Vendor import TrustedBSD OpenBSM 1.0 alpha 12, with the following change
history notes since the last import:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working
  correctly when the user specifies to process successful or failed events.
  The problem stemmed from not having access to the return token at the time
  the initial preselection occurred, but now a second preselection process
  occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
  which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
  line; this was the documented behavior previously, but it was not
  implemented.  Be more specific in auditreduce(1)'s examples section about
  what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
  termination of an audit trail file.  For example, this might be used to
  compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
  now supply one or more (comma delimited) regular expressions for searching
  the pathnames. If one of the regular expressions is prefixed with a tilde
  (~), and a path matches, it will be excluded from the search results.

MFC after:	3 days
Obtained from:	TrustedBSD Project
Robert Watson 2006-09-25 11:40:29 +00:00
parent bb97b41819
commit 4bd0c025f3
19 changed files with 302 additions and 60 deletions

View File

@ -1,3 +1,24 @@
OpenBSM 1.0 alpha 12
- Correct bug in auditreduce which prevented the -c option from working
correctly when the user specifies to process successful or failed events.
The problem stemmed from not having access to the return token at the time
the initial preselection occurred, but now a second preselection process
occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
line; this was the documented behavior previously, but it was not
implemented. Be more specific in auditreduce(1)'s examples section about
what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
termination of an audit trail file. For example, this might be used to
compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
now supply one or more (comma delimited) regular expressions for searching
the pathnames. If one of the regular expressions is prefixed with a tilde
(~), and a path matches, it will be excluded from the search results.
OpenBSM 1.0 alpha 11
- Reclassify certain read/write operations as having no class rather than the
@ -243,4 +264,4 @@ OpenBSM 1.0 alpha 1
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
$P4: //depot/projects/trustedbsd/openbsm/HISTORY#33 $
$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $

View File

@ -17,10 +17,7 @@
just at the beginning of a record. This will make it easier to use
praudit in test suites processing single-token files without header and
trailer context.
- Teach auditd how to notify a script when it is done with trail files so
that the script can archive them, compress them, delete them, whatever.
It should walk any trail files found at startup also, assuming it
successfully registers.
- Put hostname in trail file name.
- Document audit_warn event arguments.
$P4: //depot/projects/trustedbsd/openbsm/TODO#7 $
$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $
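Review bot: the removed TODO item also asked auditd to walk any trail files found at startup and notify the script for those, but the only call to audit_warn_closefile() in this patch is the one in close_lastfile() after a successful rename. Unless the startup path also runs through close_lastfile(), only the "notify a script when it is done with trail files" half of the item is done; keep the startup-walk sentence in TODO rather than dropping the whole entry.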

View File

@ -1 +1 @@
OPENBSM_1_0_ALPHA_11
OPENBSM_1_0_ALPHA_12

View File

@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#7 $
*/
#include <sys/types.h>
@ -124,6 +124,21 @@ audit_warn_auditoff(void)
return (auditwarnlog(args));
}
/*
* Indicate that a trail file has been closed, so can now be post-processed.
*/
int
audit_warn_closefile(char *filename)
{
char *args[3];
args[0] = CLOSEFILE_WARN;
args[1] = filename;
args[2] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that the audit deammn is already running
*/
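Review bot: audit_warn(5) is not among the 19 files touched by this import, yet the HISTORY entry describes the change as adding an "audit_warn(5) closefile event". The new event name "closefile" and its single argument (the final trail file name passed as args[1]) need documenting there, especially since the TODO item "Document audit_warn event arguments" remains open. Minor: the comment "so can now be post-processed" should read "so it can now be post-processed", and the pre-existing "deammn" in the following comment could be fixed while here.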

View File

@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#21 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
*/
#include <sys/types.h>
@ -163,9 +163,11 @@ close_lastfile(char *TS)
syslog(LOG_ERR,
"Could not rename %s to %s: %m", oldname,
lastfile);
else
else {
syslog(LOG_INFO, "renamed %s to %s",
oldname, lastfile);
audit_warn_closefile(lastfile);
}
}
free(lastfile);
free(oldname);
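Review bot: audit_warn_closefile() is called only on the successful-rename branch. If rename() fails, the trail file is still closed and still sits on disk under oldname, but no closefile event is delivered, so an audit_warn script that compresses or archives trails on this event silently misses the file. Consider calling audit_warn_closefile(oldname) in the error branch as well, so the hook fires for every closed trail regardless of whether the rename succeeded.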
@ -727,6 +729,8 @@ config_audit_controls(void)
char naeventstr[NA_EVENT_STR_SIZE];
char polstr[POL_STR_SIZE];
long policy;
au_fstat_t au_fstat;
size_t filesz;
/*
* Process the audit event file, obtaining a class mapping for each
@ -806,6 +810,17 @@ config_audit_controls(void)
"Failed to set default audit policy: %m");
}
/*
* Set trail rotation size.
*/
if (getacfilesz(&filesz) == 0) {
bzero(&au_fstat, sizeof(au_fstat));
au_fstat.af_filesz = filesz;
if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0)
syslog(LOG_ERR, "Failed to set filesz: %m");
} else
syslog(LOG_ERR, "Failed to obtain filesz: %m");
return (0);
}
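Review bot: an audit_control(5) file without a filesz line now logs "Failed to obtain filesz: Invalid argument" at LOG_ERR on every configuration pass, because getacfilesz() returns 1 with errno set to EINVAL when the entry is absent and this caller treats every non-zero return alike. An absent entry should almost certainly mean no size-based rotation, the same as the shipped default filesz:0, so treat a return of 1 as filesz = 0 (still calling auditon(A_SETFSIZE)) and reserve the syslog error for the -1 and -2 parse and lookup failures. As written, any failure also skips the auditon() call entirely, leaving whatever rotation size the kernel previously had in effect.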

View File

@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#7 $
*/
#ifndef _AUDITD_H_
@ -62,6 +62,7 @@ struct dir_ent {
#define HARDLIM_ALL_WARN "allhard"
#define SOFTLIM_ALL_WARN "allsoft"
#define AUDITOFF_WARN "auditoff"
#define CLOSEFILE_WARN "closefile"
#define EBUSY_WARN "ebusy"
#define GETACDIR_WARN "getacdir"
#define HARDLIM_WARN "hard"
@ -76,6 +77,7 @@ struct dir_ent {
int audit_warn_allhard(int count);
int audit_warn_allsoft(void);
int audit_warn_auditoff(void);
int audit_warn_closefile(char *filename);
int audit_warn_ebusy(void);
int audit_warn_getacdir(char *filename);
int audit_warn_hard(char *filename);

View File

@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
@ -105,12 +105,17 @@ for a description of audit event names and numbers.
.It Fl o Ar object=value
.Bl -tag -width Ds
.It Nm file
Select records containing the given path name.
file="/usr" matches paths
starting with
.Pa usr .
file="~/usr" matches paths not starting with
.Pa usr .
Select records containing path tokens, where the pathname matches
one of the comma delimited extended regular expression contained in
given specification.
Regular expressions which are prefixed with a tilde (~) are excluded
from the search results.
These extended regular expressions are processed from left to right,
and a path will either be selected or deslected based on the first match.
.Pp
Since commas are used to delimit the regular expressions, a backslash (\\)
character should be used to escape the comma if it's a part of the search
pattern.
.It Nm msgqid
Select records containing the given message queue id.
.It Nm pid
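Review bot: "deslected" should be "deselected", and "one of the comma delimited extended regular expression contained in given specification" needs "expressions" and "the given specification". More importantly, the matching semantics changed and the page should say so: the replaced text documented an anchored prefix match (file="/usr" matched paths starting with /usr), whereas the new code compiles each entry with REG_EXTENDED and runs an unanchored regexec(), so "/usr" now matches anywhere in the path and "." is a metacharacter. Tell users to anchor with ^ (and to escape dots) to retain the old behaviour, and state what happens when no expression matches, since such paths are not selected.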
@ -136,6 +141,30 @@ events from that log:
.Pp
.Nm
-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
.Pp
Output from the above command lines will typically be piped to a new trail
file, or via standard output to the
.Xr praudit 1
command.
.Pp
Select all records containing a path token where the pathname contains
.Pa /etc/master.passwd
.Pp
.Nm
-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
.Pp
Select all records containing path tokens, where the pathname is a TTY
device:
.Pp
.Nm
-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
.Pp
Select all records containing path tokens, where the pathname is a TTY
except for
.Pa /dev/ttyp2
.Pp
.Nm
-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
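Review bot: the new examples inherit the unanchored matching introduced by this patch. In the last example the exclusion "~/dev/ttyp2" also drops /dev/ttyp20 through /dev/ttyp29 because nothing anchors the end of the pattern, and "/dev/tty[a-zA-Z][0-9]+" would select a path such as /var/log/dev/ttyv0.log. Writing the examples as ^/dev/ttyp2$ and ^/dev/tty[a-zA-Z][0-9]+$ would both make them correct and show readers the anchoring they will need. The "/etc/master.passwd" example would be clearer if the dot were escaped, since the text says the pathname must contain that string.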

View File

@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#14 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#18 $
*/
/*
@ -40,6 +40,13 @@
* XXX the records present within the file and between the files themselves
*/
#include <config/config.h>
#ifdef HAVE_FULL_QUEUE_H
#include <sys/queue.h>
#else
#include <compat/queue.h>
#endif
#include <bsm/libbsm.h>
#include <err.h>
@ -51,9 +58,14 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <regex.h>
#include <errno.h>
#include "auditreduce.h"
static TAILQ_HEAD(tailhead, re_entry) re_head =
TAILQ_HEAD_INITIALIZER(re_head);
extern char *optarg;
extern int optind, optopt, opterr,optreset;
@ -80,11 +92,58 @@ static char *p_sockobj = NULL;
static uint32_t opttochk = 0;
static void
parse_regexp(char *re_string)
{
char *orig, *copy, re_error[64];
struct re_entry *rep;
int error, nstrs, i, len;
copy = strdup(re_string);
orig = copy;
len = strlen(copy);
for (nstrs = 0, i = 0; i < len; i++) {
if (copy[i] == ',' && i > 0) {
if (copy[i - 1] == '\\')
strcpy(&copy[i - 1], &copy[i]);
else {
nstrs++;
copy[i] = '\0';
}
}
}
TAILQ_INIT(&re_head);
for (i = 0; i < nstrs + 1; i++) {
rep = calloc(1, sizeof(*rep));
if (rep == NULL) {
(void) fprintf(stderr, "calloc: %s\n",
strerror(errno));
exit(1);
}
if (*copy == '~') {
copy++;
rep->re_negate = 1;
}
rep->re_pattern = strdup(copy);
error = regcomp(&rep->re_regexp, rep->re_pattern,
REG_EXTENDED | REG_NOSUB);
if (error != 0) {
regerror(error, &rep->re_regexp, re_error, 64);
(void) fprintf(stderr, "regcomp: %s\n", re_error);
exit(1);
}
TAILQ_INSERT_TAIL(&re_head, rep, re_glue);
len = strlen(copy);
copy += len + 1;
}
free(orig);
}
static void
usage(const char *msg)
{
fprintf(stderr, "%s\n", msg);
fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
fprintf(stderr, "Usage: auditreduce [options] [file ...]\n");
fprintf(stderr, "\tOptions are : \n");
fprintf(stderr, "\t-A : all records\n");
fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
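Review bot: strcpy(&copy[i - 1], &copy[i]) copies between overlapping buffers, which is undefined behaviour; use memmove(). After the shift the loop also never re-examines position i, so for "a\,,b" the second comma, which has just moved into slot i, is skipped and the two patterns are not split; decrement i (and len) after the move. The strdup() results are unchecked while the later calloc() is, so a NULL copy reaches strlen(). Smaller points: the "i > 0" test means a leading comma becomes part of the first pattern rather than a delimiter, an entry consisting only of "~" compiles an empty regular expression that matches every path, and re_head is reinitialised on each call, so a second -o file= leaks the earlier list instead of either replacing it or appending to it.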
@ -258,23 +317,20 @@ select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
static int
select_filepath(char *path, uint32_t *optchkd)
{
char *loc;
struct re_entry *rep;
int match;
SETOPT((*optchkd), OPT_of);
match = 1;
if (ISOPTSET(opttochk, OPT_of)) {
if (p_fileobj[0] == '~') {
/* Object should not be in path. */
loc = strstr(path, p_fileobj + 1);
if ((loc != NULL) && (loc == path))
return (0);
} else {
/* Object should be in path. */
loc = strstr(path, p_fileobj);
if ((loc == NULL) || (loc != path))
return (0);
match = 0;
TAILQ_FOREACH(rep, &re_head, re_glue) {
if (regexec(&rep->re_regexp, path, 0, NULL,
0) != REG_NOMATCH)
return (!rep->re_negate);
}
}
return (1);
return (match);
}
/*
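Review bot: a pattern list consisting only of negated expressions now selects nothing. match is initialised to 0 and the loop returns only on a hit, so with -o file="~/dev/ttyp2" every path that does not match falls through to return (match) and is dropped, whereas the replaced code selected any path that did not start with the excluded prefix, and the auditreduce(1) text in this patch still says tilde patterns are "excluded from the search results". Either initialise match to 1 when every entry in re_head has re_negate set, or require at least one positive pattern and document that. p_fileobj is also still assigned in parse_object_type() but is no longer read here.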
@ -328,6 +384,24 @@ select_hdr32(tokenstr_t tok, uint32_t *optchkd)
return (1);
}
static int
select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd)
{
int sorf;
SETOPT((*optchkd), (OPT_c));
if (tok_ret32.tt.ret32.status == 0)
sorf = AU_PRS_SUCCESS;
else
sorf = AU_PRS_FAILURE;
if (ISOPTSET(opttochk, OPT_c)) {
if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf,
AU_PRS_USECACHE) != 1)
return (0);
}
return (1);
}
/*
* Return 1 if checks for the the following succeed
* auid,
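Review bot: only AU_RETURN_32_TOKEN is routed to this check, so records carrying the 64-bit return token are never subjected to the -c success/failure preselection. The two tokenstr_t arguments are also passed by value, on top of the bcopy() of the header done in select_records(), which copies a large structure three times per return token; passing const pointers would avoid that. Both points apply to the dispatch in select_records() as well.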
@ -395,6 +469,7 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd)
static int
select_records(FILE *fp)
{
tokenstr_t tok_hdr32_copy;
u_char *buf;
tokenstr_t tok;
int reclen;
@ -423,6 +498,8 @@ select_records(FILE *fp)
case AU_HEADER_32_TOKEN:
selected = select_hdr32(tok,
&optchkd);
bcopy(&tok, &tok_hdr32_copy,
sizeof(tok));
break;
case AU_PROCESS_32_TOKEN:
@ -451,6 +528,11 @@ select_records(FILE *fp)
tok.tt.path.path, &optchkd);
break;
case AU_RETURN_32_TOKEN:
selected = select_return32(tok,
tok_hdr32_copy, &optchkd);
break;
/*
* The following tokens dont have any relevant
* attributes that we can select upon.
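Review bot: tok_hdr32_copy is declared without an initialiser and is filled only when an AU_HEADER_32_TOKEN is seen, so a record whose header is not a 32-bit header token, or a malformed record in which a return token precedes the header, hands uninitialised memory to au_preselect() via tok_hdr32.tt.hdr32.e_type. Track whether the copy is valid (or zero it at the start of each record) and skip the -c check when it is not.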
@ -465,7 +547,6 @@ select_records(FILE *fp)
case AU_IPCPERM_TOKEN:
case AU_IPORT_TOKEN:
case AU_OPAQUE_TOKEN:
case AU_RETURN_32_TOKEN:
case AU_SEQ_TOKEN:
case AU_TEXT_TOKEN:
case AU_ARB_TOKEN:
@ -500,6 +581,7 @@ parse_object_type(char *name, char *val)
if (!strcmp(name, FILEOBJ)) {
p_fileobj = val;
parse_regexp(val);
SETOPT(opttochk, OPT_of);
} else if (!strcmp(name, MSGQIDOBJ)) {
p_msgqobj = val;
@ -679,8 +761,12 @@ main(int argc, char **argv)
argv += optind;
argc -= optind;
if (argc == 0)
usage("Filename needed");
if (argc == 0) {
if (select_records(stdin) == -1)
errx(EXIT_FAILURE,
"Couldn't select records from stdin");
exit(EXIT_SUCCESS);
}
/*
* XXX: We should actually be merging records here.

View File

@ -26,13 +26,20 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $
*/
#ifndef _AUDITREDUCE_H_
#define _AUDITREDUCE_H_
struct re_entry {
char *re_pattern;
int re_negate;
regex_t re_regexp;
TAILQ_ENTRY(re_entry) re_glue;
};
#define OPT_a 0x00000001
#define OPT_b 0x00000002
#define OPT_c 0x00000004
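Review bot: struct re_entry uses regex_t and TAILQ_ENTRY, but auditreduce.h includes neither <regex.h> nor a queue header; it compiles only because auditreduce.c happens to include <regex.h> and sys/queue.h (or compat/queue.h) before it. Make the header self-contained by adding the includes, mirroring the HAVE_FULL_QUEUE_H conditional used in auditreduce.c.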

View File

@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#42 $
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#43 $
*/
#ifndef _BSM_AUDIT_KEVENTS_H_
@ -470,6 +470,10 @@
#define AUE_KENV 43114 /* FreeBSD. */
#define AUE_JAIL_ATTACH 43115 /* FreeBSD. */
#define AUE_SYSCTL_WRITE 43116 /* FreeBSD. */
#define AUE_IOPERM 43117 /* Linux. */
#define AUE_READDIR 43118 /* Linux. */
#define AUE_IOPL 43119 /* Linux. */
#define AUE_VM86 43120 /* Linux. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
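Review bot: the four new Linux event identifiers (AUE_IOPERM, AUE_READDIR, AUE_IOPL, AUE_VM86, 43117 to 43120) are not mentioned in the HISTORY entry for alpha 12 in this patch. Since these numbers are a public interface shared with the kernel event table and audit_event(5), the change log should record their addition.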

View File

@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 $
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $
*/
#ifndef _LIBBSM_H_
@ -78,6 +78,7 @@
#define DIR_CONTROL_ENTRY "dir"
#define MINFREE_CONTROL_ENTRY "minfree"
#define FILESZ_CONTROL_ENTRY "filesz"
#define FLAGS_CONTROL_ENTRY "flags"
#define NA_CONTROL_ENTRY "naflags"
#define POLICY_CONTROL_ENTRY "policy"
@ -719,6 +720,7 @@ void setac(void);
void endac(void);
int getacdir(char *name, int len);
int getacmin(int *min_val);
int getacfilesz(size_t *size_val);
int getacflg(char *auditstr, int len);
int getacna(char *auditstr, int len);
int getacpol(char *auditstr, size_t len);

View File

@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 .
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11.
# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12.
#
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
#
@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='OpenBSM'
PACKAGE_TARNAME='openbsm'
PACKAGE_VERSION='1.0a11'
PACKAGE_STRING='OpenBSM 1.0a11'
PACKAGE_VERSION='1.0a12'
PACKAGE_STRING='OpenBSM 1.0a12'
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
ac_unique_file="bin/auditreduce/auditreduce.c"
@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems.
\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1021,7 +1021,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of OpenBSM 1.0a11:";;
short | recursive ) echo "Configuration of OpenBSM 1.0a12:";;
esac
cat <<\_ACEOF
@ -1162,7 +1162,7 @@ fi
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
OpenBSM configure 1.0a11
OpenBSM configure 1.0a12
generated by GNU Autoconf 2.59
Copyright (C) 2003 Free Software Foundation, Inc.
@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by OpenBSM $as_me 1.0a11, which was
It was created by OpenBSM $as_me 1.0a12, which was
generated by GNU Autoconf 2.59. Invocation command line was
$ $0 $@
@ -19278,7 +19278,7 @@ fi
# Define the identity of the package.
PACKAGE=OpenBSM
VERSION=1.0a11
VERSION=1.0a12
cat >>confdefs.h <<_ACEOF
@ -23479,7 +23479,7 @@ _ASBOX
} >&5
cat >&5 <<_CSEOF
This file was extended by OpenBSM $as_me 1.0a11, which was
This file was extended by OpenBSM $as_me 1.0a12, which was
generated by GNU Autoconf 2.59. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -23542,7 +23542,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
OpenBSM config.status 1.0a11
OpenBSM config.status 1.0a12
configured by $0, generated by GNU Autoconf 2.59,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"

View File

@ -2,8 +2,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 $])
AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 $])
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_HEADER([config/config.h])
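Review bot: the bug-report address on the changed AC_INIT line reads "TrustesdBSD.org", which looks like a typo of the project name; since this line is being edited for the version bump anyway, correct the address here and regenerate configure, which repeats it in PACKAGE_BUGREPORT.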

View File

@ -1,8 +1,9 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#4 $
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
#
dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0

View File

@ -1,5 +1,5 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#15 $
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#16 $
#
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
@ -418,6 +418,10 @@
43114:AUE_KENV:kenv(8):ad
43115:AUE_JAIL_ATTACH:jail_attach(2):ad
43116:AUE_SYSCTL_WRITE:sysctl(3):ad
43117:AUE_IOPERM:linux ioperm:ad
43118:AUE_READDIR:readdir(3):no
43119:AUE_IOPL:linux iopl:ad
43120:AUE_VM86:linux vm86:pc
#
# User space system events.
#
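Review bot: AUE_READDIR is annotated "Linux." in audit_kevents.h but described here as "readdir(3)", a C library routine rather than the Linux system call; the other three new entries use the "linux ioperm" form, so "linux readdir" would be consistent. Confirm also that class "no" (not audited) is intended for AUE_READDIR while the neighbouring ioperm and iopl events are "ad" and vm86 is "pc".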

View File

@ -1,5 +1,5 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#4 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
@ -33,6 +33,7 @@
.Nm endac ,
.Nm getacdir ,
.Nm getacmin ,
.Nm getacfilesz ,
.Nm getacflg ,
.Nm getacna ,
.Nm getacpol ,
@ -52,6 +53,8 @@
.Ft int
.Fn getacmin "int *min_val"
.Ft int
.Fn getacfilesz "size_t *size_val"
.Ft int
.Fn getacflg "char *auditstr" "int len"
.Ft int
.Fn getacna "char *auditstr" "int len"
@ -88,6 +91,10 @@ the passed
.Va min_val
variable.
.Pp
.Fn getacfilesz
returns the audit trail rotation size in the passed size_t buffer
.Fa size_val .
.Pp
.Fn getacflg
returns the audit system flags via the the passed character buffer
.Va auditstr
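Review bot: the new getacfilesz paragraph should document the return values and errors, because the implementation in this patch distinguishes three failures (-2 when the control file cannot be read, 1 with errno EINVAL when no filesz entry exists, -1 with errno EINVAL for an unparsable or out-of-range value) and the only caller depends on telling them apart. It should also say that 0 means no size-based rotation and that non-zero values below the minimum trail size are rejected. "in the passed size_t buffer" reads oddly next to the other entries; "via the size_t variable pointed to by" with the .Fa argument matches the surrounding style.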

View File

@ -27,7 +27,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#15 $
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#16 $
*/
#include <bsm/libbsm.h>
@ -395,6 +395,46 @@ getacmin(int *min_val)
return (0);
}
/*
* Return the desired trail rotation size from the audit control file.
*/
int
getacfilesz(size_t *filesz_val)
{
char *filesz, *dummy;
long long ll;
pthread_mutex_lock(&mutex);
setac_locked();
if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
if (filesz == NULL) {
pthread_mutex_unlock(&mutex);
errno = EINVAL;
return (1);
}
ll = strtoll(filesz, &dummy, 10);
if (*dummy != '\0') {
pthread_mutex_unlock(&mutex);
errno = EINVAL;
return (-1);
}
/*
* The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0
* indicates no rotation size.
*/
if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
pthread_mutex_unlock(&mutex);
errno = EINVAL;
return (-1);
}
*filesz_val = ll;
pthread_mutex_unlock(&mutex);
return (0);
}
/*
* Return the system audit value from the audit contol file.
*/
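Review bot: strtoll() overflow is not detected (errno is not checked for ERANGE), and ll is then assigned to a size_t, so on a platform with a 32-bit size_t a value above 4 GiB that passed the range check is silently truncated to a different rotation size. Check ERANGE after strtoll() and reject values that exceed SIZE_MAX. An empty filesz: line also parses as 0 because *dummy is already '\0', which is probably acceptable but worth noting in the man page. The three distinct failure codes (-2, 1, -1) should be documented in au_control(3), and MIN_AUDIT_FILE_SIZE is used here without being defined in this patch, so confirm it is visible through the included headers on every supported platform.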

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#7 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $
.\"
.Dd April 19, 2005
.Dt LIBBSM 3
@ -84,6 +84,7 @@ database:
.Xr endac 3 ,
.Xr setac 3 ,
.Xr getacdir 3 ,
.Xr getacfilesz 3 ,
.Xr getacflg 3 ,
.Xr getacmin 3 ,
.Xr getacna 3 ,

View File

@ -1,4 +1,5 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -25,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#11 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $
.\"
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
@ -66,6 +67,12 @@ Not currently used as the value of 20 percent is chosen by the kernel.
.It Va policy
A list of global audit policy flags specifying various behaviors, such as
fail stop, auditing of paths and arguments, etc.
.It Va filesz
Maximum trail size in bytes; if set to a non-0 value, the audit daemon will
rotate the audit trail file at around this size.
Sizes less than the minimum trail size (default of 512K) will be rejected as
invalid.
If 0, trail files will not be automatically rotated based on file size.
.El
.Sh AUDIT FLAGS
Audit flags are a comma-delimited list of audit classes as defined in the
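Review bot: the filesz description should state that the value is a plain decimal byte count; getacfilesz() in this patch rejects any trailing characters, so suffixes such as 512K or 1M are invalid even though the text itself uses "512K" to describe the minimum. Saying "524288 bytes (512 KiB)" would avoid suggesting a syntax the parser does not accept. Minor: "non-0" should read "non-zero".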
@ -78,12 +85,14 @@ Event classes may be preceded by a prefix which changes their interpretation.
The following prefixes may be used for each class:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It (none)
Record both successful and failed events
.It +
Record successful events
.It -
Record failed events
.It ^
Record both successful and failed events
Record neither successful nor failed events
.It ^+
Do not record successful events
.It ^-
@ -146,6 +155,7 @@ flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0
.Ed
.Pp
The
@ -156,7 +166,8 @@ The
.Va policy
parameter specifies that the system should neither fail stop nor suspend
processes when the audit store fills.
will be audited.
The trail file will not be automatically rotated by the audit daemon based on
file size.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_control