d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial vendor import of the TrustedBSD OpenBSM distribution, version

Browse Source 
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems.  Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs.  This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.

This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.

This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>.  The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.

Many thanks to:	wsalamon, trhodes
Obtained from:	TrustedBSD Project
This commit is contained in:
Robert Watson 2006-01-31 19:40:12 +00:00
commit ca0716f571
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor/openbsm/dist/; revision=155131
svn path=/vendor/openbsm/1.0-ALPHA-1/; revision=155133; tag=vendor/openbsm/1.0-ALPHA-1
72 changed files with 15884 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
contrib/openbsm/CHANGELOG Normal file
View File

@ -0,0 +1,69 @@
OpenBSM 1.0
- Import of Darwin74 BSM drop
- Use 'syslog' for audit log warnings, rather than echoing to a file in
audit_warn.
- Compile using BSD make infrastructure.
- Integrate bsm/ include files from Darwin74 XNU drop into OpenBSM.
- Narrow set of symbols and defines that are exposed in user space: don't
compile in code relying on kernel-only types such as 'struct socket'.
- Add README, including basic build documentation.
- Compilation of Apple-specific notify and Machroutines now #ifdef __APPLE__.
- Staticize libbsm global variables to avoid leakage into application.
- Add free_au_user_ent() so that au_user_ent's don't have to be leaked.
- Clean up bogus nul-termination checks in libbsm.
- Add libbsm API man pages: au_class.3 au_control.3 au_event.3
au_free_token.3 au_io.3 au_mask.3 au_token.3 au_user.3 libbsm.3.
- Add man pages for BSM system calls: audit.2 auditctl.2 auditon.2 getaudit.2
getauid.2 setaudit.2 setauid.2
- Modify various libbsm interfaces to more consistently return 'errno' values
on failure.
- Break out au_close() into constituent parts, allowing records to be written
to memory as well as files.
- Prefix various defines with 'BSM_' to reduce name space pollution.
- Added audit_internal.h, which can be used by a kernel audit implementation
wanting to rely on libbsm components.
- Build with warnings, and eliminate warnings.
- Make libbsm endian-independent, storing and reading BSM are big endian
(network byte order) rather than native byte order. More consistently
print IP addresses using the IP address print routine. These changes
make use of sys/endian.h from *BSD; since this isn't present on Darwin,
add it to OpenBSM as compat/endian.h, which is used only on Darwin.
- Import of Darwin80 BSM drop, including 64-bit file IDs, better
documentation of private APIs, and bug fixes.
- White space cleanup.
- Add audit.log.5, a first cut at a man page documenting the BSM file format.
- Teach au_read_rec() to recognize stand-alone file tokens, which are present
at the beginning and end of Solaris audit trails. Technically, these
appear to violate the high level BSM spec, which suggests that all tokens
are present in records, but need to be supported.
- Implement HEADER64, ATTR64, SUBJECT64 token types, which make it possible
to run praudit(1) on basic Solaris BSM streams.
- Switched to Solaris spelling of token names; Darwin spellings are now
deprecated and will be removed in a future version of OpenBSM.
- Adopt Solaris model for representing IPv4 and IPv6 addresses.
- Prefer C99 types.
- Attempt to universally adopt the BSD style(9) coding style for
consistency.
- auditreduce(1) now has a usage message.
- Update support for auditctl(2) system call to support FreeBSD.
- Add support for /dev/audit as the trigger source on FreeBSD.
- Add additional event types for Darwin, FreeBSD, and Solaris. Annotate
conflicts (there are a few, unfortunately). Correct spellings, comment,
sort, etc. These include {get,set}res[ug]id(), sendfile(), lchflags(),
eaccess(), kqueue(), kevent(), poll(), lchmod().
- Relicensed under a BSD license, many thanks to Apple, Inc!
- Many bug fixes, cleanups, thread safety in the class, control, event,
and user system audit databases. Annotate some persisting atomicity
bugs associated with the API and implementation.
- Add audump test tool.
- Adopt OpenSolaris BSM API memory semantics: caller allocates memory,
or static memory is returned for non-_r() versions of API calls.
_free() calls dropped as a result, and source code compatibility with
OpenSolaris improved significantly.
- Annotate BSM events with origin OS and compatibility information.
- auditd(8), audit(8) added to the OpenBSM distribution. auditd extended
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#6 $

33
contrib/openbsm/LICENSE Normal file
View File

@ -0,0 +1,33 @@
OpenBSM is covered by a number of copyrights, with licenses being either two
or three clause BSD licenses. Individual file headers should be consulted
for specific copyrights on specific components. The TrustedBSD Project would
appreciate the contribution of fixes and enhancements under identical or
substantially similar licenses:
* Copyright (c) <year> <copyright holder>
* All rights reserved.
*
* <any additional comments or credits>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
$P4: //depot/projects/trustedbsd/openbsm/LICENSE#4 $

9
contrib/openbsm/Makefile Normal file
View File

@ -0,0 +1,9 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/Makefile#2 $
#
SUBDIR= bsm \
libbsm \
bin
.include <bsd.subdir.mk>

86
contrib/openbsm/README Normal file
View File

@ -0,0 +1,86 @@
OpenBSM 1.0
Introduction
OpenBSM provides an open source implementation of Sun's BSM Audit API.
Originally created under contract to Apple Computer by McAfee Research,
this implementation is now maintained by volunteers and the generous
contribution of several organizations. Coupled with a kernel audit
implementation, OpenBSM can be used to maintain system audit streams, and
is a foundation for an Audit-enabled system.
Contents
OpenBSM consists of several directories:
bin/ Audit-related command line tools
bsm/ System include files for BSM
etc/ Sample /etc/security configuration files
libbsm/ Implementation of BSM library interfaces and man pages
man/ System call and configuration file man pages
OpenBSM currently builds on FreeBSD and Darwin. With Makefile adjustment
and minor tweaks, it should build without problems on a broad range of
POSIX-like systems.
Building
OpenBSM is currently built using a series of BSD make files which should
work on both FreeBSD and Darwin. One known issue is that versions of
Darwin prior to 10.3.8 have a nested include of "sys/audit.h" from
"sys/proc.h", which can result in type definition conflicts. If running
with include files from an earlier version of Darwin, the nested include
must be manually removed in order that libbsm can be built, due to
potentially conflicting types resulting from an include of "sys/sysctl.h"
by that file. On Darwin, the use of BSD make must be specified explicitly
by using "bsdmake" rather than "make", which on Darwin refers to GNU make.
Typical invocations from the OpenBSM tree root:
FreeBSD
% make
# make install
Darwin
% bsdmake
# bsdmake install
Credits
The following organizations and individuals have contributed substantially
to the development of OpenBSM:
Apple Computer, Inc.
McAfee Research, McAfee, Inc.
SPARTA, Inc.
Robert Watson
Wayne Salamon
Suresh Krishnaswamy
Kevin Van Vechten
Tom Rhodes
Wojciech Koszek
Chunyang Yuan
Poul-Henning Kamp
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
Software's FlexeLint tool were used to identify a number of bugs in the
OpenBSM implementation.
Contributions
The TrustedBSD Project would appreciate the contribution of bug fixes,
enhancements, etc, under identically or substantially similar licenses to
those present on the remainder of the OpenBSM source code.
Location
Information on OpenBSM may be found on the OpenBSM home page:
http://www.OpenBSM.org/
Information on TrustedBSD may be found on the TrustedBSD home page:
http://www.TrustedBSD.org/
$P4: //depot/projects/trustedbsd/openbsm/README#11 $

12
contrib/openbsm/TODO Normal file
View File

@ -0,0 +1,12 @@
- Teach praudit how to general XML format BSM streams.
- Teach libbsm about any additional 64-bit token types that are present
in more recent Solaris versions.
- Build a regression test suite for libbsm that generates each token
type and then compares the results with known good data. Make sure to
test that things work properly with respect to endianness of the local
platform.
- Document contents of libbsm "public" data structures in libbsm man pages.
- The audit.log.5 man page is incomplete, as it does not describe all
token types.
$P4: //depot/projects/trustedbsd/openbsm/TODO#4 $

1
contrib/openbsm/VERSION Normal file
View File

@ -0,0 +1 @@
OPENBSM_1_0_ALPHA_1

10
contrib/openbsm/bin/Makefile Normal file
View File

@ -0,0 +1,10 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile#4 $
#
SUBDIR= audit \
auditd \
auditreduce \
praudit
.include <bsd.subdir.mk>

12
contrib/openbsm/bin/audit/Makefile Normal file
View File

@ -0,0 +1,12 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile#2 $
#
CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
PROG= audit
MAN= audit.8
DPADD= /usr/lib/libbsm.a
LDADD= -lbsm
BINDIR= /usr/sbin
.include <bsd.prog.mk>

86
contrib/openbsm/bin/audit/audit.8 Normal file
View File

@ -0,0 +1,86 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" @APPLE_BSD_LICENSE_HEADER_START@
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#2 $
.\"
.Dd Jan 24, 2004
.Dt AUDIT 8
.Os
.Sh NAME
.Nm audit
.Nd audit management utility
.Sh SYNOPSIS
.Nm audit
.Op Fl nst
.Op Ar file
.Sh DESCRIPTION
The
.Nm
utility controls the state of auditing system. The optional
.Ar file
operand specifies the location of the audit control input file (default
/etc/security/audit_control).
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl n
Forces the audit system to close the existing audit log file and rotate to
a new log file in a location specified in the audit control file.
.It Fl s
Specifies that the audit system should [re]synchronize its
configuration from the audit control file. A new log file will be
created.
.It Fl t
Specifies that the audit system should terminate. Log files are closed
and renamed to indicate the time of the shutdown.
.El
.Sh NOTES
The auditd(8) daemon must already be running.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
Default audit policy file used to configure the auditing system.
.El
.Sh SEE ALSO
.Xr auditd 8
.Xr audit_control 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

102
contrib/openbsm/bin/audit/audit.c Normal file
View File

@ -0,0 +1,102 @@
/*
* Copyright (c) 2005 Apple Computer, Inc.
* All rights reserved.
*
* @APPLE_BSD_LICENSE_HEADER_START@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
* - Open a new audit log file
* - Read the audit control file and take action on it
* - Close the audit log file and exit
*
*/
#include <sys/queue.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <bsm/audit.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
static void
usage(void)
{
(void)fprintf(stderr, "Usage: audit -n | -s | -t \n");
exit(-1);
}
/*
* Main routine to process command line options.
*/
int
main(int argc, char **argv)
{
char ch;
unsigned int trigger = 0;
if (argc != 2)
usage();
while ((ch = getopt(argc, argv, "nst")) != -1) {
switch(ch) {
case 'n':
trigger = AUDIT_TRIGGER_OPEN_NEW;
break;
case 's':
trigger = AUDIT_TRIGGER_READ_FILE;
break;
case 't':
trigger = AUDIT_TRIGGER_CLOSE_AND_DIE;
break;
case '?':
default:
usage();
break;
}
}
if (auditon(A_SENDTRIGGER, &trigger, sizeof(trigger)) < 0) {
perror("Error sending trigger");
exit(-1);
} else {
printf("Trigger sent.\n");
exit (0);
}
}

13
contrib/openbsm/bin/auditd/Makefile Normal file
View File

@ -0,0 +1,13 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile#2 $
#
CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
PROG= auditd
SRCS= audit_warn.c auditd.c
MAN= auditd.8
DPADD= /usr/lib/libbsm.a
LDADD= -lbsm
BINDIR= /usr/sbin
.include <bsd.prog.mk>

230
contrib/openbsm/bin/auditd/audit_warn.c Normal file
View File

@ -0,0 +1,230 @@
/*
* Copyright (c) 2005 Apple Computer, Inc.
* All rights reserved.
*
* @APPLE_BSD_LICENSE_HEADER_START@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#5 $
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include "auditd.h"
/*
* Write an audit-related error to the system log via syslog(3).
*/
static int
auditwarnlog(char *args[])
{
char *loc_args[9];
pid_t pid;
int i;
loc_args[0] = AUDITWARN_SCRIPT;
for (i = 0; args[i] != NULL && i < 8; i++)
loc_args[i+1] = args[i];
loc_args[i+1] = NULL;
pid = fork();
if (pid == -1)
return (-1);
if (pid == 0) {
/*
* Child.
*/
execv(AUDITWARN_SCRIPT, loc_args);
syslog(LOG_ERR, "Could not exec %s (%m)\n",
AUDITWARN_SCRIPT);
exit(1);
}
/*
* Parent.
*/
return (0);
}
/*
* Indicates that the hard limit for all filesystems has been exceeded count
* times.
*/
int
audit_warn_allhard(int count)
{
char intstr[12];
char *args[3];
snprintf(intstr, 12, "%d", count);
args[0] = HARDLIM_ALL_WARN;
args[1] = intstr;
args[2] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that the soft limit for all filesystems has been exceeded.
*/
int
audit_warn_allsoft(void)
{
char *args[2];
args[0] = SOFTLIM_ALL_WARN;
args[1] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that someone other than the audit daemon turned off auditing.
* XXX Its not clear at this point how this function will be invoked.
*
* XXXRW: This function is not used.
*/
int
audit_warn_auditoff(void)
{
char *args[2];
args[0] = AUDITOFF_WARN;
args[1] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that the audit deammn is already running
*/
int
audit_warn_ebusy(void)
{
char *args[2];
args[0] = EBUSY_WARN;
args[1] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that there is a problem getting the directory from
* audit_control.
*
* XXX Note that we take the filename instead of a count as the argument here
* (different from BSM).
*/
int
audit_warn_getacdir(char *filename)
{
char *args[3];
args[0] = GETACDIR_WARN;
args[1] = filename;
args[2] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that the hard limit for this file has been exceeded.
*/
int
audit_warn_hard(char *filename)
{
char *args[3];
args[0] = HARDLIM_WARN;
args[1] = filename;
args[2] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that auditing could not be started.
*/
int
audit_warn_nostart(void)
{
char *args[2];
args[0] = NOSTART_WARN;
args[1] = NULL;
return (auditwarnlog(args));
}
/*
* Indicaes that an error occrred during the orderly shutdown of the audit
* daemon.
*/
int
audit_warn_postsigterm(void)
{
char *args[2];
args[0] = POSTSIGTERM_WARN;
args[1] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that the soft limit for this file has been exceeded.
*/
int
audit_warn_soft(char *filename)
{
char *args[3];
args[0] = SOFTLIM_WARN;
args[1] = filename;
args[2] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that the temporary audit file already exists indicating a fatal
* error.
*/
int
audit_warn_tmpfile(void)
{
char *args[2];
args[0] = TMPFILE_WARN;
args[1] = NULL;
return (auditwarnlog(args));
}

94
contrib/openbsm/bin/auditd/auditd.8 Normal file
View File

@ -0,0 +1,94 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" @APPLE_BSD_LICENSE_HEADER_START@
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $
.\"
.Dd Jan 24, 2004
.Dt AUDITD 8
.Os
.Sh NAME
.Nm auditd
.Nd audit log management daemon
.Sh SYNOPSIS
.Nm auditd
.Op Fl dhs
.Sh DESCRIPTION
The
.Nm
daemon responds to requests from the audit(1) utility and notifications
from the kernel. It manages the resulting audit log files and specified
log file locations.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl d
Starts the daemon in debug mode - it will not daemonize.
.It Fl h
Specifies that if auditing cannot be performed as specified, the system should
halt (panic). Normally, the system will attempt to proceed - although individual
processes may be stopped (see the -s option).
.It Fl s
Specifies that individual processes should stop rather than perform operations
that may cause audit records to be lost due to log file full conditions
.El
.Sh NOTE
.Pp
To assure uninterrupted audit support, the
.Nm auditd
daemon should not be started and stopped manually. Instead, the audit(1) command
should be used to inform the daemon to change state/configuration after altering
the audit_control file.
.Pp
.\" Sending a SIGHUP to a running
.\" .Nm auditd
.\" daemon will force it to exit.
Sending a SIGTERM to a running
.Nm auditd
daemon will force it to exit.
.Sh FILES
.Bl -tag -width "/var/audit" -compact
.It Pa /var/audit
Default directory for storing audit log files.
.El
.Sh SEE ALSO
.Xr audit 8
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

760
contrib/openbsm/bin/auditd/auditd.c Normal file
View File

@ -0,0 +1,760 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* All rights reserved.
*
* @APPLE_BSD_LICENSE_HEADER_START@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $
*/
#include <sys/dirent.h>
#include <sys/mman.h>
#include <sys/queue.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <bsm/audit.h>
#include <bsm/audit_uevents.h>
#include <bsm/libbsm.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include "auditd.h"
#define NA_EVENT_STR_SIZE 25
static int ret, minval;
static char *lastfile = NULL;
static int allhardcount = 0;
static int triggerfd = 0;
static int sighups, sighups_handled;
static int sigterms, sigterms_handled;
static long global_flags;
static TAILQ_HEAD(, dir_ent) dir_q;
static int config_audit_controls(void);
/*
* Error starting auditd
*/
static void
fail_exit(void)
{
audit_warn_nostart();
exit(1);
}
/*
* Free our local list of directory names.
*/
static void
free_dir_q()
{
struct dir_ent *dirent;
while ((dirent = TAILQ_FIRST(&dir_q))) {
TAILQ_REMOVE(&dir_q, dirent, dirs);
free(dirent->dirname);
free(dirent);
}
}
/*
* Generate the timestamp string.
*/
static int
getTSstr(char *buf, int len)
{
struct timeval ts;
struct timezone tzp;
time_t tt;
if (gettimeofday(&ts, &tzp) != 0)
return (-1);
tt = (time_t)ts.tv_sec;
if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt)))
return (-1);
return (0);
}
/*
* Concat the directory name to the given file name.
* XXX We should affix the hostname also
*/
static char *
affixdir(char *name, struct dir_ent *dirent)
{
char *fn;
char *curdir;
const char *sep = "/";
curdir = dirent->dirname;
syslog(LOG_INFO, "dir = %s\n", dirent->dirname);
fn = malloc(strlen(curdir) + strlen(sep) + (2 * POSTFIX_LEN) + 1);
if (fn == NULL)
return (NULL);
strcpy(fn, curdir);
strcat(fn, sep);
strcat(fn, name);
return (fn);
}
/*
* Close the previous audit trail file.
*/
static int
close_lastfile(char *TS)
{
char *ptr;
char *oldname;
if (lastfile != NULL) {
oldname = (char *)malloc(strlen(lastfile) + 1);
if (oldname == NULL)
return (-1);
strcpy(oldname, lastfile);
/* Rename the last file -- append timestamp. */
if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
*ptr = '.';
strcpy(ptr+1, TS);
if (rename(oldname, lastfile) != 0)
syslog(LOG_ERR, "Could not rename %s to %s \n",
oldname, lastfile);
else
syslog(LOG_INFO, "renamed %s to %s \n",
oldname, lastfile);
}
free(lastfile);
free(oldname);
lastfile = NULL;
}
return (0);
}
/*
* Create the new file name, swap with existing audit file.
*/
static int
swap_audit_file(void)
{
char timestr[2 * POSTFIX_LEN];
char *fn;
char TS[POSTFIX_LEN];
struct dir_ent *dirent;
int fd;
if (getTSstr(TS, POSTFIX_LEN) != 0)
return (-1);
strcpy(timestr, TS);
strcat(timestr, NOT_TERMINATED);
/* Try until we succeed. */
while ((dirent = TAILQ_FIRST(&dir_q))) {
if ((fn = affixdir(timestr, dirent)) == NULL) {
syslog(LOG_INFO, "Failed to swap log at time %s\n",
timestr);
return (-1);
}
/*
* Create and open the file; then close and pass to the
* kernel if all went well.
*/
syslog(LOG_INFO, "New audit file is %s\n", fn);
fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
if (fd < 0)
perror("File open");
else if (auditctl(fn) != 0) {
syslog(LOG_ERR,
"auditctl failed setting log file! : %s\n",
strerror(errno));
close(fd);
} else {
/* Success. */
close_lastfile(TS);
lastfile = fn;
close(fd);
return (0);
}
/*
* Tell the administrator about lack of permissions for dir.
*/
audit_warn_getacdir(dirent->dirname);
/* Try again with a different directory. */
TAILQ_REMOVE(&dir_q, dirent, dirs);
free(dirent->dirname);
free(dirent);
}
syslog(LOG_INFO, "Log directories exhausted\n");
return (-1);
}
/*
* Read the audit_control file contents.
*/
static int
read_control_file(void)
{
char cur_dir[MAXNAMLEN];
struct dir_ent *dirent;
au_qctrl_t qctrl;
/*
* Clear old values. Force a re-read of the file the next time.
*/
free_dir_q();
endac();
/*
* Read the list of directories into a local linked list.
*
* XXX We should use the reentrant interfaces once they are
* available.
*/
while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
dirent = (struct dir_ent *) malloc(sizeof(struct dir_ent));
if (dirent == NULL)
return (-1);
dirent->softlim = 0;
dirent->dirname = (char *) malloc(MAXNAMLEN);
if (dirent->dirname == NULL) {
free(dirent);
return (-1);
}
strcpy(dirent->dirname, cur_dir);
TAILQ_INSERT_TAIL(&dir_q, dirent, dirs);
}
allhardcount = 0;
if (swap_audit_file() == -1) {
syslog(LOG_ERR, "Could not swap audit file\n");
/*
* XXX Faulty directory listing? - user should be given
* XXX an opportunity to change the audit_control file
* XXX switch to a reduced mode of auditing?
*/
return (-1);
}
/*
* XXX There are synchronization problems here
* XXX what should we do if a trigger for the earlier limit
* XXX is generated here?
*/
if (0 == (ret = getacmin(&minval))) {
syslog(LOG_INFO, "min free = %d\n", minval);
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
syslog(LOG_ERR,
"could not get audit queue settings\n");
return (-1);
}
qctrl.aq_minfree = minval;
if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
syslog(LOG_ERR,
"could not set audit queue settings\n");
return (-1);
}
}
return (0);
}
/*
* Close all log files, control files, and tell the audit system.
*/
static int
close_all(void)
{
int err_ret = 0;
char TS[POSTFIX_LEN];
int aufd;
token_t *tok;
long cond;
/* Generate an audit record. */
if ((aufd = au_open()) == -1)
syslog(LOG_ERR, "Could not create audit shutdown event.\n");
else {
if ((tok = au_to_text("auditd::Audit shutdown")) != NULL)
au_write(aufd, tok);
if (au_close(aufd, 1, AUE_audit_shutdown) == -1)
syslog(LOG_ERR,
"Could not close audit shutdown event.\n");
}
/* Flush contents. */
cond = AUC_DISABLED;
err_ret = auditon(A_SETCOND, &cond, sizeof(cond));
if (err_ret != 0) {
syslog(LOG_ERR, "Disabling audit failed! : %s\n",
strerror(errno));
err_ret = 1;
}
if (getTSstr(TS, POSTFIX_LEN) == 0)
close_lastfile(TS);
if (lastfile != NULL)
free(lastfile);
free_dir_q();
if ((remove(AUDITD_PIDFILE) == -1) || err_ret) {
syslog(LOG_ERR, "Could not unregister\n");
audit_warn_postsigterm();
return (1);
}
endac();
if (close(triggerfd) != 0)
syslog(LOG_ERR, "Error closing control file\n");
syslog(LOG_INFO, "Finished.\n");
return (0);
}
/*
* When we get a signal, we are often not at a clean point. So, little can
* be done in the signal handler itself. Instead, we send a message to the
* main servicing loop to do proper handling from a non-signal-handler
* context.
*/
static void
relay_signal(int signal)
{
if (signal == SIGHUP)
sighups++;
if (signal == SIGTERM)
sigterms++;
}
/*
* Registering the daemon.
*/
static int
register_daemon(void)
{
FILE * pidfile;
int fd;
pid_t pid;
/* Set up the signal hander. */
if (signal(SIGTERM, relay_signal) == SIG_ERR) {
syslog(LOG_ERR,
"Could not set signal handler for SIGTERM\n");
fail_exit();
}
if (signal(SIGCHLD, relay_signal) == SIG_ERR) {
syslog(LOG_ERR,
"Could not set signal handler for SIGCHLD\n");
fail_exit();
}
if (signal(SIGHUP, relay_signal) == SIG_ERR) {
syslog(LOG_ERR,
"Could not set signal handler for SIGHUP\n");
fail_exit();
}
if ((pidfile = fopen(AUDITD_PIDFILE, "a")) == NULL) {
syslog(LOG_ERR,
"Could not open PID file\n");
audit_warn_tmpfile();
return (-1);
}
/* Attempt to lock the pid file; if a lock is present, exit. */
fd = fileno(pidfile);
if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
syslog(LOG_ERR,
"PID file is locked (is another auditd running?).\n");
audit_warn_ebusy();
return (-1);
}
pid = getpid();
ftruncate(fd, 0);
if (fprintf(pidfile, "%u\n", pid) < 0) {
/* Should not start the daemon. */
fail_exit();
}
fflush(pidfile);
return (0);
}
/*
* Suppress duplicate messages within a 30 second interval. This should be
* enough to time to rotate log files without thrashing from soft warnings
* generated before the log is actually rotated.
*/
#define DUPLICATE_INTERVAL 30
static void
handle_audit_trigger(int trigger)
{
static int last_trigger;
static time_t last_time;
struct dir_ent *dirent;
int rc;
/*
* Suppres duplicate messages from the kernel within the specified
* interval.
*/
struct timeval ts;
struct timezone tzp;
time_t tt;
if (gettimeofday(&ts, &tzp) == 0) {
tt = (time_t)ts.tv_sec;
if ((trigger == last_trigger) &&
(tt < (last_time + DUPLICATE_INTERVAL)))
return;
last_trigger = trigger;
last_time = tt;
}
/*
* Message processing is done here.
*/
dirent = TAILQ_FIRST(&dir_q);
switch(trigger) {
case AUDIT_TRIGGER_LOW_SPACE:
syslog(LOG_INFO, "Got low space trigger\n");
if (dirent && (dirent->softlim != 1)) {
TAILQ_REMOVE(&dir_q, dirent, dirs);
/* Add this node to the end of the list. */
TAILQ_INSERT_TAIL(&dir_q, dirent, dirs);
audit_warn_soft(dirent->dirname);
dirent->softlim = 1;
if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL &&
swap_audit_file() == -1)
syslog(LOG_ERR, "Error swapping audit file\n");
/*
* Check if the next dir has already reached its soft
* limit.
*/
dirent = TAILQ_FIRST(&dir_q);
if (dirent->softlim == 1) {
/* All dirs have reached their soft limit. */
audit_warn_allsoft();
}
} else {
/*
* Continue auditing to the current file. Also
* generate an allsoft warning.
* XXX do we want to do this ?
*/
audit_warn_allsoft();
}
break;
case AUDIT_TRIGGER_NO_SPACE:
syslog(LOG_INFO, "Got no space trigger\n");
/* Delete current dir, go on to next. */
TAILQ_REMOVE(&dir_q, dirent, dirs);
audit_warn_hard(dirent->dirname);
free(dirent->dirname);
free(dirent);
if (swap_audit_file() == -1)
syslog(LOG_ERR, "Error swapping audit file\n");
/* We are out of log directories. */
audit_warn_allhard(++allhardcount);
break;
case AUDIT_TRIGGER_OPEN_NEW:
/*
* Create a new file and swap with the one being used in
* kernel
*/
syslog(LOG_INFO, "Got open new trigger\n");
if (swap_audit_file() == -1)
syslog(LOG_ERR, "Error swapping audit file\n");
break;
case AUDIT_TRIGGER_READ_FILE:
syslog(LOG_INFO, "Got read file trigger\n");
if (read_control_file() == -1)
syslog(LOG_ERR, "Error in audit control file\n");
if (config_audit_controls() == -1)
syslog(LOG_ERR, "Error setting audit controls\n");
break;
default:
syslog(LOG_ERR, "Got unknown trigger %d\n", trigger);
break;
}
}
static void
handle_sighup(void)
{
sighups_handled = sighups;
config_audit_controls();
}
/*
* Read the control file for triggers and handle appropriately.
*/
static int
wait_for_triggers(void)
{
int num;
unsigned int trigger;
for (;;) {
num = read(triggerfd, &trigger, sizeof(trigger));
if ((num == -1) && (errno != EINTR)) {
syslog(LOG_ERR, "%s: error %d\n", __FUNCTION__, errno);
return (-1);
}
if (sigterms != sigterms_handled) {
syslog(LOG_INFO, "%s: SIGTERM", __FUNCTION__);
break;
}
if (sighups != sighups_handled) {
syslog(LOG_INFO, "%s: SIGHUP", __FUNCTION__);
handle_sighup();
}
if ((num == -1) && (errno == EINTR))
continue;
if (num == 0) {
syslog(LOG_INFO, "%s: read EOF\n", __FUNCTION__);
return (-1);
}
syslog(LOG_INFO, "%s: read %d\n", __FUNCTION__, trigger);
if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE)
break;
else
handle_audit_trigger(trigger);
}
return (close_all());
}
/*
* Reap our children.
*/
static void
reap_children(void)
{
pid_t child;
int wstatus;
while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) {
if (!wstatus)
continue;
syslog(LOG_INFO, "warn process [pid=%d] %s %d.\n", child,
((WIFEXITED(wstatus)) ? "exited with non-zero status" :
"exited as a result of signal"),
((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) :
WTERMSIG(wstatus)));
}
}
/*
* Configure the audit controls in the kernel: the event to class mapping,
* kernel preselection mask, etc.
*/
static int
config_audit_controls(void)
{
au_event_ent_t ev, *evp;
au_evclass_map_t evc_map;
au_mask_t aumask;
int ctr = 0;
char naeventstr[NA_EVENT_STR_SIZE];
/*
* Process the audit event file, obtaining a class mapping for each
* event, and send that mapping into the kernel.
* XXX There's a risk here that the BSM library will return NULL
* for an event when it can't properly map it to a class. In that
* case, we will not process any events beyond the one that failed,
* but should. We need a way to get a count of the events.
*/
ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) {
syslog(LOG_ERR,
"Memory allocation error when configuring audit controls.");
return (-1);
}
evp = &ev;
setauevent();
while ((evp = getauevent_r(evp)) != NULL) {
evc_map.ec_number = evp->ae_number;
evc_map.ec_class = evp->ae_class;
if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t))
!= 0)
syslog(LOG_ERR,
"Failed to register class mapping for event %s",
evp->ae_name);
else
ctr++;
}
endauevent();
free(ev.ae_name);
free(ev.ae_desc);
if (ctr == 0)
syslog(LOG_ERR, "No events to class mappings registered.");
else
syslog(LOG_INFO, "Registered %d event to class mappings.",
ctr);
/*
* Get the non-attributable event string and set the kernel mask from
* that.
*/
if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0) &&
(getauditflagsbin(naeventstr, &aumask) == 0)) {
if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t)))
syslog(LOG_ERR,
"Failed to register non-attributable event mask.");
else
syslog(LOG_INFO,
"Registered non-attributable event mask.");
} else
syslog(LOG_ERR,
"Failed to obtain non-attributable event mask.");
/*
* Set the audit policy flags based on passed in parameter values.
*/
if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags)))
syslog(LOG_ERR, "Failed to set audit policy.");
return (0);
}
static void
setup(void)
{
int aufd;
token_t *tok;
if ((triggerfd = open(AUDIT_TRIGGER_FILE, O_RDONLY, 0)) < 0) {
syslog(LOG_ERR, "Error opening trigger file\n");
fail_exit();
}
TAILQ_INIT(&dir_q);
if (read_control_file() == -1) {
syslog(LOG_ERR, "Error reading control file\n");
fail_exit();
}
/* Generate an audit record. */
if ((aufd = au_open()) == -1)
syslog(LOG_ERR, "Could not create audit startup event.\n");
else {
if ((tok = au_to_text("auditd::Audit startup")) != NULL)
au_write(aufd, tok);
if (au_close(aufd, 1, AUE_audit_startup) == -1)
syslog(LOG_ERR,
"Could not close audit startup event.\n");
}
if (config_audit_controls() == 0)
syslog(LOG_INFO, "Audit controls init successful\n");
else
syslog(LOG_INFO, "Audit controls init failed\n");
}
int
main(int argc, char **argv)
{
char ch;
int debug = 0;
int rc;
global_flags |= AUDIT_CNT;
while ((ch = getopt(argc, argv, "dhs")) != -1) {
switch(ch) {
case 'd':
/* Debug option. */
debug = 1;
break;
case 's':
/* Fail-stop option. */
global_flags &= ~(AUDIT_CNT);
break;
case 'h':
/* Halt-stop option. */
global_flags |= AUDIT_AHLT;
break;
case '?':
default:
(void)fprintf(stderr,
"usage: auditd [-h | -s] [-d] \n");
exit(1);
}
}
openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY);
syslog(LOG_INFO, "starting...\n");
if (debug == 0 && daemon(0, 0) == -1) {
syslog(LOG_ERR, "Failed to daemonize\n");
exit(1);
}
if (register_daemon() == -1) {
syslog(LOG_ERR, "Could not register as daemon\n");
exit(1);
}
setup();
rc = wait_for_triggers();
syslog(LOG_INFO, "auditd exiting.\n");
exit(rc);
}

80
contrib/openbsm/bin/auditd/auditd.h Normal file
View File

@ -0,0 +1,80 @@
/*
* Copyright (c) 2005 Apple Computer, Inc.
* All rights reserved.
*
* @APPLE_BSD_LICENSE_HEADER_START@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $
*/
#ifndef _AUDITD_H_
#define _AUDITD_H_
#include <sys/types.h>
#include <sys/queue.h>
#include <syslog.h>
#define MAX_DIR_SIZE 255
#define AUDITD_NAME "auditd"
#define POSTFIX_LEN 16
#define NOT_TERMINATED ".not_terminated"
struct dir_ent {
char *dirname;
char softlim;
TAILQ_ENTRY(dir_ent) dirs;
};
#define HARDLIM_ALL_WARN "allhard"
#define SOFTLIM_ALL_WARN "allsoft"
#define AUDITOFF_WARN "aditoff"
#define EBUSY_WARN "ebusy"
#define GETACDIR_WARN "getacdir"
#define HARDLIM_WARN "hard"
#define NOSTART_WARN "nostart"
#define POSTSIGTERM_WARN "postsigterm"
#define SOFTLIM_WARN "soft"
#define TMPFILE_WARN "tmpfile"
#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
#define AUDITD_PIDFILE "/var/run/auditd.pid"
int audit_warn_allhard(int count);
int audit_warn_allsoft(void);
int audit_warn_auditoff(void);
int audit_warn_ebusy(void);
int audit_warn_getacdir(char *filename);
int audit_warn_hard(char *filename);
int audit_warn_nostart(void);
int audit_warn_postsigterm(void);
int audit_warn_soft(char *filename);
int audit_warn_tmpfile(void);
#endif /* !_AUDITD_H_ */

12
contrib/openbsm/bin/auditreduce/Makefile Normal file
View File

@ -0,0 +1,12 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/Makefile#4 $
#
CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
PROG= auditreduce
MAN= auditreduce.1
DPADD= /usr/lib/libbsm.a
LDADD= -lbsm
BINDIR= /usr/sbin
.include <bsd.prog.mk>

153
contrib/openbsm/bin/auditreduce/auditreduce.1 Normal file
View File

@ -0,0 +1,153 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#6 $
.\"
.Dd Jan 24, 2004
.Dt AUDITREDUCE 1
.Os
.Sh NAME
.Nm auditreduce
.Nd "select records from audit trail files"
.Sh SYNOPSIS
.Nm auditreduce
.Op Fl A
.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
.Op Fl c Ar flags
.Op Fl d Ar YYYYMMDD
.Op Fl e Ar euid
.Op Fl f Ar egid
.Op Fl g Ar rgid
.Op Fl r Ar ruid
.Op Fl u Ar auid
.Op Fl j Ar id
.Op Fl m Ar event
.Op Fl o Ar object=value
.Op Ar file ...
.Sh DESCRIPTION
The
.Nm
utility selects records from the audit trail files based on the specified
criteria.
Matching audit records are printed to the standard output in
their raw binary form.
If no filename is specified, the standard input is used
by default.
Use the
.Nm praudit
utility to print the selected audit records in human-readable form.
See
.Xr praudit 1
for more information.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl A
Select all records.
.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
Select records that occurred after or on the given datetime.
.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
Select records that occurred before the given datetime.
.It Fl c Ar flags
Select records matching the given audit classes specified as a comma
separated list of audit flags.
See
.Xr audit_control 5
for a description of audit flags.
.It Fl d Ar YYYYMMDD
Select records that occurred on a given date.
This option cannot be used with
.Fl a
or
.Fl b
.It Fl e Ar euid
Select records with the given effective user id or name.
.It Fl f Ar egid
Select records with the given effective group id or name.
.It Fl g Ar rgid
Select records with the given real group id or name.
.It Fl r Ar ruid
Select records with the given real user id or name.
.It Fl u Ar auid
Select records with the given audit id.
.It Fl j Ar id
Select records having a subject token with matching ID.
.It Fl m Ar event
Select records with the given event name or number.
See
.Xr audit_event 5
for a description of audit event names and numbers.
.It Fl o Ar object=value
.Bl -tag -width Ds
.It Nm file
Select records containing the given path name.
file="/usr" matches paths
starting with
.Pa usr .
file="~/usr" matches paths not starting with
.Pa usr .
.It Nm msgqid
Select records containing the given message queue id.
.It Nm pid
Select records containing the given process id.
.It Nm semid
Select records containing the given semaphore id.
.It Nm shmid
Select records containing the given shared memory id.
.El
.El
.Sh Examples
.Pp
To select all records associated with effective user ID root from the audit
log /var/audit/20031016184719.20031017122634:
.Pp
.Nm
-e root /var/audit/20031016184719.20031017122634
.Pp
To select all
.Xr setlogin 2
events from that log:
.Pp
.Nm
-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
.Sh SEE ALSO
.Xr audit_control 5 ,
.Xr audit_event 5 ,
.Xr praudit 1
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

699
contrib/openbsm/bin/auditreduce/auditreduce.c Normal file
View File

@ -0,0 +1,699 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $
*/
/*
* Tool used to merge and select audit records from audit trail files
*/
/*
* XXX Currently we do not support merging of records from multiple
* XXX audit trail files
* XXX We assume that records are sorted chronologically - both wrt to
* XXX the records present within the file and between the files themselves
*/
#include <bsm/libbsm.h>
#include <stdio.h>
#include <stdlib.h>
#include <sysexits.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include "auditreduce.h"
extern char *optarg;
extern int optind, optopt, opterr,optreset;
static au_mask_t maskp; /* Class. */
static time_t p_atime; /* Created after this time. */
static time_t p_btime; /* Created before this time. */
static uint16_t p_evtype; /* Event that we are searching for. */
static int p_auid; /* Audit id. */
static int p_euid; /* Effective user id. */
static int p_egid; /* Effective group id. */
static int p_rgid; /* Real group id. */
static int p_ruid; /* Real user id. */
static int p_subid; /* Subject id. */
/*
* Following are the objects (-o option) that we can select upon.
*/
static char *p_fileobj = NULL;
static char *p_msgqobj = NULL;
static char *p_pidobj = NULL;
static char *p_semobj = NULL;
static char *p_shmobj = NULL;
static char *p_sockobj = NULL;
static uint32_t opttochk = 0;
static void
usage(const char *msg)
{
fprintf(stderr, "%s\n", msg);
fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
fprintf(stderr, "\tOptions are : \n");
fprintf(stderr, "\t-A : all records\n");
fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
fprintf(stderr, "\t-b YYYYMMDD[HH[[MM[SS]]] : before date\n");
fprintf(stderr, "\t-c <flags> : matching class\n");
fprintf(stderr, "\t-d YYYYMMDD : on date\n");
fprintf(stderr, "\t-e <uid|name> : effective user\n");
fprintf(stderr, "\t-f <gid|group> : effective group\n");
fprintf(stderr, "\t-g <gid|group> : real group\n");
fprintf(stderr, "\t-j <pid> : subject id \n");
fprintf(stderr, "\t-m <evno|evname> : matching event\n");
fprintf(stderr, "\t-o objecttype=objectvalue\n");
fprintf(stderr, "\t\t file=<pathname>\n");
fprintf(stderr, "\t\t msgqid=<ID>\n");
fprintf(stderr, "\t\t pid=<ID>\n");
fprintf(stderr, "\t\t semid=<ID>\n");
fprintf(stderr, "\t\t shmid=<ID>\n");
fprintf(stderr, "\t-r <uid|name> : real user\n");
fprintf(stderr, "\t-u <uid|name> : audit user\n");
exit(EX_USAGE);
}
/*
* Check if the given auid matches the selection criteria.
*/
static int
select_auid(int au)
{
/* Check if we want to select on auid. */
if (ISOPTSET(opttochk, OPT_u)) {
if (au != p_auid)
return (0);
}
return (1);
}
/*
* Check if the given euid matches the selection criteria.
*/
static int
select_euid(int euser)
{
/* Check if we want to select on euid. */
if (ISOPTSET(opttochk, OPT_e)) {
if (euser != p_euid)
return (0);
}
return (1);
}
/*
* Check if the given egid matches the selection criteria.
*/
static int
select_egid(int egrp)
{
/* Check if we want to select on egid. */
if (ISOPTSET(opttochk, OPT_f)) {
if (egrp != p_egid)
return (0);
}
return (1);
}
/*
* Check if the given rgid matches the selection criteria.
*/
static int
select_rgid(int grp)
{
/* Check if we want to select on rgid. */
if (ISOPTSET(opttochk, OPT_g)) {
if (grp != p_rgid)
return (0);
}
return (1);
}
/*
* Check if the given ruid matches the selection criteria.
*/
static int
select_ruid(int user)
{
/* Check if we want to select on rgid. */
if (ISOPTSET(opttochk, OPT_r)) {
if (user != p_ruid)
return (0);
}
return (1);
}
/*
* Check if the given subject id (pid) matches the selection criteria.
*/
static int
select_subid(int subid)
{
/* Check if we want to select on subject uid. */
if (ISOPTSET(opttochk, OPT_j)) {
if (subid != p_subid)
return (0);
}
return (1);
}
/*
* Check if object's pid maches the given pid.
*/
static int
select_pidobj(uint32_t pid)
{
if (ISOPTSET(opttochk, OPT_op)) {
if (pid != strtol(p_pidobj, (char **)NULL, 10))
return (0);
}
return (1);
}
/*
* Check if the given ipc object with the given type matches the selection
* criteria.
*/
static int
select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
{
if (type == AT_IPC_MSG) {
SETOPT((*optchkd), OPT_om);
if (ISOPTSET(opttochk, OPT_om)) {
if (id != strtol(p_msgqobj, (char **)NULL, 10))
return (0);
}
return (1);
} else if (type == AT_IPC_SEM) {
SETOPT((*optchkd), OPT_ose);
if (ISOPTSET(opttochk, OPT_ose)) {
if (id != strtol(p_semobj, (char **)NULL, 10))
return (0);
}
return (1);
} else if (type == AT_IPC_SHM) {
SETOPT((*optchkd), OPT_osh);
if (ISOPTSET(opttochk, OPT_osh)) {
if (id != strtol(p_shmobj, (char **)NULL, 10))
return (0);
}
return (1);
}
/* Unknown type -- filter if *any* ipc filtering is required. */
if (ISOPTSET(opttochk, OPT_om) || ISOPTSET(opttochk, OPT_ose)
|| ISOPTSET(opttochk, OPT_osh))
return (0);
return (1);
}
/*
* Check if the file name matches selection criteria.
*/
static int
select_filepath(char *path, uint32_t *optchkd)
{
char *loc;
SETOPT((*optchkd), OPT_of);
if (ISOPTSET(opttochk, OPT_of)) {
if (p_fileobj[0] == '~') {
/* Object should not be in path. */
loc = strstr(path, p_fileobj + 1);
if ((loc != NULL) && (loc == path))
return (0);
} else {
/* Object should be in path. */
loc = strstr(path, p_fileobj);
if ((loc == NULL) || (loc != path))
return (0);
}
}
return (1);
}
/*
* Returns 1 if the following pass the selection rules:
*
* before-time,
* after time,
* date,
* class,
* event
*/
static int
select_hdr32(tokenstr_t tok, uint32_t *optchkd)
{
SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m));
/* The A option overrides a, b and d. */
if (!ISOPTSET(opttochk, OPT_A)) {
if (ISOPTSET(opttochk, OPT_a)) {
if (difftime((time_t)tok.tt.hdr32.s, p_atime) < 0) {
/* Record was created before p_atime. */
return (0);
}
}
if (ISOPTSET(opttochk, OPT_b)) {
if (difftime(p_btime, (time_t)tok.tt.hdr32.s) < 0) {
/* Record was created after p_btime. */
return (0);
}
}
}
if (ISOPTSET(opttochk, OPT_c)) {
/*
* Check if the classes represented by the event matches
* given class.
*/
if (au_preselect(tok.tt.hdr32.e_type, &maskp, AU_PRS_BOTH,
AU_PRS_USECACHE) != 1)
return (0);
}
/* Check if event matches. */
if (ISOPTSET(opttochk, OPT_m)) {
if (tok.tt.hdr32.e_type != p_evtype)
return (0);
}
return (1);
}
/*
* Return 1 if checks for the the following succeed
* auid,
* euid,
* egid,
* rgid,
* ruid,
* process id
*/
static int
select_proc32(tokenstr_t tok, uint32_t *optchkd)
{
SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_op));
if (!select_auid(tok.tt.proc32.auid))
return (0);
if (!select_euid(tok.tt.proc32.euid))
return (0);
if (!select_egid(tok.tt.proc32.egid))
return (0);
if (!select_rgid(tok.tt.proc32.rgid))
return (0);
if (!select_ruid(tok.tt.proc32.ruid))
return (0);
if (!select_pidobj(tok.tt.proc32.pid))
return (0);
return (1);
}
/*
* Return 1 if checks for the the following succeed
* auid,
* euid,
* egid,
* rgid,
* ruid,
* subject id
*/
static int
select_subj32(tokenstr_t tok, uint32_t *optchkd)
{
SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_j));
if (!select_auid(tok.tt.subj32.auid))
return (0);
if (!select_euid(tok.tt.subj32.euid))
return (0);
if (!select_egid(tok.tt.subj32.egid))
return (0);
if (!select_rgid(tok.tt.subj32.rgid))
return (0);
if (!select_ruid(tok.tt.subj32.ruid))
return (0);
if (!select_subid(tok.tt.subj32.pid))
return (0);
return (1);
}
/*
* Read each record from the audit trail. Check if it is selected after
* passing through each of the options
*/
static int
select_records(FILE *fp)
{
u_char *buf;
tokenstr_t tok;
int reclen;
int bytesread;
int selected;
uint32_t optchkd;
int err = 0;
while ((reclen = au_read_rec(fp, &buf)) != -1) {
optchkd = 0;
bytesread = 0;
selected = 1;
while ((selected == 1) && (bytesread < reclen)) {
if (-1 == au_fetch_tok(&tok, buf + bytesread,
reclen - bytesread)) {
/* Is this an incomplete record? */
err = 1;
break;
}
/*
* For each token type we have have different
* selection criteria.
*/
switch(tok.id) {
case AU_HEADER_32_TOKEN:
selected = select_hdr32(tok,
&optchkd);
break;
case AU_PROCESS_32_TOKEN:
selected = select_proc32(tok,
&optchkd);
break;
case AU_SUBJECT_32_TOKEN:
selected = select_subj32(tok,
&optchkd);
break;
case AU_IPC_TOKEN:
selected = select_ipcobj(
tok.tt.ipc.type, tok.tt.ipc.id,
&optchkd);
break;
case AU_FILE_TOKEN:
selected = select_filepath(
tok.tt.file.name, &optchkd);
break;
case AU_PATH_TOKEN:
selected = select_filepath(
tok.tt.path.path, &optchkd);
break;
/*
* The following tokens dont have any relevant
* attributes that we can select upon.
*/
case AU_TRAILER_TOKEN:
case AU_ARG32_TOKEN:
case AU_ATTR32_TOKEN:
case AU_EXIT_TOKEN:
case AU_NEWGROUPS_TOKEN:
case AU_IN_ADDR_TOKEN:
case AU_IP_TOKEN:
case AU_IPCPERM_TOKEN:
case AU_IPORT_TOKEN:
case AU_OPAQUE_TOKEN:
case AU_RETURN_32_TOKEN:
case AU_SEQ_TOKEN:
case AU_TEXT_TOKEN:
case AU_ARB_TOKEN:
case AU_SOCK_TOKEN:
default:
break;
}
bytesread += tok.len;
}
if ((selected == 1) && (!err)) {
/* Check if all the options were matched. */
if (!(opttochk & ~optchkd)) {
/* XXX Write this record to the output file. */
/* default to stdout */
fwrite(buf, 1, reclen, stdout);
}
}
free(buf);
}
return (0);
}
/*
* The -o option has the form object_type=object_value. Identify the object
* components.
*/
void
parse_object_type(char *name, char *val)
{
if (val == NULL)
return;
if (!strcmp(name, FILEOBJ)) {
p_fileobj = val;
SETOPT(opttochk, OPT_of);
} else if (!strcmp(name, MSGQIDOBJ)) {
p_msgqobj = val;
SETOPT(opttochk, OPT_om);
} else if (!strcmp(name, PIDOBJ)) {
p_pidobj = val;
SETOPT(opttochk, OPT_op);
} else if (!strcmp(name, SEMIDOBJ)) {
p_semobj = val;
SETOPT(opttochk, OPT_ose);
} else if (!strcmp(name, SHMIDOBJ)) {
p_shmobj = val;
SETOPT(opttochk, OPT_osh);
} else if (!strcmp(name, SOCKOBJ)) {
p_sockobj = val;
SETOPT(opttochk, OPT_oso);
} else
usage("unknown value for -o");
}
int
main(int argc, char **argv)
{
struct group *grp;
struct passwd *pw;
struct tm tm;
au_event_t *n;
FILE *fp;
int i;
char *objval, *converr;
char ch;
char timestr[128];
char *fname;
converr = NULL;
while ((ch = getopt(argc, argv, "Aa:b:c:d:e:f:g:j:m:o:r:u:")) != -1) {
switch(ch) {
case 'A':
SETOPT(opttochk, OPT_A);
break;
case 'a':
if (ISOPTSET(opttochk, OPT_a)) {
usage("d is exclusive with a and b");
}
SETOPT(opttochk, OPT_a);
strptime(optarg, "%Y%m%d%H%M%S", &tm);
strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
&tm);
/* fprintf(stderr, "Time converted = %s\n", timestr); */
p_atime = mktime(&tm);
break;
case 'b':
if (ISOPTSET(opttochk, OPT_b)) {
usage("d is exclusive with a and b");
}
SETOPT(opttochk, OPT_b);
strptime(optarg, "%Y%m%d%H%M%S", &tm);
strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
&tm);
/* fprintf(stderr, "Time converted = %s\n", timestr); */
p_btime = mktime(&tm);
break;
case 'c':
if (0 != getauditflagsbin(optarg, &maskp)) {
/* Incorrect class */
usage("Incorrect class");
}
SETOPT(opttochk, OPT_c);
break;
case 'd':
if (ISOPTSET(opttochk, OPT_b) || ISOPTSET(opttochk,
OPT_a))
usage("'d' is exclusive with 'a' and 'b'");
SETOPT(opttochk, OPT_d);
strptime(optarg, "%Y%m%d", &tm);
strftime(timestr, sizeof(timestr), "%Y%m%d", &tm);
/* fprintf(stderr, "Time converted = %s\n", timestr); */
p_atime = mktime(&tm);
tm.tm_hour = 23;
tm.tm_min = 59;
tm.tm_sec = 59;
strftime(timestr, sizeof(timestr), "%Y%m%d", &tm);
/* fprintf(stderr, "Time converted = %s\n", timestr); */
p_btime = mktime(&tm);
break;
case 'e':
p_euid = strtol(optarg, &converr, 10);
if (*converr != '\0') {
/* Try the actual name */
if ((pw = getpwnam(optarg)) == NULL)
break;
p_euid = pw->pw_uid;
}
SETOPT(opttochk, OPT_e);
break;
case 'f':
p_egid = strtol(optarg, &converr, 10);
if (*converr != '\0') {
/* Try actual group name. */
if ((grp = getgrnam(optarg)) == NULL)
break;
p_egid = grp->gr_gid;
}
SETOPT(opttochk, OPT_f);
break;
case 'g':
p_rgid = strtol(optarg, &converr, 10);
if (*converr != '\0') {
/* Try actual group name. */
if ((grp = getgrnam(optarg)) == NULL)
break;
p_rgid = grp->gr_gid;
}
SETOPT(opttochk, OPT_g);
break;
case 'j':
p_subid = strtol(optarg, (char **)NULL, 10);
SETOPT(opttochk, OPT_j);
break;
case 'm':
p_evtype = strtol(optarg, (char **)NULL, 10);
if (p_evtype == 0) {
/* Could be the string representation. */
n = getauevnonam(optarg);
if (n == NULL)
usage("Incorrect event name");
p_evtype = *n;
free(n);
}
SETOPT(opttochk, OPT_m);
break;
case 'o':
objval = strchr(optarg, '=');
if (objval != NULL) {
*objval = '\0';
objval += 1;
parse_object_type(optarg, objval);
}
break;
case 'r':
p_ruid = strtol(optarg, &converr, 10);
if (*converr != '\0') {
if ((pw = getpwnam(optarg)) == NULL)
break;
p_ruid = pw->pw_uid;
}
SETOPT(opttochk, OPT_r);
break;
case 'u':
p_auid = strtol(optarg, &converr, 10);
if (*converr != '\0') {
if ((pw = getpwnam(optarg)) == NULL)
break;
p_auid = pw->pw_uid;
}
SETOPT(opttochk, OPT_u);
break;
case '?':
default:
usage("Unknown option");
}
}
argv += optind;
argc -= optind;
if (argc == 0)
usage("Filename needed");
/*
* XXX: We should actually be merging records here.
*/
for (i = 0; i < argc; i++) {
fname = argv[i];
fp = fopen(fname, "r");
if (fp == NULL)
errx(EXIT_FAILURE, "Couldn't open %s", fname);
if (select_records(fp) == -1) {
errx(EXIT_FAILURE, "Couldn't select records %s",
fname);
}
fclose(fp);
}
exit(EXIT_SUCCESS);
}

67
contrib/openbsm/bin/auditreduce/auditreduce.h Normal file
View File

@ -0,0 +1,67 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
*/
#ifndef _AUDITREDUCE_H_
#define _AUDITREDUCE_H_
#define OPT_a 0x00000001
#define OPT_b 0x00000002
#define OPT_c 0x00000004
#define OPT_d (OPT_a | OPT_b)
#define OPT_e 0x00000010
#define OPT_f 0x00000020
#define OPT_g 0x00000040
#define OPT_j 0x00000080
#define OPT_m 0x00000100
#define OPT_of 0x00000200
#define OPT_om 0x00000400
#define OPT_op 0x00000800
#define OPT_ose 0x00001000
#define OPT_osh 0x00002000
#define OPT_oso 0x00004000
#define OPT_r 0x00008000
#define OPT_u 0x00010000
#define OPT_A 0x00020000
#define FILEOBJ "file"
#define MSGQIDOBJ "msgqid"
#define PIDOBJ "pid"
#define SEMIDOBJ "semid"
#define SHMIDOBJ "shmid"
#define SOCKOBJ "sock"
#define SETOPT(optmask, bit) (optmask |= bit)
#define ISOPTSET(optmask, bit) (optmask & bit)
#endif /* !_AUDITREDUCE_H_ */

12
contrib/openbsm/bin/praudit/Makefile Normal file
View File

@ -0,0 +1,12 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/Makefile#4 $
#
CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
PROG= praudit
MAN= praudit.1
DPADD= /usr/lib/libbsm.a
LDADD= -lbsm
BINDIR= /usr/sbin
.include <bsd.prog.mk>

97
contrib/openbsm/bin/praudit/praudit.1 Normal file
View File

@ -0,0 +1,97 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $
.\"
.Dd Jan 24, 2004
.Dt PRAUDIT 1
.Os
.Sh NAME
.Nm praudit
.Nd "print the contents of audit trail files"
.Sh SYNOPSIS
.Nm praudit
.Op Fl lrs
.Op Fl d Ar del
.Op Ar file ...
.Sh DESCRIPTION
The
.Nm
utility prints the contents of the audit trail files to the standard output in
human-readable form.
If no filename is specified, the standard input is used
by default.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl l
Prints the entire record on the same line.
If this option is not specified,
every token is displayed on a different line.
.It Fl r
Prints the records in their raw, numeric form.
This option is exclusive from
.Fl s
.It Fl s
Prints the tokens in their short form.
Short text representations for
record and event type are displayed.
This option is exclusive from
.Fl r
.It Fl d Ar del
Specifies the delimiter.
The default delimiter is the comma.
.El
.Pp
If the raw or short forms are not specified, the default is to print the tokens
in their long form.
Events are displayed as per their descriptions given in
.Pa /etc/security/audit_event ;
uids and gids are expanded to their names;
dates and times are displayed in human-readable format.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_class
Descriptions of audit event classes
.It Pa /etc/security/audit_event
Descriptions of audit events
.El
.Sh SEE ALSO
.Xr audit_class 5 ,
.Xr audit_event 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

157
contrib/openbsm/bin/praudit/praudit.c Normal file
View File

@ -0,0 +1,157 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $
*/
/*
* Tool used to parse audit records conforming to the BSM structure.
*/
/*
* praudit [-lrs] [-ddel] [filenames]
*/
#include <bsm/libbsm.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
extern char *optarg;
extern int optind, optopt, opterr,optreset;
static char *del = ","; /* Default delimiter. */
static int oneline = 0;
static int raw = 0;
static int shortfrm = 0;
static int partial = 0;
static void
usage()
{
fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n");
exit(1);
}
/*
* Token printing for each token type .
*/
static int
print_tokens(FILE *fp)
{
u_char *buf;
tokenstr_t tok;
int reclen;
int bytesread;
/* Allow tail -f | praudit to work. */
if (partial) {
u_char type = 0;
/* Record must begin with a header token. */
do {
type = fgetc(fp);
} while(type != AU_HEADER_32_TOKEN);
ungetc(type, fp);
}
while ((reclen = au_read_rec(fp, &buf)) != -1) {
bytesread = 0;
while (bytesread < reclen) {
/* Is this an incomplete record? */
if (-1 == au_fetch_tok(&tok, buf + bytesread,
reclen - bytesread))
break;
au_print_tok(stdout, &tok, del, raw, shortfrm);
bytesread += tok.len;
if (oneline)
printf("%s", del);
else
printf("\n");
}
free(buf);
if (oneline)
printf("\n");
}
return (0);
}
int
main(int argc, char **argv)
{
char ch;
int i;
FILE *fp;
while ((ch = getopt(argc, argv, "lprsd:")) != -1) {
switch(ch) {
case 'l':
oneline = 1;
break;
case 'r':
if (shortfrm)
usage(); /* Exclusive from shortfrm. */
raw = 1;
break;
case 's':
if (raw)
usage(); /* Exclusive from raw. */
shortfrm = 1;
break;
case 'd':
del = optarg;
break;
case 'p':
partial = 1;
break;
case '?':
default:
usage();
}
}
/* For each of the files passed as arguments dump the contents. */
if (optind == argc) {
print_tokens(stdin);
return (1);
}
for (i = optind; i < argc; i++) {
fp = fopen(argv[i], "r");
if ((fp == NULL) || (print_tokens(fp) == -1))
perror(argv[i]);
if (fp != NULL)
fclose(fp);
}
return (1);
}

22
contrib/openbsm/bsm/Makefile Normal file
View File

@ -0,0 +1,22 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile#7 $
#
INCS= audit.h \
audit_internal.h \
audit_kevents.h \
audit_record.h \
audit_uevents.h \
libbsm.h
TARGET= ${DESTDIR}/usr/include/bsm
all:
default:
depend:
clean:
install:
mkdir -p -m 0755 ${TARGET}
install -o root -g wheel -m 0644 ${INCS} ${TARGET}

327
contrib/openbsm/bsm/audit.h Normal file
View File

@ -0,0 +1,327 @@
/*
* Copyright (c) 2005 Apple Computer, Inc.
* All rights reserved.
*
* @APPLE_BSD_LICENSE_HEADER_START@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#14 $
*/
#ifndef _BSM_AUDIT_H
#define _BSM_AUDIT_H
#define AUDIT_RECORD_MAGIC 0x828a0f1b
#define MAX_AUDIT_RECORDS 20
#define MAX_AUDIT_RECORD_SIZE 4096
#define MIN_AUDIT_FILE_SIZE (512 * 1024)
/*
* Triggers for the audit daemon
*/
#define AUDIT_TRIGGER_MIN 1
#define AUDIT_TRIGGER_LOW_SPACE 1
#define AUDIT_TRIGGER_OPEN_NEW 2
#define AUDIT_TRIGGER_READ_FILE 3
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4
#define AUDIT_TRIGGER_NO_SPACE 5
#define AUDIT_TRIGGER_MAX 5
/*
* File that will be read for trigger events from the kernel
*/
#define AUDIT_TRIGGER_FILE "/dev/audit"
/*
* Pre-defined audit IDs
*/
#define AU_DEFAUDITID -1
/*
* Define the masks for the classes of audit events.
*/
#define AU_NULL 0x00000000
#define AU_FREAD 0x00000001
#define AU_FWRITE 0x00000002
#define AU_FACCESS 0x00000004
#define AU_FMODIFY 0x00000008
#define AU_FCREATE 0x00000010
#define AU_FDELETE 0x00000020
#define AU_CLOSE 0x00000040
#define AU_PROCESS 0x00000080
#define AU_NET 0x00000100
#define AU_IPC 0x00000200
#define AU_NONAT 0x00000400
#define AU_ADMIN 0x00000800
#define AU_LOGIN 0x00001000
#define AU_TFM 0x00002000
#define AU_APPL 0x00004000
#define AU_SETL 0x00008000
#define AU_IFLOAT 0x00010000
#define AU_PRIV 0x00020000
#define AU_MAC_RW 0x00040000
#define AU_XCONN 0x00080000
#define AU_XCREATE 0x00100000
#define AU_XDELETE 0x00200000
#define AU_XIFLOAT 0x00400000
#define AU_XPRIVS 0x00800000
#define AU_XPRIVF 0x01000000
#define AU_XMOVE 0x02000000
#define AU_XDACF 0x04000000
#define AU_XMACF 0x08000000
#define AU_XSECATTR 0x10000000
#define AU_IOCTL 0x20000000
#define AU_EXEC 0x40000000
#define AU_OTHER 0x80000000
#define AU_ALL 0xffffffff
/*
* IPC types
*/
#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */
#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */
#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */
/*
* Audit conditions.
*/
#define AUC_UNSET 0
#define AUC_AUDITING 1
#define AUC_NOAUDIT 2
#define AUC_DISABLED -1
/*
* auditon(2) commands.
*/
#define A_GETPOLICY 2
#define A_SETPOLICY 3
#define A_GETKMASK 4
#define A_SETKMASK 5
#define A_GETQCTRL 6
#define A_SETQCTRL 7
#define A_GETCWD 8
#define A_GETCAR 9
#define A_GETSTAT 12
#define A_SETSTAT 13
#define A_SETUMASK 14
#define A_SETSMASK 15
#define A_GETCOND 20
#define A_SETCOND 21
#define A_GETCLASS 22
#define A_SETCLASS 23
#define A_GETPINFO 24
#define A_SETPMASK 25
#define A_SETFSIZE 26
#define A_GETFSIZE 27
#define A_GETPINFO_ADDR 28
#define A_GETKAUDIT 29
#define A_SETKAUDIT 30
#define A_SENDTRIGGER 31
/*
* Audit policy controls.
*/
#define AUDIT_CNT 0x0001
#define AUDIT_AHLT 0x0002
#define AUDIT_ARGV 0x0004
#define AUDIT_ARGE 0x0008
#define AUDIT_PASSWD 0x0010
#define AUDIT_SEQ 0x0020
#define AUDIT_WINDATA 0x0040
#define AUDIT_USER 0x0080
#define AUDIT_GROUP 0x0100
#define AUDIT_TRAIL 0x0200
#define AUDIT_PATH 0x0400
/*
* Audit queue control parameters
*/
#define AQ_HIWATER 100
#define AQ_MAXHIGH 10000
#define AQ_LOWATER 10
#define AQ_BUFSZ 1024
#define AQ_MAXBUFSZ 1048576
/*
* Default minimum percentage free space on file system.
*/
#define AU_FS_MINFREE 20
/*
* Type definitions used indicating the length of variable length addresses
* in tokens containing addresses, such as header fields.
*/
#define AU_IPv4 4
#define AU_IPv6 16
__BEGIN_DECLS
typedef uid_t au_id_t;
typedef pid_t au_asid_t;
typedef u_int16_t au_event_t;
typedef u_int16_t au_emod_t;
typedef u_int32_t au_class_t;
struct au_tid {
dev_t port;
u_int32_t machine;
};
typedef struct au_tid au_tid_t;
struct au_tid_addr {
dev_t at_port;
u_int32_t at_type;
u_int32_t at_addr[4];
};
typedef struct au_tid_addr au_tid_addr_t;
struct au_mask {
unsigned int am_success; /* Success bits. */
unsigned int am_failure; /* Failure bits. */
};
typedef struct au_mask au_mask_t;
struct auditinfo {
au_id_t ai_auid; /* Audit user ID. */
au_mask_t ai_mask; /* Audit masks. */
au_tid_t ai_termid; /* Terminal ID. */
au_asid_t ai_asid; /* Audit session ID. */
};
typedef struct auditinfo auditinfo_t;
struct auditinfo_addr {
au_id_t ai_auid; /* Audit user ID. */
au_mask_t ai_mask; /* Audit masks. */
au_tid_addr_t ai_termid; /* Terminal ID. */
au_asid_t ai_asid; /* Audit session ID. */
};
typedef struct auditinfo_addr auditinfo_addr_t;
struct auditpinfo {
pid_t ap_pid; /* ID of target process. */
au_id_t ap_auid; /* Audit user ID. */
au_mask_t ap_mask; /* Audit masks. */
au_tid_t ap_termid; /* Terminal ID. */
au_asid_t ap_asid; /* Audit session ID. */
};
typedef struct auditpinfo auditpinfo_t;
struct auditpinfo_addr {
pid_t ap_pid; /* ID of target process. */
au_id_t ap_auid; /* Audit user ID. */
au_mask_t ap_mask; /* Audit masks. */
au_tid_addr_t ap_termid; /* Terminal ID. */
au_asid_t ap_asid; /* Audit session ID. */
};
typedef struct auditpinfo_addr auditpinfo_addr_t;
/* Token and record structures. */
struct au_token {
u_char *t_data;
size_t len;
TAILQ_ENTRY(au_token) tokens;
};
typedef struct au_token token_t;
struct au_record {
char used; /* Record currently in use? */
int desc; /* Descriptor for record. */
TAILQ_HEAD(, au_token) token_q; /* Queue of BSM tokens. */
u_char *data;
size_t len;
LIST_ENTRY(au_record) au_rec_q;
};
typedef struct au_record au_record_t;
/*
* Kernel audit queue control parameters.
*/
struct au_qctrl {
size_t aq_hiwater;
size_t aq_lowater;
size_t aq_bufsz;
clock_t aq_delay;
int aq_minfree; /* Minimum filesystem percent free space. */
};
typedef struct au_qctrl au_qctrl_t;
/*
* Structure for the audit statistics.
*/
struct audit_stat {
unsigned int as_version;
unsigned int as_numevent;
int as_generated;
int as_nonattring;
int as_kernel;
int as_audit;
int as_auditctl;
int as_enqueu;
int as_written;
int as_wblocked;
int as_rblocked;
int as_dropped;
int as_totalsize;
unsigned int as_memused;
};
typedef struct audit_stat au_stat_t;
/*
* Structure for the audit file statistics.
*/
struct audit_fstat {
u_quad_t af_filesz;
u_quad_t af_currsz;
};
typedef struct audit_fstat au_fstat_t;
/*
* Audit to event class mapping.
*/
struct au_evclass_map {
au_event_t ec_number;
au_class_t ec_class;
};
typedef struct au_evclass_map au_evclass_map_t;
#if !defined(_KERNEL) && !defined(KERNEL)
int audit(const void *, int);
int auditon(int, void *, int);
int auditctl(const char *);
int getauid(au_id_t *);
int setauid(const au_id_t *);
int getaudit(struct auditinfo *);
int setaudit(const struct auditinfo *);
int getaudit_addr(struct auditinfo_addr *, int);
int setaudit_addr(const struct auditinfo_addr *, int);
#endif /* defined(_KERNEL) || defined(KERNEL) */
__END_DECLS
#endif /* !_BSM_AUDIT_H */

99
contrib/openbsm/bsm/audit_internal.h Normal file
View File

@ -0,0 +1,99 @@
/*
* Copyright (c) 2005 Apple Computer, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This code was developed in part by Robert N. M. Watson, Senior Principal
* Scientist, SPARTA, Inc.
*
* @APPLE_BSD_LICENSE_HEADER_START@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#7 $
*/
#ifndef _LIBBSM_INTERNAL_H
#define _LIBBSM_INTERNAL_H
/*
* audit_internal.h contains private interfaces that are shared by user space
* and the kernel for the purposes of assembling audit records. Applications
* should not include this file or use the APIs found within, or it may be
* broken with future releases of OpenBSM, which may delete, modify, or
* otherwise break these interfaces or the assumptions they rely on.
*/
/* We could determined the header and trailer sizes by
* defining appropriate structures. We hold off that approach
* till we have a consistant way of using structures for all tokens.
* This is not straightforward since these token structures may
* contain pointers of whose contents we dont know the size
* (e.g text tokens)
*/
#define BSM_HEADER_SIZE 18
#define BSM_TRAILER_SIZE 7
/*
* BSM token streams store fields in big endian byte order, so as to be
* portable; when encoding and decoding, we must convert byte orders for
* typed values.
*/
#define ADD_U_CHAR(loc, val) \
do { \
*(loc) = (val); \
(loc) += sizeof(u_char); \
} while(0)
#define ADD_U_INT16(loc, val) \
do { \
be16enc((loc), (val)); \
(loc) += sizeof(u_int16_t); \
} while(0)
#define ADD_U_INT32(loc, val) \
do { \
be32enc((loc), (val)); \
(loc) += sizeof(u_int32_t); \
} while(0)
#define ADD_U_INT64(loc, val) \
do { \
be64enc((loc), (val)); \
(loc) += sizeof(u_int64_t); \
} while(0)
#define ADD_MEM(loc, data, size) \
do { \
memcpy((loc), (data), (size)); \
(loc) += size; \
} while(0)
#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size)
#endif /* !_LIBBSM_INTERNAL_H_ */

494
contrib/openbsm/bsm/audit_kevents.h Normal file
View File

@ -0,0 +1,494 @@
/*
* Copyright (c) 2005 Apple Computer, Inc.
* All rights reserved.
*
* @APPLE_BSD_LICENSE_HEADER_START@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#29 $
*/
#ifndef _BSM_AUDIT_KEVENTS_H_
#define _BSM_AUDIT_KEVENTS_H_
/*
* Values marked as AUE_NULL are not required to be audited as per CAPP.
*
* Some conflicts exist in the assignment of name to event number mappings
* between BSM implementations. In general, we prefer the OpenSolaris
* definition as we consider Solaris BSM to be authoritative. _DARWIN_ has
* been inserted for the Darwin variants. If necessary, other tags will be
* added in the future.
*/
#define AUE_NULL 0
#define AUE_EXIT 1
#define AUE_FORK 2
#define AUE_OPEN 3
#define AUE_CREAT 4
#define AUE_LINK 5
#define AUE_UNLINK 6
#define AUE_DELETE AUE_UNLINK
#define AUE_EXEC 7
#define AUE_CHDIR 8
#define AUE_MKNOD 9
#define AUE_CHMOD 10
#define AUE_CHOWN 11
#define AUE_UMOUNT 12
#define AUE_JUNK 13 /* Solaris-specific. */
#define AUE_ACCESS 14
#define AUE_CHECKUSERACCESS AUE_ACCESS
#define AUE_KILL 15
#define AUE_STAT 16
#define AUE_LSTAT 17
#define AUE_ACCT 18
#define AUE_MCTL 19 /* Solaris-specific. */
#define AUE_REBOOT 20 /* XXX: Darwin conflict. */
#define AUE_SYMLINK 21
#define AUE_READLINK 22
#define AUE_EXECVE 23
#define AUE_CHROOT 24
#define AUE_VFORK 25
#define AUE_SETGROUPS 26
#define AUE_SETPGRP 27
#define AUE_SWAPON 28
#define AUE_SETHOSTNAME 29 /* XXX: Darwin conflict. */
#define AUE_FCNTL 30
#define AUE_SETPRIORITY 31 /* XXX: Darwin conflict. */
#define AUE_CONNECT 32
#define AUE_ACCEPT 33
#define AUE_BIND 34
#define AUE_SETSOCKOPT 35
#define AUE_VTRACE 36 /* Solaris-specific. */
#define AUE_SETTIMEOFDAY 37 /* XXX: Darwin conflict. */
#define AUE_FCHOWN 38
#define AUE_FCHMOD 39
#define AUE_SETREUID 40
#define AUE_SETREGID 41
#define AUE_RENAME 42
#define AUE_TRUNCATE 43 /* XXX: Darwin conflict. */
#define AUE_FTRUNCATE 44 /* XXX: Darwin conflict. */
#define AUE_FLOCK 45 /* XXX: Darwin conflict. */
#define AUE_SHUTDOWN 46
#define AUE_MKDIR 47
#define AUE_RMDIR 48
#define AUE_UTIMES 49
#define AUE_ADJTIME 50
#define AUE_SETRLIMIT 51
#define AUE_KILLPG 52
#define AUE_NFS_SVC 53 /* XXX: Darwin conflict. */
#define AUE_STATFS 54
#define AUE_FSTATFS 55
#define AUE_UNMOUNT 56 /* XXX: Darwin conflict. */
#define AUE_ASYNC_DAEMON 57
#define AUE_NFS_GETFH 58 /* XXX: Darwin conflict. */
#define AUE_SETDOMAINNAME 59
#define AUE_QUOTACTL 60 /* XXX: Darwin conflict. */
#define AUE_EXPORTFS 61
#define AUE_MOUNT 62
#define AUE_SEMSYS 63
#define AUE_MSGSYS 64
#define AUE_SHMSYS 65
#define AUE_BSMSYS 66 /* Solaris-specific. */
#define AUE_RFSSYS 67 /* Solaris-specific. */
#define AUE_FCHDIR 68
#define AUE_FCHROOT 69
#define AUE_VPIXSYS 70 /* Solaris-specific. */
#define AUE_PATHCONF 71
#define AUE_OPEN_R 72
#define AUE_OPEN_RC 73
#define AUE_OPEN_RT 74
#define AUE_OPEN_RTC 75
#define AUE_OPEN_W 76
#define AUE_OPEN_WC 77
#define AUE_OPEN_WT 78
#define AUE_OPEN_WTC 79
#define AUE_OPEN_RW 80
#define AUE_OPEN_RWC 81
#define AUE_OPEN_RWT 82
#define AUE_OPEN_RWTC 83
#define AUE_MSGCTL 84
#define AUE_MSGCTL_RMID 85
#define AUE_MSGCTL_SET 86
#define AUE_MSGCTL_STAT 87
#define AUE_MSGGET 88
#define AUE_MSGRCV 89
#define AUE_MSGSND 90
#define AUE_SHMCTL 91
#define AUE_SHMCTL_RMID 92
#define AUE_SHMCTL_SET 93
#define AUE_SHMCTL_STAT 94
#define AUE_SHMGET 95
#define AUE_SHMAT 96
#define AUE_SHMDT 97
#define AUE_SEMCTL 98
#define AUE_SEMCTL_RMID 99
#define AUE_SEMCTL_SET 100
#define AUE_SEMCTL_STAT 101
#define AUE_SEMCTL_GETNCNT 102
#define AUE_SEMCTL_GETPID 103
#define AUE_SEMCTL_GETVAL 104
#define AUE_SEMCTL_GETALL 105
#define AUE_SEMCTL_GETZCNT 106
#define AUE_SEMCTL_SETVAL 107
#define AUE_SEMCTL_SETALL 108
#define AUE_SEMGET 109
#define AUE_SEMOP 110
#define AUE_CORE 111 /* Solaris-specific, currently. */
#define AUE_CLOSE 112
#define AUE_SYSTEMBOOT 113
#define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */
#define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */
#define AUE_WRITEL 128 /* Solaris-specific. */
#define AUE_WRITEVL 129 /* Solaris-specific. */
#define AUE_GETAUID 130
#define AUE_SETAUID 131
#define AUE_GETAUDIT 132
#define AUE_SETAUDIT 133
#define AUE_GETUSERAUDIT 134 /* Solaris-specific. */
#define AUE_SETUSERAUDIT 135 /* Solaris-specific. */
#define AUE_AUDITSVC 136 /* Solaris-specific. */
#define AUE_AUDITUSER 137 /* Solaris-specific. */
#define AUE_AUDITON 138
#define AUE_AUDITON_GTERMID 139 /* Solaris-specific. */
#define AUE_AUDITON_STERMID 140 /* Solaris-specific. */
#define AUE_AUDITON_GPOLICY 141
#define AUE_AUDITON_SPOLICY 142
#define AUE_AUDITON_GQCTRL 145
#define AUE_AUDITON_SQCTRL 146
#define AUE_GETKERNSTATE 147 /* Solaris-specific. */
#define AUE_SETKERNSTATE 148 /* Solaris-specific. */
#define AUE_GETPORTAUDIT 149 /* Solaris-specific. */
#define AUE_AUDISTAT 150 /* Solaris-specific. */
#define AUE_ENTERPROM 153 /* Solaris-specific. */
#define AUE_EXITPROM 154 /* Solaris-specific. */
#define AUE_IOCTL 158
#define AUE_SOCKET 183
#define AUE_SENDTO 184
#define AUE_PIPE 185
#define AUE_SOCKETPAIR 186 /* XXX: Darwin conflict. */
#define AUE_SEND 187
#define AUE_SENDMSG 188
#define AUE_RECV 189
#define AUE_RECVMSG 190
#define AUE_RECVFROM 191
#define AUE_READ 192
#define AUE_LSEEK 194
#define AUE_WRITE 195
#define AUE_WRITEV 196
#define AUE_NFS 197 /* Solaris-specific. */
#define AUE_READV 198
/* XXXRW: XXX Solaris old stat()? */
#define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */
#define AUE_STIME 201 /* XXXRW: Solaris old stime? */
#define AUE_UTIME 202 /* XXXRW: Solaris old utime? */
#define AUE_NICE 203 /* XXXRW: Solaris old nice? */
/* XXXRW: Solaris old setpgrp? */
#define AUE_SETGID 205 /* XXXRW: Solaris old setgid? */
/* XXXRW: Solaris readl? */
/* XXXRW: Solaris readvl()? */
#define AUE_DUP2 209
#define AUE_MMAP 210
#define AUE_AUDIT 211
#define AUE_PRIOCNTLSYS 212
#define AUE_MUNMAP 213
#define AUE_SETEGID 214
#define AUE_SETEUID 215
#define AUE_PUTMSG 216
#define AUE_GETMSG 217 /* Solaris-specific. */
#define AUE_PUTPMSG 218 /* Solaris-specific. */
#define AUE_GETPMSG 219 /* Solaris-specific. */
#define AUE_AUDITSYS 220 /* Solaris-specific. */
#define AUE_AUDITON_GETKMASK 221
#define AUE_AUDITON_SETKMASK 222
#define AUE_AUDITON_GETCWD 223
#define AUE_AUDITON_GETCAR 224
#define AUE_AUDITON_GETSTAT 225
#define AUE_AUDITON_SETSTAT 226
#define AUE_AUDITON_SETUMASK 227
#define AUE_AUDITON_SETSMASK 228
#define AUE_AUDITON_GETCOND 229
#define AUE_AUDITON_SETCOND 230
#define AUE_AUDITON_GETCLASS 231
#define AUE_AUDITON_SETCLASS 232
#define AUE_UTSSYS 233 /* Solaris-specific. */
#define AUE_STATVFS 234
#define AUE_XSTAT 235
#define AUE_LXSTAT 236
#define AUE_LCHOWN 237
#define AUE_MEMCNTL 238 /* Solaris-specific. */
#define AUE_SYSINFO 239 /* Solaris-specific. */
#define AUE_XMKNOD 240 /* Solaris-specific. */
#define AUE_FORK1 241
/* XXXRW: Solaris modctl()? */
#define AUE_MODLOAD 243
#define AUE_MODUNLOAD 244
#define AUE_MODCONFIG 245 /* Solaris-specific. */
#define AUE_MODADDMAJ 246 /* Solaris-specific. */
#define AUE_SOCKACCEPT 247
#define AUE_SOCKCONNECT 248
#define AUE_SOCKSEND 249
#define AUE_SOCKRECEIVE 250
#define AUE_ACLSET 251
#define AUE_FACLSET 252
#define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */
#define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */
#define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */
#define AUE_DOORFS_DOOR_REVOKE 257 /* Solaris-specific. */
#define AUE_DOORFS_DOOR_INFO 258 /* Solaris-specific. */
#define AUE_DOORFS_DOOR_CRED 259 /* Solaris-specific. */
#define AUE_DOORFS_DOOR_BIND 260 /* Solaris-specific. */
#define AUE_DOORFS_DOOR_UNBIND 261 /* Solaris-specific. */
#define AUE_P_ONLINE 262 /* Solaris-specific. */
#define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */
#define AUE_INST_SYNC 264 /* Solaris-specific. */
#define AUE_SOCK_CONFIG 265 /* Solaris-specific. */
#define AUE_SETAUDIT_ADDR 266
#define AUE_GETAUDIT_ADDR 267
#define AUE_CLOCK_SETTIME 287
#define AUE_NTP_ADJTIME 288
/*
* Events not present in OpenSolaris BSM, generally derived from Apple Darwin
* BSM or added in OpenBSM. This start a little too close to the top end of
* the OpenSolaris event list for my comfort.
*/
#define AUE_GETFSSTAT 301
#define AUE_PTRACE 302
#define AUE_CHFLAGS 303
#define AUE_FCHFLAGS 304
#define AUE_PROFILE 305
#define AUE_KTRACE 306
#define AUE_SETLOGIN 307
#define AUE_DARWIN_REBOOT 308 /* XXX: See AUE_REBOOT. */
#define AUE_REVOKE 309
#define AUE_UMASK 310
#define AUE_MPROTECT 311
#define AUE_DARWIN_SETPRIORITY 312 /* XXX: See AUE_SETPRIORITY. */
#define AUE_DARWIN_SETTIMEOFDAY 313 /* XXX: See AUE_SETTIMEOFDAY. */
#define AUE_DARWIN_FLOCK 314 /* XXX: See AUE_FLOCK. */
#define AUE_MKFIFO 315
#define AUE_POLL 316
#define AUE_DARWIN_SOCKETPAIR 317 /* XXXRW: See AUE_SOCKETPAIR. */
#define AUE_FUTIMES 318
#define AUE_SETSID 319
#define AUE_SETPRIVEXEC 320 /* Darwin-specific. */
#define AUE_DARWIN_NFSSVC 321 /* XXX: See AUE_NFS_SVC. */
#define AUE_DARWIN_GETFH 322 /* XXX: See AUE_NFS_GETFH. */
#define AUE_DARWIN_QUOTACTL 323 /* XXX: See AUE_QUOTACTL. */
#define AUE_ADDPROFILE 324 /* Darwin-specific. */
#define AUE_KDEBUGTRACE 325 /* Darwin-specific. */
#define AUE_KDBUGTRACE AUE_KDEBUGTRACE
#define AUE_FSTAT 326
#define AUE_FPATHCONF 327
#define AUE_GETDIRENTRIES 328
#define AUE_DARWIN_TRUNCATE 329 /* XXX: See AUE_TRUNCATE. */
#define AUE_DARWIN_FTRUNCATE 330 /* XXX: See AUE_FTRUNCATE. */
#define AUE_SYSCTL 331
#define AUE_MLOCK 332
#define AUE_MUNLOCK 333
#define AUE_UNDELETE 334
#define AUE_GETATTRLIST 335 /* Darwin-specific. */
#define AUE_SETATTRLIST 336 /* Darwin-specific. */
#define AUE_GETDIRENTRIESATTR 337 /* Darwin-specific. */
#define AUE_EXCHANGEDATA 338 /* Darwin-specific. */
#define AUE_SEARCHFS 339 /* Darwin-specific. */
#define AUE_MINHERIT 340
#define AUE_SEMCONFIG 341
#define AUE_SEMOPEN 342
#define AUE_SEMCLOSE 343
#define AUE_SEMUNLINK 344
#define AUE_SHMOPEN 345
#define AUE_SHMUNLINK 346
#define AUE_LOADSHFILE 347 /* Darwin-specific. */
#define AUE_RESETSHFILE 348 /* Darwin-specific. */
#define AUE_NEWSYSTEMSHREG 349 /* Darwin-specific. */
#define AUE_PTHREADKILL 350 /* Darwin-specific. */
#define AUE_PTHREADSIGMASK 351 /* Darwin-specific. */
#define AUE_AUDITCTL 352
#define AUE_RFORK 353
#define AUE_LCHMOD 354
#define AUE_SWAPOFF 355
#define AUE_INITPROCESS 356 /* Darwin-specific. */
#define AUE_MAPFD 357 /* Darwin-specific. */
#define AUE_TASKFORPID 358 /* Darwin-specific. */
#define AUE_PIDFORTASK 359 /* Darwin-specific. */
#define AUE_SYSCTL_NONADMIN 360
#define AUE_COPYFILE 361 /* Darwin-specific. */
#define AUE_LUTIMES 362
#define AUE_LCHFLAGS 363 /* FreeBSD-specific. */
#define AUE_SENDFILE 364 /* BSD/Linux-specific. */
#define AUE_USELIB 365 /* Linux-specific. */
#define AUE_GETRESUID 366
#define AUE_SETRESUID 367
#define AUE_GETRESGID 368
#define AUE_SETRESGID 369
#define AUE_WAIT4 370 /* FreeBSD-specific. */
#define AUE_LGETFH 371 /* FreeBSD-specific. */
#define AUE_FHSTATFS 372 /* FreeBSD-specific. */
#define AUE_FHOPEN 373 /* FreeBSD-specific. */
#define AUE_FHSTAT 374 /* FreeBSD-specific. */
#define AUE_JAIL 375 /* FreeBSD-specific. */
#define AUE_EACCESS 376 /* FreeBSD-specific. */
#define AUE_KQUEUE 377 /* FreeBSD-specific. */
#define AUE_KEVENT 378 /* FreeBSD-specific. */
#define AUE_FSYNC 379
#define AUE_NMOUNT 380 /* FreeBSD-specific. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
* normal Solaris BSM identifiers. _O_ refers to it being an old, or compat
* interface. In most cases, Darwin has never implemented these system calls
* but picked up the fields in their system call table from their FreeBSD
* import. Happily, these have different names than the AUE_O* definitions
* in Solaris BSM.
*/
#define AUE_O_CREAT AUE_OPEN_RWTC /* Darwin */
#define AUE_O_EXECVE AUE_NULL /* Darwin */
#define AUE_O_SBREAK AUE_NULL /* Darwin */
#define AUE_O_LSEEK AUE_NULL /* Darwin */
#define AUE_O_MOUNT AUE_NULL /* Darwin */
#define AUE_O_UMOUNT AUE_NULL /* Darwin */
#define AUE_O_STAT AUE_STAT /* Darwin */
#define AUE_O_LSTAT AUE_LSTAT /* Darwin */
#define AUE_O_FSTAT AUE_FSTAT /* Darwin */
#define AUE_O_GETPAGESIZE AUE_NULL /* Darwin */
#define AUE_O_VREAD AUE_NULL /* Darwin */
#define AUE_O_VWRITE AUE_NULL /* Darwin */
#define AUE_O_MMAP AUE_MMAP /* Darwin */
#define AUE_O_VADVISE AUE_NULL /* Darwin */
#define AUE_O_VHANGUP AUE_NULL /* Darwin */
#define AUE_O_VLIMIT AUE_NULL /* Darwin */
#define AUE_O_WAIT AUE_NULL /* Darwin */
#define AUE_O_GETHOSTNAME AUE_NULL /* Darwin */
#define AUE_O_SETHOSTNAME AUE_SYSCTL /* Darwin */
#define AUE_O_GETDOPT AUE_NULL /* Darwin */
#define AUE_O_SETDOPT AUE_NULL /* Darwin */
#define AUE_O_ACCEPT AUE_NULL /* Darwin */
#define AUE_O_SEND AUE_SENDMSG /* Darwin */
#define AUE_O_RECV AUE_RECVMSG /* Darwin */
#define AUE_O_VTIMES AUE_NULL /* Darwin */
#define AUE_O_SIGVEC AUE_NULL /* Darwin */
#define AUE_O_SIGBLOCK AUE_NULL /* Darwin */
#define AUE_O_SIGSETMASK AUE_NULL /* Darwin */
#define AUE_O_SIGSTACK AUE_NULL /* Darwin */
#define AUE_O_RECVMSG AUE_RECVMSG /* Darwin */
#define AUE_O_SENDMSG AUE_SENDMSG /* Darwin */
#define AUE_O_VTRACE AUE_NULL /* Darwin */
#define AUE_O_RESUBA AUE_NULL /* Darwin */
#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */
#define AUE_O_SETREUID AUE_SETREUID /* Darwin */
#define AUE_O_SETREGID AUE_SETREGID /* Darwin */
#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */
#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */
#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */
#define AUE_O_GETHOSTID AUE_NULL /* Darwin */
#define AUE_O_SETHOSTID AUE_NULL /* Darwin */
#define AUE_O_GETRLIMIT AUE_NULL /* Darwin */
#define AUE_O_SETRLIMIT AUE_SETRLIMIT /* Darwin */
#define AUE_O_KILLPG AUE_KILL /* Darwin */
#define AUE_O_SETQUOTA AUE_NULL /* Darwin */
#define AUE_O_QUOTA AUE_NULL /* Darwin */
#define AUE_O_GETSOCKNAME AUE_NULL /* Darwin */
#define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */
#define AUE_O_ASYNCDAEMON AUE_NULL /* Darwin */
#define AUE_O_GETDOMAINNAME AUE_NULL /* Darwin */
#define AUE_O_SETDOMAINNAME AUE_SYSCTL /* Darwin */
#define AUE_O_PCFS_MOUNT AUE_NULL /* Darwin */
#define AUE_O_EXPORTFS AUE_NULL /* Darwin */
#define AUE_O_USTATE AUE_NULL /* Darwin */
#define AUE_O_WAIT3 AUE_NULL /* Darwin */
#define AUE_O_RPAUSE AUE_NULL /* Darwin */
#define AUE_O_GETDENTS AUE_NULL /* Darwin */
/*
* Possible desired future values based on review of BSD/Darwin system calls.
*/
#define AUE_DUP AUE_NULL
#define AUE_FSCTL AUE_NULL
#define AUE_FSTATV AUE_NULL
#define AUE_GCCONTROL AUE_NULL
#define AUE_GETDTABLESIZE AUE_NULL
#define AUE_GETEGID AUE_NULL
#define AUE_GETEUID AUE_NULL
#define AUE_GETGID AUE_NULL
#define AUE_GETGROUPS AUE_NULL
#define AUE_GETITIMER AUE_NULL
#define AUE_GETLOGIN AUE_NULL
#define AUE_GETPEERNAME AUE_NULL
#define AUE_GETPGID AUE_NULL
#define AUE_GETPGRP AUE_NULL
#define AUE_GETPID AUE_NULL
#define AUE_GETPPID AUE_NULL
#define AUE_GETPRIORITY AUE_NULL
#define AUE_GETRLIMIT AUE_NULL
#define AUE_GETRUSAGE AUE_NULL
#define AUE_GETSID AUE_NULL
#define AUE_GETSOCKNAME AUE_NULL
#define AUE_GETTIMEOFDAY AUE_NULL
#define AUE_GETUID AUE_NULL
#define AUE_GETSOCKOPT AUE_NULL
#define AUE_GTSOCKOPT AUE_GETSOCKOPT /* XXX: Typo in Darwin. */
#define AUE_ISSETUGID AUE_NULL
#define AUE_LISTEN AUE_NULL
#define AUE_LSTATV AUE_NULL
#define AUE_MADVISE AUE_NULL
#define AUE_MINCORE AUE_NULL
#define AUE_MKCOMPLEX AUE_NULL
#define AUE_MLOCKALL AUE_NULL
#define AUE_MODWATCH AUE_NULL
#define AUE_MSGCL AUE_NULL
#define AUE_MSYNC AUE_NULL
#define AUE_MUNLOCKALL AUE_NULL
#define AUE_PREAD AUE_NULL
#define AUE_PWRITE AUE_NULL
#define AUE_SBRK AUE_NULL
#define AUE_SELECT AUE_NULL
#define AUE_SEMDESTROY AUE_NULL
#define AUE_SEMGETVALUE AUE_NULL
#define AUE_SEMINIT AUE_NULL
#define AUE_SEMPOST AUE_NULL
#define AUE_SEMTRYWAIT AUE_NULL
#define AUE_SEMWAIT AUE_NULL
#define AUE_SETITIMER AUE_NULL
#define AUE_SIGACTION AUE_NULL
#define AUE_SIGALTSTACK AUE_NULL
#define AUE_SIGPENDING AUE_NULL
#define AUE_SIGPROCMASK AUE_NULL
#define AUE_SIGRETURN AUE_NULL
#define AUE_SIGSUSPEND AUE_NULL
#define AUE_SIGWAIT AUE_NULL
#define AUE_SSTK AUE_NULL
#define AUE_STATV AUE_NULL
#define AUE_SYNC AUE_NULL
#define AUE_SYSCALL AUE_NULL
#define AUE_TABLE AUE_NULL
#define AUE_WAITEVENT AUE_NULL
#define AUE_WATCHEVENT AUE_NULL
#endif /* !_BSM_AUDIT_KEVENTS_H_ */

325
contrib/openbsm/bsm/audit_record.h Normal file
View File

@ -0,0 +1,325 @@
/*
* Copyright (c) 2005 Apple Computer, Inc.
* All rights reserved.
*
* @APPLE_BSD_LICENSE_HEADER_START@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#14 $
*/
#ifndef _BSM_AUDIT_RECORD_H_
#define _BSM_AUDIT_RECORD_H_
/* Various token id types */
/*
* Values inside the comments are not documented in the BSM pages and
* have been picked up from the header files
*/
/*
* Values marked as XXX do not have a value defined in the BSM header files
*/
#define AUT_INVALID 0x00
#define AUT_OTHER_FILE32 0x11
#define AUT_OHEADER 0x12
#define AUT_TRAILER 0x13
#define AUT_HEADER32 0x14
#define AUT_HEADER32_EX 0x15
#define AUT_DATA 0x21
#define AUT_IPC 0x22
#define AUT_PATH 0x23
#define AUT_SUBJECT32 0x24
#define AUT_SERVER32 0x25
#define AUT_PROCESS32 0x26
#define AUT_RETURN32 0x27
#define AUT_TEXT 0x28
#define AUT_OPAQUE 0x29
#define AUT_IN_ADDR 0x2a
#define AUT_IP 0x2b
#define AUT_IPORT 0x2c
#define AUT_ARG32 0x2d
#define AUT_SOCKET 0x2e
#define AUT_SEQ 0x2f
#define AUT_ACL 0x30
#define AUT_ATTR 0x31
#define AUT_IPC_PERM 0x32
#define AUT_LABEL 0x33
#define AUT_GROUPS 0x34
#define AUT_ILABEL 0x35
#define AUT_SLABEL 0x36
#define AUT_CLEAR 0x37
#define AUT_PRIV 0x38
#define AUT_UPRIV 0x39
#define AUT_LIAISON 0x3a
#define AUT_NEWGROUPS 0x3b
#define AUT_EXEC_ARGS 0x3c
#define AUT_EXEC_ENV 0x3d
#define AUT_ATTR32 0x3e
/* #define AUT_???? 0x3f */
#define AUT_XATOM 0x40
#define AUT_XOBJ 0x41
#define AUT_XPROTO 0x42
#define AUT_XSELECT 0x43
/* XXXRW: Additional X11 tokens not defined? */
#define AUT_CMD 0x51
#define AUT_EXIT 0x52
/* XXXRW: OpenBSM AUT_HOST 0x70? */
#define AUT_ARG64 0x71
#define AUT_RETURN64 0x72
#define AUT_ATTR64 0x73
#define AUT_HEADER64 0x74
#define AUT_SUBJECT64 0x75
#define AUT_SERVER64 0x76
#define AUT_PROCESS64 0x77
#define AUT_OTHER_FILE64 0x78
#define AUT_HEADER64_EX 0x79
#define AUT_SUBJECT32_EX 0x7a
#define AUT_PROCESS32_EX 0x7b
#define AUT_SUBJECT64_EX 0x7c
#define AUT_PROCESS64_EX 0x7d
#define AUT_IN_ADDR_EX 0x7e
#define AUT_SOCKET_EX 0x7f
/*
* Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'. We have
* compatibility defines.
*/
#define AUT_HEADER AUT_HEADER32
#define AUT_ARG AUT_ARG32
#define AUT_RETURN AUT_RETURN32
#define AUT_SUBJECT AUT_SUBJECT32
#define AUT_SERVER AUT_SERVER32
#define AUT_PROCESS AUT_PROCESS32
#define AUT_OTHER_FILE AUT_OTHER_FILE32
/*
* Darwin's bsm distribution uses the following non-BSM token name defines.
* We provide them for a single OpenBSM release for compatibility reasons.
*/
#define AU_FILE_TOKEN AUT_OTHER_FILE32
#define AU_TRAILER_TOKEN AUT_TRAILER
#define AU_HEADER_32_TOKEN AUT_HEADER32
#define AU_DATA_TOKEN AUT_DATA
#define AU_ARB_TOKEN AUT_DATA
#define AU_IPC_TOKEN AUT_IPC
#define AU_PATH_TOKEN AUT_PATH
#define AU_SUBJECT_32_TOKEN AUT_SUBJECT32
#define AU_PROCESS_32_TOKEN AUT_PROCESS32
#define AU_RETURN_32_TOKEN AUT_RETURN32
#define AU_TEXT_TOKEN AUT_TEXT
#define AU_OPAQUE_TOKEN AUT_OPAQUE
#define AU_IN_ADDR_TOKEN AUT_IN_ADDR
#define AU_IP_TOKEN AUT_IP
#define AU_IPORT_TOKEN AUT_IPORT
#define AU_ARG32_TOKEN AUT_ARG32
#define AU_SOCK_TOKEN AUT_SOCKET
#define AU_SEQ_TOKEN AUT_SEQ
#define AU_ATTR_TOKEN AUT_ATTR
#define AU_IPCPERM_TOKEN AUT_IPC_PERM
#define AU_NEWGROUPS_TOKEN AUT_NEWGROUPS
#define AU_EXEC_ARG_TOKEN AUT_EXEC_ARGS
#define AU_EXEC_ENV_TOKEN AUT_EXEC_ENV
#define AU_ATTR32_TOKEN AUT_ATTR32
#define AU_CMD_TOKEN AUT_CMD
#define AU_EXIT_TOKEN AUT_EXIT
#define AU_ARG64_TOKEN AUT_ARG64
#define AU_RETURN_64_TOKEN AUT_RETURN64
#define AU_ATTR64_TOKEN AUT_ATTR64
#define AU_HEADER_64_TOKEN AUT_HEADER64
#define AU_SUBJECT_64_TOKEN AUT_SUBJECT64
#define AU_PROCESS_64_TOKEN AUT_PROCESS64
#define AU_HEADER_64_EX_TOKEN AUT_HEADER64_EX
#define AU_SUBJECT_32_EX_TOKEN AUT_SUBJECT32_EX
#define AU_PROCESS_32_EX_TOKEN AUT_PROCESS32_EX
#define AU_SUBJECT_64_EX_TOKEN AUT_SUBJECT64_EX
#define AU_PROCESS_64_EX_TOKEN AUT_PROCESS64_EX
#define AU_IN_ADDR_EX_TOKEN AUT_IN_ADDR_EX
#define AU_SOCK_32_EX_TOKEN AUT_SOCKET_EX
/*
* The values for the following token ids are not defined by BSM.
*
* XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them
* names more consistent with Sun's BSM. These originally came from Apple's
* BSM.
*/
#define AUT_SOCKINET32 0x80 /* XXX */
#define AUT_SOCKINET128 0x81 /* XXX */
#define AUT_SOCKUNIX 0x82 /* XXX */
#define AU_SOCK_INET_32_TOKEN AUT_SOCKINET32
#define AU_SOCK_INET_128_TOKEN AUT_SOCKINET128
#define AU_SOCK_UNIX_TOKEN AUT_SOCKUNIX
/* print values for the arbitrary token */
#define AUP_BINARY 0
#define AUP_OCTAL 1
#define AUP_DECIMAL 2
#define AUP_HEX 3
#define AUP_STRING 4
/* data-types for the arbitrary token */
#define AUR_BYTE 0
#define AUR_SHORT 1
#define AUR_LONG 2
/* ... and their sizes */
#define AUR_BYTE_SIZE sizeof(u_char)
#define AUR_SHORT_SIZE sizeof(uint16_t)
#define AUR_LONG_SIZE sizeof(uint32_t)
/* Modifiers for the header token */
#define PAD_NOTATTR 0x4000 /* nonattributable event */
#define PAD_FAILURE 0x8000 /* fail audit event */
#define BSM_MAX_GROUPS 16
#define HEADER_VERSION 1
/*
* BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we
* split the difference, will remove the Apple define for the next release.
*/
#define AUT_TRAILER_MAGIC 0xb105
#define TRAILER_PAD_MAGIC AUT_TRAILER_MAGIC
/* BSM library calls */
__BEGIN_DECLS
struct in_addr;
struct in6_addr;
struct ip;
struct ipc_perm;
struct kevent;
struct sockaddr_in;
struct sockaddr_in6;
struct sockaddr_un;
#if defined(_KERNEL) || defined(KERNEL)
struct vnode_au_info;
#endif
int au_open(void);
int au_write(int d, token_t *m);
int au_close(int d, int keep, short event);
int au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
#if defined(KERNEL) || defined(_KERNEL)
token_t *au_to_file(char *file, struct timeval tm);
#else
token_t *au_to_file(char *file);
#endif
#if defined(KERNEL) || defined(_KERNEL)
token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod,
struct timeval tm);
token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
struct timeval tm);
#else
token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
#endif
token_t *au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
token_t *au_to_me(void);
token_t *au_to_arg(char n, char *text, uint32_t v);
token_t *au_to_arg32(char n, char *text, uint32_t v);
token_t *au_to_arg64(char n, char *text, uint64_t v);
#if defined(_KERNEL) || defined(KERNEL)
token_t *au_to_attr(struct vnode_au_info *vni);
token_t *au_to_attr32(struct vnode_au_info *vni);
token_t *au_to_attr64(struct vnode_au_info *vni);
#endif
token_t *au_to_data(char unit_print, char unit_type, char unit_count,
char *p);
token_t *au_to_exit(int retval, int err);
token_t *au_to_groups(int *groups);
token_t *au_to_newgroups(uint16_t n, gid_t *groups);
token_t *au_to_in_addr(struct in_addr *internet_addr);
token_t *au_to_in_addr_ex(struct in6_addr *internet_addr);
token_t *au_to_ip(struct ip *ip);
token_t *au_to_ipc(char type, int id);
token_t *au_to_ipc_perm(struct ipc_perm *perm);
token_t *au_to_iport(uint16_t iport);
token_t *au_to_opaque(char *data, uint16_t bytes);
token_t *au_to_path(char *path);
token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t *au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
au_tid_addr_t *tid);
token_t *au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t *au_to_return(char status, uint32_t ret);
token_t *au_to_return32(char status, uint32_t ret);
token_t *au_to_return64(char status, uint64_t ret);
token_t *au_to_seq(long audit_count);
#if defined(_KERNEL) || defined(KERNEL)
token_t *au_to_socket(struct socket *so);
token_t *au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
struct sockaddr *ta);
token_t *au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
struct sockaddr *ta);
#endif
token_t *au_to_sock_inet(struct sockaddr_in *so);
token_t *au_to_sock_inet32(struct sockaddr_in *so);
token_t *au_to_sock_inet128(struct sockaddr_in6 *so);
token_t *au_to_sock_unix(struct sockaddr_un *so);
token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t *au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t *au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t *au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t *au_to_exec_args(const char **);
token_t *au_to_exec_env(const char **);
token_t *au_to_text(char *text);
token_t *au_to_kevent(struct kevent *kev);
token_t *au_to_trailer(int rec_size);
__END_DECLS
#endif /* ! _BSM_AUDIT_RECORD_H_ */

102
contrib/openbsm/bsm/audit_uevents.h Normal file
View File

@ -0,0 +1,102 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#7 $
*/
#ifndef _BSM_AUDIT_UEVENTS_H_
#define _BSM_AUDIT_UEVENTS_H_
/*-
* User level audit event numbers
*
* Range of audit event numbers:
* 0 Reserved, invalid
* 1 - 2047 Reserved for kernel events
* 2048 - 32767 Defined by BSM for user events
* 32768 - 36864 Reserved for Mac OS-X applications
* 36865 - 65535 Reserved for applications
*
*/
#define AUE_at_create 6144
#define AUE_at_delete 6145
#define AUE_at_perm 6146
#define AUE_cron_invoke 6147
#define AUE_crontab_create 6148
#define AUE_crontab_delete 6149
#define AUE_crontab_perm 6150
#define AUE_inetd_connect 6151
#define AUE_login 6152
#define AUE_logout 6153
#define AUE_telnet 6154
#define AUE_rlogin 6155
#define AUE_mountd_mount 6156
#define AUE_mountd_umount 6157
#define AUE_rshd 6158
#define AUE_su 6159
#define AUE_halt 6160
#define AUE_reboot 6161
#define AUE_rexecd 6162
#define AUE_passwd 6163
#define AUE_rexd 6164
#define AUE_ftpd 6165
#define AUE_init 6166
#define AUE_uadmin 6167
#define AUE_shutdown 6168
#define AUE_poweroff 6169
#define AUE_crontab_mod 6170
#define AUE_audit_startup 6171
#define AUE_audit_shutdown 6172
#define AUE_allocate_succ 6200
#define AUE_allocate_fail 6201
#define AUE_deallocate_succ 6202
#define AUE_deallocate_fail 6203
#define AUE_listdevice_succ 6205
#define AUE_listdevice_fail 6206
#define AUE_create_user 6207
#define AUE_modify_user 6208
#define AUE_delete_user 6209
#define AUE_disable_user 6210
#define AUE_enable_user 6211
#define AUE_sudo 6300
#define AUE_modify_password 6501 /* Not assigned by Sun. */
#define AUE_create_group 6511 /* Not assigned by Sun. */
#define AUE_delete_group 6512 /* Not assigned by Sun. */
#define AUE_modify_group 6513 /* Not assigned by Sun. */
#define AUE_add_to_group 6514 /* Not assigned by Sun. */
#define AUE_remove_from_group 6515 /* Not assigned by Sun. */
#define AUE_revoke_obj 6521 /* Not assigned by Sun; not used. */
#define AUE_lw_login 6600 /* Not assigned by Sun; tentative. */
#define AUE_lw_logout 6601 /* Not assigned by Sun; tentative. */
#define AUE_auth_user 7000 /* Not assigned by Sun. */
#define AUE_ssconn 7001 /* Not assigned by Sun. */
#define AUE_ssauthorize 7002 /* Not assigned by Sun. */
#define AUE_ssauthint 7003 /* Not assigned by Sun. */
#define AUE_openssh 32800
#endif /* !_BSM_AUDIT_UEVENTS_H_ */

1175
contrib/openbsm/bsm/libbsm.h Normal file
View File

File diff suppressed because it is too large Load Diff

264
contrib/openbsm/compat/endian.h Normal file
View File

@ -0,0 +1,264 @@
/*-
* Copyright (c) 2002 Thomas Moestl <tmm@FreeBSD.org>
* Copyright (c) 2005 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* Derived from FreeBSD src/sys/sys/endian.h:1.6.
* $P4: //depot/projects/trustedbsd/openbsm/compat/endian.h#5 $
*/
#ifndef _COMPAT_ENDIAN_H_
#define _COMPAT_ENDIAN_H_
/*
* Pick up value of BYTE_ORDER/_BYTE_ORDER if not yet included.
*/
#include <machine/endian.h>
/*
* Some systems will have the uint/int types defined here already, others
* will need stdint.h.
*/
#include <stdint.h>
/*
* Some operating systems do not yet have the more recent endian APIs that
* permit encoding to and decoding from byte streams. For those systems, we
* implement local non-optimized versions.
*/
static __inline uint16_t
bswap16(uint16_t int16)
{
const unsigned char *from;
unsigned char *to;
uint16_t t;
from = (const unsigned char *) &int16;
to = (unsigned char *) &t;
to[0] = from[1];
to[1] = from[0];
return (t);
}
static __inline uint32_t
bswap32(uint32_t int32)
{
const unsigned char *from;
unsigned char *to;
uint32_t t;
from = (const unsigned char *) &int32;
to = (unsigned char *) &t;
to[0] = from[3];
to[1] = from[2];
to[2] = from[1];
to[3] = from[0];
return (t);
}
static __inline uint64_t
bswap64(uint64_t int64)
{
const unsigned char *from;
unsigned char *to;
uint64_t t;
from = (const unsigned char *) &int64;
to = (unsigned char *) &t;
to[0] = from[7];
to[1] = from[6];
to[2] = from[5];
to[3] = from[4];
to[4] = from[3];
to[5] = from[2];
to[6] = from[1];
to[7] = from[0];
return (t);
}
#if defined(BYTE_ORDER) && !defined(_BYTE_ORDER)
#define _BYTE_ORDER BYTE_ORDER
#endif
#if !defined(_BYTE_ORDER)
#error "Neither BYTE_ORDER nor _BYTE_ORDER defined"
#endif
#if defined(BIG_ENDIAN) && !defined(_BIG_ENDIAN)
#define _BIG_ENDIAN BIG_ENDIAN
#endif
#if defined(LITTLE_ENDIAN) && !defined(_LITTLE_ENDIAN)
#define _LITTLE_ENDIAN LITTLE_ENDIAN
#endif
/*
* Host to big endian, host to little endian, big endian to host, and little
* endian to host byte order functions as detailed in byteorder(9).
*/
#if _BYTE_ORDER == _LITTLE_ENDIAN
#define htobe16(x) bswap16((x))
#define htobe32(x) bswap32((x))
#define htobe64(x) bswap64((x))
#define htole16(x) ((uint16_t)(x))
#define htole32(x) ((uint32_t)(x))
#define htole64(x) ((uint64_t)(x))
#define be16toh(x) bswap16((x))
#define be32toh(x) bswap32((x))
#define be64toh(x) bswap64((x))
#define le16toh(x) ((uint16_t)(x))
#define le32toh(x) ((uint32_t)(x))
#define le64toh(x) ((uint64_t)(x))
#else /* _BYTE_ORDER != _LITTLE_ENDIAN */
#define htobe16(x) ((uint16_t)(x))
#define htobe32(x) ((uint32_t)(x))
#define htobe64(x) ((uint64_t)(x))
#define htole16(x) bswap16((x))
#define htole32(x) bswap32((x))
#define htole64(x) bswap64((x))
#define be16toh(x) ((uint16_t)(x))
#define be32toh(x) ((uint32_t)(x))
#define be64toh(x) ((uint64_t)(x))
#define le16toh(x) bswap16((x))
#define le32toh(x) bswap32((x))
#define le64toh(x) bswap64((x))
#endif /* _BYTE_ORDER == _LITTLE_ENDIAN */
/* Alignment-agnostic encode/decode bytestream to/from little/big endian. */
static __inline uint16_t
be16dec(const void *pp)
{
unsigned char const *p = (unsigned char const *)pp;
return ((p[0] << 8) | p[1]);
}
static __inline uint32_t
be32dec(const void *pp)
{
unsigned char const *p = (unsigned char const *)pp;
return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
}
static __inline uint64_t
be64dec(const void *pp)
{
unsigned char const *p = (unsigned char const *)pp;
return (((uint64_t)be32dec(p) << 32) | be32dec(p + 4));
}
static __inline uint16_t
le16dec(const void *pp)
{
unsigned char const *p = (unsigned char const *)pp;
return ((p[1] << 8) | p[0]);
}
static __inline uint32_t
le32dec(const void *pp)
{
unsigned char const *p = (unsigned char const *)pp;
return ((p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0]);
}
static __inline uint64_t
le64dec(const void *pp)
{
unsigned char const *p = (unsigned char const *)pp;
return (((uint64_t)le32dec(p + 4) << 32) | le32dec(p));
}
static __inline void
be16enc(void *pp, uint16_t u)
{
unsigned char *p = (unsigned char *)pp;
p[0] = (u >> 8) & 0xff;
p[1] = u & 0xff;
}
static __inline void
be32enc(void *pp, uint32_t u)
{
unsigned char *p = (unsigned char *)pp;
p[0] = (u >> 24) & 0xff;
p[1] = (u >> 16) & 0xff;
p[2] = (u >> 8) & 0xff;
p[3] = u & 0xff;
}
static __inline void
be64enc(void *pp, uint64_t u)
{
unsigned char *p = (unsigned char *)pp;
be32enc(p, u >> 32);
be32enc(p + 4, u & 0xffffffff);
}
static __inline void
le16enc(void *pp, uint16_t u)
{
unsigned char *p = (unsigned char *)pp;
p[0] = u & 0xff;
p[1] = (u >> 8) & 0xff;
}
static __inline void
le32enc(void *pp, uint32_t u)
{
unsigned char *p = (unsigned char *)pp;
p[0] = u & 0xff;
p[1] = (u >> 8) & 0xff;
p[2] = (u >> 16) & 0xff;
p[3] = (u >> 24) & 0xff;
}
static __inline void
le64enc(void *pp, uint64_t u)
{
unsigned char *p = (unsigned char *)pp;
le32enc(p, u & 0xffffffff);
le32enc(p + 4, u >> 32);
}
#endif /* _COMPAT_ENDIAN_H_ */

25
contrib/openbsm/etc/audit_class Normal file
View File

@ -0,0 +1,25 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_class#3 $
#
# This file must match audit.h
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000080:pc:process
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non attributable
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00002000:tf:tfm
0x00004000:ap:application
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:miscellaneous
0xffffffff:all:all flags set

7
contrib/openbsm/etc/audit_control Normal file
View File

@ -0,0 +1,7 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#2 $
#
dir:/var/audit
flags:lo,ad,-all,^-fa,^-fc,^-cl
minfree:20
naflags:lo

343
contrib/openbsm/etc/audit_event Normal file
View File

@ -0,0 +1,343 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#10 $
#
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
2:AUE_FORK:fork(2):pc
3:AUE_OPEN:open(2) - attr only:fa
4:AUE_CREAT:creat(2):fc
5:AUE_LINK:link(2):fc
6:AUE_UNLINK:unlink(2):fd
7:AUE_EXEC:exec(2):pc,ex
8:AUE_CHDIR:chdir(2):pc
9:AUE_MKNOD:mknod(2):fc
10:AUE_CHMOD:chmod(2):fm
11:AUE_CHOWN:chown(2):fm
12:AUE_UMOUNT:umount(2) - old version:ad
13:AUE_JUNK:junk:no
14:AUE_ACCESS:access(2):fa
15:AUE_KILL:kill(2):pc
16:AUE_STAT:stat(2):fa
17:AUE_LSTAT:lstat(2):fa
18:AUE_ACCT:acct(2):ad
19:AUE_MCTL:mctl(2):no
20:AUE_REBOOT:reboot(2):ad
21:AUE_SYMLINK:symlink(2):fc
22:AUE_READLINK:readlink(2):fr
23:AUE_EXECVE:execve(2):pc,ex
24:AUE_CHROOT:chroot(2):pc
25:AUE_VFORK:vfork(2):pc
26:AUE_SETGROUPS:setgroups(2):pc
27:AUE_SETPGRP:setpgrp(2):pc
28:AUE_SWAPON:swapon(2):ad
29:AUE_SETHOSTNAME:sethostname(2):ad
30:AUE_FCNTL:fcntl(2):fm
31:AUE_SETPRIORITY:setpriority(2):pc
32:AUE_CONNECT:connect(2):nt
33:AUE_ACCEPT:accept(2):nt
34:AUE_BIND:bind(2):nt
35:AUE_SETSOCKOPT:setsockopt(2):nt
36:AUE_VTRACE:vtrace(2):pc
37:AUE_SETTIMEOFDAY:settimeofday(2):ad
38:AUE_FCHOWN:fchown(2):fm
39:AUE_FCHMOD:fchmod(2):fm
40:AUE_SETREUID:setreuid(2):pc
41:AUE_SETREGID:setregid(2):pc
42:AUE_RENAME:rename(2):fc,fd
43:AUE_TRUNCATE:truncate(2):fw
44:AUE_FTRUNCATE:ftruncate(2):fw
45:AUE_FLOCK:flock(2):fm
46:AUE_SHUTDOWN:shutdown(2):nt
47:AUE_MKDIR:mkdir(2):fc
48:AUE_RMDIR:rmdir(2):fd
49:AUE_UTIMES:utimes(2):fm
50:AUE_ADJTIME:adjtime(2):ad
51:AUE_SETRLIMIT:setrlimit(2):pc
52:AUE_KILLPG:killpg(2):pc
53:AUE_NFS_SVC:nfs_svc(2):ad
54:AUE_STATFS:statfs(2):fa
55:AUE_FSTATFS:fstatfs(2):fa
56:AUE_UNMOUNT:unmount(2):ad
57:AUE_ASYNC_DAEMON:async_daemon(2):ad
58:AUE_NFS_GETFH:nfs_getfh(2):ad
59:AUE_SETDOMAINNAME:setdomainname(2):ad
60:AUE_QUOTACTL:quotactl(2):ad
61:AUE_EXPORTFS:exportfs(2):ad
62:AUE_MOUNT:mount(2):ad
63:AUE_SEMSYS:semsys(2):ip
64:AUE_MSGSYS:msgsys(2):ip
65:AUE_SHMSYS:shmsys(2):ip
66:AUE_BSMSYS:bsmsys(2):ad
67:AUE_RFSSYS:rfssys(2):ad
68:AUE_FCHDIR:fchdir(2):pc
69:AUE_FCHROOT:fchroot(2):pc
70:AUE_VPIXSYS:vpixsys(2):no
71:AUE_PATHCONF:pathconf(2):fa
72:AUE_OPEN_R:open(2) - read:fr
73:AUE_OPEN_RC:open(2) - read,creat:fc,fr,fa,fm
74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr,fa,fm
75:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr,fa,fm
76:AUE_OPEN_W:open(2) - write:fw
77:AUE_OPEN_WC:open(2) - write,creat:fc,fw,fa,fm
78:AUE_OPEN_WT:open(2) - write,trunc:fd,fw,fa,fm
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw,fa,fm
80:AUE_OPEN_RW:open(2) - read,write:fr,fw
81:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr,fa,fm
82:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw,fa,fm
83:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm
84:AUE_MSGCTL:msgctl(2) - illegal command:ip
85:AUE_MSGCTL_RMID:msgctl(2) - IPC_RMID command:ip
86:AUE_MSGCTL_SET:msgctl(2) - IPC_SET command:ip
87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip
88:AUE_MSGGET:msgget(2):ip
89:AUE_MSGRCV:msgrcv(2):ip
90:AUE_MSGSND:msgsnd(2):ip
91:AUE_SHMCTL:shmctl(2) - illegal command:ip
92:AUE_SHMCTL_RMID:shmctl(2) - IPC_RMID command:ip
93:AUE_SHMCTL_SET:shmctl(2) - IPC_SET command:ip
94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip
95:AUE_SHMGET:shmget(2):ip
96:AUE_SHMAT:shmat(2):ip
97:AUE_SHMDT:shmdt(2):ip
98:AUE_SEMCTL:semctl(2) - illegal command:ip
99:AUE_SEMCTL_RMID:semctl(2) - IPC_RMID command:ip
100:AUE_SEMCTL_SET:semctl(2) - IPC_SET command:ip
101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip
102:AUE_SEMCTL_GETNCNT:semctl(2) - GETNCNT command:ip
103:AUE_SEMCTL_GETPID:semctl(2) - GETPID command:ip
104:AUE_SEMCTL_GETVAL:semctl(2) - GETVAL command:ip
105:AUE_SEMCTL_GETALL:semctl(2) - GETALL command:ip
106:AUE_SEMCTL_GETZCNT:semctl(2) - GETZCNT command:ip
107:AUE_SEMCTL_SETVAL:semctl(2) - SETVAL command:ip
108:AUE_SEMCTL_SETALL:semctl(2) - SETALL command:ip
109:AUE_SEMGET:semget(2):ip
110:AUE_SEMOP:semop(2):ip
111:AUE_CORE:process dumped core:fc
112:AUE_CLOSE:close(2):cl
113:AUE_SYSTEMBOOT:system booted:na
114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad
115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad
128:AUE_WRITEL:writel(2):fw
129:AUE_WRITEVL:writevl(2):fw
130:AUE_GETAUID:getauid(2):ad
131:AUE_SETAUID:setauid(2):ad
132:AUE_GETAUDIT:getaudit(2):ad
133:AUE_SETAUDIT:setaudit(2):ad
134:AUE_GETUSERAUDIT:getuseraudit(2):ad
135:AUE_SETUSERAUDIT:setuseraudit(2):ad
136:AUE_AUDITSVC:auditsvc(2):ad
137:AUE_AUDITUSER:audituser(2):ad
138:AUE_AUDITON:auditon(2):ad
139:AUE_AUDITON_GTERMID:auditon(2) - GETTERMID command:ad
140:AUE_AUDITON_STERMID:auditon(2) - SETTERMID command:ad
141:AUE_AUDITON_GPOLICY:auditon(2) - GPOLICY command:ad
142:AUE_AUDITON_SPOLICY:auditon(2) - SPOLICY command:ad
143:AUE_AUDITON_GESTATE:auditon(2) - GESTATE command:ad
144:AUE_AUDITON_SESTATE:auditon(2) - SESTATE command:ad
145:AUE_AUDITON_GQCTRL:auditon(2) - GQCTRL command:ad
146:AUE_AUDITON_SQCTRL:auditon(2) - SQCTRL command:ad
147:AUE_GETKERNSTATE:getkernstate(2):ad
148:AUE_SETKERNSTATE:setkernstate(2):ad
149:AUE_GETPORTAUDIT:getportaudit(2):ad
150:AUE_AUDITSTAT:auditstat(2):ad
153:AUE_ENTERPROM:enter prom:ad
154:AUE_EXITPROM:exit prom:ad
158:AUE_IOCTL:ioctl(2):io
173:AUE_ONESIDE:one-sided session record:nt
174:AUE_MSGGETL:msggetl(2):ip
175:AUE_MSGRCVL:msgrcvl(2):ip
176:AUE_MSGSNDL:msgsndl(2):ip
177:AUE_SEMGETL:semgetl(2):ip
178:AUE_SHMGETL:shmgetl(2):ip
183:AUE_SOCKET:socket(2):nt
184:AUE_SENDTO:sendto(2):nt
185:AUE_PIPE:pipe(2):ip
186:AUE_SOCKETPAIR:socketpair(2):nt
187:AUE_SEND:send(2):nt
188:AUE_SENDMSG:sendmsg(2):nt
189:AUE_RECV:recv(2):nt
190:AUE_RECVMSG:recvmsg(2):nt
191:AUE_RECVFROM:recvfrom(2):nt
192:AUE_READ:read(2):no
193:AUE_GETDENTS:getdents(2):no
194:AUE_LSEEK:lseek(2):no
195:AUE_WRITE:write(2):no
196:AUE_WRITEV:writev(2):no
197:AUE_NFS:nfs server:ad
198:AUE_READV:readv(2):no
199:AUE_OSTAT:old stat(2):fa
200:AUE_SETUID:setuid(2):pc
201:AUE_STIME:old stime(2):ad
202:AUE_UTIME:old utime(2):fm
203:AUE_NICE:old nice(2):pc
204:AUE_OSETPGRP:old setpgrp(2):pc
205:AUE_SETGID:setgid(2):pc
206:AUE_READL:readl(2):no
207:AUE_READVL:readvl(2):no
209:AUE_DUP2:dup2(2):no
210:AUE_MMAP:mmap(2):no
211:AUE_AUDIT:audit(2):ot
212:AUE_PRIOCNTLSYS:priocntlsys(2):pc
213:AUE_MUNMAP:munmap(2):cl
214:AUE_SETEGID:setegid(2):pc
215:AUE_SETEUID:seteuid(2):pc
216:AUE_PUTMSG:putmsg(2):nt
217:AUE_GETMSG:getmsg(2):nt
218:AUE_PUTPMSG:putpmsg(2):nt
219:AUE_GETPMSG:getpmsg(2):nt
220:AUE_AUDITSYS:audit system calls place holder:no
221:AUE_AUDITON_GETKMASK:auditon(2) - get kernel mask:ad
222:AUE_AUDITON_SETKMASK:auditon(2) - set kernel mask:ad
223:AUE_AUDITON_GETCWD:auditon(2) - get cwd:ad
224:AUE_AUDITON_GETCAR:auditon(2) - get car:ad
225:AUE_AUDITON_GETSTAT:auditon(2) - get audit statistics:ad
226:AUE_AUDITON_SETSTAT:auditon(2) - reset audit statistics:ad
227:AUE_AUDITON_SETUMASK:auditon(2) - set mask per uid:ad
228:AUE_AUDITON_SETSMASK:auditon(2) - set mask per session ID:ad
229:AUE_AUDITON_GETCOND:auditon(2) - get audit state:ad
230:AUE_AUDITON_SETCOND:auditon(2) - set audit state:ad
231:AUE_AUDITON_GETCLASS:auditon(2) - get event class:ad
232:AUE_AUDITON_SETCLASS:auditon(2) - set event class:ad
233:AUE_UTSSYS:utssys(2) - fusers:ad
234:AUE_STATVFS:statvfs(2):fa
235:AUE_XSTAT:xstat(2):fa
236:AUE_LXSTAT:lx6stat(2):fa
237:AUE_LCHOWN:lchown(2):fm
238:AUE_MEMCNTL:memcntl(2):ot
239:AUE_SYSINFO:sysinfo(2):ad
240:AUE_XMKNOD:xmknod(2):fc
241:AUE_FORK1:fork1(2):pc
242:AUE_MODCTL:modctl(2) system call place holder:no
243:AUE_MODLOAD:modctl(2) - load module:ad
244:AUE_MODUNLOAD:modctl(2) - unload module:ad
245:AUE_MODCONFIG:modctl(2) - configure module:ad
246:AUE_MODADDMAJ:modctl(2) - bind module:ad
247:AUE_SOCKACCEPT:getmsg-accept:nt
248:AUE_SOCKCONNECT:putmsg-connect:nt
249:AUE_SOCKSEND:putmsg-send:nt
250:AUE_SOCKRECEIVE:getmsg-receive:nt
251:AUE_ACLSET:acl(2) - SETACL comand:fm
252:AUE_FACLSET:facl(2) - SETACL command:fm
253:AUE_DOORFS:doorfs(2) - system call place holder:no
254:AUE_DOORFS_DOOR_CALL:doorfs(2) - DOOR_CALL:ip
255:AUE_DOORFS_DOOR_RETURN:doorfs(2) - DOOR_RETURN:ip
256:AUE_DOORFS_DOOR_CREATE:doorfs(2) - DOOR_CREATE:ip
257:AUE_DOORFS_DOOR_REVOKE:doorfs(2) - DOOR_REVOKE:ip
258:AUE_DOORFS_DOOR_INFO:doorfs(2) - DOOR_INFO:ip
259:AUE_DOORFS_DOOR_CRED:doorfs(2) - DOOR_CRED:ip
260:AUE_DOORFS_DOOR_BIND:doorfs(2) - DOOR_BIND:ip
261:AUE_DOORFS_DOOR_UNBIND:doorfs(2) - DOOR_UNBIND:ip
262:AUE_P_ONLINE:p_online(2):ad
263:AUE_PROCESSOR_BIND:processor_bind(2):ad
264:AUE_INST_SYNC:inst_sync(2):ad
266:AUE_SETAUDIT_ADDR:setaudit_addr(2):ad
267:AUE_GETAUDIT_ADDR:getaudit_addr(2):ad
268:AUE_CLOCK_SETTIME:clock_settime(2):ad
269:AUE_NTP_ADJTIME:ntp_adjtime(2):ad
301:AUE_GETFSSTAT:getfsstat(2):fa
302:AUE_PTRACE:ptrace(2):pc
303:AUE_CHFLAGS:chflags(2):fm
304:AUE_FCHFLAGS:fchflags(2):fm
305:AUE_PROFILE:profil(2):pc
306:AUE_KTRACE:ktrace(2):pc
307:AUE_SETLOGIN:setlogin(2):pc
308:AUE_DARWIN_REBOOT:reboot(2):ad
309:AUE_REVOKE:revoke(2):cl
310:AUE_UMASK:umask(2):pc
311:AUE_MPROTECT:mprotect(2):fm
312:AUE_DARWIN_SETPRIORITY:setpriority(2):pc,ot
313:AUE_DARWIN_SETTIMEOFDAY:settimeofday(2):ad
314:AUE_DARWIN_FLOCK:flock(2):fm
315:AUE_MKFIFO:mkfifo(2):fc
316:AUE_POLL:poll(2):no
317:AUE_DARWIN_SOCKETPAIR:socketpair(2):nt
318:AUE_FUTIMES:futimes(2):fm
319:AUE_SETSID:setsid(2):pc
320:AUE_SETPRIVEXEC:setprivexec(2):pc
321:AUE_DARWIN_NFSSVC:nfssvc(2):ad
322:AUE_DARWIN_GETFH:getfh(2):fa
323:AUE_DARWIN_QUOTACTL:quotactl(2):ad
324:AUE_ADDPROFILE:system call:pc
325:AUE_KDEBUGTRACE:system call:pc
326:AUE_FSTAT:fstat(2):fa
327:AUE_FPATHCONF:fpathconf(2):fa
328:AUE_GETDIRENTRIES:getdirentries(2):fr
329:AUE_DARWIN_TRUNCATE:truncate(2):fw
330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw
331:AUE_SYSCTL:sysctl(3):ad
332:AUE_MLOCK:mlock(2):pc
333:AUE_MUNLOCK:munlock(2):pc
334:AUE_UNDELETE:undelete(2):fm
335:AUE_GETATTRLIST:getattrlist():fa
336:AUE_SETATTRLIST:setattrlist():fm
337:AUE_GETDIRENTRIESATTR:getdirentriesattr():fa
338:AUE_EXCHANGEDATA:exchangedata():fw
339:AUE_SEARCHFS:searchfs():fa
340:AUE_MINHERIT:minherit(2):pc
341:AUE_SEMCONFIG:semconfig():ip
342:AUE_SEMOPEN:sem_open(2):ip
343:AUE_SEMCLOSE:sem_close(2):ip
344:AUE_SEMUNLINK:sem_unlink(2):ip
345:AUE_SHMOPEN:shm_open(2):ip
346:AUE_SHMUNLINK:shm_unlink(2):ip
347:AUE_LOADSHFILE:load_shared_file():fr
348:AUE_RESETSHFILE:reset_shared_file():ot
349:AUE_NEWSYSTEMSHREG:new_system_share_regions():ot
350:AUE_PTHREADKILL:pthread_kill(2):pc
351:AUE_PTHREADSIGMASK:pthread_sigmask(2):pc
352:AUE_AUDITCTL:auditctl(2):ad
353:AUE_RFORK:rfork(2):pc
354:AUE_LCHMOD:lchmod(2):fm
355:AUE_SWAPOFF:swapoff():ad
356:AUE_INITPROCESS:init_process():pc
357:AUE_MAPFD:map_fd():fa
358:AUE_TASKFORPID:task_for_pid():pc
359:AUE_PIDFORTASK:pid_for_task():pc
360:AUE_SYSCTL_NONADMIN:sysctl() - non-admin:ot
361:AUE_COPYFILE:copyfile():fr,fw
362:AUE_LUTIMES:lutimes(2):fm
363:AUE_LCHFLAGS:lchflags(2):fm
364:AUE_SENDFILE:sendfile(2):nt
365:AUE_USELIB:uselib(2):fa
366:AUE_GETRESUID:getresuid(2):pc
367:AUE_SETRESUID:setresuid(2):pc
368:AUE_GETRESGID:getresgid(2):pc
369:AUE_SETRESGID:setresgid(2):pc
370:AUE_WAIT4:wait4(2):pc
371:AUE_LGETFH:lgetfh(2):fa
372:AUE_FHSTATFS:fhstatfs(2):fa
373:AUE_FHOPEN:fhopen(2):fa
374:AUE_FHSTAT:fhstat(2):fa
375:AUE_JAIL:jail(2):pc
376:AUE_EACCESS:eaccess(2):fa
377:AUE_KQUEUE:kqueue(2):no
378:AUE_KEVENT:kevent(2):no
379:AUE_FSYNC:fsync(2):fm
380:AUE_NMOUNT:nmount(2):ad
6152:AUE_login:login - local:lo
6153:AUE_logout:logout - local:lo
6159:AUE_su:su(1):lo
6160:AUE_halt:system halt:ad
6168:AUE_shutdown:system shutdown:ad
6171:AUE_audit_startup:audit startup:ad
6172:AUE_audit_shutdown:audit shutdown:ad
6207:AUE_create_user:create user:ad
6208:AUE_modify_user:modify user:ad
6209:AUE_delete_user:delete user:ad
6210:AUE_disable_user:disable user:ad
6211:AUE_enable_user::ad
6300:AUE_sudo:sudo(1):ad
6501:AUE_modify_password:modify password:ad
6511:AUE_create_group:create group:ad
6512:AUE_delete_group:delete group:ad
6513:AUE_modify_group:modify group:ad
6514:AUE_add_to_group:add to group:ad
6515:AUE_remove_from_group:remove from group:ad
6521:AUE_revoke_obj:revoke object priv:fm
6600:AUE_lw_login:loginwindow login:lo
6601:AUE_lw_logout:loginwindow logout:lo
7000:AUE_auth_user:user authentication:ad
7001:AUE_ssconn:SecSrvr connection setup:ad
7002:AUE_ssauthorize:SecSrvr AuthEngine:ad
7003:AUE_ssauthint:SecSrvr authinternal mech:ad
32800:AUE_openssh:OpenSSH login:lo

5
contrib/openbsm/etc/audit_user Normal file
View File

@ -0,0 +1,5 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#2 $
#
root:lo:no
audit:fc:no

5
contrib/openbsm/etc/audit_warn Normal file
View File

@ -0,0 +1,5 @@
#!/bin/sh
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_warn#3 $
#
logger -p security.warning "audit warning: $@"

119
contrib/openbsm/libbsm/Makefile Normal file
View File

@ -0,0 +1,119 @@
#
# OpenBSM libbsm
#
# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#11 $
#
LIB= bsm
SHLIB_MAJOR= 1
CFLAGS+=-I- \
-I .. \
-Wall
SRCS= bsm_audit.c \
bsm_class.c \
bsm_control.c \
bsm_event.c \
bsm_flags.c \
bsm_io.c \
bsm_mask.c \
bsm_notify.c \
bsm_token.c \
bsm_user.c \
bsm_wrappers.c
MAN= libbsm.3 \
au_class.3 \
au_control.3 \
au_event.3 \
au_free_token.3 \
au_io.3 \
au_mask.3 \
au_token.3 \
au_user.3
MLINKS= libbsm.3 bsm.3 \
au_class.3 getauclassent.3 \
au_class.3 getauclassnam.3 \
au_class.3 setauclass.3 \
au_class.3 endauclass.3 \
au_control.3 setac.3 \
au_control.3 endac.3 \
au_control.3 getacdir.3 \
au_control.3 getacmin.3 \
au_control.3 getacflg.3 \
au_control.3 getacna.3 \
au_event.3 setauevent.3 \
au_event.3 endauevent.3 \
au_event.3 getauevent.3 \
au_event.3 getauevnam.3 \
au_event.3 getauevnum.3 \
au_event.3 getauevnonam.3 \
au_io.3 au_fetch_tok.3 \
au_io.3 au_print_tok.3 \
au_io.3 au_read_rec.3 \
au_mask.3 au_preselect.3 \
au_mask.3 getauditflagsbin.3 \
au_mask.3 getauditflagschar.3 \
au_user.3 setauuser.3 \
au_user.3 endauuser.3 \
au_user.3 getauuserent.3 \
au_user.3 getauusernam.3 \
au_user.3 au_user_mask.3 \
au_user.3 getfauditflags.3 \
au_token.3 au_to_arg32.3 \
au_token.3 au_to_arg64.3 \
au_token.3 au_to_arg.3 \
au_token.3 au_to_attr64.3 \
au_token.3 au_to_data.3 \
au_token.3 au_to_exit.3 \
au_token.3 au_to_groups.3 \
au_token.3 au_to_newgroups.3 \
au_token.3 au_to_in_addr.3 \
au_token.3 au_to_in_addr_ex.3 \
au_token.3 au_to_ip.3 \
au_token.3 au_to_ipc.3 \
au_token.3 au_to_ipc_perm.3 \
au_token.3 au_to_iport.3 \
au_token.3 au_to_opaque.3 \
au_token.3 au_to_file.3 \
au_token.3 au_to_text.3 \
au_token.3 au_to_path.3 \
au_token.3 au_to_process32.3 \
au_token.3 au_to_process64.3 \
au_token.3 au_to_process.3 \
au_token.3 au_to_process32_ex.3 \
au_token.3 au_to_process64_ex.3 \
au_token.3 au_to_process_ex.3 \
au_token.3 au_to_return32.3 \
au_token.3 au_to_return64.3 \
au_token.3 au_to_return.3 \
au_token.3 au_to_seq.3 \
au_token.3 au_to_socket.3 \
au_token.3 au_to_socket_ex_32.3 \
au_token.3 au_to_socket_ex_128.3 \
au_token.3 au_to_sock_inet32.3 \
au_token.3 au_to_sock_inet128.3 \
au_token.3 au_to_sock_inet.3 \
au_token.3 au_to_subject32.3 \
au_token.3 au_to_subject64.3 \
au_token.3 au_to_subject.3 \
au_token.3 au_to_subject32_ex.3 \
au_token.3 au_to_subject64_ex.3 \
au_token.3 au_to_subject_ex.3 \
au_token.3 au_to_me.3 \
au_token.3 au_to_exec_args.3 \
au_token.3 au_to_exec_env.3 \
au_token.3 au_to_header.3 \
au_token.3 au_to_header32.3 \
au_token.3 au_to_header64.3 \
au_token.3 au_to_trailer.3
beforeinstall:
if test -d ${INCSDIR}; then \
else \
mkdir ${INCSDIR}; \
fi;
.include <bsd.lib.mk>

108
contrib/openbsm/libbsm/au_class.3 Normal file
View File

@ -0,0 +1,108 @@
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#3 $
.\"
.Dd April 19, 2005
.Dt AU_CLASS 3
.Os
.Sh NAME
.Nm getauclassent ,
.Nm getauclassent_r ,
.Nm getauclassnam ,
.Nm getauclassnam_r ,
.Nm setauclass ,
.Nm endauclass
.Nd "Look up information from the audit_class database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Ft struct au_class_ent *
.Fn getauclassent "void"
.Ft struct au_class_ent *
.Fn getauclassent_r "struct au_class_ent *e"
.Ft struct au_class_ent *
.Fn getauclassnam "const char *name"
.Ft struct au_class_ent *
.Fn getauclassnam_r "struct au_class_ent *e" "const char *name"
.Ft void
.Fn setauclass "void"
.Ft void
.Fn endauclass "void"
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_class 5
database, which describes audit event classes.
Audit event classes are described by
.Vt struct au_class_ent .
.Pp
.Pp
.Fn getauclassent
will return the next class found in the
.Xr audit_class 5
database, or the first if the function has not yet been called.
.Dv NULL
will be returned if no further records are available.
.Pp
.Fn getauclassnam
looks up a class by name.
.Dv NULL
will be returned if no matching class can be found.
.Pp
.Fn setauclass
resets the iterator through the
.Xr audit_class 5
database, causing the next call to
.Fn getauclassent
to start again from the beginning of the file.
.Pp
.Fn endauclass
closes the
.Xr audit_class 5
database, if open.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_class 5
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
The implementation should be changed to return an error via
.Va errno
when
.Dv NULL
is returned.

136
contrib/openbsm/libbsm/au_control.3 Normal file
View File

@ -0,0 +1,136 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#2 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
.Os
.Sh NAME
.Nm setac ,
.Nm endac ,
.Nm getacdir ,
.Nm getacmin ,
.Nm getacflg ,
.Nm getacna
.Nd "Look up information from the audit_control database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Ft void
.Fn setac "void"
.Ft void
.Fn endac "void"
.Ft int
.Fn getacdir "char *name" "int len"
.Ft int
.Fn getacmin "int *min_val"
.Ft int
.Fn getacflg "char *auditstr" "int len"
.Ft int
.Fn getacna "char *auditstr" "int len"
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_control 5
database, which contains various audit-related administrative parameters.
.Pp
.Fn setac
resets the database iterator to the beginning of the database; see the
BUGS section for more information.
.Pp
.Fn sendac
closes the
.Xr audit_control 5
database.
.Pp
.Fn getacdir
Return the name of the directory where log data is stored via the passed
character buffer
.Va name
of length
.Va len .
.Pp
.Fn getacmin
returns the minimum free disk space for the audit log target file system via
the passed
.Va min_val
variable.
.Pp
.Fn getacflg
returns the audit system flags via the the passed character buffer
.Va auditstr
of length
.Va len .
.Pp
.Fn getacna
returns the non-attributable flags via the passed character buffer
.Va auditstr
of length
.Va len .
.Sh RETURN VALULES
.Fn getacdir ,
.Fn getacmin ,
.Fn getacflg ,
and
.Fn getacna
return 0 on success, or a negative value on failure, along with error
information in
.Va errno .
Functions that return a string value will return a failure if there is
insufficient room in the passed character buffer for the full string.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_control 5
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
The implementation should be changed to return an error via
.Va errno
when
.Dv NULL
is returned.
.Sh BUGS
There is no reason for the
.Fn setac
interface to be exposed as part of the public API, as it is called implicitly
by other access functions and iteration is not supported.
.Pp
These interfaces inconsistently return various negative values depending on
the failure mode, and do not always set
.Va errno
on failure.

153
contrib/openbsm/libbsm/au_event.3 Normal file
View File

@ -0,0 +1,153 @@
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#3 $
.\"
.Dd April 19, 2005
.Dt AU_EVENT 3
.Os
.Sh NAME
.Nm free_au_event_ent ,
.Nm setauevent ,
.Nm endauevent ,
.Nm getauevent ,
.Nm getauevent_r ,
.Nm getauevnam ,
.Nm getauevnam_r ,
.Nm getauevnum ,
.Nm getauevnum_r ,
.Nm getauevnonam ,
.Nm getauevnonam_r ,
.Nd "Look up information from the audit_event database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Ft void
.Fn setauevent "void"
.Ft void
.Fn endauevent "void"
.Ft "struct au_event_ent *"
.Fn getauevent "void"
.Ft "struct au_event_ent *"
.Fn getauevent_r "struct au_event_ent *e"
.Ft "struct au_event_ent *"
.Fn getauevnam "char *name"
.Ft "struct au_event_ent *"
.Fn getauevnam_r "struct au_event_ent *e" "char *name"
.Ft "struct au_event_ent *"
.Fn getauevnum "au_event_t event_number"
.Ft "struct au_event_ent *"
.Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number"
.Ft "au_event_t *"
.Fn getauevnonam "char *event_name"
.Ft "au_event_t *"
.Fn getauevnonam_r "au_event_t *ev" "char *event_name"
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_event 5
database, which describes audit events.
Entries in the database are described by
.Vt struct au_event_ent
entries, which are returned by calls to
.Fn getauevent ,
.Fn getauevnam ,
or
.Fn getauevnum .
It is also possible look up an event number via a call to
.Nm getauevnonam .
.Pp
.Fn setauevent
resets the database access session for
.Xr audit_event 5 ,
so that the next call to
.Fn getauevent
will start with the first entry in the database.
.Pp
.Fn endauevent
closes the
.Xr audit_event 5
database session.
.Pp
.Fn getauevent
returns a reference to the next entry in the
.Xr audit_event 5
database.
.Pp
.Fn getauevnam
returns a reference to the entry in the
.Xr audit_event 5
database with a name of
.Va name .
.Pp
.Fn getauevnum
returns a reference to the entry in the
.Xr audit_event 5
database with an event number of
.Va event_number .
.Pp
.Fn getauevnonam
returns a reference to an audit event number using the
.Xr audit_event 5
database.
.Sh RETURN VALUES
Functions
.Fn getauevent ,
.Fn getauevent_r ,
.Fn getauevnam ,
.Fn getauevnam_r ,
.Fn getauevnum ,
.Fn getauevnum_r ,
and
.Fn getauevnuam
will return a reference to a
.Dt struct au_event_ent
or
.Dt au_event_t
on success, or
.Dv NULL on failure, with
.Va errno
set to provide further error information.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_event 5
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
.Va errno
is not always properly set following a failure.
.Pp
These routines are thread-safe, but not re-entrant, so simultaneous or
interleaved use of these functions will affect the iterator.

91
contrib/openbsm/libbsm/au_free_token.3 Normal file
View File

@ -0,0 +1,91 @@
.\"-
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRING LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#2 $
.\"
.Dd April 19, 2005
.Dt AU_FREE_TOKEN 3
.Os
.Sh NAME
.Nm au_free_token
.Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Ft void
.Fn au_free_tokenen "token_t *tok"
.Sh DESCRIPTION
The BSM API generally manages deallocation of
.Vt token_t
objects.
However, if
.Xr au_write 3
is passed a bad audit descriptor, the
.Vt token_t *
parameter will be left untouched.
In that case, the caller can deallocate the
.Vt token_t
using
.Nm
if desired.
.Pp
The
.Va tok
argument is a
.Vt token_t *
generated by one of the au_to_*() BSM API calls.
For convenience,
.Va tok
may be
.Dv NULL ,
in which case
.Nm
returns immediately.
.Sh IMPLEMENTATION NOTES
This is, in fact, what
.Xr audit_write 3
does, in keeping with the existing memory management model of the BSM API.
.Sh SEE ALSO
.Xr au_write 3 ,
.Xr audit_write 3 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

119
contrib/openbsm/libbsm/au_io.3 Normal file
View File

@ -0,0 +1,119 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#2 $
.\"
.Dd April 19, 2005
.Dt AU_IO 3
.Os
.Sh NAME
.Nm au_fetch_tok ,
.Nm au_print_tok ,
.Nm au_read_rec
.Nd "Perform I/O involving an audit record"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Ft int
.Fn au_fetch_tok "tokenstr_t *tok" "u_char *buf" "int len"
.Ft void
.Fn au_print_tok "FILE outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
.Ft int
.Fn au_read_rec "FILE *fp" "u_char **buf"
.Sh DESCRIPTION
These interfaces support input and output (I/O) involving audit records,
internalizing an audit record from a byte stream, converting a token to
either a raw or default string, and reading a single record from a file.
.Pp
.Fn au_fetch_tok
reads a token from the passed buffer
.Va buf
of length
.Va len
bytes, and returns a pointer to the token via
.Va tok .
.Pp
.Fn au_print_tok
prints a string form of the token
.Va tok
to the file output stream
.Va outfp,
either in default mode, or raw mode if
.Va raw
is set non-zero.
The delimiter
.Va del
is used when printing.
.Pp
.Fn au_read_rec
reads an audit record from the file stream
.Va fp ,
and returns an allocated memory buffer containing the record via
.Va *buf ,
which must be freed by the caller using
.Xr free 3 .
.Pp
A typical use of these routines might open a file with
.Xr fopen 3 ,
then read records from the file sequentially by calling
.Fn au_read_rec .
Each record would be broken down into components tokens through sequential
calls to
.Fn au_fetch_tok
on the buffer, and then invoking
.Fn au_print_tok
to print each token to an output stream such as
.Dv stdout .
On completion of the processing of each record, a call to
.Xr free 3
would be used to free the record buffer.
Finally, the source stream would be closed by a call to
.Xr fclose 3 .
.Sh RETURN VALUES
.Fn au_fetch_tok
and
.Fn au_read_rec
return 0 on success, or -1 on failure along with additional error information
returned via
.Va errno .
.Sh SEE ALSO
.Xr free 3 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
.Va errno
may not always be properly set in the event of an error.

140
contrib/openbsm/libbsm/au_mask.3 Normal file
View File

@ -0,0 +1,140 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#2 $
.\"
.Dd April 19, 2005
.Dt AU_MASK 3
.Os
.Sh NAME
.Nm au_preselect ,
.Nm getauditflagsbin ,
.Nm getauditflagschar
.Nd "Convert between string and numeric values of audit masks"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Ft int
.Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag"
.Ft int
.Fn getauditflagsbin "char *auditstr" "au_mask_t *masks"
.Ft int
.Fn getauditflagschar "char *auditstr" "au_mask_t *masks" "int verbose"
.Sh DESCRIPTION
These interfaces support processing of an audit mask represented by type
.Vt au_mask_t ,
including conversion between numeric and text formats, and computing whether
or not an event is matched by a mask.
.Pp
.Fn au_preselect
calculates whether or not the audit event passed via
.Va event
is matched by the audit mask passed via
.Va au_mask_t .
The
.Va sorf
argument indicates whether or not to consider the event as a success,
if the
.Dv AU_PRS_SUCCESS
flag is set, or failure, if the
.Dv AU_PRS_FAILURE
flag is set.
The
.Va flag
argument accepts additional arguments influencing the behavior of
.Fn au_preselect ,
including
.Dv AU_PRS_REREAD ,
which causes the event to be re-looked up rather than read from the cache,
or
.Dv AU_PRS_USECACHE
which forces use of the cache.
.Pp
.Fn getauditflagsbin
converts a string representation of an audit mask passed via a character
string pointed to by
.Va auditstr ,
returning the resulting mask, if valid, via
.Va *masks .
.Pp
.Fn getauditflagschar
converts the audit event mask passed via
.Va *masks
and converts it to a character string in a buffer pointed to by
.Va auditstr .
See the BUGS section for more information on how to provide a buffer of
sufficient size.
If the
.Va verbose
flag is set, the class description string retrieved from
.Xr audit_class 5
will be used; otherwise, the two-character class name.
.Sh RETURN VALUES
.Fn au_preselect
returns 0 on success, or returns -1 if there is a failure looking up the
event type or other database access, in which case
.Va errno
will be set to indicate the error.
It returns 1 if the event is matched; 0 if not.
.Pp
.Fn getauditflagsbin
and
.Fn getauditflagschar
returns 0 on success, or -1 if there is a failure, in which case
.Va errno
will be set to indicate the error.
.Sh IMPLEMENTATION NOTES
.Fn au_preselect
makes implicit use of various audit database routines, and may influence
the behavior of simultaenous or interleaved processing of those databases by
other code.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_class 5
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
.Va errno
may not always be properly set in the event of an error.
.Pp
.Fn getauditflagschar
does not provide a way to indicate how long the character buffer is, in order
to detect overflow.
As a result, the caller must always provide a buffer of sufficient length for
any possible mask, which may be calculated as three times the number of
non-zero bits in the mask argument in the event non-verbose class names are
used, and is not trivially predictable for verbose class names.
This API should be replaced with a more robust one.

209
contrib/openbsm/libbsm/au_token.3 Normal file
View File

@ -0,0 +1,209 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#4 $
.\"
.Dd April 19, 2005
.Dt AU_TOKEN 3
.Os
.Sh NAME
.Nm au_to_arg32 ,
.Nm au_to_arg64 ,
.Nm au_to_arg ,
.Nm au_to_attr64 ,
.Nm au_to_data ,
.Nm au_to_exit ,
.Nm au_to_groups ,
.Nm au_to_newgroups ,
.Nm au_to_in_addr ,
.Nm au_to_in_addr_ex ,
.Nm au_to_ip ,
.Nm au_to_ipc ,
.Nm au_to_ipc_perm ,
.Nm au_to_iport ,
.Nm au_to_opaque ,
.Nm au_to_file ,
.Nm au_to_text ,
.Nm au_to_path ,
.Nm au_to_process32 ,
.Nm au_to_process64 ,
.Nm au_to_process ,
.Nm au_to_process32_ex ,
.Nm au_to_process64_ex ,
.Nm au_to_process_ex ,
.Nm au_to_return32 ,
.Nm au_to_return64 ,
.Nm au_to_return ,
.Nm au_to_seq ,
.Nm au_to_socket ,
.Nm au_to_socket_ex_32 ,
.Nm au_to_socket_ex_128 ,
.Nm au_to_sock_inet32 ,
.Nm au_to_sock_inet128 ,
.Nm au_to_sock_inet ,
.Nm au_to_subject32 ,
.Nm au_to_subject64 ,
.Nm au_to_subject ,
.Nm au_to_subject32_ex ,
.Nm au_to_subject64_ex ,
.Nm au_to_subject_ex ,
.Nm au_to_me ,
.Nm au_to_exec_args ,
.Nm au_to_exec_env ,
.Nm au_to_header ,
.Nm au_to_header32 ,
.Nm au_to_header64 ,
.Nm au_to_trailer .
.Nd "Routines for generating BSM audit tokens"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Ft token_t *
.Fn au_to_arg32 "char n" "char *text" "u_int32_t v"
.Ft token_t *
.Fn au_to_arg64 "char n" "char *text" "u_int64_t v"
.Ft token_t *
.Fn au_to_arg "char n" "char *text" "u_int32_t v"
.Ft token_t *
.Fn au_to_attr32 "struct vattr *attr"
.Ft token_t *
.Fn au_to_attr64 "struct vattr *attr"
.Ft token_t *
.Fn au_to_attr "struct vattr *attr"
.Ft token_t *
.Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p"
.Ft token_t *
.Fn au_to_exit "int retval" "int err"
.Ft token_t *
.Fn au_to_groups "int *groups"
.Ft token_t *
.Fn au_to_newgroups "u_int16_t n" "gid_t *groups"
.Ft token_t *
.Fn au_to_in_addr "struct in_addr *internet_addr"
.Ft token_t *
.Fn au_to_in_addr_ex "struct in6_addr *internet_addr"
.Ft token_t *
.Fn au_to_ip "struct ip *ip"
.Ft token_t *
.Fn au_to_ipc "char type" "int id"
.Ft token_t *
.Fn au_to_ipc_perm "struct ipc_perm *perm"
.Ft token_t *
.Fn au_to_iport "u_int16_t iport"
.Ft token_t *
.Fn au_to_opaque "char *data" "u_int64_t bytes"
.Ft token_t *
.Fn au_to_file "char *file"
.Ft token_t *
.Fn au_to_file "char *file"
.Ft token_t *
.Fn au_to_text "char *text"
.Ft token_t *
.Fn au_to_path "char *text"
.Ft token_t *
.Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
.Ft token_t *
.Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
.Ft token_t *
.Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
.Ft token_t *
.Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
.Ft token_t *
.Fn au_to_return32 "char status" "u_int32_t ret"
.Ft token_t *
.Fn au_to_return64 "char status" "u_int64_t ret"
.Ft token_t *
.Fn au_to_return "char status" "u_int32_t ret"
.Ft token_t *
.Fn au_to_seq "long audit_count"
.Ft token_t *
.Fn au_to_socket "struct socket *so"
.Ft token_t *
.Fn au_to_socket_ex_32 "struct socket *so"
.Ft token_t *
.Fn au_to_socket_ex_128 "struct socket *so"
.Ft token_t *
.Fn au_to_sock_inet32 "struct sockaddr_in *so"
.Ft token_t *
.Fn au_to_sock_inet128 "struct sockaddr_in6 *so"
.Ft token_t *
.Fn au_to_sock_int "struct sockaddr_in *so"
.Ft token_t *
.Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
.Ft token_t *
.Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
.Ft token_t *
.Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
.Ft token_t *
.Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
.Ft token_t *
.Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
.Ft token_t *
.Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
.Ft token_t *
.Fn au_to_me "void"
.Ft token_t *
.Fn au_to_exec_args "const char **args"
.Ft token_t *
.Fn au_to_exec_env "const char **env"
.Ft token_t *
.Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod"
.Ft token_t *
.Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod"
.Ft token_t *
.Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
.Ft token_t *
.Fn au_to_trailer "int rec_size"
.Sh DESCRIPTION
These interfaces support the allocation of BSM audit tokens, represented by
.Dt token_t ,
for various data types.
.Sh RETURN VALUES
On sucess, a pointer to a
.Vt token_t
will be returned; the allocated
.Vt token_t
can be freed via a call to
.Xr au_free_token 3 .
On failure,
.Dv NULL
will be returned, and an error condition returned via
.Va errno .
.Sh SEE ALSO
.Xr libbsm 3
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS

136
contrib/openbsm/libbsm/au_user.3 Normal file
View File

@ -0,0 +1,136 @@
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#3 $
.\"
.Dd April 19, 2005
.Dt AU_USER 3
.Os
.Sh NAME
.Nm setauuser ,
.Nm endauuser ,
.Nm getauuserent ,
.Nm getauuserent_r ,
.Nm getauusernam ,
.Nm getauusernam_r ,
.Nm au_user_mask ,
.Nm getfauditflags
.Nd "Look up information from the audit_user database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Ft void
.Fn setauuser "void"
.Ft void
.Fn endauuser "void"
.Ft struct au_user_ent *
.Fn getauuserent "void"
.Ft struct au_user_ent *
.Fn getauuserent_r "struct au_user_ent *u" "void"
.Ft struct au_user_ent *
.Fn getauusernam "const char *name"
.Ft struct au_user_ent *
.Fn getauusernam_r "struct au_user_ent *u" "const char *name"
.Ft int
.Fn au_user_mask "char *username" "au_mask_t *mask_p"
.Ft int
.Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_user 5
database, which describes per-user audit configuration.
Audit user entries are described by a
.Vt au_user_ent ,
which stores the user's name in
.Dv au_name ,
events to always audit in
.Dv au_always ,
and events never to audit
.Dv au_never .
.Pp
.Fn getauuserent
return the next user found in the
.Xr audit_user 5
database, or the first if the function has not yet been called.
.Dv NULL
will be returned if no further records are available.
.Pp
.Fn getauusernam
looks up a user by name.
.Dv NULL
will be returned if no matching class can be found.
.Pp
.Fn setauuser
resets the iterator through the
.Xr audit_user 5
database, causing the next call to
.Fn getauuserent
to start again from the beginning of the file.
.Pp
.Fn endauuser
closes the
.Xr audit_user 5
database, if open.
.Pp
.Nm au_user_mask
calculate a new session audit mask to be returned via
.Dv mask_p
for the user identified by
.Dv username .
If the user audit configuration is not found, the default system audit
properties returned by
.Xr getacflg 3 .
The resulting mask may be set via a call to
.Xr setaudit 3
or related variants.
.Pp
.Nm getfauditflags
XXXXXXXXXXXXXXXXX
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr getacflg 3 ,
.Xr setaudit 3 ,
.Xr audit_user 5
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
The implementation should be changed to return an error via
.Va errno
when
.Dv NULL
is returned.

354
contrib/openbsm/libbsm/bsm_audit.c Normal file
View File

@ -0,0 +1,354 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This code was developed in part by Robert N. M. Watson, Senior Principal
* Scientist, SPARTA, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#18 $
*/
#include <sys/types.h>
#include <sys/queue.h>
#include <bsm/audit_internal.h>
#include <bsm/libbsm.h>
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
/* array of used descriptors */
static au_record_t *open_desc_table[MAX_AUDIT_RECORDS];
/* The current number of active record descriptors */
static int bsm_rec_count = 0;
/*
* Records that can be recycled are maintained in the list given below. The
* maximum number of elements that can be present in this list is bounded by
* MAX_AUDIT_RECORDS. Memory allocated for these records are never freed.
*/
static LIST_HEAD(, au_record) bsm_free_q;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/*
* This call frees a token_t and its internal data.
*/
void
au_free_token(token_t *tok)
{
if (tok != NULL) {
if (tok->t_data)
free(tok->t_data);
free(tok);
}
}
/*
* This call reserves memory for the audit record. Memory must be guaranteed
* before any auditable event can be generated. The au_record_t structure
* maintains a reference to the memory allocated above and also the list of
* tokens associated with this record. Descriptors are recyled once the
* records are added to the audit trail following au_close().
*/
int
au_open(void)
{
au_record_t *rec = NULL;
pthread_mutex_lock(&mutex);
if (bsm_rec_count == 0)
LIST_INIT(&bsm_free_q);
/*
* Find an unused descriptor, remove it from the free list, mark as
* used.
*/
if (!LIST_EMPTY(&bsm_free_q)) {
rec = LIST_FIRST(&bsm_free_q);
rec->used = 1;
LIST_REMOVE(rec, au_rec_q);
}
pthread_mutex_unlock(&mutex);
if (rec == NULL) {
/*
* Create a new au_record_t if no descriptors are available.
*/
rec = malloc (sizeof(au_record_t));
if (rec == NULL)
return (-1);
rec->data = malloc (MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
if (rec->data == NULL) {
free(rec);
errno = ENOMEM;
return (-1);
}
pthread_mutex_lock(&mutex);
if (bsm_rec_count == MAX_AUDIT_RECORDS) {
pthread_mutex_unlock(&mutex);
free(rec->data);
free(rec);
/* XXX We need to increase size of MAX_AUDIT_RECORDS */
errno = ENOMEM;
return (-1);
}
rec->desc = bsm_rec_count;
open_desc_table[bsm_rec_count] = rec;
bsm_rec_count++;
pthread_mutex_unlock(&mutex);
}
memset(rec->data, 0, MAX_AUDIT_RECORD_SIZE);
TAILQ_INIT(&rec->token_q);
rec->len = 0;
rec->used = 1;
return (rec->desc);
}
/*
* Store the token with the record descriptor.
*
* Don't permit writing more to the buffer than would let the trailer be
* appended later.
*/
int
au_write(int d, token_t *tok)
{
au_record_t *rec;
if (tok == NULL) {
errno = EINVAL;
return (-1); /* Invalid Token */
}
/* Write the token to the record descriptor */
rec = open_desc_table[d];
if ((rec == NULL) || (rec->used == 0)) {
errno = EINVAL;
return (-1); /* Invalid descriptor */
}
if (rec->len + tok->len + BSM_TRAILER_SIZE > MAX_AUDIT_RECORD_SIZE) {
errno = ENOMEM;
return (-1);
}
/* Add the token to the tail */
/*
* XXX Not locking here -- we should not be writing to
* XXX the same descriptor from different threads
*/
TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
rec->len += tok->len; /* grow record length by token size bytes */
/* Token should not be available after this call */
tok = NULL;
return (0); /* Success */
}
/*
* Assemble an audit record out of its tokens, including allocating header and
* trailer tokens. Does not free the token chain, which must be done by the
* caller if desirable.
*
* XXX: Assumes there is sufficient space for the header and trailer.
*/
static int
au_assemble(au_record_t *rec, short event)
{
token_t *header, *tok, *trailer;
size_t tot_rec_size;
u_char *dptr;
int error;
tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
header = au_to_header32(tot_rec_size, event, 0);
if (header == NULL)
return (-1);
trailer = au_to_trailer(tot_rec_size);
if (trailer == NULL) {
error = errno;
au_free_token(header);
errno = error;
return (-1);
}
TAILQ_INSERT_HEAD(&rec->token_q, header, tokens);
TAILQ_INSERT_TAIL(&rec->token_q, trailer, tokens);
rec->len = tot_rec_size;
dptr = rec->data;
TAILQ_FOREACH(tok, &rec->token_q, tokens) {
memcpy(dptr, tok->t_data, tok->len);
dptr += tok->len;
}
return (0);
}
/*
* Given a record that is no longer of interest, tear it down and convert to a
* free record.
*/
static void
au_teardown(au_record_t *rec)
{
token_t *tok;
/* Free the token list */
while ((tok = TAILQ_FIRST(&rec->token_q)) != NULL) {
TAILQ_REMOVE(&rec->token_q, tok, tokens);
free(tok->t_data);
free(tok);
}
rec->used = 0;
rec->len = 0;
pthread_mutex_lock(&mutex);
/* Add the record to the freelist tail */
LIST_INSERT_HEAD(&bsm_free_q, rec, au_rec_q);
pthread_mutex_unlock(&mutex);
}
/*
* Add the header token, identify any missing tokens. Write out the tokens to
* the record memory and finally, call audit.
*/
int au_close(int d, int keep, short event)
{
au_record_t *rec;
size_t tot_rec_size;
int retval = 0;
rec = open_desc_table[d];
if ((rec == NULL) || (rec->used == 0)) {
errno = EINVAL;
return (-1); /* Invalid descriptor */
}
if (!keep) {
retval = 0;
goto cleanup;
}
tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
if (tot_rec_size > MAX_AUDIT_RECORD_SIZE) {
/*
* XXXRW: Since au_write() is supposed to prevent this, spew
* an error here.
*/
fprintf(stderr, "au_close failed");
errno = ENOMEM;
retval = -1;
goto cleanup;
}
if (au_assemble(rec, event) < 0) {
/*
* XXXRW: This is also not supposed to happen, but might if we
* are unable to allocate header and trailer memory.
*/
retval = -1;
goto cleanup;
}
/* Call the kernel interface to audit */
retval = audit(rec->data, rec->len);
cleanup:
/* CLEANUP */
au_teardown(rec);
return (retval);
}
/*
* au_close(), except onto an in-memory buffer. Buffer size as an argument,
* record size returned via same argument on success.
*/
int
au_close_buffer(int d, short event, u_char *buffer, size_t *buflen)
{
size_t tot_rec_size;
au_record_t *rec;
int retval;
rec = open_desc_table[d];
if ((rec == NULL) || (rec->used == 0)) {
errno = EINVAL;
return (-1);
}
retval = 0;
tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
if ((tot_rec_size > MAX_AUDIT_RECORD_SIZE) ||
(tot_rec_size > *buflen)) {
/*
* XXXRW: See au_close() comment.
*/
fprintf(stderr, "au_close_buffer failed %zd", tot_rec_size);
errno = ENOMEM;
retval = -1;
goto cleanup;
}
if (au_assemble(rec, event) < 0) {
/* XXXRW: See au_close() comment. */
retval = -1;
goto cleanup;
}
memcpy(buffer, rec->data, rec->len);
*buflen = rec->len;
cleanup:
au_teardown(rec);
return (retval);
}

267
contrib/openbsm/libbsm/bsm_class.c Normal file
View File

@ -0,0 +1,267 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_class.c#11 $
*/
#include <bsm/libbsm.h>
#include <string.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Parse the contents of the audit_class file to return struct au_class_ent
* entries.
*/
static FILE *fp = NULL;
static char linestr[AU_LINE_MAX];
static const char *classdelim = ":";
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/*
* Parse a single line from the audit_class file passed in str to the struct
* au_class_ent elements; store the result in c.
*/
static struct au_class_ent *
classfromstr(char *str, struct au_class_ent *c)
{
char *classname, *classdesc, *classflag;
char *last;
/* Each line contains flag:name:desc. */
classflag = strtok_r(str, classdelim, &last);
classname = strtok_r(NULL, classdelim, &last);
classdesc = strtok_r(NULL, classdelim, &last);
if ((classflag == NULL) || (classname == NULL) || (classdesc == NULL))
return (NULL);
/*
* Check for very large classnames.
*/
if (strlen(classname) >= AU_CLASS_NAME_MAX)
return (NULL);
strcpy(c->ac_name, classname);
/*
* Check for very large class description.
*/
if (strlen(classdesc) >= AU_CLASS_DESC_MAX)
return (NULL);
strcpy(c->ac_desc, classdesc);
c->ac_class = strtoul(classflag, (char **) NULL, 0);
return (c);
}
/*
* Return the next au_class_ent structure from the file setauclass should be
* called before invoking this function for the first time.
*
* Must be called with mutex held.
*/
static struct au_class_ent *
getauclassent_r_locked(struct au_class_ent *c)
{
char *tokptr, *nl;
if ((fp == NULL) && ((fp = fopen(AUDIT_CLASS_FILE, "r")) == NULL))
return (NULL);
/*
* Read until next non-comment line is found, or EOF.
*/
while (1) {
if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
return (NULL);
/* Skip comments. */
if (linestr[0] == '#')
continue;
/* Remove trailing new line character. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
/* Parse tokptr to au_class_ent components. */
tokptr = linestr;
if (classfromstr(tokptr, c) == NULL)
return (NULL);
break;
}
return (c);
}
struct au_class_ent *
getauclassent_r(struct au_class_ent *c)
{
struct au_class_ent *cp;
pthread_mutex_lock(&mutex);
cp = getauclassent_r_locked(c);
pthread_mutex_unlock(&mutex);
return (cp);
}
struct au_class_ent *
getauclassent(void)
{
static char class_ent_name[AU_CLASS_NAME_MAX];
static char class_ent_desc[AU_CLASS_DESC_MAX];
static struct au_class_ent c, *cp;
bzero(&c, sizeof(c));
bzero(class_ent_name, sizeof(class_ent_name));
bzero(class_ent_desc, sizeof(class_ent_desc));
c.ac_name = class_ent_name;
c.ac_desc = class_ent_desc;
pthread_mutex_lock(&mutex);
cp = getauclassent_r_locked(&c);
pthread_mutex_unlock(&mutex);
return (cp);
}
/*
* Rewind to the beginning of the enumeration.
*
* Must be called with mutex held.
*/
static void
setauclass_locked(void)
{
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
}
void
setauclass(void)
{
pthread_mutex_lock(&mutex);
setauclass_locked();
pthread_mutex_unlock(&mutex);
}
/*
* Return the next au_class_entry having the given class name.
*/
struct au_class_ent *
getauclassnam_r(struct au_class_ent *c, const char *name)
{
struct au_class_ent *cp;
if (name == NULL)
return (NULL);
pthread_mutex_lock(&mutex);
setauclass_locked();
while ((cp = getauclassent_r_locked(c)) != NULL) {
if (strcmp(name, cp->ac_name) == 0) {
pthread_mutex_unlock(&mutex);
return (cp);
}
}
pthread_mutex_unlock(&mutex);
return (NULL);
}
struct au_class_ent *
getauclassnam(const char *name)
{
static char class_ent_name[AU_CLASS_NAME_MAX];
static char class_ent_desc[AU_CLASS_DESC_MAX];
static struct au_class_ent c;
bzero(&c, sizeof(c));
bzero(class_ent_name, sizeof(class_ent_name));
bzero(class_ent_desc, sizeof(class_ent_desc));
c.ac_name = class_ent_name;
c.ac_desc = class_ent_desc;
return (getauclassnam_r(&c, name));
}
/*
* Return the next au_class_entry having the given class number.
*
* OpenBSM extension.
*/
struct au_class_ent *
getauclassnum_r(struct au_class_ent *c, au_class_t class_number)
{
struct au_class_ent *cp;
pthread_mutex_lock(&mutex);
setauclass_locked();
while ((cp = getauclassent_r_locked(c)) != NULL) {
if (class_number == cp->ac_class)
return (cp);
}
pthread_mutex_unlock(&mutex);
return (NULL);
}
struct au_class_ent *
getauclassnum(au_class_t class_number)
{
static char class_ent_name[AU_CLASS_NAME_MAX];
static char class_ent_desc[AU_CLASS_DESC_MAX];
static struct au_class_ent c;
bzero(&c, sizeof(c));
bzero(class_ent_name, sizeof(class_ent_name));
bzero(class_ent_desc, sizeof(class_ent_desc));
c.ac_name = class_ent_name;
c.ac_desc = class_ent_desc;
return (getauclassnum_r(&c, class_number));
}
/*
* audit_class processing is complete; close any open files.
*/
void
endauclass(void)
{
pthread_mutex_lock(&mutex);
if (fp != NULL) {
fclose(fp);
fp = NULL;
}
pthread_mutex_unlock(&mutex);
}

275
contrib/openbsm/libbsm/bsm_control.c Normal file
View File

@ -0,0 +1,275 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#13 $
*/
#include <bsm/libbsm.h>
#include <errno.h>
#include <string.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Parse the contents of the audit_control file to return the audit control
* parameters.
*/
static FILE *fp = NULL;
static char linestr[AU_LINE_MAX];
static char *delim = ":";
static char inacdir = 0;
static char ptrmoved = 0;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/*
* Returns the string value corresponding to the given label from the
* configuration file.
*
* Must be called with mutex held.
*/
static int
getstrfromtype_locked(char *name, char **str)
{
char *type, *nl;
char *tokptr;
char *last;
*str = NULL;
if ((fp == NULL) && ((fp = fopen(AUDIT_CONTROL_FILE, "r")) == NULL))
return (-1); /* Error */
while (1) {
if (fgets(linestr, AU_LINE_MAX, fp) == NULL) {
if (ferror(fp))
return (-1);
return (0); /* EOF */
}
if (linestr[0] == '#')
continue;
/* Remove trailing new line character. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
tokptr = linestr;
if ((type = strtok_r(tokptr, delim, &last)) != NULL) {
if (strcmp(name, type) == 0) {
/* Found matching name. */
*str = strtok_r(NULL, delim, &last);
if (*str == NULL) {
errno = EINVAL;
return (-1); /* Parse error in file */
}
return (0); /* Success */
}
}
}
}
/*
* Rewind the file pointer to beginning.
*/
void
setac(void)
{
pthread_mutex_lock(&mutex);
ptrmoved = 1;
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
pthread_mutex_unlock(&mutex);
}
/*
* Close the audit_control file
*/
void
endac(void)
{
pthread_mutex_lock(&mutex);
ptrmoved = 1;
if (fp != NULL) {
fclose(fp);
fp = NULL;
}
pthread_mutex_unlock(&mutex);
}
/*
* Return audit directory information from the audit control file.
*/
int
getacdir(char *name, int len)
{
char *dir;
int ret = 0;
if (name == NULL) {
errno = EINVAL;
return (-2);
}
pthread_mutex_lock(&mutex);
/*
* Check if another function was called between
* successive calls to getacdir
*/
if (inacdir && ptrmoved) {
ptrmoved = 0;
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
ret = 2;
}
if (getstrfromtype_locked(DIR_CONTROL_ENTRY, &dir) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
pthread_mutex_unlock(&mutex);
if (dir == NULL)
return (-1);
if (strlen(dir) >= len)
return (-3);
strcpy(name, dir);
return (ret);
}
/*
* Return the minimum free diskspace value from the audit control file
*/
int
getacmin(int *min_val)
{
char *min;
setac();
if (min_val == NULL) {
errno = EINVAL;
return (-2);
}
pthread_mutex_lock(&mutex);
if (getstrfromtype_locked(MINFREE_CONTROL_ENTRY, &min) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
pthread_mutex_unlock(&mutex);
if (min == NULL)
return (1);
*min_val = atoi(min);
return (0);
}
/*
* Return the system audit value from the audit contol file.
*/
int
getacflg(char *auditstr, int len)
{
char *str;
setac();
if (auditstr == NULL) {
errno = EINVAL;
return (-2);
}
pthread_mutex_lock(&mutex);
if (getstrfromtype_locked(FLAGS_CONTROL_ENTRY, &str) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
pthread_mutex_unlock(&mutex);
if (str == NULL)
return (1);
if (strlen(str) >= len)
return (-3);
strcpy(auditstr, str);
return (0);
}
/*
* Return the non attributable flags from the audit contol file.
*/
int
getacna(char *auditstr, int len)
{
char *str;
setac();
if (auditstr == NULL) {
errno = EINVAL;
return (-2);
}
pthread_mutex_lock(&mutex);
if (getstrfromtype_locked(NA_CONTROL_ENTRY, &str) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
pthread_mutex_unlock(&mutex);
if (str == NULL)
return (1);
if (strlen(str) >= len)
return (-3);
strcpy(auditstr, str);
return (0);
}

327
contrib/openbsm/libbsm/bsm_event.c Normal file
View File

@ -0,0 +1,327 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#11 $
*/
#include <bsm/libbsm.h>
#include <string.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Parse the contents of the audit_event file to return
* au_event_ent entries
*/
static FILE *fp = NULL;
static char linestr[AU_LINE_MAX];
static const char *eventdelim = ":";
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/*
* Parse one line from the audit_event file into the au_event_ent structure.
*/
static struct au_event_ent *
eventfromstr(char *str, struct au_event_ent *e)
{
char *evno, *evname, *evdesc, *evclass;
struct au_mask evmask;
char *last;
evno = strtok_r(str, eventdelim, &last);
evname = strtok_r(NULL, eventdelim, &last);
evdesc = strtok_r(NULL, eventdelim, &last);
evclass = strtok_r(NULL, eventdelim, &last);
if ((evno == NULL) || (evname == NULL) || (evdesc == NULL) ||
(evclass == NULL))
return (NULL);
if (strlen(evname) >= AU_EVENT_NAME_MAX)
return (NULL);
strcpy(e->ae_name, evname);
if (strlen(evdesc) >= AU_EVENT_DESC_MAX)
return (NULL);
strcpy(e->ae_desc, evdesc);
e->ae_number = atoi(evno);
/*
* Find out the mask that corresponds to the given list of classes.
*/
if (getauditflagsbin(evclass, &evmask) != 0)
e->ae_class = AU_NULL;
else
e->ae_class = evmask.am_success;
return (e);
}
/*
* Rewind the audit_event file.
*/
static void
setauevent_locked(void)
{
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
}
void
setauevent(void)
{
pthread_mutex_lock(&mutex);
setauevent_locked();
pthread_mutex_unlock(&mutex);
}
/*
* Close the open file pointers.
*/
void
endauevent(void)
{
pthread_mutex_lock(&mutex);
if (fp != NULL) {
fclose(fp);
fp = NULL;
}
pthread_mutex_unlock(&mutex);
}
/*
* Enumerate the au_event_ent entries.
*/
static struct au_event_ent *
getauevent_r_locked(struct au_event_ent *e)
{
char *nl;
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
return (NULL);
while (1) {
if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
return (NULL);
/* Remove new lines. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
/* Skip comments. */
if (linestr[0] == '#')
continue;
/* Get the next event structure. */
if (eventfromstr(linestr, e) == NULL)
return (NULL);
break;
}
return (e);
}
struct au_event_ent *
getauevent_r(struct au_event_ent *e)
{
struct au_event_ent *ep;
pthread_mutex_lock(&mutex);
ep = getauevent_r_locked(e);
pthread_mutex_unlock(&mutex);
return (ep);
}
struct au_event_ent *
getauevent(void)
{
static char event_ent_name[AU_EVENT_NAME_MAX];
static char event_ent_desc[AU_EVENT_DESC_MAX];
static struct au_event_ent e;
bzero(&e, sizeof(e));
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
return (getauevent_r(&e));
}
/*
* Search for an audit event structure having the given event name.
*
* XXXRW: Why accept NULL name?
*/
static struct au_event_ent *
getauevnam_r_locked(struct au_event_ent *e, const char *name)
{
char *nl;
if (name == NULL)
return (NULL);
/* Rewind to beginning of the file. */
setauevent_locked();
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
return (NULL);
while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
/* Remove new lines. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
if (eventfromstr(linestr, e) != NULL) {
if (strcmp(name, e->ae_name) == 0)
return (e);
}
}
return (NULL);
}
struct au_event_ent *
getauevnam_r(struct au_event_ent *e, const char *name)
{
struct au_event_ent *ep;
pthread_mutex_lock(&mutex);
ep = getauevnam_r_locked(e, name);
pthread_mutex_unlock(&mutex);
return (ep);
}
struct au_event_ent *
getauevnam(const char *name)
{
static char event_ent_name[AU_EVENT_NAME_MAX];
static char event_ent_desc[AU_EVENT_DESC_MAX];
static struct au_event_ent e;
bzero(&e, sizeof(e));
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
return (getauevnam_r(&e, name));
}
/*
* Search for an audit event structure having the given event number.
*/
static struct au_event_ent *
getauevnum_r_locked(struct au_event_ent *e, au_event_t event_number)
{
char *nl;
/* Rewind to beginning of the file. */
setauevent_locked();
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
return (NULL);
while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
/* Remove new lines. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
if (eventfromstr(linestr, e) != NULL) {
if (event_number == e->ae_number)
return (e);
}
}
return (NULL);
}
struct au_event_ent *
getauevnum_r(struct au_event_ent *e, au_event_t event_number)
{
struct au_event_ent *ep;
pthread_mutex_lock(&mutex);
ep = getauevnum_r_locked(e, event_number);
pthread_mutex_unlock(&mutex);
return (ep);
}
struct au_event_ent *
getauevnum(au_event_t event_number)
{
static char event_ent_name[AU_EVENT_NAME_MAX];
static char event_ent_desc[AU_EVENT_DESC_MAX];
static struct au_event_ent e;
bzero(&e, sizeof(e));
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
return (getauevnum_r(&e, event_number));
}
/*
* Search for an audit_event entry with a given event_name and returns the
* corresponding event number.
*/
au_event_t *
getauevnonam_r(au_event_t *ev, const char *event_name)
{
static char event_ent_name[AU_EVENT_NAME_MAX];
static char event_ent_desc[AU_EVENT_DESC_MAX];
static struct au_event_ent e, *ep;
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
bzero(&e, sizeof(e));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
ep = getauevnam_r(&e, event_name);
if (ep == NULL)
return (NULL);
*ev = e.ae_number;
return (ev);
}
au_event_t *
getauevnonam(const char *event_name)
{
static au_event_t event;
return (getauevnonam_r(&event, event_name));
}

176
contrib/openbsm/libbsm/bsm_flags.c Normal file
View File

@ -0,0 +1,176 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_flags.c#13 $
*/
#include <bsm/libbsm.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
static const char *flagdelim = ",";
/*
* Convert the character representation of audit values into the au_mask_t
* field.
*/
int
getauditflagsbin(char *auditstr, au_mask_t *masks)
{
char class_ent_name[AU_CLASS_NAME_MAX];
char class_ent_desc[AU_CLASS_DESC_MAX];
struct au_class_ent c;
char *tok;
char sel, sub;
char *last;
bzero(&c, sizeof(c));
bzero(class_ent_name, sizeof(class_ent_name));
bzero(class_ent_desc, sizeof(class_ent_desc));
c.ac_name = class_ent_name;
c.ac_desc = class_ent_desc;
masks->am_success = 0;
masks->am_failure = 0;
tok = strtok_r(auditstr, flagdelim, &last);
while (tok != NULL) {
/* Check for the events that should not be audited. */
if (tok[0] == '^') {
sub = 1;
tok++;
} else
sub = 0;
/* Check for the events to be audited for success. */
if (tok[0] == '+') {
sel = AU_PRS_SUCCESS;
tok++;
} else if (tok[0] == '-') {
sel = AU_PRS_FAILURE;
tok++;
} else
sel = AU_PRS_BOTH;
if ((getauclassnam_r(&c, tok)) != NULL) {
if (sub)
SUB_FROM_MASK(masks, c.ac_class, sel);
else
ADD_TO_MASK(masks, c.ac_class, sel);
} else {
errno = EINVAL;
return (-1);
}
/* Get the next class. */
tok = strtok_r(NULL, flagdelim, &last);
}
return (0);
}
/*
* Convert the au_mask_t fields into a string value. If verbose is non-zero
* the long flag names are used else the short (2-character)flag names are
* used.
*
* XXXRW: If bits are specified that are not matched by any class, they are
* omitted rather than rejected with EINVAL.
*
* XXXRW: This is not thread-safe as it relies on atomicity between
* setauclass() and sequential calls to getauclassent(). This could be
* fixed by iterating through the bitmask fields rather than iterating
* through the classes.
*/
int
getauditflagschar(char *auditstr, au_mask_t *masks, int verbose)
{
char class_ent_name[AU_CLASS_NAME_MAX];
char class_ent_desc[AU_CLASS_DESC_MAX];
struct au_class_ent c;
char *strptr = auditstr;
u_char sel;
bzero(&c, sizeof(c));
bzero(class_ent_name, sizeof(class_ent_name));
bzero(class_ent_desc, sizeof(class_ent_desc));
c.ac_name = class_ent_name;
c.ac_desc = class_ent_desc;
/*
* Enumerate the class entries, check if each is selected in either
* the success or failure masks.
*/
setauclass();
while ((getauclassent_r(&c)) != NULL) {
sel = 0;
/* Dont do anything for class = no. */
if (c.ac_class == 0)
continue;
sel |= ((c.ac_class & masks->am_success) == c.ac_class) ?
AU_PRS_SUCCESS : 0;
sel |= ((c.ac_class & masks->am_failure) == c.ac_class) ?
AU_PRS_FAILURE : 0;
/*
* No prefix should be attached if both success and failure
* are selected.
*/
if ((sel & AU_PRS_BOTH) == 0) {
if ((sel & AU_PRS_SUCCESS) != 0) {
*strptr = '+';
strptr = strptr + 1;
} else if ((sel & AU_PRS_FAILURE) != 0) {
*strptr = '-';
strptr = strptr + 1;
}
}
if (sel != 0) {
if (verbose) {
strcpy(strptr, c.ac_desc);
strptr += strlen(c.ac_desc);
} else {
strcpy(strptr, c.ac_name);
strptr += strlen(c.ac_name);
}
*strptr = ','; /* delimiter */
strptr = strptr + 1;
}
}
/* Overwrite the last delimiter with the string terminator. */
if (strptr != auditstr)
*(strptr-1) = '\0';
return (0);
}

2831
contrib/openbsm/libbsm/bsm_io.c Normal file
View File

File diff suppressed because it is too large Load Diff

194
contrib/openbsm/libbsm/bsm_mask.c Normal file
View File

@ -0,0 +1,194 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2005 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_mask.c#11 $
*/
#include <sys/types.h>
#include <sys/queue.h>
#include <bsm/libbsm.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
/* MT-Safe */
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
static int firsttime = 1;
/*
* XXX ev_cache, once created, sticks around until the calling program exits.
* This may or may not be a problem as far as absolute memory usage goes, but
* at least there don't appear to be any leaks in using the cache.
*
* XXXRW: Note that despite (mutex), load_event_table() could race with
* other consumers of the getauevents() API.
*/
struct audit_event_map {
char ev_name[AU_EVENT_NAME_MAX];
char ev_desc[AU_EVENT_DESC_MAX];
struct au_event_ent ev;
LIST_ENTRY(audit_event_map) ev_list;
};
static LIST_HEAD(, audit_event_map) ev_cache;
static struct audit_event_map *
audit_event_map_alloc(void)
{
struct audit_event_map *aemp;
aemp = malloc(sizeof(*aemp));
if (aemp == NULL)
return (aemp);
bzero(aemp, sizeof(*aemp));
aemp->ev.ae_name = aemp->ev_name;
aemp->ev.ae_desc = aemp->ev_desc;
return (aemp);
}
static void
audit_event_map_free(struct audit_event_map *aemp)
{
free(aemp);
}
/*
* When reading into the cache fails, we need to flush the entire cache to
* prevent it from containing some but not all records.
*/
static void
flush_cache(void)
{
struct audit_event_map *aemp;
/* XXX: Would assert 'mutex'. */
while ((aemp = LIST_FIRST(&ev_cache)) != NULL) {
LIST_REMOVE(aemp, ev_list);
audit_event_map_free(aemp);
}
}
static int
load_event_table(void)
{
struct audit_event_map *aemp;
struct au_event_ent *ep;
/*
* XXX: Would assert 'mutex'.
* Loading of the cache happens only once; dont check if cache is
* already loaded.
*/
LIST_INIT(&ev_cache);
setauevent(); /* Rewind to beginning of entries. */
do {
aemp = audit_event_map_alloc();
if (aemp == NULL) {
flush_cache();
return (-1);
}
ep = getauevent_r(&aemp->ev);
if (ep != NULL)
LIST_INSERT_HEAD(&ev_cache, aemp, ev_list);
else
audit_event_map_free(aemp);
} while (ep != NULL);
return (1);
}
/*
* Read the event with the matching event number from the cache.
*/
static struct au_event_ent *
read_from_cache(au_event_t event)
{
struct audit_event_map *elem;
/* XXX: Would assert 'mutex'. */
LIST_FOREACH(elem, &ev_cache, ev_list) {
if (elem->ev.ae_number == event)
return (&elem->ev);
}
return (NULL);
}
/*
* Check if the audit event is preselected against the preselection mask.
*/
int
au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag)
{
struct au_event_ent *ev;
au_class_t effmask = 0;
if (mask_p == NULL)
return (-1);
pthread_mutex_lock(&mutex);
if (firsttime) {
firsttime = 0;
if ( -1 == load_event_table()) {
pthread_mutex_unlock(&mutex);
return (-1);
}
}
switch (flag) {
case AU_PRS_REREAD:
flush_cache();
if (load_event_table() == -1) {
pthread_mutex_unlock(&mutex);
return (-1);
}
ev = read_from_cache(event);
break;
case AU_PRS_USECACHE:
ev = read_from_cache(event);
break;
default:
ev = NULL;
}
if (ev == NULL) {
pthread_mutex_unlock(&mutex);
return (-1);
}
if (sorf & AU_PRS_SUCCESS)
effmask |= (mask_p->am_success & ev->ae_class);
if (sorf & AU_PRS_FAILURE)
effmask |= (mask_p->am_failure & ev->ae_class);
pthread_mutex_unlock(&mutex);
if (effmask != 0)
return (1);
return (0);
}

149
contrib/openbsm/libbsm/bsm_notify.c Normal file
View File

@ -0,0 +1,149 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#8 $
*/
#ifdef __APPLE__
/*
* Based on sample code from Marc Majka.
*/
#include <notify.h>
#include <string.h> /* strerror() */
#include <sys/errno.h> /* errno */
#include <bsm/libbsm.h>
#include <stdint.h> /* uint32_t */
#include <syslog.h> /* syslog() */
#include <stdarg.h> /* syslog() */
/* If 1, assumes a kernel that sends the right notification. */
#define AUDIT_NOTIFICATION_ENABLED 1
#if AUDIT_NOTIFICATION_ENABLED
static int token = 0;
#endif /* AUDIT_NOTIFICATION_ENABLED */
static long au_cond = AUC_UNSET; /* <bsm/audit.h> */
uint32_t
au_notify_initialize(void)
{
#if AUDIT_NOTIFICATION_ENABLED
uint32_t status, ignore_first;
status = notify_register_check(__BSM_INTERNAL_NOTIFY_KEY, &token);
if (status != NOTIFY_STATUS_OK)
return (status);
status = notify_check(token, &ignore_first);
if (status != NOTIFY_STATUS_OK)
return (status);
#endif
if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
syslog(LOG_ERR, "Initial audit status check failed (%s)",
strerror(errno));
if (errno == ENOSYS) /* auditon() unimplemented. */
return (AU_UNIMPL);
return (NOTIFY_STATUS_FAILED); /* Is there a better code? */
}
return (NOTIFY_STATUS_OK);
}
int
au_notify_terminate(void)
{
#if AUDIT_NOTIFICATION_ENABLED
return ((notify_cancel(token) == NOTIFY_STATUS_OK) ? 0 : -1);
#else
return (0);
#endif
}
/*
* On error of any notify(3) call, reset 'au_cond' to ensure we re-run
* au_notify_initialize() next time 'round--but assume auditing is on. This
* is a slight performance hit if auditing is off, but at least the system
* will behave correctly. The notification calls are unlikely to fail,
* anyway.
*/
int
au_get_state(void)
{
#if AUDIT_NOTIFICATION_ENABLED
uint32_t did_notify;
#endif
int status;
/*
* Don't make the client initialize this set of routines, but take the
* slight performance hit by checking ourselves every time.
*/
if (au_cond == AUC_UNSET) {
status = au_notify_initialize();
if (status != NOTIFY_STATUS_OK) {
if (status == AU_UNIMPL)
return (AU_UNIMPL);
return (AUC_AUDITING);
} else
return (au_cond);
}
#if AUDIT_NOTIFICATION_ENABLED
status = notify_check(token, &did_notify);
if (status != NOTIFY_STATUS_OK) {
au_cond = AUC_UNSET;
return (AUC_AUDITING);
}
if (did_notify == 0)
return (au_cond);
#endif
if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
/* XXX Reset au_cond to AUC_UNSET? */
syslog(LOG_ERR, "Audit status check failed (%s)",
strerror(errno));
if (errno == ENOSYS) /* Function unimplemented. */
return (AU_UNIMPL);
return (errno);
}
switch (au_cond) {
case AUC_NOAUDIT: /* Auditing suspended. */
case AUC_DISABLED: /* Auditing shut off. */
return (AUC_NOAUDIT);
case AUC_UNSET: /* Uninitialized; shouldn't get here. */
case AUC_AUDITING: /* Audit on. */
default:
return (AUC_AUDITING);
}
}
#endif /* !__APPLE__ */

1219
contrib/openbsm/libbsm/bsm_token.c Normal file
View File

File diff suppressed because it is too large Load Diff

268
contrib/openbsm/libbsm/bsm_user.c Normal file
View File

@ -0,0 +1,268 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_user.c#14 $
*/
#include <bsm/libbsm.h>
#include <string.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Parse the contents of the audit_user file into au_user_ent structures.
*/
static FILE *fp = NULL;
static char linestr[AU_LINE_MAX];
static const char *user_delim = ":";
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/*
* Parse one line from the audit_user file into the au_user_ent structure.
*/
static struct au_user_ent *
userfromstr(char *str, struct au_user_ent *u)
{
char *username, *always, *never;
char *last;
username = strtok_r(str, user_delim, &last);
always = strtok_r(NULL, user_delim, &last);
never = strtok_r(NULL, user_delim, &last);
if ((username == NULL) || (always == NULL) || (never == NULL))
return (NULL);
if (strlen(username) >= AU_USER_NAME_MAX)
return (NULL);
strcpy(u->au_name, username);
if (getauditflagsbin(always, &(u->au_always)) == -1)
return (NULL);
if (getauditflagsbin(never, &(u->au_never)) == -1)
return (NULL);
return (u);
}
/*
* Rewind to beginning of the file
*/
static void
setauuser_locked(void)
{
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
}
void
setauuser(void)
{
pthread_mutex_lock(&mutex);
setauuser_locked();
pthread_mutex_unlock(&mutex);
}
/*
* Close the file descriptor
*/
void
endauuser(void)
{
pthread_mutex_lock(&mutex);
if (fp != NULL) {
fclose(fp);
fp = NULL;
}
pthread_mutex_unlock(&mutex);
}
/*
* Enumerate the au_user_ent structures from the file
*/
static struct au_user_ent *
getauuserent_r_locked(struct au_user_ent *u)
{
char *nl;
if ((fp == NULL) && ((fp = fopen(AUDIT_USER_FILE, "r")) == NULL))
return (NULL);
while (1) {
if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
return (NULL);
/* Remove new lines. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
/* Skip comments. */
if (linestr[0] == '#')
continue;
/* Get the next structure. */
if (userfromstr(linestr, u) == NULL)
return (NULL);
break;
}
return (u);
}
struct au_user_ent *
getauuserent_r(struct au_user_ent *u)
{
struct au_user_ent *up;
pthread_mutex_lock(&mutex);
up = getauuserent_r_locked(u);
pthread_mutex_unlock(&mutex);
return (up);
}
struct au_user_ent *
getauuserent(void)
{
static char user_ent_name[AU_USER_NAME_MAX];
static struct au_user_ent u;
bzero(&u, sizeof(u));
bzero(user_ent_name, sizeof(user_ent_name));
u.au_name = user_ent_name;
return (getauuserent_r(&u));
}
/*
* Find a au_user_ent structure matching the given user name.
*/
struct au_user_ent *
getauusernam_r(struct au_user_ent *u, const char *name)
{
struct au_user_ent *up;
if (name == NULL)
return (NULL);
pthread_mutex_lock(&mutex);
setauuser_locked();
while ((up = getauuserent_r_locked(u)) != NULL) {
if (strcmp(name, u->au_name) == 0) {
pthread_mutex_unlock(&mutex);
return (u);
}
}
pthread_mutex_unlock(&mutex);
return (NULL);
}
struct au_user_ent *
getauusernam(const char *name)
{
static char user_ent_name[AU_USER_NAME_MAX];
static struct au_user_ent u;
bzero(&u, sizeof(u));
bzero(user_ent_name, sizeof(user_ent_name));
u.au_name = user_ent_name;
return (getauusernam_r(&u, name));
}
/*
* Read the default system wide audit classes from audit_control, combine with
* the per-user audit class and update the binary preselection mask.
*/
int
au_user_mask(char *username, au_mask_t *mask_p)
{
char auditstring[MAX_AUDITSTRING_LEN + 1];
char user_ent_name[AU_USER_NAME_MAX];
struct au_user_ent u, *up;
bzero(&u, sizeof(u));
bzero(user_ent_name, sizeof(user_ent_name));
u.au_name = user_ent_name;
/* Get user mask. */
if ((up = getauusernam_r(&u, username)) != NULL) {
if (-1 == getfauditflags(&up->au_always, &up->au_never,
mask_p))
return (-1);
return (0);
}
/* Read the default system mask. */
if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
if (-1 == getauditflagsbin(auditstring, mask_p))
return (-1);
return (0);
}
/* No masks defined. */
return (-1);
}
/*
* Generate the process audit state by combining the audit masks passed as
* parameters with the system audit masks.
*/
int
getfauditflags(au_mask_t *usremask, au_mask_t *usrdmask, au_mask_t *lastmask)
{
char auditstring[MAX_AUDITSTRING_LEN + 1];
if ((usremask == NULL) || (usrdmask == NULL) || (lastmask == NULL))
return (-1);
lastmask->am_success = 0;
lastmask->am_failure = 0;
/* Get the system mask. */
if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
if (getauditflagsbin(auditstring, lastmask) != 0)
return (-1);
}
ADDMASK(lastmask, usremask);
SUBMASK(lastmask, usrdmask);
return (0);
}

322
contrib/openbsm/libbsm/bsm_wrappers.c Normal file
View File

@ -0,0 +1,322 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#14 $
*/
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <bsm/libbsm.h>
#include <unistd.h>
#include <syslog.h>
#include <string.h>
#include <errno.h>
/* These are not advertised in libbsm.h */
int audit_set_terminal_port(dev_t *p);
int audit_set_terminal_host(uint32_t *m);
int
audit_set_terminal_port(dev_t *p)
{
struct stat st;
if (p == NULL)
return (kAUBadParamErr);
*p = NODEV;
/* for /usr/bin/login, try fstat() first */
if (fstat(STDIN_FILENO, &st) != 0) {
if (errno != EBADF) {
syslog(LOG_ERR, "fstat() failed (%s)",
strerror(errno));
return (kAUStatErr);
}
if (stat("/dev/console", &st) != 0) {
syslog(LOG_ERR, "stat() failed (%s)",
strerror(errno));
return (kAUStatErr);
}
}
*p = st.st_rdev;
return (kAUNoErr);
}
int
audit_set_terminal_host(uint32_t *m)
{
int name[2] = { CTL_KERN, KERN_HOSTID };
size_t len;
if (m == NULL)
return (kAUBadParamErr);
*m = 0;
len = sizeof(*m);
if (sysctl(name, 2, m, &len, NULL, 0) != 0) {
syslog(LOG_ERR, "sysctl() failed (%s)", strerror(errno));
return (kAUSysctlErr);
}
return (kAUNoErr);
}
int
audit_set_terminal_id(au_tid_t *tid)
{
int ret;
if (tid == NULL)
return (kAUBadParamErr);
if ((ret = audit_set_terminal_port(&tid->port)) != kAUNoErr)
return (ret);
return (audit_set_terminal_host(&tid->machine));
}
/*
* This is OK for those callers who have only one token to write. If you have
* multiple tokens that logically form part of the same audit record, you need
* to use the existing au_open()/au_write()/au_close() API:
*
* aufd = au_open();
* tok = au_to_random_token_1(...);
* au_write(aufd, tok);
* tok = au_to_random_token_2(...);
* au_write(aufd, tok);
* ...
* au_close(aufd, 1, AUE_your_event_type);
*
* Assumes, like all wrapper calls, that the caller has previously checked
* that auditing is enabled via the audit_get_state() call.
*
* XXX: Should be more robust against bad arguments.
*/
int
audit_write(short event_code, token_t *subject, token_t *misctok, char retval,
int errcode)
{
int aufd;
char *func = "audit_write()";
token_t *rettok;
if ((aufd = au_open()) == -1) {
au_free_token(subject);
au_free_token(misctok);
syslog(LOG_ERR, "%s: au_open() failed", func);
return (kAUOpenErr);
}
/* Save subject. */
if (subject && au_write(aufd, subject) == -1) {
au_free_token(subject);
au_free_token(misctok);
(void)au_close(aufd, 0, event_code);
syslog(LOG_ERR, "%s: write of subject failed", func);
return (kAUWriteSubjectTokErr);
}
/* Save the event-specific token. */
if (misctok && au_write(aufd, misctok) == -1) {
au_free_token(misctok);
(void)au_close(aufd, 0, event_code);
syslog(LOG_ERR, "%s: write of caller token failed", func);
return (kAUWriteCallerTokErr);
}
/* Tokenize and save the return value. */
if ((rettok = au_to_return32(retval, errcode)) == NULL) {
(void)au_close(aufd, 0, event_code);
syslog(LOG_ERR, "%s: au_to_return32() failed", func);
return (kAUMakeReturnTokErr);
}
if (au_write(aufd, rettok) == -1) {
au_free_token(rettok);
(void)au_close(aufd, 0, event_code);
syslog(LOG_ERR, "%s: write of return code failed", func);
return (kAUWriteReturnTokErr);
}
/*
* au_close()'s second argument is "keep": if keep == 0, the record is
* discarded. We assume the caller wouldn't have bothered with this
* function if it hadn't already decided to keep the record.
*/
if (au_close(aufd, 1, event_code) < 0) {
syslog(LOG_ERR, "%s: au_close() failed", func);
return (kAUCloseErr);
}
return (kAUNoErr);
}
/*
* Same caveats as audit_write(). In addition, this function explicitly
* assumes success; use audit_write_failure() on error.
*/
int
audit_write_success(short event_code, token_t *tok, au_id_t auid, uid_t euid,
gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
au_tid_t *tid)
{
char *func = "audit_write_success()";
token_t *subject = NULL;
/* Tokenize and save subject. */
subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
tid);
if (subject == NULL) {
syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
return kAUMakeSubjectTokErr;
}
return (audit_write(event_code, subject, tok, 0, 0));
}
/*
* Same caveats as audit_write(). In addition, this function explicitly
* assumes success; use audit_write_failure_self() on error.
*/
int
audit_write_success_self(short event_code, token_t *tok)
{
token_t *subject;
char *func = "audit_write_success_self()";
if ((subject = au_to_me()) == NULL) {
syslog(LOG_ERR, "%s: au_to_me() failed", func);
return (kAUMakeSubjectTokErr);
}
return (audit_write(event_code, subject, tok, 0, 0));
}
/*
* Same caveats as audit_write(). In addition, this function explicitly
* assumes failure; use audit_write_success() otherwise.
*
* XXX This should let the caller pass an error return value rather than
* hard-coding -1.
*/
int
audit_write_failure(short event_code, char *errmsg, int errcode, au_id_t auid,
uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
au_tid_t *tid)
{
char *func = "audit_write_failure()";
token_t *subject, *errtok;
subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid);
if (subject == NULL) {
syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
return (kAUMakeSubjectTokErr);
}
/* tokenize and save the error message */
if ((errtok = au_to_text(errmsg)) == NULL) {
au_free_token(subject);
syslog(LOG_ERR, "%s: au_to_text() failed", func);
return (kAUMakeTextTokErr);
}
return (audit_write(event_code, subject, errtok, -1, errcode));
}
/*
* Same caveats as audit_write(). In addition, this function explicitly
* assumes failure; use audit_write_success_self() otherwise.
*
* XXX This should let the caller pass an error return value rather than
* hard-coding -1.
*/
int
audit_write_failure_self(short event_code, char *errmsg, int errret)
{
char *func = "audit_write_failure_self()";
token_t *subject, *errtok;
if ((subject = au_to_me()) == NULL) {
syslog(LOG_ERR, "%s: au_to_me() failed", func);
return (kAUMakeSubjectTokErr);
}
/* tokenize and save the error message */
if ((errtok = au_to_text(errmsg)) == NULL) {
au_free_token(subject);
syslog(LOG_ERR, "%s: au_to_text() failed", func);
return (kAUMakeTextTokErr);
}
return (audit_write(event_code, subject, errtok, -1, errret));
}
/*
* For auditing errors during login. Such errors are implicitly
* non-attributable (i.e., not ascribable to any user).
*
* Assumes, like all wrapper calls, that the caller has previously checked
* that auditing is enabled via the audit_get_state() call.
*/
int
audit_write_failure_na(short event_code, char *errmsg, int errret, uid_t euid,
uid_t egid, pid_t pid, au_tid_t *tid)
{
return (audit_write_failure(event_code, errmsg, errret, -1, euid,
egid, -1, -1, pid, -1, tid));
}
/* END OF au_write() WRAPPERS */
#ifdef __APPLE__
void
audit_token_to_au32(audit_token_t atoken, uid_t *auidp, uid_t *euidp,
gid_t *egidp, uid_t *ruidp, gid_t *rgidp, pid_t *pidp, au_asid_t *asidp,
au_tid_t *tidp)
{
if (auidp != NULL)
*auidp = (uid_t)atoken.val[0];
if (euidp != NULL)
*euidp = (uid_t)atoken.val[1];
if (egidp != NULL)
*egidp = (gid_t)atoken.val[2];
if (ruidp != NULL)
*ruidp = (uid_t)atoken.val[3];
if (rgidp != NULL)
*rgidp = (gid_t)atoken.val[4];
if (pidp != NULL)
*pidp = (pid_t)atoken.val[5];
if (asidp != NULL)
*asidp = (au_asid_t)atoken.val[6];
if (tidp != NULL) {
audit_set_terminal_host(&tidp->machine);
tidp->port = (dev_t)atoken.val[7];
}
}
#endif /* !__APPLE__ */

220
contrib/openbsm/libbsm/libbsm.3 Normal file
View File

@ -0,0 +1,220 @@
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#3 $
.\"
.Dd April 19, 2005
.Dt LIBBSM 3
.Os
.Sh NAME
.Nm libbsm
.Nd "Basic Security Module (BSM) Audit API"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In libbsm.h
.Sh DESCRIPTION
The
.Nm
library routines provide an interface to BSM audit record streams, allowing
both the parsing of existing audit streams, as well as the creation of new
audit records and streams.
.Sh INTERFACES
.Nm
provides a large number of Audit programming interfaces in several classes:
event stream interfaces, class interfaces, control interfaces, event
interfaces, I/O interfaces, mask interfaces, notification interfaces, token
interfaces, and user interfaces.
These are described respectively in the
.Xr au_stream 3 ,
.Xr au_class 3 ,
.Xr au_control 3 ,
.Xr au_event 3 ,
.Xr au_mask 3 ,
.Xr au_notify 3 ,
.Xr au_token 3 ,
.Xr au_user 3
man pages.
.Ss Audit Event Stream Interfaces
Audit event stream interfaces support interaction with file-backed audit
event streams:
.Xr au_free_token 3 ,
.Xr au_free_token 3 ,
.Xr au_open 3 ,
.Xr au_write 3 ,
.Xr au_close 3 .
.Ss Audit Class Interfaces
Audit class interfaces support the look up of information from the
.Xr audit_class 5
database:
.Xr getauclassent 3 ,
.Xr getauclassent_r 3 ,
.Xr getauclassnam 3 ,
.Xr getauclassnam_r 3 ,
.Xr setauclass 3 ,
.Xr endauclass 3 .
.Ss Audit Control Interfaces
Audit control interfaces support the look up of information from the
.Xr audit_control 5
database:
.Xr setac 3 ,
.Xr endac 3 ,
.Xr getacdir 3 ,
.Xr getacmin 3 ,
.Xr getacflg 3 ,
.Xr getacna 3 .
.Ss Audit Event Interfaces
Audit event interfaces support the look up of information from the
.Xr audit_event 5
database:
.Xr setauevent 3 ,
.Xr endauevent 3 ,
.Xr getauevent 3 ,
.Xr getauevent_r 3 ,
.Xr getauevnam 3 ,
.Xr getauevnam_r 3 ,
.Xr getauevnum 3 ,
.Xr getauevnum_r 3 ,
.Xr getauevnonam 3 ,
.Xr getauevnonam_r 3 ,
.Ss Audit I/O Interfaces
Audit I/O interfaces support the processing and printing of tokens, as well
as the reading of audit records:
.Xr au_fetch_tok 3 ,
.Xr au_print_tok 3 ,
.Xr au_read_rec 3 .
.Ss Audit Mask Interfaces
Audit mask interfaces convert support the conversion between strings and
.Vt au_mask_t
values.
They may also be used to determine if a particular audit event is matched
by a mask:
.Xr au_preselect 3 ,
.Xr getauditflagsbin 3 ,
.Xr getauditflagschar 3 .
.Ss Audit Notification Interfaces
Audit notification routines track audit state in a form permitting efficient
update, avoiding frequent system calls to check the kernel audit state:
.Xr au_notify_initialize 3 ,
.Xr au_notify_terminate 3 ,
.Xr au_get_state 3 .
These interfaces are implemented only for Darwin/Mac OS X.
.Ss Audit Token Interface
Audit token interfaces permit the creation of tokens for use in creating
audit records for submission to event streams.
Each interface converts a C type to its
.Vt token_t
representation.
.Xr au_to_arg32 3 ,
.Xr au_to_arg64 3 ,
.Xr au_to_arg 3 ,
.Xr au_to_attr64 3 ,
.Xr au_to_data 3 ,
.Xr au_to_exit 3 ,
.Xr au_to_groups 3 ,
.Xr au_to_newgroups 3 ,
.Xr au_to_in_addr 3 ,
.Xr au_to_in_addr_ex 3 ,
.Xr au_to_ip 3 ,
.Xr au_to_ipc 3 ,
.Xr au_to_ipc_perm 3 ,
.Xr au_to_iport 3 ,
.Xr au_to_opaque 3 ,
.Xr au_to_file 3 ,
.Xr au_to_text 3 ,
.Xr au_to_path 3 ,
.Xr au_to_process32 3 ,
.Xr au_to_process64 3 ,
.Xr au_to_process 3 ,
.Xr au_to_process32_ex 3 ,
.Xr au_to_process64_ex 3 ,
.Xr au_to_process_ex 3 ,
.Xr au_to_return32 3 ,
.Xr au_to_return64 3 ,
.Xr au_to_return 3 ,
.Xr au_to_seq 3 ,
.Xr au_to_socket 3 ,
.Xr au_to_socket_ex_32 3 ,
.Xr au_to_socket_ex_128 3 ,
.Xr au_to_sock_inet32 3 ,
.Xr au_to_sock_inet128 3 ,
.Xr au_to_sock_inet 3 ,
.Xr au_to_subject32 3 ,
.Xr au_to_subject64 3 ,
.Xr au_to_subject 3 ,
.Xr au_to_subject32_ex 3 ,
.Xr au_to_subject64_ex 3 ,
.Xr au_to_subject_ex 3 ,
.Xr au_to_me 3 ,
.Xr au_to_exec_args 3 ,
.Xr au_to_exec_env 3 ,
.Xr au_to_header32 3 ,
.Xr au_to_header64 3 ,
.Xr au_to_trailer 3 .
.Ss Audit User Interfaces
Audit user interfaces support the look up of information from the
.Xr audit_user 5
database:
.Xr setauuser 3 ,
.Xr endauuser 3 ,
.Xr getauuserent 3 ,
.Xr getauuserent_r 3 ,
.Xr getauusernam 3 ,
.Xr getauusernam_r 3 ,
.Xr au_user_mask 3 ,
.Xr getfauditflags 3 .
.Sh SEE ALSO
.Xr au_class 3 ,
.Xr au_mask 3 ,
.Xr au_notify 3 ,
.Xr au_stream 3 ,
.Xr au_token 3 ,
.Xr au_user 3 ,
.Xr audit_class 5 ,
.Xr audit_control 5
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh
Krishnaswamy for McAfee Research, the security research division of McAfee,
Inc., under contract to Apple Computer, Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
Bugs would not be unlikely.
.Pp
The
.Nm
library implementations are generally thread-safe, but not reentrant.
.Pp
The assignment of routines to classes could use some work, as it is
decidely ad hoc.
For example,
.Fn au_read_rec
should probably be considered a stream routine.

19
contrib/openbsm/man/Makefile Normal file
View File

@ -0,0 +1,19 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile#5 $
#
MAN= audit.2 \
auditctl.2 \
auditon.2 \
getaudit.2 \
getauid.2 \
setaudit.2 \
setauid.2 \
audit.log.5 \
audit_class.5 \
audit_control.5 \
audit_event.5 \
audit_user.5 \
audit_warn.5
.include <bsd.prog.mk>

96
contrib/openbsm/man/audit.2 Normal file
View File

@ -0,0 +1,96 @@
.\"-
.\" Copyright (c) 2005 Tom Rhodes
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $
.\"
.Dd April 19, 2005
.Dt AUDIT 2
.Os
.Sh NAME
.Nm audit
.Nd "Commit a BSM audit record to the audit log"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn audit "const char *record" "u_int length"
.Sh DESCRIPTION
.Fn audit
submits a completed BSM audit record to the system audit log.
.Pp
.Fa record
is a pointer to the the specific event to be recorded and
.Vt length
is the size in bytes of the data to be written.
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
The
.Fn audit
system call will fail and the data never written if:
.Bl -tag -width Er
.It Bq Er EFAULT
The
.Fa record
argument is beyond the allocated address space of the process.
.It Bq Er EINVAL
The token ID is invalid or
.Vt length
is larger than
.Vt MAXAUDITDATA .
.It Bq Er EPERM
The process does not have sufficient permission to complete
the operation.
.El
.Sh SEE ALSO
.Xr auditon 2 ,
.Xr getauid 2 ,
.Xr setauid 2 ,
.Xr getaudit 2 ,
.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
.Xr setaudit_addr 2 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Tom Rhodes Aq trhodes@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
The
.Fx
kernel does not fully validate that the argument passed is syntactically
valid BSM.
Submitting invalid audit records may corrupt the audit log.

622
contrib/openbsm/man/audit.log.5 Normal file
View File

@ -0,0 +1,622 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#6 $
.\"
.Dd May 1, 2005
.Dt AUDIT.LOG 5
.Os
.Sh NAME
.Nm audit
.Nd "Basic Security Module (BSM) File Format"
.Sh DESCRIPTION
The
.Nm
file format is based on Sun's Basic Security Module (BSM) file format, a
token-based record stream to represent system audit data.
This file format is both flexible and extensible, able to describe a broad
range of data types, and easily extended to describe new data types in a
moderately backward and forward compatible way.
.Pp
BSM token streams typically begin and end with a
.Dv file
token, which provides time stamp and file name information for the stream;
when processing a BSM token stream from a stream as opposed to a single file
source, file tokens may be seen at any point between ordinary records
identifying when particular parts of the stream begin and end.
All other tokens will appear in the context of a complete BSM audit record,
which begins with a
.Dv header
token, and ends with a
.Dv trailer
token, which describe the audit record.
Between these two tokens will appear a variety of data tokens, such as
process information, file path names, IPC object information, MAC labels,
socket information, and so on.
.Pp
The BSM file format defines specific token orders for each record event type;
however, some variation may occur depending on the operating system in use,
what system options, such as mandatory access control, are present.
.Pp
This manual page documents the common token types and their binary format, and
is intended for reference purposes only.
It is recommended that application programmers use the
.Xr libbsm 3
interface to read and write tokens, rather than parsing or constructing
records by hand.
.Ss File Token
The
.Dv file
token is used at the beginning and end of an audit log file to indicate
when the audit log begins and ends.
It includes a pathname so that, if concatenated together, original file
boundaries are still observable, and gaps in the audit log can be identified.
A
.Dv file
token can be created using
.Xr au_to_file 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
.El
.Ss Header Token
The
.Dv header
token is used to mark the beginning of a complete audit record, and includes
the length of the total record in bytes, a version number for the record
layout, the event type and subtype, and the time at which the event occurred.
A
.Dv header
token can be created using
.Xr au_to_header32 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
.It Li "Event Type" Ta "2 bytes" Ta "Event type"
.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
.El
.Ss Expanded Header Token
The
.Dv expanded header
token is an expanded version of the
.Dv header
token, with the addition of a machine IPv4 or IPv6 address.
The
.Xr libbsm 3
API cannot currently create an
.Dv expanded header
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
.It Li "Event Type" Ta "2 bytes" Ta "Event type"
.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
.El
.Ss Trailer Token
The
.Dv trailer
terminates a BSM audit record, and contains a magic number,
.Dv TRAILER_PAD_MAGIC
and length that can be used to validate that the record was read properly.
A
.Dv trailer
token can be created using
.Xr au_to_trailer 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.El
.Ss Arbitrary Data Token
The
.Dv arbitrary data
token contains a byte stream of opaque (untyped) data.
The size of the data is calculated as the size of each unit of data
multipled by the number of units of data.
A
.Dv How to print
field is present to specify how to print the data, but interpretation of
that field is not currently defined.
The
.Xr libbsm 3
API cannot currently create an
.Dv arbitrary data
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
.It Li "Data Items" Ta "Variable" Ta "User data"
.El
.Ss in_addr Token
The
.Dv in_addr
token holds a network byte order IPv4 or IPv6 address.
An
.Dv in_addr
token can be created using
.Xr au_to_in_addr 3
for an IPv4 address, or
.Xr au_to_in_addr_ex 3
for an IPv6 address.
.Pp
See the BUGS section for information on the storage of this token.
.Pp
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
.El
.Ss Expanded in_addr Token
The
.Dv expanded in_addr
token ...
.Pp
See the BUGS section for information on the storage of this token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It XXXX
.El
.Ss ip Token
The
.Dv ip
token contains an IP packet header in network byte order.
An
.Dv ip
token can be cread using
.Xr au_to_ip 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address"
.El
.Ss Expanded ip Token
The
.Dv expanded ip
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It XXXX
.El
.Ss iport Token
The
.Dv iport
token stores an IP port number in network byte order.
An
.Dv iport
token can be created using
.Xr au_to_iport 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
.El
.Ss Path Token
The
.Dv path
token contains a pathname.
A
.Dv path
token can be created using
.Xr auto_path 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
.El
.Ss path_attr Token
The
.Dv path_attr
token contains a set of nul-terminated path names.
The
.Xr libbsm 3
API cannot currently create an
.Dv path_attr
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
.El
.Ss Process Token
The
.Dv process
token contains a description of the security properties of a process
involved as the target of an auditable event, such as the destination for
signal delivery.
It should not be confused with the
.Dv subject
token, which describes the subject performing an auditable event.
This includes both the traditional
.Ux
security properties, such as user IDs and group IDs, but also audit
information such as the audit user ID and sesion.
A
.Dv process
token can be created using
.Xr au_to_process32 3
or
.Xr au_to_process64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
.El
.Ss Expanded Process Token
The .Dv expanded process
token contains the contents of the
.Dv process
token, with the addition of a machine address type and variable length
address storage capable of containing IPv6 addresses.
A
.Dv expanded process
token can be created using
.Xr au_to_process32_ex 3
or
.Xr au_to_process64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
.El
.Ss Return Token
The
.Dv return
token contains a system call or library function return condition, including
return value and error number associated with the global variable
.Er errno .
A
.Dv return
token can be created using
.Xr au_to_return32 3
or
.Xr au_to_return64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
.El
.Ss Subject Token
The
.Dv subject
token contains information on the subject performing the operation described
by an audit record, and includes similar information to that found in the
.Dv process
and
.Dv expanded process
tokens.
However, those tokens are used where the process being described is the
target of the operation, not the authorizing party.
A
.Dv subject
token can be created using
.Xr au_to_subject32 3
and
.Xr au_to_subject64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
.El
.Ss Expanded Subject Token
The
.Dv expanded subject
token consists of the same elements as the
.Dv subject
token, with the addition of type/length and variable size machine address
information in the terminal ID.
A
.Dv expanded subject
token can be created using
.Xr au_to_subject32_ex 3
or
.Xr au_to_subject64_ex 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
.El
.Ss System V IPC Token
The
.Dv System V IPC
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Text Token
The
.Dv text
token contains a single nul-terminated text string.
A
.Dv text
token may be created using
.Xr au_to_text 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
.El
.Ss Attribute Token
The
.Dv attribute
token describes the attributes of a file associated with the audit event.
As files may be identified by 0, 1, or many path names, a path name is not
included with the attribute block for a file; optional
.Dv path
tokens may also be present in an audit record indicating which path, if any,
was used to reach the object.
A
.Dv attribute
token can be created using
.Xr au_to_attr32 3
or
.Xr au_to_attr64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
.El
.Ss Groups Token
The
.Dv groups
token contains a list of group IDs associated with the audit event.
A
.Dv groups
token can be created using
.Xr au_to_groups 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
.El
.Ss System V IPC Permission Token
The
.Dv System V IPC permission
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Arg Token
The
.Dv arg
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss exec_args Token
The
.Dv exec_args
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss exec_env Token
The
.Dv exec_env
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Exit Token
The
.Dv exit
token contains process exit/return code information.
An
.Dv exit
token can be created using
.Xr au_to_exit 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
.El
.Ss Socket Token
The
.Dv socket
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Expanded Socket Token
The
.Dv expanded socket
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Seq Token
The
.Dv seq
token contains a unique and monotonically increasing audit event sequence ID.
Due to the limited range of 32 bits, serial number arithmetic and caution
should be used when comparing sequence numbers.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
.El
.Ss privilege Token
The
.Dv privilege
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Use-of-auth Token
The
.Dv use-of-auth
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Command Token
The
.Dv command
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss ACL Token
The
.Dv ACL
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Zonename Token
The
.Dv zonename
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Sh SEE ALSO
.Xr libbsm 3
.Sh AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
The
.Dv How to print
field in the
.Dv arbitrary data
token has undefined values.
.Pp
The
.Dv in_addr
and
.Dv in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
implementations of
.Xr au_to_in_addr 3
and
.Xr au_to_in_addr_ex 3 .

70
contrib/openbsm/man/audit_class.5 Normal file
View File

@ -0,0 +1,70 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $
.\"
.Dd Jan 24, 2004
.Dt AUDIT_CLASS 5
.Os
.Sh NAME
.Nm audit_class
.Nd "contains audit event class descriptions"
.Sh DESCRIPTION
The
.Nm
file contains descriptions of the auditable event classes on the system.
Each auditable event is a member of an event class.
Each line maps an audit event
mask (bitmap) to a class and a description.
Entries are of the form
.Dl classmask:eventclass:description.
.Pp
Example entries in this file are:
.Bd -literal -offset indent
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000080:pc:process
0xffffffff:all:all flags set
.Ed
.Sh FILES
.Bl -tag -width "/etc/security/audit_class" -compact
.It Pa /etc/security/audit_class
.El
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

121
contrib/openbsm/man/audit_control.5 Normal file
View File

@ -0,0 +1,121 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $
.\"
.Dd Jan 24, 2004
.Dt AUDIT_CONTROL 5
.Os
.Sh NAME
.Nm audit_control
.Nd "contains audit system parameters"
.Sh DESCRIPTION
The
.Nm
file contains several audit system parameters.
Each line of this file is of the form:
.Dl parameter:value.
The parameters are:
.Bl -tag -width Ds
.It Pa dir
The directory where audit log files are stored.
There may be more than one of these entries.
Changes to this entry can only be enacted by restarting the
audit system.
See
.Xr audit 1
for a description of how to restart the audit system.
.It Va flags
Specifies which audit event classes are audited for all users.
.Xr audit_user 5
describes how to audit events for individual users.
See the information below for the format of the audit flags.
.It Va naflags
Contains the audit flags that define what classes of events are audited when
an action cannot be attributed to a specific user.
.It Va minfree
The minimum free space required on the file system audit logs are being written to.
When the free space falls below this limit a warning will be issued.
Not currently used as the value of 20 percent is chosen by the kernel.
.El
.Sh AUDIT FLAGS
Audit flags are a comma delimited list of audit classes as defined in the
audit_class file.
See
.Xr audit_class 5
for details.
Event classes may be preceded by a prefix which changes their interpretation.
The following prefixes may be used for each class:
.Bl -tag -width Ds -compact -offset indent
.It +
Record successful events
.It -
Record failed events
.It ^
Record both successful and failed events
.It ^+
Don't record successful events
.It ^-
Don't record failed events
.El
.Sh DEFAULT
The following settings appear in the default
.Nm
file:
.Bd -literal -offset indent
dir:/var/audit
flags:lo,ad,-all,^-fc,^-cl
minfree:20
naflags:lo
.Ed
.Pp
The
.Va flags
parameter above specifies the system-wide mask corresponding to login/logout
events, administrative events, and all failures except for failures in creating
or closing files.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
.El
.Sh SEE ALSO
.Xr audit 1 ,
.Xr auditd 8 ,
.Xr audit_class 5 ,
.Xr audit_user 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

74
contrib/openbsm/man/audit_event.5 Normal file
View File

@ -0,0 +1,74 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $
.\"
.Dd Jan 24, 2004
.Dt AUDIT_EVENT 5
.Os
.Sh NAME
.Nm audit_event
.Nd "contains audit event descriptions"
.Sh DESCRIPTION
The
.Nm
file contains descriptions of the auditable events on the system.
Each line maps an audit event number to a name, a description, and a class.
Entries are of the form
.Dl eventnum:eventname:description:eventclass .
Each
.Vt eventclass
should have a corresponding entry in the audit_class file.
See
.Xr audit_class 5
for details.
.Pp
Example entries in this file are:
.Bd -literal -offset indent
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
2:AUE_FORK:fork(2):pc
3:AUE_OPEN:open(2):fa
.Ed
.Sh FILES
.Bl -tag -width "/etc/security/audit_event" -compact
.It Pa /etc/security/audit_event
.El
.Sh SEE ALSO
.Xr audit_class 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

91
contrib/openbsm/man/audit_user.5 Normal file
View File

@ -0,0 +1,91 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $
.\"
.Dd Jan 24, 2004
.Dt AUDIT_USER 5
.Os
.Sh NAME
.Nm audit_user
.Nd "specifies events to be audited for the given users"
.Sh DESCRIPTION
The
.Nm
file specifies which audit event classes are to be audited for the given users.
If specified, these flags are combined with the system-wide audit flags in the
.Pa audit_control
file to determine which classes of events to audit for that user.
These settings take effect when the user logs in.
.Pp
Each line maps a user name to a list of classes that should be audited and a
list of classes that should not be audited.
Entries are of the form of
.Dl username:alwaysaudit:neveraudit ,
where
.Vt alwaysaudit
is a set of event classes that are always audited, and
.Vt neveraudit
is a set of event classes that should not be audited.
These sets can indicate
the inclusion or exclusion of multiple classes, and whether to audit successful
or failed events.
See
.Xr audit_control 5
for more information about audit flags.
.Pp
Example entries in this file are:
.Bd -literal -offset indent
root:lo,ad:no
jdoe:-fc,ad:+fw
.Ed
.Pp
These settings would cause login and administrative events that succeed on
behalf of user root to be audited.
No failure events are audited.
For the user
.Em jdoe ,
failed file creation events are audited, administrative events are
audited, and successful file write events are never audited.
.Sh FILES
.Bl -tag -width "/etc/security/audit_user" -compact
.It Pa /etc/security/audit_user
.El
.Sh SEE ALSO
.Xr audit_control 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

69
contrib/openbsm/man/audit_warn.5 Normal file
View File

@ -0,0 +1,69 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $
.\"
.Dd Mar 17, 2004
.Dt AUDIT_WARN 5
.Os
.Sh NAME
.Nm audit_warn
.Nd "alert when audit daemon issues warnings"
.Sh DESCRIPTION
.Nm
runs when
.Xr auditd 8
generates warning messages.
.Pp
The default
.Nm
is a script whose first parameter is the type of warning; the script
appends its arguments to
.Pa /etc/security/audit_messages .
Administrators may replace this script: a more comprehensive one would take
different actions based on the type of warning.
For example, a low-space warning
could result in an email message being sent to the administrator.
.Sh FILES
.Bl -tag -width "/etc/security/audit_warn" -compact
.It Pa /etc/security/audit_warn
.It Pa /etc/security/audit_messages
.El
.Sh SEE ALSO
.Xr auditd 8
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

78
contrib/openbsm/man/auditctl.2 Normal file
View File

@ -0,0 +1,78 @@
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#4 $
.\"
.Dd April 19, 2005
.Dt AUDITCTL 2
.Os
.Sh NAME
.Nm auditctl
.Nd "Configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn auditon "const char *path"
.Sh DESCRIPTION
The
.Fn auditctl
system call directs the kernel to open a new audit trail log file.
.Fn auditctl
requires appropriate privilege.
In the
.Fx
implementation,
.Fn auditctl
opens new files, but
.Fn auditon
is used to disable the audit log.
In the Mac OS X implementation, passing
.Va NULL
to
.Fn auditctl
will disable the audit log.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error
information via
.Va errno .
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr auditd 8
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

288
contrib/openbsm/man/auditon.2 Normal file
View File

@ -0,0 +1,288 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" Copyright (c) 2005 Tom Rhodes
.\" Copyright (c) 2005 Wayne J. Salamon
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $
.\"
.Dd April 19, 2005
.Dt AUDITON 2
.Os
.Sh NAME
.Nm auditon
.Nd "Configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn auditon "int cmd" "void *data" "u_int length"
.Sh DESCRIPTION
The
.Nm
system call is used to manipulate various audit control operations.
.Ft *data
should point to a structure whose type depends on the command.
.Ft length
specifies the size of the
.Em data
in bytes.
.Ft cmd
may be any of the following:
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
.It Dv A_SETPOLICY
Set audit policy flags.
.Ft *data
must point to an long value set to one of the audit
policy control values defined in audit.h.
Currently, only
.Dv AUDIT_CNT
and
.Dv AUDIT_AHLT
are implemented.
In the
.Dv AUDIT_CNT
case, the action will continue regardless if
an event will not be audited.
In the
.Dv AUDIT_AHLT
case, a
.Xr panic 9
will result if an event will not be written to the
audit log file.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_SETKMASK
Set the kernel preselection masks (success and failure).
.Ft *data
must point to a
.Ft au_mask_t
structure containing the mask values.
These masks are used for non-attributable audit event preselection.
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
.Ft *data
must point to a
.Ft au_qctrl_t
structure containing the
kernel audit queue control settings:
.Va high water ,
.Va low water ,
.Va output buffer size ,
.Va percent min free disk space ,
and
.Em delay
(not currently used).
.It Dv A_SETSTAT
Return
.Er ENOSYS .
.It Dv A_SETUMASK
Return
.Er ENOSYS .
.It Dv A_SETSMASK
Return
.Er ENOSYS .
.It Dv A_SETCOND
Set the current auditing condition.
.Ft *data
must point to an long value containing the new
audit condition, one of
.Dv AUC_AUDITING ,
.Dv AUC_NOAUDIT ,
or
.Dv AUC_DISABLED .
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
.Ft *data
must point to a
.Ft au_evclass_map_t
structure containing the audit event and mask.
.It Dv A_SETPMASK
Set the preselection masks for a process.
.Ft *data
must point to a
.Ft auditpinfo_t
structure that contains the given process's audit
preselection masks for both success and failure.
.It Dv A_SETFSIZE
Set the maximum size of the audit log file.
.Ft *data
must point to a
.Ft au_fstat_t
structure with the
.Ft af_filesz
field set to the maximum audit log file size. A value of 0
indicates no limit to the size.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETCLASS
Return the event to class mapping for the designated audit event.
.Ft *data
must point to a
.Ft au_evclass_map_t
structure.
.It Dv A_GETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETPINFO
Return the audit settings for a process.
.Ft *data
must point to a
.Ft auditpinfo_t
structure which will be set to contain
the audit ID, preselection mask, terminal ID, and audit session
ID of the given process.
.It Dv A_GETPINFO_ADDR
Return
.Er ENOSYS .
.It Dv A_GETKMASK
Return the current kernel preselection masks.
.Ft *data
must point to a
.Ft au_mask_t
structure which will be set to
the current kernel preselection masks for non-attributable events.
.It Dv A_GETPOLICY
Return the current audit policy setting.
.Ft *data
must point to an long value which will be set to
one of the current audit policy flags.
Currently, only
.Dv AUDIT_CNT
and
.Dv AUDIT_AHLT
are implemented.
.It Dv A_GETQCTRL
Return the current kernel audit queue control parameters.
.Ft *data
must point to a
.Ft au_qctrl_t
structure which will be set to the current
kernel audit queue control parameters.
.It Dv A_GETFSIZE
Returns the maximum size of the audit log file.
.Ft *data
must point to a
.Ft au_fstat_t
structure. The
.Ft af_filesz
field will set to the maximum audit log file size. A value of 0
indicates no limit to the size.
The
.Ft af_filesz
will be set to the current audit log file size.
.It Dv A_GETCWD
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\" Return the current working directory as stored in the audit subsystem.
Return
.Er ENOSYS .
.It Dv A_GETCAR
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Stores and returns the current active root as stored in the audit
.\"subsystem.
Return
.Er ENOSYS .
.It Dv A_GETSTAT
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Return the statistics stored in the audit system.
Return
.Er ENOSYS .
.It Dv A_GETCOND
Return the current auditing condition.
.Ft *data
must point to a long value which will be set to
the current audit condition, either
.Dv AUC_AUDITING
or
.Dv AUC_NOAUDIT .
.It Dv A_SENDTRIGGER
Send a trigger to the audit daemon.
.Fr *data
must point to a long value set to one of the acceptable
trigger values:
.Dv AUDIT_TRIGGER_LOW_SPACE
(low disk space where the audit log resides),
.Dv AUDIT_TRIGGER_OPEN_NEW
(open a new audit log file),
.Dv AUDIT_TRIGGER_READ_FILE
(read the audit_control file),
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
(close the current log file and exit),
or
.Dv AUDIT_TRIGGER_NO_SPACE
(no disk space left for audit log file).
.El
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
The
.Fn auditon
function will fail if:
.Bl -tag -width Er
.It Bq Er ENOSYS
Returned by options not yet implemented.
.It Bq Er EFAULT
A failure occurred while data transferred to or from
the kernel failed.
.It Bq Er EINVAL
Illegal argument was passed by a system call.
.It Bq Er EPERM
The process does not have sufficient permission to complete
the operation.
.El
.Pp
The
.Dv A_SENDTRIGGER
command is specific to the
.Fx
and Mac OS X implementations, and is not present in Solaris.
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditctl 2 ,
.Xr getauid 2 ,
.Xr setauid 2 ,
.Xr getaudit 2 ,
.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
.Xr setaudit_addr 2 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Tom Rhodes Aq trhodes@FreeBSD.org ,
.An Robert Watson Aq rwatson@FreeBSD.org ,
and
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

80
contrib/openbsm/man/getaudit.2 Normal file
View File

@ -0,0 +1,80 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $
.\"
.Dd April 19, 2005
.Dt GETAUDIT 2
.Os
.Sh NAME
.Nm getaudit ,
.Nm getaudit_addr
.Nd "Retrieve audit session state"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn getaudit "auditinfo_t *auditinfo"
.Ft int
.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
.Sh DESCRIPTION
.Fn getaudit
retrieves the active audit session state for the current process via the
.Vt auditinfo_t
pointed to by
.Va auditinfo .
.Fn getaudit_addr
retrieves extended state via
.Va auditinfo_addr
and
.Va length .
.Pp
This system call required appropriate privilege to complete.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error
information via
.Va errno .
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
.Xr getauid 2 ,
.Xr setauid 2 ,
.Xr setaudit 2 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

74
contrib/openbsm/man/getauid.2 Normal file
View File

@ -0,0 +1,74 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $
.\"
.Dd April 19, 2005
.Dt GETAUID 2
.Os
.Sh NAME
.Nm getauid
.Nd "Retrieve audit session ID"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn getauid "au_id_t *auid"
.Sh DESCRIPTION
.Nm
retrieves the active audit session ID for the current process via the
.Vt au_id_t
pointed to by
.Va auid .
.Pp
This system call required appropriate privilege to complete.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error
information via
.Va errno .
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
.Xr setauid 2 ,
.Xr getaudit 2 ,
.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
.Xr setaudit_addr 2 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

81
contrib/openbsm/man/setaudit.2 Normal file
View File

@ -0,0 +1,81 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $
.\"
.Dd April 19, 2005
.Dt SETAUDIT 2
.Os
.Sh NAME
.Nm setaudit ,
.Nm setaudit_addr
.Nd "Set audit session state"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn setaudit "auditinfo_t *auditinfo"
.Ft int
.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"
.Sh DESCRIPTION
.Nm
sets the active audit session state for the current process via the
.Vt auditinfo_t
pointed to by
.Va auditinfo .
.Fn setaudit_addr
sets extended state via
.Va auditinfo_addr
and
.Va length .
.Pp
This system call required appropriate privilege to complete.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error
information via
.Va errno .
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
.Xr getaudit 2 ,
.Xr getauid 2 ,
.Xr setauid 2 ,
.Xr getaudit 2 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

74
contrib/openbsm/man/setauid.2 Normal file
View File

@ -0,0 +1,74 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $
.\"
.Dd April 19, 2005
.Dt SETAUID 2
.Os
.Sh NAME
.Nm setauid
.Nd "Set audit session ID"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn setauid "au_id_t *auid"
.Sh DESCRIPTION
.Nm
sets the active audit session ID for the current process from the
.Vt au_id_t
pointed to by
.Va auid .
.Pp
This system call required appropriate privilege to complete.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error
information via
.Va errno .
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
.Xr getauid 2 ,
.Xr getaudit 2 ,
.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
.Xr setaudit_addr 2 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.

13
contrib/openbsm/tools/Makefile Normal file
View File

@ -0,0 +1,13 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/tools/Makefile#3 $
#
CFLAGS+= -I- -I .. -I ../libbsm -L ../libbsm -I.
PROG= audump
NO_MAN=
DPADD= /usr/lib/libbsm.a
LDADD= -lbsm
BINDIR= /usr/sbin
WARNS= 3
.include <bsd.prog.mk>

234
contrib/openbsm/tools/audump.c Normal file
View File

@ -0,0 +1,234 @@
/*-
* Copyright (c) 2005 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#4 $
*/
#include <bsm/libbsm.h>
#include <string.h>
#include <err.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Simple tool to dump various /etc/security databases using the defined APIs.
*/
static void
usage(void)
{
fprintf(stderr, "usage: dump [class|class_r|control|event|event_r|"
"user|user_r]\n");
exit(-1);
}
static void
audump_class(void)
{
au_class_ent_t *cp;
while ((cp = getauclassent()) != NULL)
printf("0x%08x:%s:%s\n", cp->ac_class, cp->ac_name,
cp->ac_desc);
}
static void
audump_class_r(void)
{
char class_ent_name[AU_CLASS_NAME_MAX];
char class_ent_desc[AU_CLASS_DESC_MAX];
au_class_ent_t c, *cp;
bzero(&c, sizeof(c));
bzero(class_ent_name, sizeof(class_ent_name));
bzero(class_ent_desc, sizeof(class_ent_desc));
c.ac_name = class_ent_name;
c.ac_desc = class_ent_desc;
while ((cp = getauclassent_r(&c)) != NULL)
printf("0x%08x:%s:%s\n", cp->ac_class, cp->ac_name,
cp->ac_desc);
}
static void
audump_control(void)
{
char string[PATH_MAX];
int ret, val;
ret = getacflg(string, PATH_MAX);
if (ret == -2)
err(-1, "getacflg");
if (ret != 0)
errx(-1, "getacflg: %d", ret);
printf("flags:%s\n", string);
ret = getacmin(&val);
if (ret == -2)
err(-1, "getacmin");
if (ret != 0)
errx(-1, "getacmin: %d", ret);
printf("min:%d\n", val);
ret = getacna(string, PATH_MAX);
if (ret == -2)
err(-1, "getacna");
if (ret != 0)
errx(-1, "getacna: %d", ret);
printf("naflags:%s\n", string);
setac();
do {
ret = getacdir(string, PATH_MAX);
if (ret == -1)
break;
if (ret == -2)
err(-1, "getacdir");
if (ret != 0)
errx(-1, "getacdir: %d", ret);
printf("dir:%s\n", string);
} while (ret == 0);
}
static void
printf_classmask(au_class_t classmask)
{
au_class_ent_t *c;
u_int32_t i;
int first;
first = 1;
for (i = 0; i < 32; i++) {
if (classmask & (2 << i)) {
if (first)
first = 0;
else
printf(",");
c = getauclassnum(2 << i);
if (c != NULL)
printf("%s", c->ac_name);
else
printf("0x%x", 2 << i);
}
}
}
static void
audump_event(void)
{
au_event_ent_t *ep;
while ((ep = getauevent()) != NULL) {
printf("%d:%s:%s:", ep->ae_number, ep->ae_name, ep->ae_desc);
printf_classmask(ep->ae_class);
printf("\n");
}
}
static void
audump_event_r(void)
{
char event_ent_name[AU_EVENT_NAME_MAX];
char event_ent_desc[AU_EVENT_DESC_MAX];
au_event_ent_t e, *ep;
bzero(&e, sizeof(e));
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
while ((ep = getauevent_r(&e)) != NULL) {
printf("%d:%s:%s:", ep->ae_number, ep->ae_name, ep->ae_desc);
printf_classmask(ep->ae_class);
printf("\n");
}
}
static void
audump_user(void)
{
au_user_ent_t *up;
while ((up = getauuserent()) != NULL) {
printf("%s:", up->au_name);
// printf_classmask(up->au_always);
printf(":");
// printf_classmask(up->au_never);
printf("\n");
}
}
static void
audump_user_r(void)
{
char user_ent_name[AU_USER_NAME_MAX];
au_user_ent_t u, *up;
bzero(&u, sizeof(u));
bzero(user_ent_name, sizeof(user_ent_name));
u.au_name = user_ent_name;
while ((up = getauuserent_r(&u)) != NULL) {
printf("%s:", up->au_name);
// printf_classmask(up->au_always);
printf(":");
// printf_classmask(up->au_never);
printf("\n");
}
}
int
main(int argc, char *argv[])
{
if (argc != 2)
usage();
if (strcmp(argv[1], "class") == 0)
audump_class();
else if (strcmp(argv[1], "class_r") == 0)
audump_class_r();
else if (strcmp(argv[1], "control") == 0)
audump_control();
else if (strcmp(argv[1], "event") == 0)
audump_event();
else if (strcmp(argv[1], "event_r") == 0)
audump_event_r();
else if (strcmp(argv[1], "user") == 0)
audump_user();
else if (strcmp(argv[1], "user_r") == 0)
audump_user_r();
else
usage();
return (0);
}