit records for its events, as required for
|
||||
@ -209,4 +243,4 @@ OpenBSM 1.0 alpha 1
|
||||
to support reloading of kernel event table.
|
||||
- Allow comments in /etc/security configuration files.
|
||||
|
||||
$P4: //depot/projects/trustedbsd/openbsm/HISTORY#26 $
|
||||
$P4: //depot/projects/trustedbsd/openbsm/HISTORY#33 $
|
||||
|
@ -17,5 +17,10 @@
|
||||
just at the beginning of a record. This will make it easier to use
|
||||
praudit in test suites processing single-token files without header and
|
||||
trailer context.
|
||||
- Teach auditd how to notify a script when it is done with trail files so
|
||||
that the script can archive them, compress them, delete them, whatever.
|
||||
It should walk any trail files found at startup also, assuming it
|
||||
successfully registers.
|
||||
- Put hostname in trail file name.
|
||||
|
||||
$P4: //depot/projects/trustedbsd/openbsm/TODO#6 $
|
||||
$P4: //depot/projects/trustedbsd/openbsm/TODO#7 $
|
||||
|
@ -1 +1 @@
|
||||
OPENBSM_1_0_ALPHA_9
|
||||
OPENBSM_1_0_ALPHA_11
|
||||
|
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#6 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#7 $
|
||||
*/
|
||||
/*
|
||||
* Program to trigger the audit daemon with a message that is either:
|
||||
@ -75,7 +75,7 @@ main(int argc, char **argv)
|
||||
switch(ch) {
|
||||
|
||||
case 'n':
|
||||
trigger = AUDIT_TRIGGER_OPEN_NEW;
|
||||
trigger = AUDIT_TRIGGER_ROTATE_USER;
|
||||
break;
|
||||
|
||||
case 's':
|
||||
|
@ -29,7 +29,7 @@
|
||||
.\"
|
||||
.\" @APPLE_BSD_LICENSE_HEADER_END@
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#8 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#9 $
|
||||
.\"
|
||||
.Dd January 24, 2004
|
||||
.Dt AUDITD 8
|
||||
@ -51,14 +51,20 @@ The options are as follows:
|
||||
.Bl -tag -width Ds
|
||||
.It Fl d
|
||||
Starts the daemon in debug mode - it will not daemonize.
|
||||
.It Fl h
|
||||
Specifies that if auditing cannot be performed as specified, the system should
|
||||
halt (panic). Normally, the system will attempt to proceed - although individual
|
||||
processes may be stopped (see the -s option).
|
||||
.It Fl s
|
||||
Specifies that individual processes should stop rather than perform operations
|
||||
that may cause audit records to be lost due to log file full conditions
|
||||
.El
|
||||
.Pp
|
||||
The historical
|
||||
.Fl h
|
||||
and
|
||||
.Fl s
|
||||
flags are now configured using
|
||||
.Xr audit_control 5
|
||||
policy flags
|
||||
.Dv ahlt
|
||||
and
|
||||
.Dv cnt ,
|
||||
and are no longer available as arguments to
|
||||
.Xr auditd 8 .
|
||||
.Sh NOTE
|
||||
.Pp
|
||||
To assure uninterrupted audit support, the
|
||||
|
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#18 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#21 $
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -59,6 +59,7 @@
|
||||
#include "auditd.h"
|
||||
|
||||
#define NA_EVENT_STR_SIZE 25
|
||||
#define POL_STR_SIZE 128
|
||||
|
||||
static int ret, minval;
|
||||
static char *lastfile = NULL;
|
||||
@ -67,7 +68,6 @@ static int triggerfd = 0;
|
||||
static int sigchlds, sigchlds_handled;
|
||||
static int sighups, sighups_handled;
|
||||
static int sigterms, sigterms_handled;
|
||||
static long global_flags;
|
||||
|
||||
static TAILQ_HEAD(, dir_ent) dir_q;
|
||||
|
||||
@ -160,8 +160,9 @@ close_lastfile(char *TS)
|
||||
*ptr = '.';
|
||||
strcpy(ptr+1, TS);
|
||||
if (rename(oldname, lastfile) != 0)
|
||||
syslog(LOG_ERR, "Could not rename %s to %s",
|
||||
oldname, lastfile);
|
||||
syslog(LOG_ERR,
|
||||
"Could not rename %s to %s: %m", oldname,
|
||||
lastfile);
|
||||
else
|
||||
syslog(LOG_INFO, "renamed %s to %s",
|
||||
oldname, lastfile);
|
||||
@ -286,7 +287,7 @@ swap_audit_file(void)
|
||||
free(dirent->dirname);
|
||||
free(dirent);
|
||||
}
|
||||
syslog(LOG_ERR, "Log directories exhausted\n");
|
||||
syslog(LOG_ERR, "Log directories exhausted");
|
||||
return (-1);
|
||||
}
|
||||
|
||||
@ -343,7 +344,7 @@ read_control_file(void)
|
||||
* XXX is generated here?
|
||||
*/
|
||||
if (0 == (ret = getacmin(&minval))) {
|
||||
syslog(LOG_DEBUG, "min free = %d\n", minval);
|
||||
syslog(LOG_DEBUG, "min free = %d", minval);
|
||||
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
|
||||
syslog(LOG_ERR,
|
||||
"could not get audit queue settings");
|
||||
@ -494,31 +495,65 @@ register_daemon(void)
|
||||
}
|
||||
|
||||
/*
|
||||
* Suppress duplicate messages within a 30 second interval. This should be
|
||||
* enough to time to rotate log files without thrashing from soft warnings
|
||||
* generated before the log is actually rotated.
|
||||
* Handle the audit trigger event.
|
||||
*
|
||||
* We suppress (ignore) duplicated triggers in close succession in order to
|
||||
* try to avoid thrashing-like behavior. However, not all triggers can be
|
||||
* ignored, as triggers generally represent edge triggers, not level
|
||||
* triggers, and won't be retransmitted if the condition persists. Of
|
||||
* specific concern is the rotate trigger -- if one is dropped, then it will
|
||||
* not be retransmitted, and the log file will grow in an unbounded fashion.
|
||||
*/
|
||||
#define DUPLICATE_INTERVAL 30
|
||||
static void
|
||||
handle_audit_trigger(int trigger)
|
||||
{
|
||||
static int last_trigger;
|
||||
static int last_trigger, last_warning;
|
||||
static time_t last_time;
|
||||
struct dir_ent *dirent;
|
||||
|
||||
/*
|
||||
* Suppres duplicate messages from the kernel within the specified
|
||||
* interval.
|
||||
*/
|
||||
struct timeval ts;
|
||||
struct timezone tzp;
|
||||
time_t tt;
|
||||
|
||||
/*
|
||||
* Suppress duplicate messages from the kernel within the specified
|
||||
* interval.
|
||||
*/
|
||||
if (gettimeofday(&ts, &tzp) == 0) {
|
||||
tt = (time_t)ts.tv_sec;
|
||||
if ((trigger == last_trigger) &&
|
||||
(tt < (last_time + DUPLICATE_INTERVAL)))
|
||||
return;
|
||||
switch (trigger) {
|
||||
case AUDIT_TRIGGER_LOW_SPACE:
|
||||
case AUDIT_TRIGGER_NO_SPACE:
|
||||
/*
|
||||
* Triggers we can suppress. Of course, we also need
|
||||
* to rate limit the warnings, so apply the same
|
||||
* interval limit on syslog messages.
|
||||
*/
|
||||
if ((trigger == last_trigger) &&
|
||||
(tt < (last_time + DUPLICATE_INTERVAL))) {
|
||||
if (tt >= (last_warning + DUPLICATE_INTERVAL))
|
||||
syslog(LOG_INFO,
|
||||
"Suppressing duplicate trigger %d",
|
||||
trigger);
|
||||
return;
|
||||
}
|
||||
last_warning = tt;
|
||||
break;
|
||||
|
||||
case AUDIT_TRIGGER_ROTATE_KERNEL:
|
||||
case AUDIT_TRIGGER_ROTATE_USER:
|
||||
case AUDIT_TRIGGER_READ_FILE:
|
||||
/*
|
||||
* Triggers that we cannot suppress.
|
||||
*/
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* Only update last_trigger after aborting due to a duplicate
|
||||
* trigger, not before, or we will never allow that trigger
|
||||
* again.
|
||||
*/
|
||||
last_trigger = trigger;
|
||||
last_time = tt;
|
||||
}
|
||||
@ -528,7 +563,6 @@ handle_audit_trigger(int trigger)
|
||||
*/
|
||||
dirent = TAILQ_FIRST(&dir_q);
|
||||
switch(trigger) {
|
||||
|
||||
case AUDIT_TRIGGER_LOW_SPACE:
|
||||
syslog(LOG_INFO, "Got low space trigger");
|
||||
if (dirent && (dirent->softlim != 1)) {
|
||||
@ -554,7 +588,8 @@ handle_audit_trigger(int trigger)
|
||||
} else {
|
||||
/*
|
||||
* Continue auditing to the current file. Also
|
||||
* generate an allsoft warning.
|
||||
* generate an allsoft warning.
|
||||
*
|
||||
* XXX do we want to do this ?
|
||||
*/
|
||||
audit_warn_allsoft();
|
||||
@ -577,12 +612,14 @@ handle_audit_trigger(int trigger)
|
||||
audit_warn_allhard(++allhardcount);
|
||||
break;
|
||||
|
||||
case AUDIT_TRIGGER_OPEN_NEW:
|
||||
case AUDIT_TRIGGER_ROTATE_KERNEL:
|
||||
case AUDIT_TRIGGER_ROTATE_USER:
|
||||
/*
|
||||
* Create a new file and swap with the one being used in
|
||||
* kernel
|
||||
*/
|
||||
syslog(LOG_INFO, "Got open new trigger");
|
||||
syslog(LOG_INFO, "Got open new trigger from %s", trigger ==
|
||||
AUDIT_TRIGGER_ROTATE_KERNEL ? "kernel" : "user");
|
||||
if (swap_audit_file() == -1)
|
||||
syslog(LOG_ERR, "Error swapping audit file");
|
||||
break;
|
||||
@ -656,10 +693,8 @@ wait_for_events(void)
|
||||
syslog(LOG_DEBUG, "%s: SIGTERM", __FUNCTION__);
|
||||
break;
|
||||
}
|
||||
if (sigchlds != sigchlds_handled) {
|
||||
syslog(LOG_DEBUG, "%s: SIGCHLD", __FUNCTION__);
|
||||
if (sigchlds != sigchlds_handled)
|
||||
handle_sigchld();
|
||||
}
|
||||
if (sighups != sighups_handled) {
|
||||
syslog(LOG_DEBUG, "%s: SIGHUP", __FUNCTION__);
|
||||
handle_sighup();
|
||||
@ -670,7 +705,6 @@ wait_for_events(void)
|
||||
syslog(LOG_ERR, "%s: read EOF", __FUNCTION__);
|
||||
return (-1);
|
||||
}
|
||||
syslog(LOG_DEBUG, "%s: read %d", __FUNCTION__, trigger);
|
||||
if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE)
|
||||
break;
|
||||
else
|
||||
@ -691,10 +725,13 @@ config_audit_controls(void)
|
||||
au_mask_t aumask;
|
||||
int ctr = 0;
|
||||
char naeventstr[NA_EVENT_STR_SIZE];
|
||||
char polstr[POL_STR_SIZE];
|
||||
long policy;
|
||||
|
||||
/*
|
||||
* Process the audit event file, obtaining a class mapping for each
|
||||
* event, and send that mapping into the kernel.
|
||||
*
|
||||
* XXX There's a risk here that the BSM library will return NULL
|
||||
* for an event when it can't properly map it to a class. In that
|
||||
* case, we will not process any events beyond the one that failed,
|
||||
@ -703,10 +740,17 @@ config_audit_controls(void)
|
||||
ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
|
||||
ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
|
||||
if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) {
|
||||
if (ev.ae_name != NULL)
|
||||
free(ev.ae_name);
|
||||
syslog(LOG_ERR,
|
||||
"Memory allocation error when configuring audit controls.");
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* XXXRW: Currently we have no way to remove mappings from the kernel
|
||||
* when they are removed from the file-based mappings.
|
||||
*/
|
||||
evp = &ev;
|
||||
setauevent();
|
||||
while ((evp = getauevent_r(evp)) != NULL) {
|
||||
@ -746,10 +790,21 @@ config_audit_controls(void)
|
||||
"Failed to obtain non-attributable event mask.");
|
||||
|
||||
/*
|
||||
* Set the audit policy flags based on passed in parameter values.
|
||||
* If a policy is configured in audit_control(5), implement the
|
||||
* policy. However, if one isn't defined, set AUDIT_CNT to avoid
|
||||
* leaving the system in a fragile state.
|
||||
*/
|
||||
if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags)))
|
||||
syslog(LOG_ERR, "Failed to set audit policy.");
|
||||
if ((getacpol(polstr, POL_STR_SIZE) == 0) &&
|
||||
(au_strtopol(polstr, &policy) == 0)) {
|
||||
if (auditon(A_SETPOLICY, &policy, sizeof(policy)))
|
||||
syslog(LOG_ERR, "Failed to set audit policy: %m");
|
||||
} else {
|
||||
syslog(LOG_ERR, "Failed to obtain policy flags: %m");
|
||||
policy = AUDIT_CNT;
|
||||
if (auditon(A_SETPOLICY, &policy, sizeof(policy)))
|
||||
syslog(LOG_ERR,
|
||||
"Failed to set default audit policy: %m");
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
@ -826,7 +881,6 @@ main(int argc, char **argv)
|
||||
int debug = 0;
|
||||
int rc;
|
||||
|
||||
global_flags |= AUDIT_CNT;
|
||||
while ((ch = getopt(argc, argv, "dhs")) != -1) {
|
||||
switch(ch) {
|
||||
case 'd':
|
||||
@ -834,20 +888,10 @@ main(int argc, char **argv)
|
||||
debug = 1;
|
||||
break;
|
||||
|
||||
case 's':
|
||||
/* Fail-stop option. */
|
||||
global_flags &= ~(AUDIT_CNT);
|
||||
break;
|
||||
|
||||
case 'h':
|
||||
/* Halt-stop option. */
|
||||
global_flags |= AUDIT_AHLT;
|
||||
break;
|
||||
|
||||
case '?':
|
||||
default:
|
||||
(void)fprintf(stderr,
|
||||
"usage: auditd [-h | -s] [-d] \n");
|
||||
"usage: auditd [-d] \n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
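Review bot: The getopt(3) option string on the context line `while ((ch = getopt(argc, argv, "dhs")) != -1) {` still advertises -h and -s although their case labels are deleted in the same hunk of main(), so those flags now fall into the usage/exit path without getopt's own "invalid option" diagnostic; change it to `while ((ch = getopt(argc, argv, "d")) != -1) {`. In handle_audit_trigger(), `static int last_trigger, last_warning;` declares last_warning as int although it is assigned the time_t `tt` and compared with `last_warning + DUPLICATE_INTERVAL`; declare it `static time_t last_warning;` so no narrowing occurs. The suppression switch in that function has no `default:` case, so a trigger value outside the listed ones silently bypasses the suppression logic and only reaches whatever the later switch (outside this hunk) does with it; a `default:` that logs the unexpected value would make such input visible in syslog. In config_audit_controls(), `syslog(LOG_ERR, "Failed to obtain policy flags: %m");` is also reached when au_strtopol() rejects the policy string, where errno carries nothing meaningful, so the getacpol() and parse failures should be reported by separate messages. Both handle_audit_trigger() and main() continue outside their hunks.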
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#5 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $
|
||||
*/
|
||||
|
||||
#ifndef _AUDITD_H_
|
||||
@ -61,7 +61,7 @@ struct dir_ent {
|
||||
|
||||
#define HARDLIM_ALL_WARN "allhard"
|
||||
#define SOFTLIM_ALL_WARN "allsoft"
|
||||
#define AUDITOFF_WARN "aditoff"
|
||||
#define AUDITOFF_WARN "auditoff"
|
||||
#define EBUSY_WARN "ebusy"
|
||||
#define GETACDIR_WARN "getacdir"
|
||||
#define HARDLIM_WARN "hard"
|
||||
|
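Review bot: AUDITOFF_WARN is an externally visible string — it is presumably handed to the audit_warn(5) script as the warning name — so any administrator script keyed on the old misspelling `aditoff` stops matching after this rename, and the commit message does not call that out. A note in HISTORY or a comment beside the define, `/* Spelling corrected from "aditoff" in 1.0a11; update audit_warn scripts. */`, would flag the behavioural change; confirm how the macro is consumed, as that is not visible in this hunk.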
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#19 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#21 $
|
||||
*/
|
||||
|
||||
#ifndef _BSM_AUDIT_H
|
||||
@ -46,18 +46,19 @@
|
||||
* Triggers for the audit daemon.
|
||||
*/
|
||||
#define AUDIT_TRIGGER_MIN 1
|
||||
#define AUDIT_TRIGGER_LOW_SPACE 1
|
||||
#define AUDIT_TRIGGER_OPEN_NEW 2
|
||||
#define AUDIT_TRIGGER_READ_FILE 3
|
||||
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4
|
||||
#define AUDIT_TRIGGER_NO_SPACE 5
|
||||
#define AUDIT_TRIGGER_MAX 5
|
||||
#define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */
|
||||
#define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */
|
||||
#define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */
|
||||
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
|
||||
#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
|
||||
#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests roate. */
|
||||
#define AUDIT_TRIGGER_MAX 6
|
||||
|
||||
/*
|
||||
* Special file that will be read for trigger events from the kernel
|
||||
* (FreeBSD).
|
||||
* The special device filename (FreeBSD).
|
||||
*/
|
||||
#define AUDIT_TRIGGER_FILE "/dev/audit"
|
||||
#define AUDITDEV_FILENAME "audit"
|
||||
#define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME)
|
||||
|
||||
/*
|
||||
* Pre-defined audit IDs
|
||||
@ -164,12 +165,12 @@
|
||||
#define AUDIT_PERZONE 0x2000
|
||||
|
||||
/*
|
||||
* Audit queue control parameters.
|
||||
* Default audit queue control parameters.
|
||||
*/
|
||||
#define AQ_HIWATER 100
|
||||
#define AQ_MAXHIGH 10000
|
||||
#define AQ_LOWATER 10
|
||||
#define AQ_BUFSZ 1024
|
||||
#define AQ_BUFSZ MAXAUDITDATA
|
||||
#define AQ_MAXBUFSZ 1048576
|
||||
|
||||
/*
|
||||
|
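Review bot: AUDIT_TRIGGER_OPEN_NEW is removed but its value 2 is reassigned to AUDIT_TRIGGER_ROTATE_KERNEL, so a consumer built against the previous header that still sends 2 (an older audit(8) binary, for instance) will be reported by auditd as a kernel-originated rotate; reusing the number is a choice worth recording in HISTORY, and a deprecated alias `#define AUDIT_TRIGGER_OPEN_NEW AUDIT_TRIGGER_ROTATE_KERNEL /* Deprecated. */` would at least keep old sources compiling. The comment on the new define reads `/* User requests roate. */`; it should say `rotate`. AQ_BUFSZ now expands to MAXAUDITDATA, which must already be defined at this point of the header or in something it includes — I cannot confirm that from the hunk.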
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#40 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#42 $
|
||||
*/
|
||||
|
||||
#ifndef _BSM_AUDIT_KEVENTS_H_
|
||||
@ -467,6 +467,9 @@
|
||||
#define AUE_EXTATTR_SET_LINK 43111 /* FreeBSD. */
|
||||
#define AUE_EXTATTR_LIST_LINK 43112 /* FreeBSD. */
|
||||
#define AUE_EXTATTR_DELETE_LINK 43113 /* FreeBSD. */
|
||||
#define AUE_KENV 43114 /* FreeBSD. */
|
||||
#define AUE_JAIL_ATTACH 43115 /* FreeBSD. */
|
||||
#define AUE_SYSCTL_WRITE 43116 /* FreeBSD. */
|
||||
|
||||
/*
|
||||
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
|
||||
|
@ -26,7 +26,7 @@
|
||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#27 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 $
|
||||
*/
|
||||
|
||||
#ifndef _LIBBSM_H_
|
||||
@ -37,9 +37,6 @@
|
||||
* solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
|
||||
*/
|
||||
|
||||
#define AUDIT_MAX_ARGS 10
|
||||
#define AUDIT_MAX_ENV 10
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
@ -55,13 +52,25 @@
|
||||
#include <mach/mach.h> /* audit_token_t */
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Size parsed token vectors for execve(2) arguments and environmental
|
||||
* variables. Note: changing these sizes affects the ABI of the token
|
||||
* structure, and as the token structure is often placed in the caller stack,
|
||||
* this is undesirable.
|
||||
*/
|
||||
#define AUDIT_MAX_ARGS 128
|
||||
#define AUDIT_MAX_ENV 128
|
||||
|
||||
/*
|
||||
* Arguments to au_preselect(3).
|
||||
*/
|
||||
#define AU_PRS_USECACHE 0
|
||||
#define AU_PRS_REREAD 1
|
||||
|
||||
#define AU_PRS_SUCCESS 1
|
||||
#define AU_PRS_FAILURE 2
|
||||
#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
|
||||
|
||||
#define AU_PRS_USECACHE 0
|
||||
#define AU_PRS_REREAD 1
|
||||
|
||||
#define AUDIT_EVENT_FILE "/etc/security/audit_event"
|
||||
#define AUDIT_CLASS_FILE "/etc/security/audit_class"
|
||||
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
|
||||
@ -71,6 +80,7 @@
|
||||
#define MINFREE_CONTROL_ENTRY "minfree"
|
||||
#define FLAGS_CONTROL_ENTRY "flags"
|
||||
#define NA_CONTROL_ENTRY "naflags"
|
||||
#define POLICY_CONTROL_ENTRY "policy"
|
||||
|
||||
#define AU_CLASS_NAME_MAX 8
|
||||
#define AU_CLASS_DESC_MAX 72
|
||||
@ -711,11 +721,14 @@ int getacdir(char *name, int len);
|
||||
int getacmin(int *min_val);
|
||||
int getacflg(char *auditstr, int len);
|
||||
int getacna(char *auditstr, int len);
|
||||
int getacpol(char *auditstr, size_t len);
|
||||
int getauditflagsbin(char *auditstr, au_mask_t *masks);
|
||||
int getauditflagschar(char *auditstr, au_mask_t *masks,
|
||||
int verbose);
|
||||
int au_preselect(au_event_t event, au_mask_t *mask_p,
|
||||
int sorf, int flag);
|
||||
ssize_t au_poltostr(long policy, size_t maxsize, char *buf);
|
||||
int au_strtopol(const char *polstr, long *policy);
|
||||
|
||||
/*
|
||||
* Functions relating to querying audit event information.
|
||||
|
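Review bot: The new prototype `int getacpol(char *auditstr, size_t len);` takes its buffer length as size_t while the adjacent getacflg() and getacna() take int, and `ssize_t au_poltostr(long policy, size_t maxsize, char *buf);` places the size before the buffer, unlike the (buffer, length) order used by the rest of this block; the mixed conventions invite sign-conversion mistakes in callers. Either follow the existing int convention or add a comment above the new declarations stating that they deliberately use size_t and why. The AUDIT_MAX_ARGS/AUDIT_MAX_ENV comment correctly notes the ABI impact; the token structure whose size changes is outside this hunk.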
66
contrib/openbsm/compat/strlcat.h
Normal file
@ -0,0 +1,66 @@
|
||||
/*
|
||||
* Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote products
|
||||
* derived from this software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
||||
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
||||
* THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
||||
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
||||
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
||||
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
||||
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
||||
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* dollar OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp dollar
|
||||
*/
|
||||
|
||||
/*
|
||||
* Appends src to string dst of size siz (unlike strncat, siz is the
|
||||
* full size of dst, not space left). At most siz-1 characters
|
||||
* will be copied. Always NUL terminates (unless siz <= strlen(dst)).
|
||||
* Returns strlen(src) + MIN(siz, strlen(initial dst)).
|
||||
* If retval >= siz, truncation occurred.
|
||||
*/
|
||||
static size_t
|
||||
strlcat(dst, src, siz)
|
||||
char *dst;
|
||||
const char *src;
|
||||
size_t siz;
|
||||
{
|
||||
char *d = dst;
|
||||
const char *s = src;
|
||||
size_t n = siz;
|
||||
size_t dlen;
|
||||
|
||||
/* Find the end of dst and adjust bytes left but don't go past end */
|
||||
while (n-- != 0 && *d != '\0')
|
||||
d++;
|
||||
dlen = d - dst;
|
||||
n = siz - dlen;
|
||||
|
||||
if (n == 0)
|
||||
return(dlen + strlen(s));
|
||||
while (*s != '\0') {
|
||||
if (n != 1) {
|
||||
*d++ = *s;
|
||||
n--;
|
||||
}
|
||||
s++;
|
||||
}
|
||||
*d = '\0';
|
||||
|
||||
return(dlen + (s - src)); /* count does not include NUL */
|
||||
}
|
@ -86,6 +86,9 @@
|
||||
/* Define to 1 if you have the <string.h> header file. */
|
||||
#undef HAVE_STRING_H
|
||||
|
||||
/* Define to 1 if you have the `strlcat' function. */
|
||||
#undef HAVE_STRLCAT
|
||||
|
||||
/* Define to 1 if you have the `strrchr' function. */
|
||||
#undef HAVE_STRRCHR
|
||||
|
||||
|
25
contrib/openbsm/configure
vendored
@ -1,7 +1,7 @@
|
||||
#! /bin/sh
|
||||
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#28 .
|
||||
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 .
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a10.
|
||||
# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11.
|
||||
#
|
||||
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
|
||||
#
|
||||
@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='OpenBSM'
|
||||
PACKAGE_TARNAME='openbsm'
|
||||
PACKAGE_VERSION='1.0a10'
|
||||
PACKAGE_STRING='OpenBSM 1.0a10'
|
||||
PACKAGE_VERSION='1.0a11'
|
||||
PACKAGE_STRING='OpenBSM 1.0a11'
|
||||
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
|
||||
|
||||
ac_unique_file="bin/auditreduce/auditreduce.c"
|
||||
@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures OpenBSM 1.0a10 to adapt to many kinds of systems.
|
||||
\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@ -1021,7 +1021,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of OpenBSM 1.0a10:";;
|
||||
short | recursive ) echo "Configuration of OpenBSM 1.0a11:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@ -1162,7 +1162,7 @@ fi
|
||||
test -n "$ac_init_help" && exit 0
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
OpenBSM configure 1.0a10
|
||||
OpenBSM configure 1.0a11
|
||||
generated by GNU Autoconf 2.59
|
||||
|
||||
Copyright (C) 2003 Free Software Foundation, Inc.
|
||||
@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by OpenBSM $as_me 1.0a10, which was
|
||||
It was created by OpenBSM $as_me 1.0a11, which was
|
||||
generated by GNU Autoconf 2.59. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
@ -19278,7 +19278,7 @@ fi
|
||||
|
||||
# Define the identity of the package.
|
||||
PACKAGE=OpenBSM
|
||||
VERSION=1.0a10
|
||||
VERSION=1.0a11
|
||||
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
@ -22834,7 +22834,8 @@ done
|
||||
|
||||
|
||||
|
||||
for ac_func in bzero clock_gettime ftruncate gettimeofday inet_ntoa memset strchr strerror strrchr strstr strtol strtoul
|
||||
|
||||
for ac_func in bzero clock_gettime ftruncate gettimeofday inet_ntoa memset strchr strerror strlcat strrchr strstr strtol strtoul
|
||||
do
|
||||
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
echo "$as_me:$LINENO: checking for $ac_func" >&5
|
||||
@ -23478,7 +23479,7 @@ _ASBOX
|
||||
} >&5
|
||||
cat >&5 <<_CSEOF
|
||||
|
||||
This file was extended by OpenBSM $as_me 1.0a10, which was
|
||||
This file was extended by OpenBSM $as_me 1.0a11, which was
|
||||
generated by GNU Autoconf 2.59. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@ -23541,7 +23542,7 @@ _ACEOF
|
||||
|
||||
cat >>$CONFIG_STATUS <<_ACEOF
|
||||
ac_cs_version="\\
|
||||
OpenBSM config.status 1.0a10
|
||||
OpenBSM config.status 1.0a11
|
||||
configured by $0, generated by GNU Autoconf 2.59,
|
||||
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
|
||||
|
||||
|
@ -2,8 +2,8 @@
|
||||
# Process this file with autoconf to produce a configure script.
|
||||
|
||||
AC_PREREQ(2.59)
|
||||
AC_INIT([OpenBSM], [1.0a10], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
|
||||
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#29 $])
|
||||
AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
|
||||
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 $])
|
||||
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
|
||||
AC_CONFIG_AUX_DIR(config)
|
||||
AC_CONFIG_HEADER([config/config.h])
|
||||
@ -56,7 +56,7 @@ AC_FUNC_MKTIME
|
||||
AC_TYPE_SIGNAL
|
||||
AC_FUNC_STAT
|
||||
AC_FUNC_STRFTIME
|
||||
AC_CHECK_FUNCS([bzero clock_gettime ftruncate gettimeofday inet_ntoa memset strchr strerror strrchr strstr strtol strtoul])
|
||||
AC_CHECK_FUNCS([bzero clock_gettime ftruncate gettimeofday inet_ntoa memset strchr strerror strlcat strrchr strstr strtol strtoul])
|
||||
|
||||
# sys/queue.h exists on most systems, but its capabilities vary a great deal.
|
||||
# test for LIST_FIRST and TAILQ_FOREACH_SAFE, which appears to not exist in
|
||||
|
@ -1,7 +1,8 @@
|
||||
#
|
||||
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#3 $
|
||||
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#4 $
|
||||
#
|
||||
dir:/var/audit
|
||||
flags:lo
|
||||
minfree:20
|
||||
naflags:lo
|
||||
policy:cnt
|
||||
|
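Review bot: The new `policy:cnt` line selects the continue-on-failure behaviour that main() previously set by default (audit records may be dropped rather than stopping processes or halting), which is a security-relevant choice the sample file does not explain; a comment such as `# policy: cnt continues if records cannot be written; ahlt halts the system instead` above the line would tell an administrator what the alternative is. Which other policy keywords au_strtopol() accepts is not visible here.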
@ -1,5 +1,5 @@
|
||||
#
|
||||
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#12 $
|
||||
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#15 $
|
||||
#
|
||||
0:AUE_NULL:indir system call:no
|
||||
1:AUE_EXIT:exit(2):pc
|
||||
@ -117,8 +117,8 @@
|
||||
113:AUE_SYSTEMBOOT:system booted:na
|
||||
114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad
|
||||
115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad
|
||||
128:AUE_WRITEL:writel(2):fw
|
||||
129:AUE_WRITEVL:writevl(2):fw
|
||||
128:AUE_WRITEL:writel(2):no
|
||||
129:AUE_WRITEVL:writevl(2):no
|
||||
130:AUE_GETAUID:getauid(2):ad
|
||||
131:AUE_SETAUID:setauid(2):ad
|
||||
132:AUE_GETAUDIT:getaudit(2):ad
|
||||
@ -265,7 +265,7 @@
|
||||
325:AUE_DARWIN_KDEBUGTRACE:system call:pc
|
||||
326:AUE_DARWIN_FSTAT:fstat(2):fa
|
||||
327:AUE_DARWIN_FPATHCONF:fpathconf(2):fa
|
||||
328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):fr
|
||||
328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):no
|
||||
329:AUE_DARWIN_TRUNCATE:truncate(2):fw
|
||||
330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw
|
||||
331:AUE_DARWIN_SYSCTL:sysctl(3):ad
|
||||
@ -321,8 +321,8 @@
|
||||
43017:AUE_KDEBUGTRACE:system call:pc
|
||||
43018:AUE_FSTAT:fstat(2):fa
|
||||
43019:AUE_FPATHCONF:fpathconf(2):fa
|
||||
43020:AUE_GETDIRENTRIES:getdirentries(2):fr
|
||||
43021:AUE_SYSCTL:sysctl(3):ad
|
||||
43020:AUE_GETDIRENTRIES:getdirentries(2):no
|
||||
43021:AUE_SYSCTL:sysctl(3):ot
|
||||
43022:AUE_MLOCK:mlock(2):pc
|
||||
43023:AUE_MUNLOCK:munlock(2):pc
|
||||
43024:AUE_UNDELETE:undelete(2):fm
|
||||
@ -415,6 +415,9 @@
|
||||
43111:AUE_EXTATTR_SET_LINK:extattr_set_link(2):fm
|
||||
43112:AUE_EXTATTR_LIST_LINK:extattr_list_link(2):fa
|
||||
43113:AUE_EXTATTR_DELETE_LINK:extattr_delete_link(2):fm
|
||||
43114:AUE_KENV:kenv(8):ad
|
||||
43115:AUE_JAIL_ATTACH:jail_attach(2):ad
|
||||
43116:AUE_SYSCTL_WRITE:sysctl(3):ad
|
||||
#
|
||||
# User space system events.
|
||||
#
|
||||
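Review bot: Moving `43021:AUE_SYSCTL` from class `ad` to `ot` means any site whose `flags:` line selects `ad` stops seeing sysctl reads, and its coverage of sysctl writes now rests entirely on the kernel mapping every sysctl store to the new `43116:AUE_SYSCTL_WRITE:sysctl(3):ad`; that kernel-side mapping is not part of this import, so until it lands a write is audited as `ot` or not at all. In the hunks shown here the Darwin counterpart `331:AUE_DARWIN_SYSCTL:sysctl(3):ad` keeps its `ad` class and no Darwin write event is added, so the two platforms now react differently to the same `flags:` setting. A comment beside the new entry, `# 43021 (AUE_SYSCTL) is the read event, class 'ot'; writes must be reported by the kernel as 43116 (AUE_SYSCTL_WRITE)`, would make that dependency explicit for administrators tuning their classes.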
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#3 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#4 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AU_CONTROL 3
|
||||
@ -34,7 +34,10 @@
|
||||
.Nm getacdir ,
|
||||
.Nm getacmin ,
|
||||
.Nm getacflg ,
|
||||
.Nm getacna
|
||||
.Nm getacna ,
|
||||
.Nm getacpol ,
|
||||
.Nm au_poltostr
|
||||
.Nm au_strtopol
|
||||
.Nd "Look up information from the audit_control database"
|
||||
.Sh LIBRARY
|
||||
.Lb libbsm
|
||||
@ -52,6 +55,12 @@
|
||||
.Fn getacflg "char *auditstr" "int len"
|
||||
.Ft int
|
||||
.Fn getacna "char *auditstr" "int len"
|
||||
.Ft int
|
||||
.Fn getacpol "char *auditstr" "size_t len"
|
||||
.Ft ssize_t
|
||||
.Fn au_poltostr "long policy" "size_t maxsize" "char *buf"
|
||||
.Ft int
|
||||
.Fn au_strtopol "const char *polstr" "long *policy"
|
||||
.Sh DESCRIPTION
|
||||
These interfaces may be used to look up information from the
|
||||
.Xr audit_control 5
|
||||
@ -90,15 +99,42 @@ returns the non-attributable flags via the passed character buffer
|
||||
.Va auditstr
|
||||
of length
|
||||
.Va len .
|
||||
.Pp
|
||||
.Fn getacpol
|
||||
returns the audit policy flags via the passed character buffer
|
||||
.Va auditstr
|
||||
of length
|
||||
.Va len .
|
||||
.Pp
|
||||
.Fn au_poltostr
|
||||
converts a numeric audit policy mask,
|
||||
.Va policy ,
|
||||
value to a string in the passed character buffer
|
||||
.Va buf
|
||||
of lenth
|
||||
.Va maxsize .
|
||||
.Pp
|
||||
.Fn au_strtopol
|
||||
converts an audit policy flags string,
|
||||
.Va polstr ,
|
||||
to a numeric audit policy mask returned via
|
||||
.Va policy .
|
||||
.Sh RETURN VALULES
|
||||
.Fn getacdir ,
|
||||
.Fn getacmin ,
|
||||
.Fn getacflg ,
|
||||
.Fn getacna ,
|
||||
.Fn getacpol ,
|
||||
and
|
||||
.Fn getacna
|
||||
.Fn au_strtopol
|
||||
return 0 on success, or a negative value on failure, along with error
|
||||
information in
|
||||
.Va errno .
|
||||
.Pp
|
||||
.Fn au_poltostr
|
||||
returns a string length of 0 or more on success, or a negative value on
|
||||
if there is a failure.
|
||||
.Pp
|
||||
Functions that return a string value will return a failure if there is
|
||||
insufficient room in the passed character buffer for the full string.
|
||||
.Sh SEE ALSO
|
||||
|
@ -23,16 +23,17 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#4 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#5 $
|
||||
.\"
|
||||
.Dd March 4, 2006
|
||||
.Dt AU_OPEN 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm au_open ,
|
||||
.Nm au_write ,
|
||||
.Nm au_close ,
|
||||
.Nm au_close_buffer
|
||||
.Nm au_close_buffer ,
|
||||
.Nm au_close_token ,
|
||||
.Nm au_open ,
|
||||
.Nm au_write
|
||||
.Nd "Create and commit audit records"
|
||||
.Sh LIBRARY
|
||||
.Lb libbsm
|
||||
@ -120,6 +121,7 @@ return 0 on success, or a negative value on failure, along with error
|
||||
information in
|
||||
.Va errno .
|
||||
.Sh SEE ALSO
|
||||
.Xr audit_submit 3 ,
|
||||
.Xr libbsm 3
|
||||
.Sh AUTHORS
|
||||
This software was created by Robert Watson, Wayne Salamon, and Suresh
|
||||
|
@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2004 Apple Computer, Inc.
|
||||
* Copyright (c) 2006 Robert N. M. Watson
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
@ -26,7 +27,7 @@
|
||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#13 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#15 $
|
||||
*/
|
||||
|
||||
#include <bsm/libbsm.h>
|
||||
@ -37,9 +38,14 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <config/config.h>
|
||||
#ifndef HAVE_STRLCAT
|
||||
#include <compat/strlcat.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Parse the contents of the audit_control file to return the audit control
|
||||
* parameters.
|
||||
* parameters. These static fields are protected by 'mutex'.
|
||||
*/
|
||||
static FILE *fp = NULL;
|
||||
static char linestr[AU_LINE_MAX];
|
||||
@ -97,22 +103,224 @@ getstrfromtype_locked(char *name, char **str)
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Convert a policy to a string. Return -1 on failure, or >= 0 representing
|
||||
* the actual size of the string placed in the buffer (excluding terminating
|
||||
* nul).
|
||||
*/
|
||||
ssize_t
|
||||
au_poltostr(long policy, size_t maxsize, char *buf)
|
||||
{
|
||||
int first;
|
||||
|
||||
if (maxsize < 1)
|
||||
return (-1);
|
||||
first = 1;
|
||||
buf[0] = '\0';
|
||||
|
||||
if (policy & AUDIT_CNT) {
|
||||
if (strlcat(buf, "cnt", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_AHLT) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "ahlt", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_ARGV) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "argv", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_ARGE) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "arge", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_SEQ) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "seq", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_WINDATA) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "windata", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_USER) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "user", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_GROUP) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "group", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_TRAIL) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "trail", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_PATH) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "path", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_SCNT) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "scnt", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_PUBLIC) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "public", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_ZONENAME) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "zonename", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
if (policy & AUDIT_PERZONE) {
|
||||
if (!first) {
|
||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
}
|
||||
if (strlcat(buf, "perzone", maxsize) >= maxsize)
|
||||
return (-1);
|
||||
first = 0;
|
||||
}
|
||||
return (strlen(buf));
|
||||
}
|
||||
|
||||
/*
|
||||
* Convert a string to a policy. Return -1 on failure (with errno EINVAL,
|
||||
* ENOMEM) or 0 on success.
|
||||
*/
|
||||
int
|
||||
au_strtopol(const char *polstr, long *policy)
|
||||
{
|
||||
char *bufp, *string;
|
||||
char *buffer;
|
||||
|
||||
*policy = 0;
|
||||
buffer = strdup(polstr);
|
||||
if (buffer == NULL)
|
||||
return (-1);
|
||||
|
||||
bufp = buffer;
|
||||
while ((string = strsep(&bufp, ",")) != NULL) {
|
||||
if (strcmp(string, "cnt") == 0)
|
||||
*policy |= AUDIT_CNT;
|
||||
else if (strcmp(string, "ahlt") == 0)
|
||||
*policy |= AUDIT_AHLT;
|
||||
else if (strcmp(string, "argv") == 0)
|
||||
*policy |= AUDIT_ARGV;
|
||||
else if (strcmp(string, "arge") == 0)
|
||||
*policy |= AUDIT_ARGE;
|
||||
else if (strcmp(string, "seq") == 0)
|
||||
*policy |= AUDIT_SEQ;
|
||||
else if (strcmp(string, "winau_fstat") == 0)
|
||||
*policy |= AUDIT_WINDATA;
|
||||
else if (strcmp(string, "user") == 0)
|
||||
*policy |= AUDIT_USER;
|
||||
else if (strcmp(string, "group") == 0)
|
||||
*policy |= AUDIT_GROUP;
|
||||
else if (strcmp(string, "trail") == 0)
|
||||
*policy |= AUDIT_TRAIL;
|
||||
else if (strcmp(string, "path") == 0)
|
||||
*policy |= AUDIT_PATH;
|
||||
else if (strcmp(string, "scnt") == 0)
|
||||
*policy |= AUDIT_SCNT;
|
||||
else if (strcmp(string, "public") == 0)
|
||||
*policy |= AUDIT_PUBLIC;
|
||||
else if (strcmp(string, "zonename") == 0)
|
||||
*policy |= AUDIT_ZONENAME;
|
||||
else if (strcmp(string, "perzone") == 0)
|
||||
*policy |= AUDIT_PERZONE;
|
||||
else {
|
||||
free(buffer);
|
||||
errno = EINVAL;
|
||||
return (-1);
|
||||
}
|
||||
}
|
||||
free(buffer);
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Rewind the file pointer to beginning.
|
||||
*/
|
||||
static void
|
||||
setac_locked(void)
|
||||
{
|
||||
|
||||
ptrmoved = 1;
|
||||
if (fp != NULL)
|
||||
fseek(fp, 0, SEEK_SET);
|
||||
}
|
||||
|
||||
void
|
||||
setac(void)
|
||||
{
|
||||
|
||||
pthread_mutex_lock(&mutex);
|
||||
ptrmoved = 1;
|
||||
if (fp != NULL)
|
||||
fseek(fp, 0, SEEK_SET);
|
||||
setac_locked();
|
||||
pthread_mutex_unlock(&mutex);
|
||||
}
|
||||
|
||||
/*
|
||||
* Close the audit_control file
|
||||
* Close the audit_control file.
|
||||
*/
|
||||
void
|
||||
endac(void)
|
||||
@ -136,72 +344,54 @@ getacdir(char *name, int len)
|
||||
char *dir;
|
||||
int ret = 0;
|
||||
|
||||
if (name == NULL) {
|
||||
errno = EINVAL;
|
||||
return (-2);
|
||||
}
|
||||
|
||||
pthread_mutex_lock(&mutex);
|
||||
|
||||
/*
|
||||
* Check if another function was called between
|
||||
* successive calls to getacdir
|
||||
* Check if another function was called between successive calls to
|
||||
* getacdir.
|
||||
*/
|
||||
pthread_mutex_lock(&mutex);
|
||||
if (inacdir && ptrmoved) {
|
||||
ptrmoved = 0;
|
||||
if (fp != NULL)
|
||||
fseek(fp, 0, SEEK_SET);
|
||||
ret = 2;
|
||||
}
|
||||
|
||||
|
||||
if (getstrfromtype_locked(DIR_CONTROL_ENTRY, &dir) < 0) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-2);
|
||||
}
|
||||
|
||||
pthread_mutex_unlock(&mutex);
|
||||
|
||||
if (dir == NULL)
|
||||
if (dir == NULL) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-1);
|
||||
|
||||
if (strlen(dir) >= len)
|
||||
}
|
||||
if (strlen(dir) >= len) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-3);
|
||||
|
||||
}
|
||||
strcpy(name, dir);
|
||||
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the minimum free diskspace value from the audit control file
|
||||
* Return the minimum free diskspace value from the audit control file.
|
||||
*/
|
||||
int
|
||||
getacmin(int *min_val)
|
||||
{
|
||||
char *min;
|
||||
|
||||
setac();
|
||||
|
||||
if (min_val == NULL) {
|
||||
errno = EINVAL;
|
||||
return (-2);
|
||||
}
|
||||
|
||||
pthread_mutex_lock(&mutex);
|
||||
|
||||
setac_locked();
|
||||
if (getstrfromtype_locked(MINFREE_CONTROL_ENTRY, &min) < 0) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-2);
|
||||
}
|
||||
|
||||
pthread_mutex_unlock(&mutex);
|
||||
|
||||
if (min == NULL)
|
||||
if (min == NULL) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (1);
|
||||
|
||||
}
|
||||
*min_val = atoi(min);
|
||||
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -213,30 +403,22 @@ getacflg(char *auditstr, int len)
|
||||
{
|
||||
char *str;
|
||||
|
||||
setac();
|
||||
|
||||
if (auditstr == NULL) {
|
||||
errno = EINVAL;
|
||||
return (-2);
|
||||
}
|
||||
|
||||
pthread_mutex_lock(&mutex);
|
||||
|
||||
setac_locked();
|
||||
if (getstrfromtype_locked(FLAGS_CONTROL_ENTRY, &str) < 0) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-2);
|
||||
}
|
||||
|
||||
pthread_mutex_unlock(&mutex);
|
||||
|
||||
if (str == NULL)
|
||||
if (str == NULL) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (1);
|
||||
|
||||
if (strlen(str) >= len)
|
||||
}
|
||||
if (strlen(str) >= len) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-3);
|
||||
|
||||
}
|
||||
strcpy(auditstr, str);
|
||||
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -248,28 +430,47 @@ getacna(char *auditstr, int len)
|
||||
{
|
||||
char *str;
|
||||
|
||||
setac();
|
||||
|
||||
if (auditstr == NULL) {
|
||||
errno = EINVAL;
|
||||
return (-2);
|
||||
}
|
||||
|
||||
pthread_mutex_lock(&mutex);
|
||||
|
||||
setac_locked();
|
||||
if (getstrfromtype_locked(NA_CONTROL_ENTRY, &str) < 0) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-2);
|
||||
}
|
||||
pthread_mutex_unlock(&mutex);
|
||||
|
||||
if (str == NULL)
|
||||
if (str == NULL) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (1);
|
||||
|
||||
if (strlen(str) >= len)
|
||||
}
|
||||
if (strlen(str) >= len) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-3);
|
||||
|
||||
}
|
||||
strcpy(auditstr, str);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the policy field from the audit control file.
|
||||
*/
|
||||
int
|
||||
getacpol(char *auditstr, size_t len)
|
||||
{
|
||||
char *str;
|
||||
|
||||
pthread_mutex_lock(&mutex);
|
||||
setac_locked();
|
||||
if (getstrfromtype_locked(POLICY_CONTROL_ENTRY, &str) < 0) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-2);
|
||||
}
|
||||
if (str == NULL) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-1);
|
||||
}
|
||||
if (strlen(str) >= len) {
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (-3);
|
||||
}
|
||||
strcpy(auditstr, str);
|
||||
pthread_mutex_unlock(&mutex);
|
||||
return (0);
|
||||
}
|
||||
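Review bot: getacna() is the one accessor in this file whose success path has no `pthread_mutex_unlock(&mutex);` before `return (0);` after the `strcpy(auditstr, str);`, unlike the matching edits to getacflg() and the new getacpol(); the rendering does not show whether the early unlock right after the getstrfromtype_locked() error block survives on the new side, but the function is wrong either way. If that early unlock was dropped, a successful getacna() returns with the (non-recursive) mutex held and the next getac*() call from auditd self-deadlocks; if it was kept, the `str == NULL` and `strlen(str) >= len` branches unlock twice and the strcpy() reads the shared line buffer without the lock. The fix is to delete the early unlock and add `pthread_mutex_unlock(&mutex);` directly after `strcpy(auditstr, str);`, mirroring getacflg(). Separately, au_strtopol() tests `strcmp(string, "winau_fstat")` for AUDIT_WINDATA while au_poltostr() emits `"windata"`, so a `policy:windata` line is rejected with EINVAL and the string/flag round trip cannot succeed; the comparison should be `else if (strcmp(string, "windata") == 0)`.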
|
@ -31,7 +31,7 @@
|
||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#40 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 $
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -1190,7 +1190,8 @@ fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
|
||||
|
||||
for (i = 0; i < tok->tt.execarg.count; i++) {
|
||||
bptr = buf + tok->len;
|
||||
tok->tt.execarg.text[i] = bptr;
|
||||
if (i < AUDIT_MAX_ARGS)
|
||||
tok->tt.execarg.text[i] = bptr;
|
||||
|
||||
/* Look for a null terminated string. */
|
||||
while (bptr && (*bptr != '\0')) {
|
||||
@ -1202,6 +1203,8 @@ fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
|
||||
return (-1);
|
||||
tok->len++; /* \0 character */
|
||||
}
|
||||
if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
|
||||
tok->tt.execarg.count = AUDIT_MAX_ARGS;
|
||||
|
||||
return (0);
|
||||
}
|
||||
@ -1235,9 +1238,10 @@ fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
|
||||
if (err)
|
||||
return (-1);
|
||||
|
||||
for (i = 0; i< tok->tt.execenv.count; i++) {
|
||||
for (i = 0; i < tok->tt.execenv.count; i++) {
|
||||
bptr = buf + tok->len;
|
||||
tok->tt.execenv.text[i] = bptr;
|
||||
if (i < AUDIT_MAX_ENV)
|
||||
tok->tt.execenv.text[i] = bptr;
|
||||
|
||||
/* Look for a null terminated string. */
|
||||
while (bptr && (*bptr != '\0')) {
|
||||
@ -1249,6 +1253,8 @@ fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
|
||||
return (-1);
|
||||
tok->len++; /* \0 character */
|
||||
}
|
||||
if (tok->tt.execenv.count > AUDIT_MAX_ENV)
|
||||
tok->tt.execenv.count = AUDIT_MAX_ENV;
|
||||
|
||||
return (0);
|
||||
}
|
||||
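Review bot: The clamp `tok->tt.execarg.count = AUDIT_MAX_ARGS` after the loop silently drops every argument past the table size, and nothing in the parsed token lets a consumer (praudit, a log parser) tell that it is looking at a truncated execve argument list — for an audit trail that is evidence loss without a marker. The loop still advances `tok->len` over all `count` strings from the record, so the token is consumed correctly and the fix itself looks right; a comment above the clamp, `/* The record may carry more args than text[] can index; only the first AUDIT_MAX_ARGS are exposed, the rest are parsed past and dropped. */`, would make the limitation visible, and the same comment belongs on the execenv clamp. Both fetch_execarg_tok() and fetch_execenv_tok() begin outside this hunk, so whether `count` is validated against `len` before the loop cannot be confirmed from here.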
|
@ -30,7 +30,7 @@
|
||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#51 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#52 $
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -71,7 +71,6 @@
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/socketvar.h>
|
||||
|
||||
#include <bsm/audit_internal.h>
|
||||
#include <bsm/libbsm.h>
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#5 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#7 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt LIBBSM 3
|
||||
@ -55,15 +55,18 @@ These are described respectively in the
|
||||
.Xr au_notify 3 ,
|
||||
.Xr au_stream 3 ,
|
||||
.Xr au_token 3 ,
|
||||
and
|
||||
.Xr au_user 3
|
||||
man pages.
|
||||
manual pages.
|
||||
.Ss Audit Event Stream Interfaces
|
||||
Audit event stream interfaces support interaction with file-backed audit
|
||||
event streams:
|
||||
.Xr au_close 3 .
|
||||
.Xr au_close 3 ,
|
||||
.Xr au_close_buffer 3 ,
|
||||
.Xr au_free_token 3 ,
|
||||
.Xr au_open 3 ,
|
||||
.Xr au_write 3 ,
|
||||
.Xr audit_submit 3 .
|
||||
.Ss Audit Class Interfaces
|
||||
Audit class interfaces support the look up of information from the
|
||||
.Xr audit_class 5
|
||||
@ -83,7 +86,10 @@ database:
|
||||
.Xr getacdir 3 ,
|
||||
.Xr getacflg 3 ,
|
||||
.Xr getacmin 3 ,
|
||||
.Xr getacna 3 .
|
||||
.Xr getacna 3 ,
|
||||
.Xr getacpol 3 ,
|
||||
.Xr au_poltostr 3 ,
|
||||
.Xr au_strtopol 3 .
|
||||
.Ss Audit Event Interfaces
|
||||
Audit event interfaces support the look up of information from the
|
||||
.Xr audit_event 5
|
||||
@ -188,6 +194,7 @@ database:
|
||||
.Xr au_stream 3 ,
|
||||
.Xr au_token 3 ,
|
||||
.Xr au_user 3 ,
|
||||
.Xr audit_submit 3 ,
|
||||
.Xr audit_class 5 ,
|
||||
.Xr audit_control 5
|
||||
.Sh AUTHORS
|
||||
|
@ -25,7 +25,7 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#9 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#11 $
|
||||
.\"
|
||||
.Dd January 4, 2006
|
||||
.Dt AUDIT_CONTROL 5
|
||||
@ -63,6 +63,9 @@ an action cannot be attributed to a specific user.
|
||||
The minimum free space required on the file system audit logs are being written to.
|
||||
When the free space falls below this limit a warning will be issued.
|
||||
Not currently used as the value of 20 percent is chosen by the kernel.
|
||||
.It Va policy
|
||||
A list of global audit policy flags specifying various behaviors, such as
|
||||
fail stop, auditing of paths and arguments, etc.
|
||||
.El
|
||||
.Sh AUDIT FLAGS
|
||||
Audit flags are a comma-delimited list of audit classes as defined in the
|
||||
@ -86,6 +89,53 @@ Do not record successful events
|
||||
.It ^-
|
||||
Do not record failed events
|
||||
.El
|
||||
.Sh AUDIT POLICY FLAGS
|
||||
The policy flags field is a comma-delimited list of policy flags from the
|
||||
following list:
|
||||
.Pp
|
||||
.Bl -tag -width zonename -compact -offset indent
|
||||
.It cnt
|
||||
Allow processes to continue running even though events are not being audited.
|
||||
If not set, processes will be suspended when the audit store space is
|
||||
exhausted.
|
||||
Currently, this is not a recoverable state.
|
||||
.It ahlt
|
||||
Fail stop the system if unable to audit an event--this consists of first
|
||||
draining pending records to disk, and then halting the operating system.
|
||||
.It argv
|
||||
Audit command line arguments to
|
||||
.Xr execve 2 .
|
||||
.It arge
|
||||
Audit environmental variable arguments to
|
||||
.Xr execve 2 .
|
||||
.It seq
|
||||
Include a unique audit sequence number token in generated audit records (not
|
||||
implemented on FreeBSD or Darwin).
|
||||
.It group
|
||||
Include supplementary groups list in generated audit records (not implemented
|
||||
on FreeBSD or Darwin; supplementary groups are never included in records on
|
||||
these systems).
|
||||
.It trail
|
||||
Append a trailer token to each audit record (not implemented on FreeBSD or
|
||||
Darwin; trailers are always included in records on these systems).
|
||||
.It path
|
||||
Include secondary file paths in audit records (not implemented on FreeBSD or
|
||||
Darwin; secondary paths are never included in records on these systems).
|
||||
.It zonename
|
||||
Include a zone ID token with each audit record (not implemented on FreeBSD or
|
||||
Darwin; FreeBSD audit records do not currently include the jail ID or name.)
|
||||
.It perzone
|
||||
Enable auditing for each local zone (not implemented on FreeBSD or Darwin; on
|
||||
FreeBSD, audit records are collected from all jails and placed in a single
|
||||
global trail, and only limited audit controls are permitted within a jail.)
|
||||
.El
|
||||
.Pp
|
||||
It is recommended that installations set the
|
||||
.Dv cnt
|
||||
flag but not
|
||||
.Dv ahlt
|
||||
flag unless it is intended that audit logs exceeding available disk space
|
||||
halt the system.
|
||||
.Sh DEFAULT
|
||||
The following settings appear in the default
|
||||
.Nm
|
||||
@ -95,12 +145,18 @@ dir:/var/audit
|
||||
flags:lo
|
||||
minfree:20
|
||||
naflags:lo
|
||||
policy:cnt
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
.Va flags
|
||||
parameter above specifies the system-wide mask corresponding to login/logout
|
||||
events.
|
||||
The
|
||||
.Va policy
|
||||
parameter specifies that the system should neither fail stop nor suspend
|
||||
processes when the audit store fills.
|
||||
will be audited.
|
||||
.Sh FILES
|
||||
.Bl -tag -width "/etc/security/audit_control" -compact
|
||||
.It Pa /etc/security/audit_control
|
||||
|
@ -25,7 +25,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#7 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AUDITON 2
|
||||
@ -192,7 +192,7 @@ structure. The
|
||||
field will be set to the maximum audit log file size.
|
||||
A value of 0 indicates no limit to the size.
|
||||
The
|
||||
.Ft af_filesz
|
||||
.Ft af_currsz
|
||||
will be set to the current audit log file size.
|
||||
.It Dv A_GETCWD
|
||||
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
||||
|
BIN
contrib/openbsm/test/reference/arg32_record
Normal file
BIN
contrib/openbsm/test/reference/arg32_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/arg32_token
Normal file
BIN
contrib/openbsm/test/reference/arg32_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/data_record
Normal file
BIN
contrib/openbsm/test/reference/data_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/data_token
Normal file
BIN
contrib/openbsm/test/reference/data_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/file_record
Normal file
BIN
contrib/openbsm/test/reference/file_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/file_token
Normal file
BIN
contrib/openbsm/test/reference/file_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/header32_token
Normal file
BIN
contrib/openbsm/test/reference/header32_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/in_addr_record
Normal file
BIN
contrib/openbsm/test/reference/in_addr_record
Normal file
Binary file not shown.
1
contrib/openbsm/test/reference/in_addr_token
Normal file
1
contrib/openbsm/test/reference/in_addr_token
Normal file
@ -0,0 +1 @@
|
||||
*<2A><>d
|
BIN
contrib/openbsm/test/reference/ip_record
Normal file
BIN
contrib/openbsm/test/reference/ip_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/ip_token
Normal file
BIN
contrib/openbsm/test/reference/ip_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/ipc_record
Normal file
BIN
contrib/openbsm/test/reference/ipc_record
Normal file
Binary file not shown.
1
contrib/openbsm/test/reference/ipc_token
Normal file
1
contrib/openbsm/test/reference/ipc_token
Normal file
@ -0,0 +1 @@
|
||||
"4Vx
|
BIN
contrib/openbsm/test/reference/iport_record
Normal file
BIN
contrib/openbsm/test/reference/iport_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/iport_token
Normal file
BIN
contrib/openbsm/test/reference/iport_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/opaque_record
Normal file
BIN
contrib/openbsm/test/reference/opaque_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/opaque_token
Normal file
BIN
contrib/openbsm/test/reference/opaque_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/path_record
Normal file
BIN
contrib/openbsm/test/reference/path_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/path_token
Normal file
BIN
contrib/openbsm/test/reference/path_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/process32_record
Normal file
BIN
contrib/openbsm/test/reference/process32_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/process32_token
Normal file
BIN
contrib/openbsm/test/reference/process32_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/process32ex_record
Normal file
BIN
contrib/openbsm/test/reference/process32ex_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/process32ex_token
Normal file
BIN
contrib/openbsm/test/reference/process32ex_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/return32_record
Normal file
BIN
contrib/openbsm/test/reference/return32_record
Normal file
Binary file not shown.
1
contrib/openbsm/test/reference/return32_token
Normal file
1
contrib/openbsm/test/reference/return32_token
Normal file
@ -0,0 +1 @@
|
||||
'<27>4Vx
|
BIN
contrib/openbsm/test/reference/seq_record
Normal file
BIN
contrib/openbsm/test/reference/seq_record
Normal file
Binary file not shown.
1
contrib/openbsm/test/reference/seq_token
Normal file
1
contrib/openbsm/test/reference/seq_token
Normal file
@ -0,0 +1 @@
|
||||
/4Vx
|
BIN
contrib/openbsm/test/reference/subject32_record
Normal file
BIN
contrib/openbsm/test/reference/subject32_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/subject32_token
Normal file
BIN
contrib/openbsm/test/reference/subject32_token
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/subject32ex_record
Normal file
BIN
contrib/openbsm/test/reference/subject32ex_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/subject32ex_token-IPv4
Normal file
BIN
contrib/openbsm/test/reference/subject32ex_token-IPv4
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/subject32ex_token-IPv6
Normal file
BIN
contrib/openbsm/test/reference/subject32ex_token-IPv6
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/text_record
Normal file
BIN
contrib/openbsm/test/reference/text_record
Normal file
Binary file not shown.
BIN
contrib/openbsm/test/reference/text_token
Normal file
BIN
contrib/openbsm/test/reference/text_token
Normal file
Binary file not shown.
1
contrib/openbsm/test/reference/trailer_token
Normal file
1
contrib/openbsm/test/reference/trailer_token
Normal file
@ -0,0 +1 @@
|
||||
<13>4Vx
|
BIN
contrib/openbsm/test/samples/execve-long-args.trail
Normal file
BIN
contrib/openbsm/test/samples/execve-long-args.trail
Normal file
Binary file not shown.
@ -1,5 +1,5 @@
|
||||
/*-
|
||||
* Copyright (c) 2005 Robert N. M. Watson
|
||||
* Copyright (c) 2005-2006 Robert N. M. Watson
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
@ -23,7 +23,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#5 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#6 $
|
||||
*/
|
||||
|
||||
#include <bsm/libbsm.h>
|
||||
@ -77,8 +77,9 @@ audump_class_r(void)
|
||||
static void
|
||||
audump_control(void)
|
||||
{
|
||||
char string[PATH_MAX];
|
||||
char string[PATH_MAX], string2[PATH_MAX];
|
||||
int ret, val;
|
||||
long policy;
|
||||
|
||||
ret = getacflg(string, PATH_MAX);
|
||||
if (ret == -2)
|
||||
@ -116,6 +117,15 @@ audump_control(void)
|
||||
printf("dir:%s\n", string);
|
||||
|
||||
} while (ret == 0);
|
||||
|
||||
ret = getacpol(string, PATH_MAX);
|
||||
if (ret != 0)
|
||||
err(-1, "getacpol");
|
||||
if (au_strtopol(string, &policy) < 0)
|
||||
err(-1, "au_strtopol");
|
||||
if (au_poltostr(policy, string2, PATH_MAX) < 0)
|
||||
err(-1, "au_poltostr");
|
||||
printf("policy:%s\n", string2);
|
||||
}
|
||||
|
||||
static void
|
||||
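Review bot: The au_poltostr() call in audump_control() has its arguments in the wrong order: the prototype introduced by this import is `au_poltostr(long policy, size_t maxsize, char *buf)`, but the call reads `au_poltostr(policy, string2, PATH_MAX)`, which passes the buffer pointer as the size and `PATH_MAX` as the destination pointer. With the prototype in scope that is at best a compiler diagnostic, and at runtime it writes the policy string to address 1024 and crashes as soon as audit_control contains a `policy:` line. The call should be `if (au_poltostr(policy, PATH_MAX, string2) < 0)`. Also, getacpol() returns -1 when no `policy:` entry exists, and `if (ret != 0) err(-1, "getacpol")` turns that common configuration into a hard exit; audump should distinguish `ret == -1` (no entry, print nothing or the default) from a real failure.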
|