Vendor import of OpenBSM 1.1 beta1, which incorporates the following

changes since the last imported OpenBSM release:

OpenBSM 1.1 beta 1

- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
  Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
  For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added.  It is configured in
  audit_control(5) with the expire-after parameter.  If there is no
  expire-after parameter in audit_control(5), the default, then the audit
  trail files are not expired and removed.  See audit_control(5) for
  more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
  partitions, rotate automatically at 2mb, and set the default policy to
  cnt,argv rather than cnt so that execve(2) arguments are captured if
  AUE_EXECVE events are audited.  These may provide more usable defaults for
  many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
  au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.

Obtained from:    TrustedBSD Project
Sponsored by:     Apple Inc.
This commit is contained in:
Robert Watson 2009-03-02 10:46:23 +00:00
parent a4bd134433
commit 694dcf49ac
28 changed files with 890 additions and 289 deletions

View File

@ -27,6 +27,7 @@ the development of OpenBSM:
Eric Hall
Xin LI
Stacey Son
Todd Heberlein
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
Software's FlexeLint tool were used to identify a number of bugs in the

21
NEWS
View File

@ -1,5 +1,24 @@
OpenBSM Version History
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
OpenBSM 1.1 alpha 5
- Stub libauditd(3) man page added.
@ -412,4 +431,4 @@ OpenBSM 1.0 alpha 1
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
$P4: //depot/projects/trustedbsd/openbsm/NEWS#27 $
$P4: //depot/projects/trustedbsd/openbsm/NEWS#32 $

4
README
View File

@ -1,4 +1,4 @@
OpenBSM 1.1 alpha 4
OpenBSM 1.1 beta 1
Introduction
@ -56,4 +56,4 @@ Information on TrustedBSD may be found on the TrustedBSD home page:
http://www.TrustedBSD.org/
$P4: //depot/projects/trustedbsd/openbsm/README#34 $
$P4: //depot/projects/trustedbsd/openbsm/README#35 $

View File

@ -1 +1 @@
OPENBSM_1_1_ALPHA_5
OPENBSM_1_1_BETA_1

View File

@ -1,4 +1,4 @@
.\" Copyright (c) 2004 Apple Inc.
.\" Copyright (c) 2004-2009 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -25,9 +25,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $
.\"
.Dd December 11, 2008
.Dd January 29, 2009
.Dt AUDIT 8
.Os
.Sh NAME
@ -35,7 +35,7 @@
.Nd audit management utility
.Sh SYNOPSIS
.Nm
.Fl i | n | s | t
.Fl e | i | n | s | t
.Sh DESCRIPTION
The
.Nm
@ -43,6 +43,10 @@ utility controls the state of the audit system.
One of the following flags is required as an argument to
.Nm :
.Bl -tag -width indent
.It Fl e
Forces the audit system to immediately remove audit log files that
meet the expiration criteria specified in the audit control file without
doing a log rotation.
.It Fl i
Initializes and starts auditing.
This option is currently for Mac OS X only
@ -53,6 +57,8 @@ to be configured to run under
.It Fl n
Forces the audit system to close the existing audit log file and rotate to
a new log file in a location specified in the audit control file.
Also, audit log files that meet the expiration criteria specified in the
audit control file will be removed.
.It Fl s
Specifies that the audit system should [re]synchronize its
configuration from the audit control file.

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2005-2008 Apple Inc.
* Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
@ -68,12 +68,15 @@ static int send_trigger(unsigned int);
#include "auditd_control.h"
/*
* XXX the following is temporary until this can be added to the kernel
* XXX The following are temporary until these can be added to the kernel
* audit.h header.
*/
#ifndef AUDIT_TRIGGER_INITIALIZE
#define AUDIT_TRIGGER_INITIALIZE 7
#endif
#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
#endif
static int
send_trigger(unsigned int trigger)
@ -125,7 +128,7 @@ static void
usage(void)
{
(void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
(void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n");
exit(-1);
}
@ -141,9 +144,13 @@ main(int argc, char **argv)
if (argc != 2)
usage();
while ((ch = getopt(argc, argv, "inst")) != -1) {
while ((ch = getopt(argc, argv, "einst")) != -1) {
switch(ch) {
case 'e':
trigger = AUDIT_TRIGGER_EXPIRE_TRAILS;
break;
case 'i':
trigger = AUDIT_TRIGGER_INITIALIZE;
break;

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2005 Apple Inc.
* Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
*/
#include <sys/types.h>
@ -236,3 +236,18 @@ audit_warn_tmpfile(void)
return (auditwarnlog(args));
}
/*
* Indicates that this trail file has expired and was removed.
*/
int
audit_warn_expired(char *filename)
{
char *args[3];
args[0] = EXPIRED_WARN;
args[1] = filename;
args[2] = NULL;
return (auditwarnlog(args));
}

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2004-2008 Apple Inc.
* Copyright (c) 2004-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $
*/
#include <sys/types.h>
@ -67,12 +67,16 @@
#endif
/*
* XXX the following is temporary until this can be added to the kernel
* XXX The following are temporary until these can be added to the kernel
* audit.h header.
*/
#ifndef AUDIT_TRIGGER_INITIALIZE
#define AUDIT_TRIGGER_INITIALIZE 7
#endif
#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
#endif
/*
* LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and
@ -166,7 +170,7 @@ close_lastfile(char *TS)
/* Rename the last file -- append timestamp. */
if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
strlcpy(ptr, TS, TIMESTAMP_LEN);
memcpy(ptr, TS, POSTFIX_LEN);
if (rename(oldname, lastfile) != 0)
auditd_log_err(
"Could not rename %s to %s: %m", oldname,
@ -275,6 +279,14 @@ do_trail_file(void)
return (-1);
}
/*
* Finally, see if there are any trail files to expire.
*/
err = auditd_expire_trails(audit_warn_expired);
if (err)
auditd_log_err("auditd_expire_trails(): %s",
auditd_strerror(err));
return (0);
}
@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger)
audit_setup();
break;
case AUDIT_TRIGGER_EXPIRE_TRAILS:
auditd_log_info("Got audit expire trails trigger");
err = auditd_expire_trails(audit_warn_expired);
if (err)
auditd_log_err("auditd_expire_trails(): %s",
auditd_strerror(err));
break;
default:
auditd_log_err("Got unknown trigger %d", trigger);
break;
@ -669,13 +689,18 @@ auditd_config_controls(void)
*/
err = auditd_set_host();
if (err) {
auditd_log_err("auditd_set_host() %s: %m",
auditd_strerror(err));
ret = -1;
if (err == ADE_PARSE) {
auditd_log_notice(
"audit_control(5) may be missing 'host:' field");
} else {
auditd_log_err("auditd_set_host() %s: %m",
auditd_strerror(err));
ret = -1;
}
} else
auditd_log_debug(
"Set audit host address information in kernel.");
return (ret);
}

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2005 Apple Inc.
* Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
*/
#ifndef _AUDITD_H_
@ -57,6 +57,7 @@
#define POSTSIGTERM_WARN "postsigterm"
#define SOFTLIM_WARN "soft"
#define TMPFILE_WARN "tmpfile"
#define EXPIRED_WARN "expired"
#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
#define AUDITD_PIDFILE "/var/run/auditd.pid"
@ -76,6 +77,7 @@ int audit_warn_nostart(void);
int audit_warn_postsigterm(void);
int audit_warn_soft(char *filename);
int audit_warn_tmpfile(void);
int audit_warn_expired(char *filename);
void auditd_openlog(int debug, gid_t gid);
void auditd_log_err(const char *fmt, ...);

View File

@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#3 $
* $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $
*/
#ifndef _BSM_AUDITD_LIB_H_
@ -81,12 +81,14 @@
#define ADE_INVAL -16 /* Invalid argument. */
#define ADE_GETADDR -17 /* Error resolving address from hostname. */
#define ADE_ADDRFAM -18 /* Address family not supported. */
#define ADE_EXPIRE -19 /* Error expiring audit trail files. */
/*
* auditd_lib functions.
*/
const char *auditd_strerror(int errcode);
int auditd_set_minfree(void);
int auditd_expire_trails(int (*warn_expired)(char *));
int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
void auditd_close_dirs(void);
int auditd_set_evcmap(void);

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2004-2008 Apple Inc.
* Copyright (c) 2004-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#41 $
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#42 $
*/
#ifndef _LIBBSM_H_
@ -76,13 +76,14 @@
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
#define AUDIT_USER_FILE "/etc/security/audit_user"
#define DIR_CONTROL_ENTRY "dir"
#define MINFREE_CONTROL_ENTRY "minfree"
#define FILESZ_CONTROL_ENTRY "filesz"
#define FLAGS_CONTROL_ENTRY "flags"
#define NA_CONTROL_ENTRY "naflags"
#define POLICY_CONTROL_ENTRY "policy"
#define DIR_CONTROL_ENTRY "dir"
#define MINFREE_CONTROL_ENTRY "minfree"
#define FILESZ_CONTROL_ENTRY "filesz"
#define FLAGS_CONTROL_ENTRY "flags"
#define NA_CONTROL_ENTRY "naflags"
#define POLICY_CONTROL_ENTRY "policy"
#define AUDIT_HOST_CONTROL_ENTRY "host"
#define EXPIRE_AFTER_CONTROL_ENTRY "expire-after"
#define AU_CLASS_NAME_MAX 8
#define AU_CLASS_DESC_MAX 72
@ -766,6 +767,7 @@ int getacflg(char *auditstr, int len);
int getacna(char *auditstr, int len);
int getacpol(char *auditstr, size_t len);
int getachost(char *auditstr, size_t len);
int getacexpire(int *andflg, time_t *age, size_t *size);
int getauditflagsbin(char *auditstr, au_mask_t *masks);
int getauditflagschar(char *auditstr, au_mask_t *masks,
int verbose);

20
configure vendored
View File

@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.61 for OpenBSM 1.1alpha5.
# Generated by GNU Autoconf 2.61 for OpenBSM 1.1beta1.
#
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
#
@ -729,8 +729,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='OpenBSM'
PACKAGE_TARNAME='openbsm'
PACKAGE_VERSION='1.1alpha5'
PACKAGE_STRING='OpenBSM 1.1alpha5'
PACKAGE_VERSION='1.1beta1'
PACKAGE_STRING='OpenBSM 1.1beta1'
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
ac_unique_file="bin/auditreduce/auditreduce.c"
@ -1404,7 +1404,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures OpenBSM 1.1alpha5 to adapt to many kinds of systems.
\`configure' configures OpenBSM 1.1beta1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1474,7 +1474,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of OpenBSM 1.1alpha5:";;
short | recursive ) echo "Configuration of OpenBSM 1.1beta1:";;
esac
cat <<\_ACEOF
@ -1580,7 +1580,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
OpenBSM configure 1.1alpha5
OpenBSM configure 1.1beta1
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@ -1594,7 +1594,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by OpenBSM $as_me 1.1alpha5, which was
It was created by OpenBSM $as_me 1.1beta1, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@ -19076,7 +19076,7 @@ fi
# Define the identity of the package.
PACKAGE=OpenBSM
VERSION=1.1alpha5
VERSION=1.1beta1
cat >>confdefs.h <<_ACEOF
@ -23584,7 +23584,7 @@ exec 6>&1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by OpenBSM $as_me 1.1alpha5, which was
This file was extended by OpenBSM $as_me 1.1beta1, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -23637,7 +23637,7 @@ Report bugs to <bug-autoconf@gnu.org>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
OpenBSM config.status 1.1alpha5
OpenBSM config.status 1.1beta1
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"

View File

@ -2,8 +2,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
AC_INIT([OpenBSM], [1.1alpha5], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 $])
AC_INIT([OpenBSM], [1.1beta1], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#50 $])
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_HEADER([config/config.h])

View File

@ -1,9 +1,9 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $
#
dir:/var/audit
flags:lo
minfree:20
minfree:5
naflags:lo
policy:cnt
filesz:0
policy:cnt,argv
filesz:2097152

View File

@ -1,5 +1,5 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#34 $
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#36 $
#
# The mapping between event identifiers and values is also hard-coded in
# audit_kevents.h and audit_uevents.h, so changes must occur in both places,
@ -490,7 +490,7 @@
43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
43131:AUE_MAC_EXECVE:mac_exeve(2):ex,pc
43131:AUE_MAC_EXECVE:mac_execve(2):ex,pc
43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
43134:AUE_MQ_OPEN:mq_open(2):ip
@ -551,6 +551,8 @@
43189:AUE_CAP_GETMODE:cap_getmode(2):pc
43190:AUE_POSIX_SPAWN:posix_spawn(2):pc
43191:AUE_FSGETPATH:fsgetpath(2):ot
43192:AUE_PREAD:pread(2):no
43193:AUE_PWRITE:pwrite(2):no
#
# Solaris userspace events.
#

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2008 Apple Inc.
* Copyright (c) 2008-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#2 $
* $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#7 $
*/
#include <sys/param.h>
@ -52,6 +52,7 @@
#include <bsm/auditd_lib.h>
#include <bsm/libbsm.h>
#include <dirent.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
@ -77,6 +78,11 @@
#define AUDIT_HARD_LIMIT_FREE_BLOCKS 4
#endif
/*
* Number of seconds to January 1, 2000
*/
#define JAN_01_2000 946598400
struct dir_ent {
char *dirname;
uint8_t softlim;
@ -85,7 +91,19 @@ struct dir_ent {
};
static TAILQ_HEAD(, dir_ent) dir_q;
static int minval = -1;
struct audit_trail {
time_t at_time;
char *at_path;
off_t at_size;
TAILQ_ENTRY(audit_trail) at_trls;
};
static int auditd_minval = -1;
static char auditd_host[MAXHOSTNAMELEN];
static int auditd_hostlen = -1;
static char *auditd_errmsg[] = {
"no error", /* ADE_NOERR ( 0) */
@ -107,6 +125,7 @@ static char *auditd_errmsg[] = {
"invalid argument", /* ADE_INVAL (16) */
"could not resolve hostname to address", /* ADE_GETADDR (17) */
"address family not supported", /* ADE_ADDRFAM (18) */
"error expiring audit trail files", /* ADE_EXPIRE (19) */
};
#define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
@ -165,7 +184,13 @@ affixdir(char *name, struct dir_ent *dirent)
return (NULL);
}
asprintf(&fn, "%s/%s", dirent->dirname, name);
/*
* If the host is set then also add the hostname to the filename.
*/
if (auditd_hostlen != -1)
asprintf(&fn, "%s/%s.%s", dirent->dirname, name, auditd_host);
else
asprintf(&fn, "%s/%s", dirent->dirname, name);
return (fn);
}
@ -204,16 +229,14 @@ insert_orderly(struct dir_ent *denew)
int
auditd_set_host(void)
{
char hoststr[MAXHOSTNAMELEN];
struct sockaddr_in6 *sin6;
struct sockaddr_in *sin;
struct addrinfo *res;
struct auditinfo_addr aia;
int error, ret = ADE_NOERR;
if (getachost(hoststr, MAXHOSTNAMELEN) != 0) {
ret = ADE_PARSE;
if (getachost(auditd_host, sizeof(auditd_host)) != 0) {
ret = ADE_PARSE;
/*
* To maintain reverse compatability with older audit_control
@ -229,7 +252,8 @@ auditd_set_host(void)
ret = ADE_AUDITON;
return (ret);
}
error = getaddrinfo(hoststr, NULL, NULL, &res);
auditd_hostlen = strlen(auditd_host);
error = getaddrinfo(auditd_host, NULL, NULL, &res);
if (error)
return (ADE_GETADDR);
switch (res->ai_family) {
@ -271,14 +295,14 @@ auditd_set_minfree(void)
{
au_qctrl_t qctrl;
if (getacmin(&minval) != 0)
if (getacmin(&auditd_minval) != 0)
return (ADE_PARSE);
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0)
return (ADE_AUDITON);
if (qctrl.aq_minfree != minval) {
qctrl.aq_minfree = minval;
if (qctrl.aq_minfree != auditd_minval) {
qctrl.aq_minfree = auditd_minval;
if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0)
return (ADE_AUDITON);
}
@ -286,10 +310,260 @@ auditd_set_minfree(void)
return (0);
}
/*
* Convert a trailname into a timestamp (seconds). Return 0 if the conversion
* was successful.
*/
static int
trailname_to_tstamp(char *fn, time_t *tstamp)
{
struct tm tm;
char ts[TIMESTAMP_LEN];
char *p;
*tstamp = 0;
/*
* Get the ending time stamp.
*/
if ((p = strchr(fn, '.')) == NULL)
return (1);
strlcpy(ts, ++p, TIMESTAMP_LEN);
if (strlen(ts) != POSTFIX_LEN)
return (1);
bzero(&tm, sizeof(tm));
/* seconds (0-60) */
p = ts + POSTFIX_LEN - 2;
tm.tm_sec = atol(p);
if (tm.tm_sec < 0 || tm.tm_sec > 60)
return (1);
/* minutes (0-59) */
*p = '\0'; p -= 2;
tm.tm_min = atol(p);
if (tm.tm_min < 0 || tm.tm_min > 59)
return (1);
/* hours (0 - 23) */
*p = '\0'; p -= 2;
tm.tm_hour = atol(p);
if (tm.tm_hour < 0 || tm.tm_hour > 23)
return (1);
/* day of month (1-31) */
*p = '\0'; p -= 2;
tm.tm_mday = atol(p);
if (tm.tm_mday < 1 || tm.tm_mday > 31)
return (1);
/* month (0 - 11) */
*p = '\0'; p -= 2;
tm.tm_mon = atol(p) - 1;
if (tm.tm_mon < 0 || tm.tm_mon > 11)
return (1);
/* year (year - 1900) */
*p = '\0'; p -= 4;
tm.tm_year = atol(p) - 1900;
if (tm.tm_year < 0)
return (1);
*tstamp = timegm(&tm);
return (0);
}
/*
* Remove audit trails files according to the expiration conditions. Returns:
* ADE_NOERR on success or there is nothing to do.
* ADE_PARSE if error parsing audit_control(5).
* ADE_NOMEM if could not allocate memory.
* ADE_EXPIRE if there was an unespected error.
*/
int
auditd_expire_trails(int (*warn_expired)(char *))
{
int andflg, ret = ADE_NOERR;
size_t expire_size, total_size = 0L;
time_t expire_age, oldest_time, current_time = time(NULL);
struct dir_ent *traildir;
struct audit_trail *at;
char *afnp, *pn;
TAILQ_HEAD(au_trls_head, audit_trail) head =
TAILQ_HEAD_INITIALIZER(head);
struct stat stbuf;
char activefn[MAXPATHLEN];
/*
* Read the expiration conditions. If no conditions then return no
* error.
*/
if (getacexpire(&andflg, &expire_age, &expire_size) < 0)
return (ADE_PARSE);
if (!expire_age && !expire_size)
return (ADE_NOERR);
/*
* Read the 'current' trail file name. Trim off directory path.
*/
activefn[0] = '\0';
readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);
if ((afnp = strrchr(activefn, '/')) != NULL)
afnp++;
/*
* Build tail queue of the trail files.
*/
TAILQ_FOREACH(traildir, &dir_q, dirs) {
DIR *dirp;
struct dirent *dp;
dirp = opendir(traildir->dirname);
while ((dp = readdir(dirp)) != NULL) {
time_t tstamp = 0;
struct audit_trail *new;
/*
* Quickly filter non-trail files.
*/
if (dp->d_namlen != (FILENAME_LEN - 1) ||
#ifdef DT_REG
dp->d_type != DT_REG ||
#endif
dp->d_name[POSTFIX_LEN] != '.')
continue;
if (asprintf(&pn, "%s/%s", traildir->dirname,
dp->d_name) < 0) {
ret = ADE_NOMEM;
break;
}
if (stat(pn, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
free(pn);
continue;
}
total_size += stbuf.st_size;
/*
* If this is the 'current' audit trail then
* don't add it to the tail queue.
*/
if (NULL != afnp &&
strncmp(dp->d_name, afnp, FILENAME_LEN) == 0) {
free(pn);
continue;
}
/*
* Get the ending time stamp encoded in the trail
* name. If we can't read it or if it is older
* than Jan 1, 2000 then use the mtime.
*/
if (trailname_to_tstamp(dp->d_name, &tstamp) != 0 ||
tstamp < JAN_01_2000)
tstamp = stbuf.st_mtime;
/*
* If the time stamp is older than Jan 1, 2000 then
* update the mtime of the trail file to the current
* time. This is so we don't prematurely remove a trail
* file that was created while the system clock reset
* to the * "beginning of time" but later the system
* clock is set to the correct current time.
*/
if (current_time >= JAN_01_2000 &&
tstamp < JAN_01_2000) {
struct timeval tv[2];
tstamp = stbuf.st_mtime = current_time;
TIMESPEC_TO_TIMEVAL(&tv[0],
&stbuf.st_atimespec);
TIMESPEC_TO_TIMEVAL(&tv[1],
&stbuf.st_mtimespec);
utimes(pn, tv);
}
/*
* Allocate and populate the new entry.
*/
new = malloc(sizeof(*new));
if (NULL == new) {
free(pn);
ret = ADE_NOMEM;
break;
}
new->at_time = tstamp;
new->at_size = stbuf.st_size;
new->at_path = pn;
/*
* Check to see if we have a new head. Otherwise,
* walk the tailq from the tail first and do a simple
* insertion sort.
*/
if (TAILQ_EMPTY(&head) ||
(new->at_time <= TAILQ_FIRST(&head)->at_time)) {
TAILQ_INSERT_HEAD(&head, new, at_trls);
continue;
}
TAILQ_FOREACH_REVERSE(at, &head, au_trls_head, at_trls)
if (new->at_time >= at->at_time) {
TAILQ_INSERT_AFTER(&head, at, new,
at_trls);
break;
}
}
}
oldest_time = current_time - expire_age;
/*
* Expire trail files, oldest (mtime) first, if the given
* conditions are met.
*/
at = TAILQ_FIRST(&head);
while (NULL != at) {
struct audit_trail *at_next = TAILQ_NEXT(at, at_trls);
if (andflg) {
if ((expire_size && total_size > expire_size) &&
(expire_age && at->at_time < oldest_time)) {
if (warn_expired)
(*warn_expired)(at->at_path);
if (unlink(at->at_path) < 0)
ret = ADE_EXPIRE;
total_size -= at->at_size;
}
} else {
if ((expire_size && total_size > expire_size) ||
(expire_age && at->at_time < oldest_time)) {
if (warn_expired)
(*warn_expired)(at->at_path);
if (unlink(at->at_path) < 0)
ret = ADE_EXPIRE;
total_size -= at->at_size;
}
}
free(at->at_path);
free(at);
at = at_next;
}
return (ret);
}
/*
* Parses the "dir" entry in audit_control(5) into an ordered list. Also, will
* set the minfree value if not already set. Arguments include function
* pointers to audit_warn functions for soft and hard limits. Returns:
* set the minfree and host values if not already set. Arguments include
* function pointers to audit_warn functions for soft and hard limits. Returns:
* ADE_NOERR on success,
* ADE_PARSE error parsing audit_control(5),
* ADE_AUDITON error getting/setting auditon(2) value,
@ -309,9 +583,12 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
int scnt = 0;
int hcnt = 0;
if (minval == -1 && (err = auditd_set_minfree()) != 0)
if (auditd_minval == -1 && (err = auditd_set_minfree()) != 0)
return (err);
if (auditd_hostlen == -1)
auditd_set_host();
/*
* Init directory q. Force a re-read of the file the next time.
*/
@ -329,7 +606,8 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
if (statfs(cur_dir, &sfs) < 0)
continue; /* XXX should warn */
soft = (sfs.f_bfree < (sfs.f_blocks / (100 / minval))) ? 1 : 0;
soft = (sfs.f_bfree < (sfs.f_blocks / (100 / auditd_minval))) ?
1 : 0;
hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
if (soft) {
if (warn_soft)
@ -367,7 +645,8 @@ void
auditd_close_dirs(void)
{
free_dir_q();
minval = -1;
auditd_minval = -1;
auditd_hostlen = -1;
}
@ -549,7 +828,7 @@ auditd_swap_trail(char *TS, char **newfile, gid_t gid,
}
/* Try until we succeed. */
while ((dirent = TAILQ_FIRST(&dir_q))) {
TAILQ_FOREACH(dirent, &dir_q, dirs) {
if (dirent->hardlim)
continue;
if ((fn = affixdir(timestr, dirent)) == NULL)
@ -606,6 +885,28 @@ auditd_swap_trail(char *TS, char **newfile, gid_t gid,
* ADE_NOERR on success,
* ADE_SETAUDIT if setaudit(2) fails.
*/
#ifdef __APPLE__
int
auditd_prevent_audit(void)
{
auditinfo_addr_t aia;
/*
* To prevent event feedback cycles and avoid audit becoming stalled if
* auditing is suspended we mask this processes events from being
* audited. We allow the uid, tid, and mask fields to be implicitly
* set to zero, but do set the audit session ID to the PID.
*
* XXXRW: Is there more to it than this?
*/
bzero(&aia, sizeof(aia));
aia.ai_asid = AU_ASSIGN_ASID;
aia.ai_termid.at_type = AU_IPv4;
if (setaudit_addr(&aia, sizeof(aia)) != 0)
return (ADE_SETAUDIT);
return (ADE_NOERR);
}
#else
int
auditd_prevent_audit(void)
{
@ -625,6 +926,7 @@ auditd_prevent_audit(void)
return (ADE_SETAUDIT);
return (ADE_NOERR);
}
#endif /* __APPLE__ */
/*
* Generate and submit audit record for audit startup or shutdown. The event
@ -713,7 +1015,7 @@ auditd_new_curlink(char *curfile)
strlcpy(newname, recoveredname, MAXPATHLEN);
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
strlcpy(ptr, CRASH_RECOVERY, TIMESTAMP_LEN);
memcpy(ptr, CRASH_RECOVERY, POSTFIX_LEN);
if (rename(recoveredname, newname) != 0)
return (ADE_RENAME);
} else
@ -750,9 +1052,10 @@ int
audit_quick_start(void)
{
int err;
char *newfile;
char *newfile = NULL;
time_t tt;
char TS[TIMESTAMP_LEN];
int ret = 0;
/*
* Mask auditing of this process.
@ -773,20 +1076,26 @@ audit_quick_start(void)
if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
return (-1);
err = auditd_swap_trail(TS, &newfile, getgid(), NULL);
if (err != ADE_NOERR && err != ADE_ACTL)
return (-1);
if (err != ADE_NOERR && err != ADE_ACTL) {
ret = -1;
goto out;
}
/*
* Add the current symlink and recover from crash, if needed.
*/
if (auditd_new_curlink(newfile) != 0)
return(-1);
if (auditd_new_curlink(newfile) != 0) {
ret = -1;
goto out;
}
/*
* At this point auditing has started so generate audit start-up record.
*/
if (auditd_gen_record(AUE_audit_startup, NULL) != 0)
return (-1);
if (auditd_gen_record(AUE_audit_startup, NULL) != 0) {
ret = -1;
goto out;
}
/*
* Configure the audit controls.
@ -798,7 +1107,11 @@ audit_quick_start(void)
(void) auditd_set_minfree();
(void) auditd_set_host();
return (0);
out:
if (newfile != NULL)
free(newfile);
return (ret);
}
/*
@ -855,7 +1168,7 @@ audit_quick_stop(void)
strlcpy(newname, oldname, len);
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
strlcpy(ptr, TS, TIMESTAMP_LEN);
memcpy(ptr, TS, POSTFIX_LEN);
if (rename(oldname, newname) != 0)
return (-1);
} else

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#9 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#10 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
@ -33,6 +33,7 @@
.Nm endac ,
.Nm getacdir ,
.Nm getacmin ,
.Nm getacexpire ,
.Nm getacfilesz ,
.Nm getacflg ,
.Nm getacna ,
@ -53,6 +54,8 @@
.Ft int
.Fn getacmin "int *min_val"
.Ft int
.Fn getacexpire "int *andflg, time_t *age, size_t *size"
.Ft int
.Fn getacfilesz "size_t *size_val"
.Ft int
.Fn getacflg "char *auditstr" "int len"
@ -101,6 +104,24 @@ the passed
variable.
.Pp
The
.Fn getacexpire
function
returns the audit trail file expiration parameters in the passed
.Vt int
buffer
.Fa andflg ,
.Vt time_t
buffer
.Fa age
and
.Vt size_t
buffer
.Fa size .
If the parameter is not specified in the
.Xr audit_control 5
file it is set to zero.
.Pp
The
.Fn getacfilesz
function
returns the audit trail rotation size in the passed
@ -153,6 +174,7 @@ to a numeric audit policy mask returned via
The
.Fn getacdir ,
.Fn getacmin ,
.Fn getacexpire ,
.Fn getacflg ,
.Fn getacna ,
.Fn getacpol ,

View File

@ -26,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_domain.3#1 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_domain.3#2 $
.\"
.Dd December 28, 2008
.Dt AU_BSM_TO_DOMAIN 3
@ -59,6 +59,7 @@ This call will fail if the BSM domain cannot be mapped into a local domain,
which may occur if the socket token was generated on another operating
system.
.Pp
The
.Fn au_domain_to_bsm
function accepts a local domain, and returns the BSM domain for it.
This call cannot fail, and instead returns a BSM domain indicating to a later

View File

@ -26,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_errno.3#3 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_errno.3#4 $
.\"
.Dd December 8, 2008
.Dt AU_BSM_TO_ERRNO 3
@ -64,6 +64,7 @@ This call will fail if the BSM error cannot be mapped into a local error
number, which may occur if the return token was generated on another
operating system.
.Pp
The
.Fn au_errno_to_bsm
function accepts a local
.Xr errno 2
@ -73,7 +74,7 @@ a later decoder that the error could not be encoded.
.Pp
The
.Fn au_strerror
converts a BSM error value to a string, generally by converting first to a
function converts a BSM error value to a string, generally by converting first to a
local error number and using the local
.Xr strerror 3
function, but will also work for errors that are not locally defined.

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2004 Apple Inc.
* Copyright (c) 2004,2009 Apple Inc.
* Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
@ -27,13 +27,14 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#24 $
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#28 $
*/
#include <config/config.h>
#include <bsm/libbsm.h>
#include <ctype.h>
#include <errno.h>
#include <string.h>
#ifdef HAVE_PTHREAD_MUTEX_LOCK
@ -64,6 +65,32 @@ static char ptrmoved = 0;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
#endif
/*
* Audit policy string token table for au_poltostr() and au_strtopol().
*/
struct audit_polstr {
long ap_policy;
const char *ap_str;
};
static struct audit_polstr au_polstr[] = {
{ AUDIT_CNT, "cnt" },
{ AUDIT_AHLT, "ahlt" },
{ AUDIT_ARGV, "argv" },
{ AUDIT_ARGE, "arge" },
{ AUDIT_SEQ, "seq" },
{ AUDIT_WINDATA, "windata" },
{ AUDIT_USER, "user" },
{ AUDIT_GROUP, "group" },
{ AUDIT_TRAIL, "trail" },
{ AUDIT_PATH, "path" },
{ AUDIT_SCNT, "scnt" },
{ AUDIT_PUBLIC, "public" },
{ AUDIT_ZONENAME, "zonename" },
{ AUDIT_PERZONE, "perzone" },
{ -1, NULL }
};
/*
* Returns the string value corresponding to the given label from the
* configuration file.
@ -111,6 +138,82 @@ getstrfromtype_locked(char *name, char **str)
}
}
/*
* Convert a given time value with a multiplier (seconds, hours, days, years) to
* seconds. Return 0 on success.
*/
static int
au_timetosec(time_t *seconds, u_long value, char mult)
{
if (NULL == seconds)
return (-1);
switch(mult) {
case 's':
/* seconds */
*seconds = (time_t)value;
break;
case 'h':
/* hours */
*seconds = (time_t)value * 60 * 60;
break;
case 'd':
/* days */
*seconds = (time_t)value * 60 * 60 * 24;
break;
case 'y':
/* years. Add a day for each 4th (leap) year. */
*seconds = (time_t)value * 60 * 60 * 24 * 364 +
((time_t)value / 4) * 60 * 60 * 24;
break;
default:
return (-1);
}
return (0);
}
/*
* Convert a given disk space value with a multiplier (bytes, kilobytes,
* megabytes, gigabytes) to bytes. Return 0 on success.
*/
static int
au_spacetobytes(size_t *bytes, u_long value, char mult)
{
if (NULL == bytes)
return (-1);
switch(mult) {
case 'B':
case ' ':
/* Bytes */
*bytes = (size_t)value;
break;
case 'K':
/* Kilobytes */
*bytes = (size_t)value * 1024;
break;
case 'M':
/* Megabytes */
*bytes = (size_t)value * 1024 * 1024;
break;
case 'G':
/* Gigabytes */
*bytes = (size_t)value * 1024 * 1024 * 1024;
break;
default:
return (-1);
}
return (0);
}
/*
* Convert a policy to a string. Return -1 on failure, or >= 0 representing
* the actual size of the string placed in the buffer (excluding terminating
@ -119,135 +222,24 @@ getstrfromtype_locked(char *name, char **str)
ssize_t
au_poltostr(long policy, size_t maxsize, char *buf)
{
int first;
int first = 1;
int i = 0;
if (maxsize < 1)
return (-1);
first = 1;
buf[0] = '\0';
if (policy & AUDIT_CNT) {
if (strlcat(buf, "cnt", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_AHLT) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
do {
if (policy & au_polstr[i].ap_policy) {
if (!first && strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "ahlt", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_ARGV) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
if (strlcat(buf, au_polstr[i].ap_str, maxsize) >=
maxsize)
return (-1);
first = 0;
}
if (strlcat(buf, "argv", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_ARGE) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "arge", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_SEQ) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "seq", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_WINDATA) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "windata", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_USER) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "user", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_GROUP) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "group", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_TRAIL) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "trail", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_PATH) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "path", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_SCNT) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "scnt", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_PUBLIC) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "public", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_ZONENAME) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "zonename", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_PERZONE) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "perzone", maxsize) >= maxsize)
return (-1);
first = 0;
}
} while (NULL != au_polstr[++i].ap_str);
return (strlen(buf));
}
@ -260,6 +252,7 @@ au_strtopol(const char *polstr, long *policy)
{
char *bufp, *string;
char *buffer;
int i, matched;
*policy = 0;
buffer = strdup(polstr);
@ -268,35 +261,17 @@ au_strtopol(const char *polstr, long *policy)
bufp = buffer;
while ((string = strsep(&bufp, ",")) != NULL) {
if (strcmp(string, "cnt") == 0)
*policy |= AUDIT_CNT;
else if (strcmp(string, "ahlt") == 0)
*policy |= AUDIT_AHLT;
else if (strcmp(string, "argv") == 0)
*policy |= AUDIT_ARGV;
else if (strcmp(string, "arge") == 0)
*policy |= AUDIT_ARGE;
else if (strcmp(string, "seq") == 0)
*policy |= AUDIT_SEQ;
else if (strcmp(string, "winau_fstat") == 0)
*policy |= AUDIT_WINDATA;
else if (strcmp(string, "user") == 0)
*policy |= AUDIT_USER;
else if (strcmp(string, "group") == 0)
*policy |= AUDIT_GROUP;
else if (strcmp(string, "trail") == 0)
*policy |= AUDIT_TRAIL;
else if (strcmp(string, "path") == 0)
*policy |= AUDIT_PATH;
else if (strcmp(string, "scnt") == 0)
*policy |= AUDIT_SCNT;
else if (strcmp(string, "public") == 0)
*policy |= AUDIT_PUBLIC;
else if (strcmp(string, "zonename") == 0)
*policy |= AUDIT_ZONENAME;
else if (strcmp(string, "perzone") == 0)
*policy |= AUDIT_PERZONE;
else {
matched = i = 0;
do {
if (strcmp(string, au_polstr[i].ap_str) == 0) {
*policy |= au_polstr[i].ap_policy;
matched = 1;
break;
}
} while (NULL != au_polstr[++i].ap_str);
if (!matched) {
free(buffer);
errno = EINVAL;
return (-1);
@ -435,46 +410,65 @@ getacmin(int *min_val)
int
getacfilesz(size_t *filesz_val)
{
char *filesz, *dummy;
long long ll;
char *str;
size_t val;
char mult;
int nparsed;
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_lock(&mutex);
#endif
setac_locked();
if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &str) < 0) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (-2);
}
if (filesz == NULL) {
if (str == NULL) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
errno = EINVAL;
return (1);
}
ll = strtoll(filesz, &dummy, 10);
if (*dummy != '\0') {
/* Trim off any leading white space. */
while (*str == ' ' || *str == '\t')
str++;
nparsed = sscanf(str, "%ju%c", (uintmax_t *)&val, &mult);
switch (nparsed) {
case 1:
/* If no multiplier then assume 'B' (bytes). */
mult = 'B';
/* fall through */
case 2:
if (au_spacetobytes(filesz_val, val, mult) == 0)
break;
/* fall through */
default:
errno = EINVAL;
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
errno = EINVAL;
return (-1);
}
/*
* The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0
* indicates no rotation size.
*/
if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
if (*filesz_val < 0 || (*filesz_val > 0 &&
*filesz_val < MIN_AUDIT_FILE_SIZE)) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
filesz_val = 0L;
errno = EINVAL;
return (-1);
}
*filesz_val = ll;
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
@ -619,7 +613,109 @@ getachost(char *auditstr, size_t len)
#endif
return (-3);
}
strcpy(auditstr, str);
strlcpy(auditstr, str, len);
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (0);
}
/*
* Set expiration conditions.
*/
static int
setexpirecond(time_t *age, size_t *size, u_long value, char mult)
{
if (isupper(mult) || ' ' == mult)
return (au_spacetobytes(size, value, mult));
else
return (au_timetosec(age, value, mult));
}
/*
* Return the expire-after field from the audit control file.
*/
int
getacexpire(int *andflg, time_t *age, size_t *size)
{
char *str;
int nparsed;
u_long val1, val2;
char mult1, mult2;
char andor[AU_LINE_MAX];
*age = 0L;
*size = 0LL;
*andflg = 0;
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_lock(&mutex);
#endif
setac_locked();
if (getstrfromtype_locked(EXPIRE_AFTER_CONTROL_ENTRY, &str) < 0) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (-2);
}
if (str == NULL) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (1);
}
/* First, trim off any leading white space. */
while (*str == ' ' || *str == '\t')
str++;
nparsed = sscanf(str, "%lu%c%[ \tadnorADNOR]%lu%c", &val1, &mult1,
andor, &val2, &mult2);
switch (nparsed) {
case 1:
/* If no multiplier then assume 'B' (Bytes). */
mult1 = 'B';
/* fall through */
case 2:
/* One expiration condition. */
if (setexpirecond(age, size, val1, mult1) != 0) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (-1);
}
break;
case 5:
/* Two expiration conditions. */
if (setexpirecond(age, size, val1, mult1) != 0 ||
setexpirecond(age, size, val2, mult2) != 0) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (-1);
}
if (strcasestr(andor, "and") != NULL)
*andflg = 1;
else if (strcasestr(andor, "or") != NULL)
*andflg = 0;
else {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (-1);
}
break;
default:
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (-1);
}
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif

View File

@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#16 $
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#17 $
*/
#include <sys/types.h>
@ -494,7 +494,7 @@ static const struct bsm_errno bsm_errnos[] = {
#else
ERRNO_NO_LOCAL_MAPPING,
#endif
ES("Malfored Macho file") },
ES("Malformed Macho file") },
{ BSM_ERRNO_EPOLICY,
#ifdef EPOLICY
EPOLICY,

View File

@ -32,7 +32,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#60 $
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#61 $
*/
#include <sys/types.h>
@ -193,7 +193,7 @@ print_mem(FILE *fp, u_char *data, size_t len)
if (len > 0) {
fprintf(fp, "0x");
for (i = 0; i < len; i++)
fprintf(fp, "%x", data[i]);
fprintf(fp, "%02x", data[i]);
}
}

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2004-2008 Apple Inc.
* Copyright (c) 2004-2009 Apple Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
@ -30,7 +30,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#86 $
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#90 $
*/
#include <sys/types.h>
@ -168,7 +168,7 @@ au_to_attr32(struct vnode_au_info *vni)
token_t *t;
u_char *dptr = NULL;
u_int16_t pad0_16 = 0;
u_int16_t pad0_32 = 0;
u_int32_t pad0_32 = 0;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
@ -217,7 +217,7 @@ au_to_attr64(struct vnode_au_info *vni)
token_t *t;
u_char *dptr = NULL;
u_int16_t pad0_16 = 0;
u_int16_t pad0_32 = 0;
u_int32_t pad0_32 = 0;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
@ -487,7 +487,8 @@ au_to_ipc_perm(struct ipc_perm *perm)
u_char *dptr = NULL;
u_int16_t pad0 = 0;
GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
sizeof(u_int32_t));
if (t == NULL)
return (NULL);
@ -962,15 +963,15 @@ au_to_socket_ex(u_short so_domain, u_short so_type,
5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
else if (so_domain == AF_INET6)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t));
5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
else {
errno = EINVAL;
return (NULL);
}
ADD_U_CHAR(dptr, AUT_SOCKET_EX);
ADD_U_INT16(dptr, so_domain); /* XXXRW: explicitly convert? */
ADD_U_INT16(dptr, so_type); /* XXXRW: explicitly convert? */
ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
if (so_domain == AF_INET) {
ADD_U_INT16(dptr, AU_IPv4);
sin = (struct sockaddr_in *)sa_local;

View File

@ -1,4 +1,4 @@
.\" Copyright (c) 2004 Apple Inc.
.\" Copyright (c) 2004-2009 Apple Inc.
.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
.\"
@ -26,9 +26,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $
.\"
.Dd January 4, 2006
.Dd January 29, 2009
.Dt AUDIT_CONTROL 5
.Os
.Sh NAME
@ -86,6 +86,18 @@ rotate the audit trail file at around this size.
Sizes less than the minimum trail size (default of 512K) will be rejected as
invalid.
If 0, trail files will not be automatically rotated based on file size.
For convenience, the trail size may be expressed with suffix letters:
B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes).
For example, 2M is the same as 2097152.
.It Va expire-after
Specifies when audit log files will expire and be removed.
This may be after a time period has passed since the file was last
written to or when the aggregate of all the trail files have reached a
specified size or a combination of both.
If no expire-after parameter is given then audit log files with not
expire and be removed by the audit control system.
See the information below for the format of the expiration
specification.
.El
.Sh AUDIT FLAGS
Audit flags are a comma-delimited list of audit classes as defined in the
@ -170,6 +182,51 @@ flag but not
.Cm ahlt
flag unless it is intended that audit logs exceeding available disk space
halt the system.
.Sh AUDIT LOG EXPIRATION SPECIFICATION
The expiration specification can be one value or two values with the
logical conjunction of AND/OR between them.
Values for the audit log file age are numbers with the following
suffixes:
.Pp
.Bl -tag -width "(space) or" -compact -offset indent
.It Li s
Log file age in seconds.
.It Li h
Log file age in hours.
.It Li d
Log file age in days.
.It Li y
Log file age in years.
.El
.Pp
Values for the disk space used are numbers with the following suffixes:
.Pp
.Bl -tag -width "(space) or" -compact -offset indent
.It (space) or
.It Li B
Disk space used in Bytes.
.It Li K
Disk space used in Kilobytes.
.It Li M
Disk space used in Megabytes.
.It Li G
Disk space used in Gigabytes.
.El
.Pp
The suffixes on the values are case sensitive.
If both an age and disk space value are used they are seperated by
AND or OR and both values are used to determine when audit
log files expire.
In the case of AND, both the age and disk space conditions must be meet
before the log file is removed.
In the case of OR, either condition may expire the log file.
For example:
.Bd -literal -offset indent
expire-after: 60d AND 1G
.Ed
.Pp
will expire files that are older than 60 days but only if 1
gigabyte of disk space total is being used by the audit logs.
.Sh DEFAULT
The following settings appear in the default
.Nm
@ -177,10 +234,10 @@ file:
.Bd -literal -offset indent
dir:/var/audit
flags:lo
minfree:20
minfree:5
naflags:lo
policy:cnt
filesz:0
policy:cnt,argv
filesz:2097152
.Ed
.Pp
The
@ -190,9 +247,12 @@ events.
The
.Va policy
parameter specifies that the system should neither fail stop nor suspend
processes when the audit store fills.
The trail file will not be automatically rotated by the audit daemon based on
file size.
processes when the audit store fills and that command line arguments should
be audited for
.Dv AUE_EXECVE
events.
The trail file will be automatically rotated by the audit daemon when the
file size reaches approximately 2MB.
.Sh FILES
.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_control

View File

@ -1,4 +1,5 @@
.\"-
.\" Copyright (c) 2008-2009 Apple Inc.
.\" Copyright (c) 2005 Robert N. M. Watson
.\" Copyright (c) 2005 Tom Rhodes
.\" Copyright (c) 2005 Wayne J. Salamon
@ -25,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#14 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#15 $
.\"
.Dd July 10, 2008
.Dt AUDITON 2
@ -405,9 +406,15 @@ trigger values:
file),
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
(close the current log file and exit),
or
.Dv AUDIT_TRIGGER_NO_SPACE
(no disk space left for audit log file).
.Dv AUDIT_TRIGGER_ROTATE_USER
(request audit log file rotation).
.Dv AUDIT_TRIGGER_INITIALIZE
(initialize audit subsystem for Mac OS X only).
or
.Dv AUDIT_TRIGGER_EXPIRE_TRAILS
(request audit log file expiration).
.El
.Sh RETURN VALUES
.Rv -std

View File

@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#4 $
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#5 $
*/
#ifndef _BSM_AUDIT_H
@ -65,8 +65,9 @@
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */
#define AUDIT_TRIGGER_INITIALIZE 7 /* Initialize audit. */
#define AUDIT_TRIGGER_MAX 7
#define AUDIT_TRIGGER_INITIALIZE 7 /* User initialize of auditd. */
#define AUDIT_TRIGGER_EXPIRE_TRAILS 8 /* User expiration of trails. */
#define AUDIT_TRIGGER_MAX 8
/*
* The special device filename (FreeBSD).

View File

@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#4 $
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#5 $
*/
#ifndef _BSM_AUDIT_KEVENTS_H_
@ -586,6 +586,8 @@
#define AUE_CAP_GETMODE 43189 /* TrustedBSD. */
#define AUE_POSIX_SPAWN 43190 /* Darwin. */
#define AUE_FSGETPATH 43191 /* Darwin. */
#define AUE_PREAD 43192 /* Darwin/FreeBSD. */
#define AUE_PWRITE 43193 /* Darwin/FreeBSD. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
@ -657,7 +659,6 @@
/*
* Possible desired future values based on review of BSD/Darwin system calls.
*/
#define AUE_ACCESSEXTENDED AUE_NULL
#define AUE_ATGETMSG AUE_NULL
#define AUE_ATPUTMSG AUE_NULL
#define AUE_ATSOCKET AUE_NULL
@ -668,11 +669,9 @@
#define AUE_BSDTHREADCREATE AUE_NULL
#define AUE_BSDTHREADTERMINATE AUE_NULL
#define AUE_BSDTHREADREGISTER AUE_NULL
#define AUE_CHMODEXTENDED AUE_NULL
#define AUE_CHUD AUE_NULL
#define AUE_CSOPS AUE_NULL
#define AUE_DUP AUE_NULL
#define AUE_FCHMODEXTENDED AUE_NULL
#define AUE_FDATASYNC AUE_NULL
#define AUE_FFSCTL AUE_NULL
#define AUE_FGETATTRLIST AUE_NULL
@ -682,11 +681,10 @@
#define AUE_FSCTL AUE_NULL
#define AUE_FSETATTRLIST AUE_NULL
#define AUE_FSETXATTR AUE_NULL
#define AUE_FSTATEXTENDED AUE_NULL
#define AUE_FSTATFS64 AUE_NULL
#define AUE_FSTATV AUE_NULL
#define AUE_FSTAT64 AUE_NULL
#define AUE_FSTAT64EXTENDED AUE_NULL
#define AUE_FSTAT64_EXTENDED AUE_NULL
#define AUE_GCCONTROL AUE_NULL
#define AUE_GETDIRENTRIES64 AUE_NULL
#define AUE_GETDTABLESIZE AUE_NULL
@ -720,21 +718,15 @@
#define AUE_ISSETUGID AUE_NULL
#define AUE_LIOLISTIO AUE_NULL
#define AUE_LISTXATTR AUE_NULL
#define AUE_LSTATEXTENDED AUE_NULL
#define AUE_LSTATV AUE_NULL
#define AUE_LSTAT64 AUE_NULL
#define AUE_LSTAT64EXTENDED AUE_NULL
#define AUE_LSTAT64_EXTENDED AUE_NULL
#define AUE_MADVISE AUE_NULL
#define AUE_MINCORE AUE_NULL
#define AUE_MKCOMPLEX AUE_NULL
#define AUE_MKDIREXTENDED AUE_NULL
#define AUE_MKFIFOEXTENDED AUE_NULL
#define AUE_MODWATCH AUE_NULL
#define AUE_MSGCL AUE_NULL
#define AUE_MSYNC AUE_NULL
#define AUE_OPENEXTENDED AUE_NULL
#define AUE_PREAD AUE_NULL
#define AUE_PWRITE AUE_NULL
#define AUE_PREADV AUE_NULL
#define AUE_PROCINFO AUE_NULL
#define AUE_PTHREADCANCELED AUE_NULL
@ -778,15 +770,13 @@
#define AUE_SIGWAIT AUE_NULL
#define AUE_SSTK AUE_NULL
#define AUE_STACKSNAPSHOT AUE_NULL
#define AUE_STATEXTENDED AUE_NULL
#define AUE_STATFS64 AUE_NULL
#define AUE_STATV AUE_NULL
#define AUE_STAT64 AUE_NULL
#define AUE_STAT64EXTENDED AUE_NULL
#define AUE_STAT64_EXTENDED AUE_NULL
#define AUE_SYNC AUE_NULL
#define AUE_SYSCALL AUE_NULL
#define AUE_TABLE AUE_NULL
#define AUE_UMASKEXTENDED AUE_NULL
#define AUE_VMPRESSUREMONITOR AUE_NULL
#define AUE_WAITEVENT AUE_NULL
#define AUE_WAITID AUE_NULL

View File

@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#7 $
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#8 $
*/
#include <bsm/libbsm.h>
@ -80,6 +80,8 @@ audump_control(void)
char string[PATH_MAX], string2[PATH_MAX];
int ret, val;
long policy;
time_t age;
size_t size;
ret = getacflg(string, PATH_MAX);
if (ret == -2)
@ -126,6 +128,32 @@ audump_control(void)
if (au_poltostr(policy, PATH_MAX, string2) < 0)
err(-1, "au_poltostr");
printf("policy:%s\n", string2);
ret = getacfilesz(&size);
if (ret == -2)
err(-1, "getacfilesz");
if (ret != 0)
err(-1, "getacfilesz: %d", ret);
printf("filesz:%ldB\n", size);
ret = getachost(string, PATH_MAX);
if (ret == -2)
err(-1, "getachost");
if (ret == -3)
err(-1, "getachost: %d", ret);
if (ret == 0 && ret != 1)
printf("host:%s\n", string);
ret = getacexpire(&val, &age, &size);
if (ret == -2)
err(-1, "getacexpire");
if (ret == -1)
err(-1, "getacexpire: %d", ret);
if (ret == 0 && ret != 1)
printf("expire-after:%ldB %s %lds\n", size,
val ? "AND" : "OR", age);
}
static void