Vendor import of OpenBSM 1.1 beta1, which incorporates the following
changes since the last imported OpenBSM release: OpenBSM 1.1 beta 1 - The filesz parameter in audit_control(5) now accepts suffixes: 'B' for Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes. For legacy support no suffix defaults to bytes. - Audit trail log expiration support added. It is configured in audit_control(5) with the expire-after parameter. If there is no expire-after parameter in audit_control(5), the default, then the audit trail files are not expired and removed. See audit_control(5) for more information. - Change defaults in audit_control: warn at 5% rather than 20% free for audit partitions, rotate automatically at 2mb, and set the default policy to cnt,argv rather than cnt so that execve(2) arguments are captured if AUE_EXECVE events are audited. These may provide more usable defaults for many users. - Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert au_to_socket_ex(3) arguments to BSM format. - Fix error encoding AUT_IPC_PERM tokens. Obtained from: TrustedBSD Project Sponsored by: Apple Inc.
This commit is contained in:
parent
a4bd134433
commit
694dcf49ac
1
CREDITS
1
CREDITS
@ -27,6 +27,7 @@ the development of OpenBSM:
|
|||||||
Eric Hall
|
Eric Hall
|
||||||
Xin LI
|
Xin LI
|
||||||
Stacey Son
|
Stacey Son
|
||||||
|
Todd Heberlein
|
||||||
|
|
||||||
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
|
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
|
||||||
Software's FlexeLint tool were used to identify a number of bugs in the
|
Software's FlexeLint tool were used to identify a number of bugs in the
|
||||||
|
21
NEWS
21
NEWS
@ -1,5 +1,24 @@
|
|||||||
OpenBSM Version History
|
OpenBSM Version History
|
||||||
|
|
||||||
|
OpenBSM 1.1 beta 1
|
||||||
|
|
||||||
|
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
|
||||||
|
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
|
||||||
|
For legacy support no suffix defaults to bytes.
|
||||||
|
- Audit trail log expiration support added. It is configured in
|
||||||
|
audit_control(5) with the expire-after parameter. If there is no
|
||||||
|
expire-after parameter in audit_control(5), the default, then the audit
|
||||||
|
trail files are not expired and removed. See audit_control(5) for
|
||||||
|
more information.
|
||||||
|
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
|
||||||
|
partitions, rotate automatically at 2mb, and set the default policy to
|
||||||
|
cnt,argv rather than cnt so that execve(2) arguments are captured if
|
||||||
|
AUE_EXECVE events are audited. These may provide more usable defaults for
|
||||||
|
many users.
|
||||||
|
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
|
||||||
|
au_to_socket_ex(3) arguments to BSM format.
|
||||||
|
- Fix error encoding AUT_IPC_PERM tokens.
|
||||||
|
|
||||||
OpenBSM 1.1 alpha 5
|
OpenBSM 1.1 alpha 5
|
||||||
|
|
||||||
- Stub libauditd(3) man page added.
|
- Stub libauditd(3) man page added.
|
||||||
@ -412,4 +431,4 @@ OpenBSM 1.0 alpha 1
|
|||||||
to support reloading of kernel event table.
|
to support reloading of kernel event table.
|
||||||
- Allow comments in /etc/security configuration files.
|
- Allow comments in /etc/security configuration files.
|
||||||
|
|
||||||
$P4: //depot/projects/trustedbsd/openbsm/NEWS#27 $
|
$P4: //depot/projects/trustedbsd/openbsm/NEWS#32 $
|
||||||
|
4
README
4
README
@ -1,4 +1,4 @@
|
|||||||
OpenBSM 1.1 alpha 4
|
OpenBSM 1.1 beta 1
|
||||||
|
|
||||||
Introduction
|
Introduction
|
||||||
|
|
||||||
@ -56,4 +56,4 @@ Information on TrustedBSD may be found on the TrustedBSD home page:
|
|||||||
|
|
||||||
http://www.TrustedBSD.org/
|
http://www.TrustedBSD.org/
|
||||||
|
|
||||||
$P4: //depot/projects/trustedbsd/openbsm/README#34 $
|
$P4: //depot/projects/trustedbsd/openbsm/README#35 $
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
.\" Copyright (c) 2004 Apple Inc.
|
.\" Copyright (c) 2004-2009 Apple Inc.
|
||||||
.\" All rights reserved.
|
.\" All rights reserved.
|
||||||
.\"
|
.\"
|
||||||
.\" Redistribution and use in source and binary forms, with or without
|
.\" Redistribution and use in source and binary forms, with or without
|
||||||
@ -25,9 +25,9 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
|
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $
|
||||||
.\"
|
.\"
|
||||||
.Dd December 11, 2008
|
.Dd January 29, 2009
|
||||||
.Dt AUDIT 8
|
.Dt AUDIT 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -35,7 +35,7 @@
|
|||||||
.Nd audit management utility
|
.Nd audit management utility
|
||||||
.Sh SYNOPSIS
|
.Sh SYNOPSIS
|
||||||
.Nm
|
.Nm
|
||||||
.Fl i | n | s | t
|
.Fl e | i | n | s | t
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
@ -43,6 +43,10 @@ utility controls the state of the audit system.
|
|||||||
One of the following flags is required as an argument to
|
One of the following flags is required as an argument to
|
||||||
.Nm :
|
.Nm :
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
.It Fl e
|
||||||
|
Forces the audit system to immediately remove audit log files that
|
||||||
|
meet the expiration criteria specified in the audit control file without
|
||||||
|
doing a log rotation.
|
||||||
.It Fl i
|
.It Fl i
|
||||||
Initializes and starts auditing.
|
Initializes and starts auditing.
|
||||||
This option is currently for Mac OS X only
|
This option is currently for Mac OS X only
|
||||||
@ -53,6 +57,8 @@ to be configured to run under
|
|||||||
.It Fl n
|
.It Fl n
|
||||||
Forces the audit system to close the existing audit log file and rotate to
|
Forces the audit system to close the existing audit log file and rotate to
|
||||||
a new log file in a location specified in the audit control file.
|
a new log file in a location specified in the audit control file.
|
||||||
|
Also, audit log files that meet the expiration criteria specified in the
|
||||||
|
audit control file will be removed.
|
||||||
.It Fl s
|
.It Fl s
|
||||||
Specifies that the audit system should [re]synchronize its
|
Specifies that the audit system should [re]synchronize its
|
||||||
configuration from the audit control file.
|
configuration from the audit control file.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2005-2008 Apple Inc.
|
* Copyright (c) 2005-2009 Apple Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
@ -26,7 +26,7 @@
|
|||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
|
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Program to trigger the audit daemon with a message that is either:
|
* Program to trigger the audit daemon with a message that is either:
|
||||||
@ -68,12 +68,15 @@ static int send_trigger(unsigned int);
|
|||||||
#include "auditd_control.h"
|
#include "auditd_control.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* XXX the following is temporary until this can be added to the kernel
|
* XXX The following are temporary until these can be added to the kernel
|
||||||
* audit.h header.
|
* audit.h header.
|
||||||
*/
|
*/
|
||||||
#ifndef AUDIT_TRIGGER_INITIALIZE
|
#ifndef AUDIT_TRIGGER_INITIALIZE
|
||||||
#define AUDIT_TRIGGER_INITIALIZE 7
|
#define AUDIT_TRIGGER_INITIALIZE 7
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
|
||||||
|
#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
|
||||||
|
#endif
|
||||||
|
|
||||||
static int
|
static int
|
||||||
send_trigger(unsigned int trigger)
|
send_trigger(unsigned int trigger)
|
||||||
@ -125,7 +128,7 @@ static void
|
|||||||
usage(void)
|
usage(void)
|
||||||
{
|
{
|
||||||
|
|
||||||
(void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
|
(void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n");
|
||||||
exit(-1);
|
exit(-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -141,9 +144,13 @@ main(int argc, char **argv)
|
|||||||
if (argc != 2)
|
if (argc != 2)
|
||||||
usage();
|
usage();
|
||||||
|
|
||||||
while ((ch = getopt(argc, argv, "inst")) != -1) {
|
while ((ch = getopt(argc, argv, "einst")) != -1) {
|
||||||
switch(ch) {
|
switch(ch) {
|
||||||
|
|
||||||
|
case 'e':
|
||||||
|
trigger = AUDIT_TRIGGER_EXPIRE_TRAILS;
|
||||||
|
break;
|
||||||
|
|
||||||
case 'i':
|
case 'i':
|
||||||
trigger = AUDIT_TRIGGER_INITIALIZE;
|
trigger = AUDIT_TRIGGER_INITIALIZE;
|
||||||
break;
|
break;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2005 Apple Inc.
|
* Copyright (c) 2005-2009 Apple Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
@ -26,7 +26,7 @@
|
|||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
|
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -236,3 +236,18 @@ audit_warn_tmpfile(void)
|
|||||||
|
|
||||||
return (auditwarnlog(args));
|
return (auditwarnlog(args));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Indicates that this trail file has expired and was removed.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
audit_warn_expired(char *filename)
|
||||||
|
{
|
||||||
|
char *args[3];
|
||||||
|
|
||||||
|
args[0] = EXPIRED_WARN;
|
||||||
|
args[1] = filename;
|
||||||
|
args[2] = NULL;
|
||||||
|
|
||||||
|
return (auditwarnlog(args));
|
||||||
|
}
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2004-2008 Apple Inc.
|
* Copyright (c) 2004-2009 Apple Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
@ -26,7 +26,7 @@
|
|||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $
|
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -67,12 +67,16 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* XXX the following is temporary until this can be added to the kernel
|
* XXX The following are temporary until these can be added to the kernel
|
||||||
* audit.h header.
|
* audit.h header.
|
||||||
*/
|
*/
|
||||||
#ifndef AUDIT_TRIGGER_INITIALIZE
|
#ifndef AUDIT_TRIGGER_INITIALIZE
|
||||||
#define AUDIT_TRIGGER_INITIALIZE 7
|
#define AUDIT_TRIGGER_INITIALIZE 7
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
|
||||||
|
#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and
|
* LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and
|
||||||
@ -166,7 +170,7 @@ close_lastfile(char *TS)
|
|||||||
|
|
||||||
/* Rename the last file -- append timestamp. */
|
/* Rename the last file -- append timestamp. */
|
||||||
if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
|
if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
|
||||||
strlcpy(ptr, TS, TIMESTAMP_LEN);
|
memcpy(ptr, TS, POSTFIX_LEN);
|
||||||
if (rename(oldname, lastfile) != 0)
|
if (rename(oldname, lastfile) != 0)
|
||||||
auditd_log_err(
|
auditd_log_err(
|
||||||
"Could not rename %s to %s: %m", oldname,
|
"Could not rename %s to %s: %m", oldname,
|
||||||
@ -275,6 +279,14 @@ do_trail_file(void)
|
|||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Finally, see if there are any trail files to expire.
|
||||||
|
*/
|
||||||
|
err = auditd_expire_trails(audit_warn_expired);
|
||||||
|
if (err)
|
||||||
|
auditd_log_err("auditd_expire_trails(): %s",
|
||||||
|
auditd_strerror(err));
|
||||||
|
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger)
|
|||||||
audit_setup();
|
audit_setup();
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case AUDIT_TRIGGER_EXPIRE_TRAILS:
|
||||||
|
auditd_log_info("Got audit expire trails trigger");
|
||||||
|
err = auditd_expire_trails(audit_warn_expired);
|
||||||
|
if (err)
|
||||||
|
auditd_log_err("auditd_expire_trails(): %s",
|
||||||
|
auditd_strerror(err));
|
||||||
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
auditd_log_err("Got unknown trigger %d", trigger);
|
auditd_log_err("Got unknown trigger %d", trigger);
|
||||||
break;
|
break;
|
||||||
@ -669,9 +689,14 @@ auditd_config_controls(void)
|
|||||||
*/
|
*/
|
||||||
err = auditd_set_host();
|
err = auditd_set_host();
|
||||||
if (err) {
|
if (err) {
|
||||||
auditd_log_err("auditd_set_host() %s: %m",
|
if (err == ADE_PARSE) {
|
||||||
auditd_strerror(err));
|
auditd_log_notice(
|
||||||
ret = -1;
|
"audit_control(5) may be missing 'host:' field");
|
||||||
|
} else {
|
||||||
|
auditd_log_err("auditd_set_host() %s: %m",
|
||||||
|
auditd_strerror(err));
|
||||||
|
ret = -1;
|
||||||
|
}
|
||||||
} else
|
} else
|
||||||
auditd_log_debug(
|
auditd_log_debug(
|
||||||
"Set audit host address information in kernel.");
|
"Set audit host address information in kernel.");
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2005 Apple Inc.
|
* Copyright (c) 2005-2009 Apple Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
@ -26,7 +26,7 @@
|
|||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $
|
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _AUDITD_H_
|
#ifndef _AUDITD_H_
|
||||||
@ -57,6 +57,7 @@
|
|||||||
#define POSTSIGTERM_WARN "postsigterm"
|
#define POSTSIGTERM_WARN "postsigterm"
|
||||||
#define SOFTLIM_WARN "soft"
|
#define SOFTLIM_WARN "soft"
|
||||||
#define TMPFILE_WARN "tmpfile"
|
#define TMPFILE_WARN "tmpfile"
|
||||||
|
#define EXPIRED_WARN "expired"
|
||||||
|
|
||||||
#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
|
#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
|
||||||
#define AUDITD_PIDFILE "/var/run/auditd.pid"
|
#define AUDITD_PIDFILE "/var/run/auditd.pid"
|
||||||
@ -76,6 +77,7 @@ int audit_warn_nostart(void);
|
|||||||
int audit_warn_postsigterm(void);
|
int audit_warn_postsigterm(void);
|
||||||
int audit_warn_soft(char *filename);
|
int audit_warn_soft(char *filename);
|
||||||
int audit_warn_tmpfile(void);
|
int audit_warn_tmpfile(void);
|
||||||
|
int audit_warn_expired(char *filename);
|
||||||
|
|
||||||
void auditd_openlog(int debug, gid_t gid);
|
void auditd_openlog(int debug, gid_t gid);
|
||||||
void auditd_log_err(const char *fmt, ...);
|
void auditd_log_err(const char *fmt, ...);
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#3 $
|
* $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _BSM_AUDITD_LIB_H_
|
#ifndef _BSM_AUDITD_LIB_H_
|
||||||
@ -81,12 +81,14 @@
|
|||||||
#define ADE_INVAL -16 /* Invalid argument. */
|
#define ADE_INVAL -16 /* Invalid argument. */
|
||||||
#define ADE_GETADDR -17 /* Error resolving address from hostname. */
|
#define ADE_GETADDR -17 /* Error resolving address from hostname. */
|
||||||
#define ADE_ADDRFAM -18 /* Address family not supported. */
|
#define ADE_ADDRFAM -18 /* Address family not supported. */
|
||||||
|
#define ADE_EXPIRE -19 /* Error expiring audit trail files. */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* auditd_lib functions.
|
* auditd_lib functions.
|
||||||
*/
|
*/
|
||||||
const char *auditd_strerror(int errcode);
|
const char *auditd_strerror(int errcode);
|
||||||
int auditd_set_minfree(void);
|
int auditd_set_minfree(void);
|
||||||
|
int auditd_expire_trails(int (*warn_expired)(char *));
|
||||||
int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
|
int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
|
||||||
void auditd_close_dirs(void);
|
void auditd_close_dirs(void);
|
||||||
int auditd_set_evcmap(void);
|
int auditd_set_evcmap(void);
|
||||||
|
18
bsm/libbsm.h
18
bsm/libbsm.h
@ -1,5 +1,5 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2004-2008 Apple Inc.
|
* Copyright (c) 2004-2009 Apple Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
@ -26,7 +26,7 @@
|
|||||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#41 $
|
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#42 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _LIBBSM_H_
|
#ifndef _LIBBSM_H_
|
||||||
@ -76,13 +76,14 @@
|
|||||||
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
|
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
|
||||||
#define AUDIT_USER_FILE "/etc/security/audit_user"
|
#define AUDIT_USER_FILE "/etc/security/audit_user"
|
||||||
|
|
||||||
#define DIR_CONTROL_ENTRY "dir"
|
#define DIR_CONTROL_ENTRY "dir"
|
||||||
#define MINFREE_CONTROL_ENTRY "minfree"
|
#define MINFREE_CONTROL_ENTRY "minfree"
|
||||||
#define FILESZ_CONTROL_ENTRY "filesz"
|
#define FILESZ_CONTROL_ENTRY "filesz"
|
||||||
#define FLAGS_CONTROL_ENTRY "flags"
|
#define FLAGS_CONTROL_ENTRY "flags"
|
||||||
#define NA_CONTROL_ENTRY "naflags"
|
#define NA_CONTROL_ENTRY "naflags"
|
||||||
#define POLICY_CONTROL_ENTRY "policy"
|
#define POLICY_CONTROL_ENTRY "policy"
|
||||||
#define AUDIT_HOST_CONTROL_ENTRY "host"
|
#define AUDIT_HOST_CONTROL_ENTRY "host"
|
||||||
|
#define EXPIRE_AFTER_CONTROL_ENTRY "expire-after"
|
||||||
|
|
||||||
#define AU_CLASS_NAME_MAX 8
|
#define AU_CLASS_NAME_MAX 8
|
||||||
#define AU_CLASS_DESC_MAX 72
|
#define AU_CLASS_DESC_MAX 72
|
||||||
@ -766,6 +767,7 @@ int getacflg(char *auditstr, int len);
|
|||||||
int getacna(char *auditstr, int len);
|
int getacna(char *auditstr, int len);
|
||||||
int getacpol(char *auditstr, size_t len);
|
int getacpol(char *auditstr, size_t len);
|
||||||
int getachost(char *auditstr, size_t len);
|
int getachost(char *auditstr, size_t len);
|
||||||
|
int getacexpire(int *andflg, time_t *age, size_t *size);
|
||||||
int getauditflagsbin(char *auditstr, au_mask_t *masks);
|
int getauditflagsbin(char *auditstr, au_mask_t *masks);
|
||||||
int getauditflagschar(char *auditstr, au_mask_t *masks,
|
int getauditflagschar(char *auditstr, au_mask_t *masks,
|
||||||
int verbose);
|
int verbose);
|
||||||
|
20
configure
vendored
20
configure
vendored
@ -1,7 +1,7 @@
|
|||||||
#! /bin/sh
|
#! /bin/sh
|
||||||
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 .
|
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 .
|
||||||
# Guess values for system-dependent variables and create Makefiles.
|
# Guess values for system-dependent variables and create Makefiles.
|
||||||
# Generated by GNU Autoconf 2.61 for OpenBSM 1.1alpha5.
|
# Generated by GNU Autoconf 2.61 for OpenBSM 1.1beta1.
|
||||||
#
|
#
|
||||||
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
|
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
|
||||||
#
|
#
|
||||||
@ -729,8 +729,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
|
|||||||
# Identity of this package.
|
# Identity of this package.
|
||||||
PACKAGE_NAME='OpenBSM'
|
PACKAGE_NAME='OpenBSM'
|
||||||
PACKAGE_TARNAME='openbsm'
|
PACKAGE_TARNAME='openbsm'
|
||||||
PACKAGE_VERSION='1.1alpha5'
|
PACKAGE_VERSION='1.1beta1'
|
||||||
PACKAGE_STRING='OpenBSM 1.1alpha5'
|
PACKAGE_STRING='OpenBSM 1.1beta1'
|
||||||
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
|
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
|
||||||
|
|
||||||
ac_unique_file="bin/auditreduce/auditreduce.c"
|
ac_unique_file="bin/auditreduce/auditreduce.c"
|
||||||
@ -1404,7 +1404,7 @@ if test "$ac_init_help" = "long"; then
|
|||||||
# Omit some internal or obsolete options to make the list less imposing.
|
# Omit some internal or obsolete options to make the list less imposing.
|
||||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||||
cat <<_ACEOF
|
cat <<_ACEOF
|
||||||
\`configure' configures OpenBSM 1.1alpha5 to adapt to many kinds of systems.
|
\`configure' configures OpenBSM 1.1beta1 to adapt to many kinds of systems.
|
||||||
|
|
||||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||||
|
|
||||||
@ -1474,7 +1474,7 @@ fi
|
|||||||
|
|
||||||
if test -n "$ac_init_help"; then
|
if test -n "$ac_init_help"; then
|
||||||
case $ac_init_help in
|
case $ac_init_help in
|
||||||
short | recursive ) echo "Configuration of OpenBSM 1.1alpha5:";;
|
short | recursive ) echo "Configuration of OpenBSM 1.1beta1:";;
|
||||||
esac
|
esac
|
||||||
cat <<\_ACEOF
|
cat <<\_ACEOF
|
||||||
|
|
||||||
@ -1580,7 +1580,7 @@ fi
|
|||||||
test -n "$ac_init_help" && exit $ac_status
|
test -n "$ac_init_help" && exit $ac_status
|
||||||
if $ac_init_version; then
|
if $ac_init_version; then
|
||||||
cat <<\_ACEOF
|
cat <<\_ACEOF
|
||||||
OpenBSM configure 1.1alpha5
|
OpenBSM configure 1.1beta1
|
||||||
generated by GNU Autoconf 2.61
|
generated by GNU Autoconf 2.61
|
||||||
|
|
||||||
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
|
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
|
||||||
@ -1594,7 +1594,7 @@ cat >config.log <<_ACEOF
|
|||||||
This file contains any messages produced by compilers while
|
This file contains any messages produced by compilers while
|
||||||
running configure, to aid debugging if configure makes a mistake.
|
running configure, to aid debugging if configure makes a mistake.
|
||||||
|
|
||||||
It was created by OpenBSM $as_me 1.1alpha5, which was
|
It was created by OpenBSM $as_me 1.1beta1, which was
|
||||||
generated by GNU Autoconf 2.61. Invocation command line was
|
generated by GNU Autoconf 2.61. Invocation command line was
|
||||||
|
|
||||||
$ $0 $@
|
$ $0 $@
|
||||||
@ -19076,7 +19076,7 @@ fi
|
|||||||
|
|
||||||
# Define the identity of the package.
|
# Define the identity of the package.
|
||||||
PACKAGE=OpenBSM
|
PACKAGE=OpenBSM
|
||||||
VERSION=1.1alpha5
|
VERSION=1.1beta1
|
||||||
|
|
||||||
|
|
||||||
cat >>confdefs.h <<_ACEOF
|
cat >>confdefs.h <<_ACEOF
|
||||||
@ -23584,7 +23584,7 @@ exec 6>&1
|
|||||||
# report actual input values of CONFIG_FILES etc. instead of their
|
# report actual input values of CONFIG_FILES etc. instead of their
|
||||||
# values after options handling.
|
# values after options handling.
|
||||||
ac_log="
|
ac_log="
|
||||||
This file was extended by OpenBSM $as_me 1.1alpha5, which was
|
This file was extended by OpenBSM $as_me 1.1beta1, which was
|
||||||
generated by GNU Autoconf 2.61. Invocation command line was
|
generated by GNU Autoconf 2.61. Invocation command line was
|
||||||
|
|
||||||
CONFIG_FILES = $CONFIG_FILES
|
CONFIG_FILES = $CONFIG_FILES
|
||||||
@ -23637,7 +23637,7 @@ Report bugs to <bug-autoconf@gnu.org>."
|
|||||||
_ACEOF
|
_ACEOF
|
||||||
cat >>$CONFIG_STATUS <<_ACEOF
|
cat >>$CONFIG_STATUS <<_ACEOF
|
||||||
ac_cs_version="\\
|
ac_cs_version="\\
|
||||||
OpenBSM config.status 1.1alpha5
|
OpenBSM config.status 1.1beta1
|
||||||
configured by $0, generated by GNU Autoconf 2.61,
|
configured by $0, generated by GNU Autoconf 2.61,
|
||||||
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
|
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
|
||||||
|
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
# Process this file with autoconf to produce a configure script.
|
# Process this file with autoconf to produce a configure script.
|
||||||
|
|
||||||
AC_PREREQ(2.59)
|
AC_PREREQ(2.59)
|
||||||
AC_INIT([OpenBSM], [1.1alpha5], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
|
AC_INIT([OpenBSM], [1.1beta1], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
|
||||||
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 $])
|
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#50 $])
|
||||||
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
|
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
|
||||||
AC_CONFIG_AUX_DIR(config)
|
AC_CONFIG_AUX_DIR(config)
|
||||||
AC_CONFIG_HEADER([config/config.h])
|
AC_CONFIG_HEADER([config/config.h])
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
#
|
#
|
||||||
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
|
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $
|
||||||
#
|
#
|
||||||
dir:/var/audit
|
dir:/var/audit
|
||||||
flags:lo
|
flags:lo
|
||||||
minfree:20
|
minfree:5
|
||||||
naflags:lo
|
naflags:lo
|
||||||
policy:cnt
|
policy:cnt,argv
|
||||||
filesz:0
|
filesz:2097152
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#34 $
|
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#36 $
|
||||||
#
|
#
|
||||||
# The mapping between event identifiers and values is also hard-coded in
|
# The mapping between event identifiers and values is also hard-coded in
|
||||||
# audit_kevents.h and audit_uevents.h, so changes must occur in both places,
|
# audit_kevents.h and audit_uevents.h, so changes must occur in both places,
|
||||||
@ -490,7 +490,7 @@
|
|||||||
43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
|
43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
|
||||||
43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
|
43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
|
||||||
43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
|
43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
|
||||||
43131:AUE_MAC_EXECVE:mac_exeve(2):ex,pc
|
43131:AUE_MAC_EXECVE:mac_execve(2):ex,pc
|
||||||
43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
|
43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
|
||||||
43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
|
43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
|
||||||
43134:AUE_MQ_OPEN:mq_open(2):ip
|
43134:AUE_MQ_OPEN:mq_open(2):ip
|
||||||
@ -551,6 +551,8 @@
|
|||||||
43189:AUE_CAP_GETMODE:cap_getmode(2):pc
|
43189:AUE_CAP_GETMODE:cap_getmode(2):pc
|
||||||
43190:AUE_POSIX_SPAWN:posix_spawn(2):pc
|
43190:AUE_POSIX_SPAWN:posix_spawn(2):pc
|
||||||
43191:AUE_FSGETPATH:fsgetpath(2):ot
|
43191:AUE_FSGETPATH:fsgetpath(2):ot
|
||||||
|
43192:AUE_PREAD:pread(2):no
|
||||||
|
43193:AUE_PWRITE:pwrite(2):no
|
||||||
#
|
#
|
||||||
# Solaris userspace events.
|
# Solaris userspace events.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2008 Apple Inc.
|
* Copyright (c) 2008-2009 Apple Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
@ -26,7 +26,7 @@
|
|||||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#2 $
|
* $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#7 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
@ -52,6 +52,7 @@
|
|||||||
#include <bsm/auditd_lib.h>
|
#include <bsm/auditd_lib.h>
|
||||||
#include <bsm/libbsm.h>
|
#include <bsm/libbsm.h>
|
||||||
|
|
||||||
|
#include <dirent.h>
|
||||||
#include <err.h>
|
#include <err.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
@ -77,6 +78,11 @@
|
|||||||
#define AUDIT_HARD_LIMIT_FREE_BLOCKS 4
|
#define AUDIT_HARD_LIMIT_FREE_BLOCKS 4
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Number of seconds to January 1, 2000
|
||||||
|
*/
|
||||||
|
#define JAN_01_2000 946598400
|
||||||
|
|
||||||
struct dir_ent {
|
struct dir_ent {
|
||||||
char *dirname;
|
char *dirname;
|
||||||
uint8_t softlim;
|
uint8_t softlim;
|
||||||
@ -85,7 +91,19 @@ struct dir_ent {
|
|||||||
};
|
};
|
||||||
|
|
||||||
static TAILQ_HEAD(, dir_ent) dir_q;
|
static TAILQ_HEAD(, dir_ent) dir_q;
|
||||||
static int minval = -1;
|
|
||||||
|
struct audit_trail {
|
||||||
|
time_t at_time;
|
||||||
|
char *at_path;
|
||||||
|
off_t at_size;
|
||||||
|
|
||||||
|
TAILQ_ENTRY(audit_trail) at_trls;
|
||||||
|
};
|
||||||
|
|
||||||
|
static int auditd_minval = -1;
|
||||||
|
|
||||||
|
static char auditd_host[MAXHOSTNAMELEN];
|
||||||
|
static int auditd_hostlen = -1;
|
||||||
|
|
||||||
static char *auditd_errmsg[] = {
|
static char *auditd_errmsg[] = {
|
||||||
"no error", /* ADE_NOERR ( 0) */
|
"no error", /* ADE_NOERR ( 0) */
|
||||||
@ -107,6 +125,7 @@ static char *auditd_errmsg[] = {
|
|||||||
"invalid argument", /* ADE_INVAL (16) */
|
"invalid argument", /* ADE_INVAL (16) */
|
||||||
"could not resolve hostname to address", /* ADE_GETADDR (17) */
|
"could not resolve hostname to address", /* ADE_GETADDR (17) */
|
||||||
"address family not supported", /* ADE_ADDRFAM (18) */
|
"address family not supported", /* ADE_ADDRFAM (18) */
|
||||||
|
"error expiring audit trail files", /* ADE_EXPIRE (19) */
|
||||||
};
|
};
|
||||||
|
|
||||||
#define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
|
#define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
|
||||||
@ -165,7 +184,13 @@ affixdir(char *name, struct dir_ent *dirent)
|
|||||||
return (NULL);
|
return (NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
asprintf(&fn, "%s/%s", dirent->dirname, name);
|
/*
|
||||||
|
* If the host is set then also add the hostname to the filename.
|
||||||
|
*/
|
||||||
|
if (auditd_hostlen != -1)
|
||||||
|
asprintf(&fn, "%s/%s.%s", dirent->dirname, name, auditd_host);
|
||||||
|
else
|
||||||
|
asprintf(&fn, "%s/%s", dirent->dirname, name);
|
||||||
return (fn);
|
return (fn);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -204,15 +229,13 @@ insert_orderly(struct dir_ent *denew)
|
|||||||
int
|
int
|
||||||
auditd_set_host(void)
|
auditd_set_host(void)
|
||||||
{
|
{
|
||||||
char hoststr[MAXHOSTNAMELEN];
|
|
||||||
struct sockaddr_in6 *sin6;
|
struct sockaddr_in6 *sin6;
|
||||||
struct sockaddr_in *sin;
|
struct sockaddr_in *sin;
|
||||||
struct addrinfo *res;
|
struct addrinfo *res;
|
||||||
struct auditinfo_addr aia;
|
struct auditinfo_addr aia;
|
||||||
int error, ret = ADE_NOERR;
|
int error, ret = ADE_NOERR;
|
||||||
|
|
||||||
if (getachost(hoststr, MAXHOSTNAMELEN) != 0) {
|
if (getachost(auditd_host, sizeof(auditd_host)) != 0) {
|
||||||
|
|
||||||
ret = ADE_PARSE;
|
ret = ADE_PARSE;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -229,7 +252,8 @@ auditd_set_host(void)
|
|||||||
ret = ADE_AUDITON;
|
ret = ADE_AUDITON;
|
||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
error = getaddrinfo(hoststr, NULL, NULL, &res);
|
auditd_hostlen = strlen(auditd_host);
|
||||||
|
error = getaddrinfo(auditd_host, NULL, NULL, &res);
|
||||||
if (error)
|
if (error)
|
||||||
return (ADE_GETADDR);
|
return (ADE_GETADDR);
|
||||||
switch (res->ai_family) {
|
switch (res->ai_family) {
|
||||||
@ -271,14 +295,14 @@ auditd_set_minfree(void)
|
|||||||
{
|
{
|
||||||
au_qctrl_t qctrl;
|
au_qctrl_t qctrl;
|
||||||
|
|
||||||
if (getacmin(&minval) != 0)
|
if (getacmin(&auditd_minval) != 0)
|
||||||
return (ADE_PARSE);
|
return (ADE_PARSE);
|
||||||
|
|
||||||
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0)
|
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0)
|
||||||
return (ADE_AUDITON);
|
return (ADE_AUDITON);
|
||||||
|
|
||||||
if (qctrl.aq_minfree != minval) {
|
if (qctrl.aq_minfree != auditd_minval) {
|
||||||
qctrl.aq_minfree = minval;
|
qctrl.aq_minfree = auditd_minval;
|
||||||
if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0)
|
if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0)
|
||||||
return (ADE_AUDITON);
|
return (ADE_AUDITON);
|
||||||
}
|
}
|
||||||
@ -286,10 +310,260 @@ auditd_set_minfree(void)
|
|||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Convert a trailname into a timestamp (seconds). Return 0 if the conversion
|
||||||
|
* was successful.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
trailname_to_tstamp(char *fn, time_t *tstamp)
|
||||||
|
{
|
||||||
|
struct tm tm;
|
||||||
|
char ts[TIMESTAMP_LEN];
|
||||||
|
char *p;
|
||||||
|
|
||||||
|
*tstamp = 0;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get the ending time stamp.
|
||||||
|
*/
|
||||||
|
if ((p = strchr(fn, '.')) == NULL)
|
||||||
|
return (1);
|
||||||
|
strlcpy(ts, ++p, TIMESTAMP_LEN);
|
||||||
|
if (strlen(ts) != POSTFIX_LEN)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
bzero(&tm, sizeof(tm));
|
||||||
|
|
||||||
|
/* seconds (0-60) */
|
||||||
|
p = ts + POSTFIX_LEN - 2;
|
||||||
|
tm.tm_sec = atol(p);
|
||||||
|
if (tm.tm_sec < 0 || tm.tm_sec > 60)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
/* minutes (0-59) */
|
||||||
|
*p = '\0'; p -= 2;
|
||||||
|
tm.tm_min = atol(p);
|
||||||
|
if (tm.tm_min < 0 || tm.tm_min > 59)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
/* hours (0 - 23) */
|
||||||
|
*p = '\0'; p -= 2;
|
||||||
|
tm.tm_hour = atol(p);
|
||||||
|
if (tm.tm_hour < 0 || tm.tm_hour > 23)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
/* day of month (1-31) */
|
||||||
|
*p = '\0'; p -= 2;
|
||||||
|
tm.tm_mday = atol(p);
|
||||||
|
if (tm.tm_mday < 1 || tm.tm_mday > 31)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
/* month (0 - 11) */
|
||||||
|
*p = '\0'; p -= 2;
|
||||||
|
tm.tm_mon = atol(p) - 1;
|
||||||
|
if (tm.tm_mon < 0 || tm.tm_mon > 11)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
/* year (year - 1900) */
|
||||||
|
*p = '\0'; p -= 4;
|
||||||
|
tm.tm_year = atol(p) - 1900;
|
||||||
|
if (tm.tm_year < 0)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
*tstamp = timegm(&tm);
|
||||||
|
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Remove audit trails files according to the expiration conditions. Returns:
|
||||||
|
* ADE_NOERR on success or there is nothing to do.
|
||||||
|
* ADE_PARSE if error parsing audit_control(5).
|
||||||
|
* ADE_NOMEM if could not allocate memory.
|
||||||
|
* ADE_EXPIRE if there was an unespected error.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
auditd_expire_trails(int (*warn_expired)(char *))
|
||||||
|
{
|
||||||
|
int andflg, ret = ADE_NOERR;
|
||||||
|
size_t expire_size, total_size = 0L;
|
||||||
|
time_t expire_age, oldest_time, current_time = time(NULL);
|
||||||
|
struct dir_ent *traildir;
|
||||||
|
struct audit_trail *at;
|
||||||
|
char *afnp, *pn;
|
||||||
|
TAILQ_HEAD(au_trls_head, audit_trail) head =
|
||||||
|
TAILQ_HEAD_INITIALIZER(head);
|
||||||
|
struct stat stbuf;
|
||||||
|
char activefn[MAXPATHLEN];
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Read the expiration conditions. If no conditions then return no
|
||||||
|
* error.
|
||||||
|
*/
|
||||||
|
if (getacexpire(&andflg, &expire_age, &expire_size) < 0)
|
||||||
|
return (ADE_PARSE);
|
||||||
|
if (!expire_age && !expire_size)
|
||||||
|
return (ADE_NOERR);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Read the 'current' trail file name. Trim off directory path.
|
||||||
|
*/
|
||||||
|
activefn[0] = '\0';
|
||||||
|
readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);
|
||||||
|
if ((afnp = strrchr(activefn, '/')) != NULL)
|
||||||
|
afnp++;
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Build tail queue of the trail files.
|
||||||
|
*/
|
||||||
|
TAILQ_FOREACH(traildir, &dir_q, dirs) {
|
||||||
|
DIR *dirp;
|
||||||
|
struct dirent *dp;
|
||||||
|
|
||||||
|
dirp = opendir(traildir->dirname);
|
||||||
|
while ((dp = readdir(dirp)) != NULL) {
|
||||||
|
time_t tstamp = 0;
|
||||||
|
struct audit_trail *new;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Quickly filter non-trail files.
|
||||||
|
*/
|
||||||
|
if (dp->d_namlen != (FILENAME_LEN - 1) ||
|
||||||
|
#ifdef DT_REG
|
||||||
|
dp->d_type != DT_REG ||
|
||||||
|
#endif
|
||||||
|
dp->d_name[POSTFIX_LEN] != '.')
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (asprintf(&pn, "%s/%s", traildir->dirname,
|
||||||
|
dp->d_name) < 0) {
|
||||||
|
ret = ADE_NOMEM;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (stat(pn, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
|
||||||
|
free(pn);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
total_size += stbuf.st_size;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If this is the 'current' audit trail then
|
||||||
|
* don't add it to the tail queue.
|
||||||
|
*/
|
||||||
|
if (NULL != afnp &&
|
||||||
|
strncmp(dp->d_name, afnp, FILENAME_LEN) == 0) {
|
||||||
|
free(pn);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get the ending time stamp encoded in the trail
|
||||||
|
* name. If we can't read it or if it is older
|
||||||
|
* than Jan 1, 2000 then use the mtime.
|
||||||
|
*/
|
||||||
|
if (trailname_to_tstamp(dp->d_name, &tstamp) != 0 ||
|
||||||
|
tstamp < JAN_01_2000)
|
||||||
|
tstamp = stbuf.st_mtime;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If the time stamp is older than Jan 1, 2000 then
|
||||||
|
* update the mtime of the trail file to the current
|
||||||
|
* time. This is so we don't prematurely remove a trail
|
||||||
|
* file that was created while the system clock reset
|
||||||
|
* to the * "beginning of time" but later the system
|
||||||
|
* clock is set to the correct current time.
|
||||||
|
*/
|
||||||
|
if (current_time >= JAN_01_2000 &&
|
||||||
|
tstamp < JAN_01_2000) {
|
||||||
|
struct timeval tv[2];
|
||||||
|
|
||||||
|
tstamp = stbuf.st_mtime = current_time;
|
||||||
|
TIMESPEC_TO_TIMEVAL(&tv[0],
|
||||||
|
&stbuf.st_atimespec);
|
||||||
|
TIMESPEC_TO_TIMEVAL(&tv[1],
|
||||||
|
&stbuf.st_mtimespec);
|
||||||
|
utimes(pn, tv);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Allocate and populate the new entry.
|
||||||
|
*/
|
||||||
|
new = malloc(sizeof(*new));
|
||||||
|
if (NULL == new) {
|
||||||
|
free(pn);
|
||||||
|
ret = ADE_NOMEM;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
new->at_time = tstamp;
|
||||||
|
new->at_size = stbuf.st_size;
|
||||||
|
new->at_path = pn;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check to see if we have a new head. Otherwise,
|
||||||
|
* walk the tailq from the tail first and do a simple
|
||||||
|
* insertion sort.
|
||||||
|
*/
|
||||||
|
if (TAILQ_EMPTY(&head) ||
|
||||||
|
(new->at_time <= TAILQ_FIRST(&head)->at_time)) {
|
||||||
|
TAILQ_INSERT_HEAD(&head, new, at_trls);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
TAILQ_FOREACH_REVERSE(at, &head, au_trls_head, at_trls)
|
||||||
|
if (new->at_time >= at->at_time) {
|
||||||
|
TAILQ_INSERT_AFTER(&head, at, new,
|
||||||
|
at_trls);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
oldest_time = current_time - expire_age;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Expire trail files, oldest (mtime) first, if the given
|
||||||
|
* conditions are met.
|
||||||
|
*/
|
||||||
|
at = TAILQ_FIRST(&head);
|
||||||
|
while (NULL != at) {
|
||||||
|
struct audit_trail *at_next = TAILQ_NEXT(at, at_trls);
|
||||||
|
|
||||||
|
if (andflg) {
|
||||||
|
if ((expire_size && total_size > expire_size) &&
|
||||||
|
(expire_age && at->at_time < oldest_time)) {
|
||||||
|
if (warn_expired)
|
||||||
|
(*warn_expired)(at->at_path);
|
||||||
|
if (unlink(at->at_path) < 0)
|
||||||
|
ret = ADE_EXPIRE;
|
||||||
|
total_size -= at->at_size;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if ((expire_size && total_size > expire_size) ||
|
||||||
|
(expire_age && at->at_time < oldest_time)) {
|
||||||
|
if (warn_expired)
|
||||||
|
(*warn_expired)(at->at_path);
|
||||||
|
if (unlink(at->at_path) < 0)
|
||||||
|
ret = ADE_EXPIRE;
|
||||||
|
total_size -= at->at_size;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
free(at->at_path);
|
||||||
|
free(at);
|
||||||
|
at = at_next;
|
||||||
|
}
|
||||||
|
|
||||||
|
return (ret);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Parses the "dir" entry in audit_control(5) into an ordered list. Also, will
|
* Parses the "dir" entry in audit_control(5) into an ordered list. Also, will
|
||||||
* set the minfree value if not already set. Arguments include function
|
* set the minfree and host values if not already set. Arguments include
|
||||||
* pointers to audit_warn functions for soft and hard limits. Returns:
|
* function pointers to audit_warn functions for soft and hard limits. Returns:
|
||||||
* ADE_NOERR on success,
|
* ADE_NOERR on success,
|
||||||
* ADE_PARSE error parsing audit_control(5),
|
* ADE_PARSE error parsing audit_control(5),
|
||||||
* ADE_AUDITON error getting/setting auditon(2) value,
|
* ADE_AUDITON error getting/setting auditon(2) value,
|
||||||
@ -309,9 +583,12 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
|
|||||||
int scnt = 0;
|
int scnt = 0;
|
||||||
int hcnt = 0;
|
int hcnt = 0;
|
||||||
|
|
||||||
if (minval == -1 && (err = auditd_set_minfree()) != 0)
|
if (auditd_minval == -1 && (err = auditd_set_minfree()) != 0)
|
||||||
return (err);
|
return (err);
|
||||||
|
|
||||||
|
if (auditd_hostlen == -1)
|
||||||
|
auditd_set_host();
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Init directory q. Force a re-read of the file the next time.
|
* Init directory q. Force a re-read of the file the next time.
|
||||||
*/
|
*/
|
||||||
@ -329,7 +606,8 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
|
|||||||
while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
|
while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
|
||||||
if (statfs(cur_dir, &sfs) < 0)
|
if (statfs(cur_dir, &sfs) < 0)
|
||||||
continue; /* XXX should warn */
|
continue; /* XXX should warn */
|
||||||
soft = (sfs.f_bfree < (sfs.f_blocks / (100 / minval))) ? 1 : 0;
|
soft = (sfs.f_bfree < (sfs.f_blocks / (100 / auditd_minval))) ?
|
||||||
|
1 : 0;
|
||||||
hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
|
hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
|
||||||
if (soft) {
|
if (soft) {
|
||||||
if (warn_soft)
|
if (warn_soft)
|
||||||
@ -367,7 +645,8 @@ void
|
|||||||
auditd_close_dirs(void)
|
auditd_close_dirs(void)
|
||||||
{
|
{
|
||||||
free_dir_q();
|
free_dir_q();
|
||||||
minval = -1;
|
auditd_minval = -1;
|
||||||
|
auditd_hostlen = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -549,7 +828,7 @@ auditd_swap_trail(char *TS, char **newfile, gid_t gid,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Try until we succeed. */
|
/* Try until we succeed. */
|
||||||
while ((dirent = TAILQ_FIRST(&dir_q))) {
|
TAILQ_FOREACH(dirent, &dir_q, dirs) {
|
||||||
if (dirent->hardlim)
|
if (dirent->hardlim)
|
||||||
continue;
|
continue;
|
||||||
if ((fn = affixdir(timestr, dirent)) == NULL)
|
if ((fn = affixdir(timestr, dirent)) == NULL)
|
||||||
@ -606,6 +885,28 @@ auditd_swap_trail(char *TS, char **newfile, gid_t gid,
|
|||||||
* ADE_NOERR on success,
|
* ADE_NOERR on success,
|
||||||
* ADE_SETAUDIT if setaudit(2) fails.
|
* ADE_SETAUDIT if setaudit(2) fails.
|
||||||
*/
|
*/
|
||||||
|
#ifdef __APPLE__
|
||||||
|
int
|
||||||
|
auditd_prevent_audit(void)
|
||||||
|
{
|
||||||
|
auditinfo_addr_t aia;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* To prevent event feedback cycles and avoid audit becoming stalled if
|
||||||
|
* auditing is suspended we mask this processes events from being
|
||||||
|
* audited. We allow the uid, tid, and mask fields to be implicitly
|
||||||
|
* set to zero, but do set the audit session ID to the PID.
|
||||||
|
*
|
||||||
|
* XXXRW: Is there more to it than this?
|
||||||
|
*/
|
||||||
|
bzero(&aia, sizeof(aia));
|
||||||
|
aia.ai_asid = AU_ASSIGN_ASID;
|
||||||
|
aia.ai_termid.at_type = AU_IPv4;
|
||||||
|
if (setaudit_addr(&aia, sizeof(aia)) != 0)
|
||||||
|
return (ADE_SETAUDIT);
|
||||||
|
return (ADE_NOERR);
|
||||||
|
}
|
||||||
|
#else
|
||||||
int
|
int
|
||||||
auditd_prevent_audit(void)
|
auditd_prevent_audit(void)
|
||||||
{
|
{
|
||||||
@ -625,6 +926,7 @@ auditd_prevent_audit(void)
|
|||||||
return (ADE_SETAUDIT);
|
return (ADE_SETAUDIT);
|
||||||
return (ADE_NOERR);
|
return (ADE_NOERR);
|
||||||
}
|
}
|
||||||
|
#endif /* __APPLE__ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Generate and submit audit record for audit startup or shutdown. The event
|
* Generate and submit audit record for audit startup or shutdown. The event
|
||||||
@ -713,7 +1015,7 @@ auditd_new_curlink(char *curfile)
|
|||||||
strlcpy(newname, recoveredname, MAXPATHLEN);
|
strlcpy(newname, recoveredname, MAXPATHLEN);
|
||||||
|
|
||||||
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
|
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
|
||||||
strlcpy(ptr, CRASH_RECOVERY, TIMESTAMP_LEN);
|
memcpy(ptr, CRASH_RECOVERY, POSTFIX_LEN);
|
||||||
if (rename(recoveredname, newname) != 0)
|
if (rename(recoveredname, newname) != 0)
|
||||||
return (ADE_RENAME);
|
return (ADE_RENAME);
|
||||||
} else
|
} else
|
||||||
@ -750,9 +1052,10 @@ int
|
|||||||
audit_quick_start(void)
|
audit_quick_start(void)
|
||||||
{
|
{
|
||||||
int err;
|
int err;
|
||||||
char *newfile;
|
char *newfile = NULL;
|
||||||
time_t tt;
|
time_t tt;
|
||||||
char TS[TIMESTAMP_LEN];
|
char TS[TIMESTAMP_LEN];
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Mask auditing of this process.
|
* Mask auditing of this process.
|
||||||
@ -773,20 +1076,26 @@ audit_quick_start(void)
|
|||||||
if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
|
if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
|
||||||
return (-1);
|
return (-1);
|
||||||
err = auditd_swap_trail(TS, &newfile, getgid(), NULL);
|
err = auditd_swap_trail(TS, &newfile, getgid(), NULL);
|
||||||
if (err != ADE_NOERR && err != ADE_ACTL)
|
if (err != ADE_NOERR && err != ADE_ACTL) {
|
||||||
return (-1);
|
ret = -1;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Add the current symlink and recover from crash, if needed.
|
* Add the current symlink and recover from crash, if needed.
|
||||||
*/
|
*/
|
||||||
if (auditd_new_curlink(newfile) != 0)
|
if (auditd_new_curlink(newfile) != 0) {
|
||||||
return(-1);
|
ret = -1;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* At this point auditing has started so generate audit start-up record.
|
* At this point auditing has started so generate audit start-up record.
|
||||||
*/
|
*/
|
||||||
if (auditd_gen_record(AUE_audit_startup, NULL) != 0)
|
if (auditd_gen_record(AUE_audit_startup, NULL) != 0) {
|
||||||
return (-1);
|
ret = -1;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Configure the audit controls.
|
* Configure the audit controls.
|
||||||
@ -798,7 +1107,11 @@ audit_quick_start(void)
|
|||||||
(void) auditd_set_minfree();
|
(void) auditd_set_minfree();
|
||||||
(void) auditd_set_host();
|
(void) auditd_set_host();
|
||||||
|
|
||||||
return (0);
|
out:
|
||||||
|
if (newfile != NULL)
|
||||||
|
free(newfile);
|
||||||
|
|
||||||
|
return (ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -855,7 +1168,7 @@ audit_quick_stop(void)
|
|||||||
strlcpy(newname, oldname, len);
|
strlcpy(newname, oldname, len);
|
||||||
|
|
||||||
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
|
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
|
||||||
strlcpy(ptr, TS, TIMESTAMP_LEN);
|
memcpy(ptr, TS, POSTFIX_LEN);
|
||||||
if (rename(oldname, newname) != 0)
|
if (rename(oldname, newname) != 0)
|
||||||
return (-1);
|
return (-1);
|
||||||
} else
|
} else
|
||||||
|
@ -23,7 +23,7 @@
|
|||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
.\" SUCH DAMAGE.
|
.\" SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#9 $
|
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#10 $
|
||||||
.\"
|
.\"
|
||||||
.Dd April 19, 2005
|
.Dd April 19, 2005
|
||||||
.Dt AU_CONTROL 3
|
.Dt AU_CONTROL 3
|
||||||
@ -33,6 +33,7 @@
|
|||||||
.Nm endac ,
|
.Nm endac ,
|
||||||
.Nm getacdir ,
|
.Nm getacdir ,
|
||||||
.Nm getacmin ,
|
.Nm getacmin ,
|
||||||
|
.Nm getacexpire ,
|
||||||
.Nm getacfilesz ,
|
.Nm getacfilesz ,
|
||||||
.Nm getacflg ,
|
.Nm getacflg ,
|
||||||
.Nm getacna ,
|
.Nm getacna ,
|
||||||
@ -53,6 +54,8 @@
|
|||||||
.Ft int
|
.Ft int
|
||||||
.Fn getacmin "int *min_val"
|
.Fn getacmin "int *min_val"
|
||||||
.Ft int
|
.Ft int
|
||||||
|
.Fn getacexpire "int *andflg, time_t *age, size_t *size"
|
||||||
|
.Ft int
|
||||||
.Fn getacfilesz "size_t *size_val"
|
.Fn getacfilesz "size_t *size_val"
|
||||||
.Ft int
|
.Ft int
|
||||||
.Fn getacflg "char *auditstr" "int len"
|
.Fn getacflg "char *auditstr" "int len"
|
||||||
@ -101,6 +104,24 @@ the passed
|
|||||||
variable.
|
variable.
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
|
.Fn getacexpire
|
||||||
|
function
|
||||||
|
returns the audit trail file expiration parameters in the passed
|
||||||
|
.Vt int
|
||||||
|
buffer
|
||||||
|
.Fa andflg ,
|
||||||
|
.Vt time_t
|
||||||
|
buffer
|
||||||
|
.Fa age
|
||||||
|
and
|
||||||
|
.Vt size_t
|
||||||
|
buffer
|
||||||
|
.Fa size .
|
||||||
|
If the parameter is not specified in the
|
||||||
|
.Xr audit_control 5
|
||||||
|
file it is set to zero.
|
||||||
|
.Pp
|
||||||
|
The
|
||||||
.Fn getacfilesz
|
.Fn getacfilesz
|
||||||
function
|
function
|
||||||
returns the audit trail rotation size in the passed
|
returns the audit trail rotation size in the passed
|
||||||
@ -153,6 +174,7 @@ to a numeric audit policy mask returned via
|
|||||||
The
|
The
|
||||||
.Fn getacdir ,
|
.Fn getacdir ,
|
||||||
.Fn getacmin ,
|
.Fn getacmin ,
|
||||||
|
.Fn getacexpire ,
|
||||||
.Fn getacflg ,
|
.Fn getacflg ,
|
||||||
.Fn getacna ,
|
.Fn getacna ,
|
||||||
.Fn getacpol ,
|
.Fn getacpol ,
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_domain.3#1 $
|
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_domain.3#2 $
|
||||||
.\"
|
.\"
|
||||||
.Dd December 28, 2008
|
.Dd December 28, 2008
|
||||||
.Dt AU_BSM_TO_DOMAIN 3
|
.Dt AU_BSM_TO_DOMAIN 3
|
||||||
@ -59,6 +59,7 @@ This call will fail if the BSM domain cannot be mapped into a local domain,
|
|||||||
which may occur if the socket token was generated on another operating
|
which may occur if the socket token was generated on another operating
|
||||||
system.
|
system.
|
||||||
.Pp
|
.Pp
|
||||||
|
The
|
||||||
.Fn au_domain_to_bsm
|
.Fn au_domain_to_bsm
|
||||||
function accepts a local domain, and returns the BSM domain for it.
|
function accepts a local domain, and returns the BSM domain for it.
|
||||||
This call cannot fail, and instead returns a BSM domain indicating to a later
|
This call cannot fail, and instead returns a BSM domain indicating to a later
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_errno.3#3 $
|
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_errno.3#4 $
|
||||||
.\"
|
.\"
|
||||||
.Dd December 8, 2008
|
.Dd December 8, 2008
|
||||||
.Dt AU_BSM_TO_ERRNO 3
|
.Dt AU_BSM_TO_ERRNO 3
|
||||||
@ -64,6 +64,7 @@ This call will fail if the BSM error cannot be mapped into a local error
|
|||||||
number, which may occur if the return token was generated on another
|
number, which may occur if the return token was generated on another
|
||||||
operating system.
|
operating system.
|
||||||
.Pp
|
.Pp
|
||||||
|
The
|
||||||
.Fn au_errno_to_bsm
|
.Fn au_errno_to_bsm
|
||||||
function accepts a local
|
function accepts a local
|
||||||
.Xr errno 2
|
.Xr errno 2
|
||||||
@ -73,7 +74,7 @@ a later decoder that the error could not be encoded.
|
|||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
.Fn au_strerror
|
.Fn au_strerror
|
||||||
converts a BSM error value to a string, generally by converting first to a
|
function converts a BSM error value to a string, generally by converting first to a
|
||||||
local error number and using the local
|
local error number and using the local
|
||||||
.Xr strerror 3
|
.Xr strerror 3
|
||||||
function, but will also work for errors that are not locally defined.
|
function, but will also work for errors that are not locally defined.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2004 Apple Inc.
|
* Copyright (c) 2004,2009 Apple Inc.
|
||||||
* Copyright (c) 2006 Robert N. M. Watson
|
* Copyright (c) 2006 Robert N. M. Watson
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
@ -27,13 +27,14 @@
|
|||||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#24 $
|
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#28 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <config/config.h>
|
#include <config/config.h>
|
||||||
|
|
||||||
#include <bsm/libbsm.h>
|
#include <bsm/libbsm.h>
|
||||||
|
|
||||||
|
#include <ctype.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
@ -64,6 +65,32 @@ static char ptrmoved = 0;
|
|||||||
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
|
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Audit policy string token table for au_poltostr() and au_strtopol().
|
||||||
|
*/
|
||||||
|
struct audit_polstr {
|
||||||
|
long ap_policy;
|
||||||
|
const char *ap_str;
|
||||||
|
};
|
||||||
|
|
||||||
|
static struct audit_polstr au_polstr[] = {
|
||||||
|
{ AUDIT_CNT, "cnt" },
|
||||||
|
{ AUDIT_AHLT, "ahlt" },
|
||||||
|
{ AUDIT_ARGV, "argv" },
|
||||||
|
{ AUDIT_ARGE, "arge" },
|
||||||
|
{ AUDIT_SEQ, "seq" },
|
||||||
|
{ AUDIT_WINDATA, "windata" },
|
||||||
|
{ AUDIT_USER, "user" },
|
||||||
|
{ AUDIT_GROUP, "group" },
|
||||||
|
{ AUDIT_TRAIL, "trail" },
|
||||||
|
{ AUDIT_PATH, "path" },
|
||||||
|
{ AUDIT_SCNT, "scnt" },
|
||||||
|
{ AUDIT_PUBLIC, "public" },
|
||||||
|
{ AUDIT_ZONENAME, "zonename" },
|
||||||
|
{ AUDIT_PERZONE, "perzone" },
|
||||||
|
{ -1, NULL }
|
||||||
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Returns the string value corresponding to the given label from the
|
* Returns the string value corresponding to the given label from the
|
||||||
* configuration file.
|
* configuration file.
|
||||||
@ -111,6 +138,82 @@ getstrfromtype_locked(char *name, char **str)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Convert a given time value with a multiplier (seconds, hours, days, years) to
|
||||||
|
* seconds. Return 0 on success.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
au_timetosec(time_t *seconds, u_long value, char mult)
|
||||||
|
{
|
||||||
|
if (NULL == seconds)
|
||||||
|
return (-1);
|
||||||
|
|
||||||
|
switch(mult) {
|
||||||
|
case 's':
|
||||||
|
/* seconds */
|
||||||
|
*seconds = (time_t)value;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'h':
|
||||||
|
/* hours */
|
||||||
|
*seconds = (time_t)value * 60 * 60;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'd':
|
||||||
|
/* days */
|
||||||
|
*seconds = (time_t)value * 60 * 60 * 24;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'y':
|
||||||
|
/* years. Add a day for each 4th (leap) year. */
|
||||||
|
*seconds = (time_t)value * 60 * 60 * 24 * 364 +
|
||||||
|
((time_t)value / 4) * 60 * 60 * 24;
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Convert a given disk space value with a multiplier (bytes, kilobytes,
|
||||||
|
* megabytes, gigabytes) to bytes. Return 0 on success.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
au_spacetobytes(size_t *bytes, u_long value, char mult)
|
||||||
|
{
|
||||||
|
if (NULL == bytes)
|
||||||
|
return (-1);
|
||||||
|
|
||||||
|
switch(mult) {
|
||||||
|
case 'B':
|
||||||
|
case ' ':
|
||||||
|
/* Bytes */
|
||||||
|
*bytes = (size_t)value;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'K':
|
||||||
|
/* Kilobytes */
|
||||||
|
*bytes = (size_t)value * 1024;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'M':
|
||||||
|
/* Megabytes */
|
||||||
|
*bytes = (size_t)value * 1024 * 1024;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'G':
|
||||||
|
/* Gigabytes */
|
||||||
|
*bytes = (size_t)value * 1024 * 1024 * 1024;
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Convert a policy to a string. Return -1 on failure, or >= 0 representing
|
* Convert a policy to a string. Return -1 on failure, or >= 0 representing
|
||||||
* the actual size of the string placed in the buffer (excluding terminating
|
* the actual size of the string placed in the buffer (excluding terminating
|
||||||
@ -119,135 +222,24 @@ getstrfromtype_locked(char *name, char **str)
|
|||||||
ssize_t
|
ssize_t
|
||||||
au_poltostr(long policy, size_t maxsize, char *buf)
|
au_poltostr(long policy, size_t maxsize, char *buf)
|
||||||
{
|
{
|
||||||
int first;
|
int first = 1;
|
||||||
|
int i = 0;
|
||||||
|
|
||||||
if (maxsize < 1)
|
if (maxsize < 1)
|
||||||
return (-1);
|
return (-1);
|
||||||
first = 1;
|
|
||||||
buf[0] = '\0';
|
buf[0] = '\0';
|
||||||
|
|
||||||
if (policy & AUDIT_CNT) {
|
do {
|
||||||
if (strlcat(buf, "cnt", maxsize) >= maxsize)
|
if (policy & au_polstr[i].ap_policy) {
|
||||||
return (-1);
|
if (!first && strlcat(buf, ",", maxsize) >= maxsize)
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_AHLT) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
if (strlcat(buf, au_polstr[i].ap_str, maxsize) >=
|
||||||
if (strlcat(buf, "ahlt", maxsize) >= maxsize)
|
maxsize)
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_ARGV) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
return (-1);
|
||||||
|
first = 0;
|
||||||
}
|
}
|
||||||
if (strlcat(buf, "argv", maxsize) >= maxsize)
|
} while (NULL != au_polstr[++i].ap_str);
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_ARGE) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "arge", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_SEQ) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "seq", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_WINDATA) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "windata", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_USER) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "user", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_GROUP) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "group", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_TRAIL) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "trail", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_PATH) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "path", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_SCNT) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "scnt", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_PUBLIC) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "public", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_ZONENAME) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "zonename", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
if (policy & AUDIT_PERZONE) {
|
|
||||||
if (!first) {
|
|
||||||
if (strlcat(buf, ",", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (strlcat(buf, "perzone", maxsize) >= maxsize)
|
|
||||||
return (-1);
|
|
||||||
first = 0;
|
|
||||||
}
|
|
||||||
return (strlen(buf));
|
return (strlen(buf));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -260,6 +252,7 @@ au_strtopol(const char *polstr, long *policy)
|
|||||||
{
|
{
|
||||||
char *bufp, *string;
|
char *bufp, *string;
|
||||||
char *buffer;
|
char *buffer;
|
||||||
|
int i, matched;
|
||||||
|
|
||||||
*policy = 0;
|
*policy = 0;
|
||||||
buffer = strdup(polstr);
|
buffer = strdup(polstr);
|
||||||
@ -268,35 +261,17 @@ au_strtopol(const char *polstr, long *policy)
|
|||||||
|
|
||||||
bufp = buffer;
|
bufp = buffer;
|
||||||
while ((string = strsep(&bufp, ",")) != NULL) {
|
while ((string = strsep(&bufp, ",")) != NULL) {
|
||||||
if (strcmp(string, "cnt") == 0)
|
matched = i = 0;
|
||||||
*policy |= AUDIT_CNT;
|
|
||||||
else if (strcmp(string, "ahlt") == 0)
|
do {
|
||||||
*policy |= AUDIT_AHLT;
|
if (strcmp(string, au_polstr[i].ap_str) == 0) {
|
||||||
else if (strcmp(string, "argv") == 0)
|
*policy |= au_polstr[i].ap_policy;
|
||||||
*policy |= AUDIT_ARGV;
|
matched = 1;
|
||||||
else if (strcmp(string, "arge") == 0)
|
break;
|
||||||
*policy |= AUDIT_ARGE;
|
}
|
||||||
else if (strcmp(string, "seq") == 0)
|
} while (NULL != au_polstr[++i].ap_str);
|
||||||
*policy |= AUDIT_SEQ;
|
|
||||||
else if (strcmp(string, "winau_fstat") == 0)
|
if (!matched) {
|
||||||
*policy |= AUDIT_WINDATA;
|
|
||||||
else if (strcmp(string, "user") == 0)
|
|
||||||
*policy |= AUDIT_USER;
|
|
||||||
else if (strcmp(string, "group") == 0)
|
|
||||||
*policy |= AUDIT_GROUP;
|
|
||||||
else if (strcmp(string, "trail") == 0)
|
|
||||||
*policy |= AUDIT_TRAIL;
|
|
||||||
else if (strcmp(string, "path") == 0)
|
|
||||||
*policy |= AUDIT_PATH;
|
|
||||||
else if (strcmp(string, "scnt") == 0)
|
|
||||||
*policy |= AUDIT_SCNT;
|
|
||||||
else if (strcmp(string, "public") == 0)
|
|
||||||
*policy |= AUDIT_PUBLIC;
|
|
||||||
else if (strcmp(string, "zonename") == 0)
|
|
||||||
*policy |= AUDIT_ZONENAME;
|
|
||||||
else if (strcmp(string, "perzone") == 0)
|
|
||||||
*policy |= AUDIT_PERZONE;
|
|
||||||
else {
|
|
||||||
free(buffer);
|
free(buffer);
|
||||||
errno = EINVAL;
|
errno = EINVAL;
|
||||||
return (-1);
|
return (-1);
|
||||||
@ -435,46 +410,65 @@ getacmin(int *min_val)
|
|||||||
int
|
int
|
||||||
getacfilesz(size_t *filesz_val)
|
getacfilesz(size_t *filesz_val)
|
||||||
{
|
{
|
||||||
char *filesz, *dummy;
|
char *str;
|
||||||
long long ll;
|
size_t val;
|
||||||
|
char mult;
|
||||||
|
int nparsed;
|
||||||
|
|
||||||
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
pthread_mutex_lock(&mutex);
|
pthread_mutex_lock(&mutex);
|
||||||
#endif
|
#endif
|
||||||
setac_locked();
|
setac_locked();
|
||||||
if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
|
if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &str) < 0) {
|
||||||
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
pthread_mutex_unlock(&mutex);
|
pthread_mutex_unlock(&mutex);
|
||||||
#endif
|
#endif
|
||||||
return (-2);
|
return (-2);
|
||||||
}
|
}
|
||||||
if (filesz == NULL) {
|
if (str == NULL) {
|
||||||
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
pthread_mutex_unlock(&mutex);
|
pthread_mutex_unlock(&mutex);
|
||||||
#endif
|
#endif
|
||||||
errno = EINVAL;
|
errno = EINVAL;
|
||||||
return (1);
|
return (1);
|
||||||
}
|
}
|
||||||
ll = strtoll(filesz, &dummy, 10);
|
|
||||||
if (*dummy != '\0') {
|
/* Trim off any leading white space. */
|
||||||
|
while (*str == ' ' || *str == '\t')
|
||||||
|
str++;
|
||||||
|
|
||||||
|
nparsed = sscanf(str, "%ju%c", (uintmax_t *)&val, &mult);
|
||||||
|
|
||||||
|
switch (nparsed) {
|
||||||
|
case 1:
|
||||||
|
/* If no multiplier then assume 'B' (bytes). */
|
||||||
|
mult = 'B';
|
||||||
|
/* fall through */
|
||||||
|
case 2:
|
||||||
|
if (au_spacetobytes(filesz_val, val, mult) == 0)
|
||||||
|
break;
|
||||||
|
/* fall through */
|
||||||
|
default:
|
||||||
|
errno = EINVAL;
|
||||||
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
pthread_mutex_unlock(&mutex);
|
pthread_mutex_unlock(&mutex);
|
||||||
#endif
|
#endif
|
||||||
errno = EINVAL;
|
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0
|
* The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0
|
||||||
* indicates no rotation size.
|
* indicates no rotation size.
|
||||||
*/
|
*/
|
||||||
if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
|
if (*filesz_val < 0 || (*filesz_val > 0 &&
|
||||||
|
*filesz_val < MIN_AUDIT_FILE_SIZE)) {
|
||||||
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
pthread_mutex_unlock(&mutex);
|
pthread_mutex_unlock(&mutex);
|
||||||
#endif
|
#endif
|
||||||
|
filesz_val = 0L;
|
||||||
errno = EINVAL;
|
errno = EINVAL;
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
*filesz_val = ll;
|
|
||||||
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
pthread_mutex_unlock(&mutex);
|
pthread_mutex_unlock(&mutex);
|
||||||
#endif
|
#endif
|
||||||
@ -619,7 +613,109 @@ getachost(char *auditstr, size_t len)
|
|||||||
#endif
|
#endif
|
||||||
return (-3);
|
return (-3);
|
||||||
}
|
}
|
||||||
strcpy(auditstr, str);
|
strlcpy(auditstr, str, len);
|
||||||
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
|
pthread_mutex_unlock(&mutex);
|
||||||
|
#endif
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Set expiration conditions.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
setexpirecond(time_t *age, size_t *size, u_long value, char mult)
|
||||||
|
{
|
||||||
|
|
||||||
|
if (isupper(mult) || ' ' == mult)
|
||||||
|
return (au_spacetobytes(size, value, mult));
|
||||||
|
else
|
||||||
|
return (au_timetosec(age, value, mult));
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return the expire-after field from the audit control file.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
getacexpire(int *andflg, time_t *age, size_t *size)
|
||||||
|
{
|
||||||
|
char *str;
|
||||||
|
int nparsed;
|
||||||
|
u_long val1, val2;
|
||||||
|
char mult1, mult2;
|
||||||
|
char andor[AU_LINE_MAX];
|
||||||
|
|
||||||
|
*age = 0L;
|
||||||
|
*size = 0LL;
|
||||||
|
*andflg = 0;
|
||||||
|
|
||||||
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
|
pthread_mutex_lock(&mutex);
|
||||||
|
#endif
|
||||||
|
setac_locked();
|
||||||
|
if (getstrfromtype_locked(EXPIRE_AFTER_CONTROL_ENTRY, &str) < 0) {
|
||||||
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
|
pthread_mutex_unlock(&mutex);
|
||||||
|
#endif
|
||||||
|
return (-2);
|
||||||
|
}
|
||||||
|
if (str == NULL) {
|
||||||
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
|
pthread_mutex_unlock(&mutex);
|
||||||
|
#endif
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* First, trim off any leading white space. */
|
||||||
|
while (*str == ' ' || *str == '\t')
|
||||||
|
str++;
|
||||||
|
|
||||||
|
nparsed = sscanf(str, "%lu%c%[ \tadnorADNOR]%lu%c", &val1, &mult1,
|
||||||
|
andor, &val2, &mult2);
|
||||||
|
|
||||||
|
switch (nparsed) {
|
||||||
|
case 1:
|
||||||
|
/* If no multiplier then assume 'B' (Bytes). */
|
||||||
|
mult1 = 'B';
|
||||||
|
/* fall through */
|
||||||
|
case 2:
|
||||||
|
/* One expiration condition. */
|
||||||
|
if (setexpirecond(age, size, val1, mult1) != 0) {
|
||||||
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
|
pthread_mutex_unlock(&mutex);
|
||||||
|
#endif
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 5:
|
||||||
|
/* Two expiration conditions. */
|
||||||
|
if (setexpirecond(age, size, val1, mult1) != 0 ||
|
||||||
|
setexpirecond(age, size, val2, mult2) != 0) {
|
||||||
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
|
pthread_mutex_unlock(&mutex);
|
||||||
|
#endif
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
if (strcasestr(andor, "and") != NULL)
|
||||||
|
*andflg = 1;
|
||||||
|
else if (strcasestr(andor, "or") != NULL)
|
||||||
|
*andflg = 0;
|
||||||
|
else {
|
||||||
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
|
pthread_mutex_unlock(&mutex);
|
||||||
|
#endif
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
|
pthread_mutex_unlock(&mutex);
|
||||||
|
#endif
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
#ifdef HAVE_PTHREAD_MUTEX_LOCK
|
||||||
pthread_mutex_unlock(&mutex);
|
pthread_mutex_unlock(&mutex);
|
||||||
#endif
|
#endif
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#16 $
|
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#17 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -494,7 +494,7 @@ static const struct bsm_errno bsm_errnos[] = {
|
|||||||
#else
|
#else
|
||||||
ERRNO_NO_LOCAL_MAPPING,
|
ERRNO_NO_LOCAL_MAPPING,
|
||||||
#endif
|
#endif
|
||||||
ES("Malfored Macho file") },
|
ES("Malformed Macho file") },
|
||||||
{ BSM_ERRNO_EPOLICY,
|
{ BSM_ERRNO_EPOLICY,
|
||||||
#ifdef EPOLICY
|
#ifdef EPOLICY
|
||||||
EPOLICY,
|
EPOLICY,
|
||||||
|
@ -32,7 +32,7 @@
|
|||||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#60 $
|
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#61 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -193,7 +193,7 @@ print_mem(FILE *fp, u_char *data, size_t len)
|
|||||||
if (len > 0) {
|
if (len > 0) {
|
||||||
fprintf(fp, "0x");
|
fprintf(fp, "0x");
|
||||||
for (i = 0; i < len; i++)
|
for (i = 0; i < len; i++)
|
||||||
fprintf(fp, "%x", data[i]);
|
fprintf(fp, "%02x", data[i]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2004-2008 Apple Inc.
|
* Copyright (c) 2004-2009 Apple Inc.
|
||||||
* Copyright (c) 2005 SPARTA, Inc.
|
* Copyright (c) 2005 SPARTA, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
@ -30,7 +30,7 @@
|
|||||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#86 $
|
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#90 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -168,7 +168,7 @@ au_to_attr32(struct vnode_au_info *vni)
|
|||||||
token_t *t;
|
token_t *t;
|
||||||
u_char *dptr = NULL;
|
u_char *dptr = NULL;
|
||||||
u_int16_t pad0_16 = 0;
|
u_int16_t pad0_16 = 0;
|
||||||
u_int16_t pad0_32 = 0;
|
u_int32_t pad0_32 = 0;
|
||||||
|
|
||||||
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
|
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
|
||||||
3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
|
3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
|
||||||
@ -217,7 +217,7 @@ au_to_attr64(struct vnode_au_info *vni)
|
|||||||
token_t *t;
|
token_t *t;
|
||||||
u_char *dptr = NULL;
|
u_char *dptr = NULL;
|
||||||
u_int16_t pad0_16 = 0;
|
u_int16_t pad0_16 = 0;
|
||||||
u_int16_t pad0_32 = 0;
|
u_int32_t pad0_32 = 0;
|
||||||
|
|
||||||
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
|
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
|
||||||
3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
|
3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
|
||||||
@ -487,7 +487,8 @@ au_to_ipc_perm(struct ipc_perm *perm)
|
|||||||
u_char *dptr = NULL;
|
u_char *dptr = NULL;
|
||||||
u_int16_t pad0 = 0;
|
u_int16_t pad0 = 0;
|
||||||
|
|
||||||
GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
|
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
|
||||||
|
sizeof(u_int32_t));
|
||||||
if (t == NULL)
|
if (t == NULL)
|
||||||
return (NULL);
|
return (NULL);
|
||||||
|
|
||||||
@ -962,15 +963,15 @@ au_to_socket_ex(u_short so_domain, u_short so_type,
|
|||||||
5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
|
5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
|
||||||
else if (so_domain == AF_INET6)
|
else if (so_domain == AF_INET6)
|
||||||
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
|
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
|
||||||
5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t));
|
5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
|
||||||
else {
|
else {
|
||||||
errno = EINVAL;
|
errno = EINVAL;
|
||||||
return (NULL);
|
return (NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
ADD_U_CHAR(dptr, AUT_SOCKET_EX);
|
ADD_U_CHAR(dptr, AUT_SOCKET_EX);
|
||||||
ADD_U_INT16(dptr, so_domain); /* XXXRW: explicitly convert? */
|
ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
|
||||||
ADD_U_INT16(dptr, so_type); /* XXXRW: explicitly convert? */
|
ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
|
||||||
if (so_domain == AF_INET) {
|
if (so_domain == AF_INET) {
|
||||||
ADD_U_INT16(dptr, AU_IPv4);
|
ADD_U_INT16(dptr, AU_IPv4);
|
||||||
sin = (struct sockaddr_in *)sa_local;
|
sin = (struct sockaddr_in *)sa_local;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
.\" Copyright (c) 2004 Apple Inc.
|
.\" Copyright (c) 2004-2009 Apple Inc.
|
||||||
.\" Copyright (c) 2006 Robert N. M. Watson
|
.\" Copyright (c) 2006 Robert N. M. Watson
|
||||||
.\" All rights reserved.
|
.\" All rights reserved.
|
||||||
.\"
|
.\"
|
||||||
@ -26,9 +26,9 @@
|
|||||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
|
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $
|
||||||
.\"
|
.\"
|
||||||
.Dd January 4, 2006
|
.Dd January 29, 2009
|
||||||
.Dt AUDIT_CONTROL 5
|
.Dt AUDIT_CONTROL 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -86,6 +86,18 @@ rotate the audit trail file at around this size.
|
|||||||
Sizes less than the minimum trail size (default of 512K) will be rejected as
|
Sizes less than the minimum trail size (default of 512K) will be rejected as
|
||||||
invalid.
|
invalid.
|
||||||
If 0, trail files will not be automatically rotated based on file size.
|
If 0, trail files will not be automatically rotated based on file size.
|
||||||
|
For convenience, the trail size may be expressed with suffix letters:
|
||||||
|
B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes).
|
||||||
|
For example, 2M is the same as 2097152.
|
||||||
|
.It Va expire-after
|
||||||
|
Specifies when audit log files will expire and be removed.
|
||||||
|
This may be after a time period has passed since the file was last
|
||||||
|
written to or when the aggregate of all the trail files have reached a
|
||||||
|
specified size or a combination of both.
|
||||||
|
If no expire-after parameter is given then audit log files with not
|
||||||
|
expire and be removed by the audit control system.
|
||||||
|
See the information below for the format of the expiration
|
||||||
|
specification.
|
||||||
.El
|
.El
|
||||||
.Sh AUDIT FLAGS
|
.Sh AUDIT FLAGS
|
||||||
Audit flags are a comma-delimited list of audit classes as defined in the
|
Audit flags are a comma-delimited list of audit classes as defined in the
|
||||||
@ -170,6 +182,51 @@ flag but not
|
|||||||
.Cm ahlt
|
.Cm ahlt
|
||||||
flag unless it is intended that audit logs exceeding available disk space
|
flag unless it is intended that audit logs exceeding available disk space
|
||||||
halt the system.
|
halt the system.
|
||||||
|
.Sh AUDIT LOG EXPIRATION SPECIFICATION
|
||||||
|
The expiration specification can be one value or two values with the
|
||||||
|
logical conjunction of AND/OR between them.
|
||||||
|
Values for the audit log file age are numbers with the following
|
||||||
|
suffixes:
|
||||||
|
.Pp
|
||||||
|
.Bl -tag -width "(space) or" -compact -offset indent
|
||||||
|
.It Li s
|
||||||
|
Log file age in seconds.
|
||||||
|
.It Li h
|
||||||
|
Log file age in hours.
|
||||||
|
.It Li d
|
||||||
|
Log file age in days.
|
||||||
|
.It Li y
|
||||||
|
Log file age in years.
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
Values for the disk space used are numbers with the following suffixes:
|
||||||
|
.Pp
|
||||||
|
.Bl -tag -width "(space) or" -compact -offset indent
|
||||||
|
.It (space) or
|
||||||
|
.It Li B
|
||||||
|
Disk space used in Bytes.
|
||||||
|
.It Li K
|
||||||
|
Disk space used in Kilobytes.
|
||||||
|
.It Li M
|
||||||
|
Disk space used in Megabytes.
|
||||||
|
.It Li G
|
||||||
|
Disk space used in Gigabytes.
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
The suffixes on the values are case sensitive.
|
||||||
|
If both an age and disk space value are used they are seperated by
|
||||||
|
AND or OR and both values are used to determine when audit
|
||||||
|
log files expire.
|
||||||
|
In the case of AND, both the age and disk space conditions must be meet
|
||||||
|
before the log file is removed.
|
||||||
|
In the case of OR, either condition may expire the log file.
|
||||||
|
For example:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
expire-after: 60d AND 1G
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
will expire files that are older than 60 days but only if 1
|
||||||
|
gigabyte of disk space total is being used by the audit logs.
|
||||||
.Sh DEFAULT
|
.Sh DEFAULT
|
||||||
The following settings appear in the default
|
The following settings appear in the default
|
||||||
.Nm
|
.Nm
|
||||||
@ -177,10 +234,10 @@ file:
|
|||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
dir:/var/audit
|
dir:/var/audit
|
||||||
flags:lo
|
flags:lo
|
||||||
minfree:20
|
minfree:5
|
||||||
naflags:lo
|
naflags:lo
|
||||||
policy:cnt
|
policy:cnt,argv
|
||||||
filesz:0
|
filesz:2097152
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
@ -190,9 +247,12 @@ events.
|
|||||||
The
|
The
|
||||||
.Va policy
|
.Va policy
|
||||||
parameter specifies that the system should neither fail stop nor suspend
|
parameter specifies that the system should neither fail stop nor suspend
|
||||||
processes when the audit store fills.
|
processes when the audit store fills and that command line arguments should
|
||||||
The trail file will not be automatically rotated by the audit daemon based on
|
be audited for
|
||||||
file size.
|
.Dv AUE_EXECVE
|
||||||
|
events.
|
||||||
|
The trail file will be automatically rotated by the audit daemon when the
|
||||||
|
file size reaches approximately 2MB.
|
||||||
.Sh FILES
|
.Sh FILES
|
||||||
.Bl -tag -width ".Pa /etc/security/audit_control" -compact
|
.Bl -tag -width ".Pa /etc/security/audit_control" -compact
|
||||||
.It Pa /etc/security/audit_control
|
.It Pa /etc/security/audit_control
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
.\"-
|
.\"-
|
||||||
|
.\" Copyright (c) 2008-2009 Apple Inc.
|
||||||
.\" Copyright (c) 2005 Robert N. M. Watson
|
.\" Copyright (c) 2005 Robert N. M. Watson
|
||||||
.\" Copyright (c) 2005 Tom Rhodes
|
.\" Copyright (c) 2005 Tom Rhodes
|
||||||
.\" Copyright (c) 2005 Wayne J. Salamon
|
.\" Copyright (c) 2005 Wayne J. Salamon
|
||||||
@ -25,7 +26,7 @@
|
|||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
.\" SUCH DAMAGE.
|
.\" SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#14 $
|
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#15 $
|
||||||
.\"
|
.\"
|
||||||
.Dd July 10, 2008
|
.Dd July 10, 2008
|
||||||
.Dt AUDITON 2
|
.Dt AUDITON 2
|
||||||
@ -405,9 +406,15 @@ trigger values:
|
|||||||
file),
|
file),
|
||||||
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
|
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
|
||||||
(close the current log file and exit),
|
(close the current log file and exit),
|
||||||
or
|
|
||||||
.Dv AUDIT_TRIGGER_NO_SPACE
|
.Dv AUDIT_TRIGGER_NO_SPACE
|
||||||
(no disk space left for audit log file).
|
(no disk space left for audit log file).
|
||||||
|
.Dv AUDIT_TRIGGER_ROTATE_USER
|
||||||
|
(request audit log file rotation).
|
||||||
|
.Dv AUDIT_TRIGGER_INITIALIZE
|
||||||
|
(initialize audit subsystem for Mac OS X only).
|
||||||
|
or
|
||||||
|
.Dv AUDIT_TRIGGER_EXPIRE_TRAILS
|
||||||
|
(request audit log file expiration).
|
||||||
.El
|
.El
|
||||||
.Sh RETURN VALUES
|
.Sh RETURN VALUES
|
||||||
.Rv -std
|
.Rv -std
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#4 $
|
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#5 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _BSM_AUDIT_H
|
#ifndef _BSM_AUDIT_H
|
||||||
@ -65,8 +65,9 @@
|
|||||||
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
|
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
|
||||||
#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
|
#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
|
||||||
#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */
|
#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */
|
||||||
#define AUDIT_TRIGGER_INITIALIZE 7 /* Initialize audit. */
|
#define AUDIT_TRIGGER_INITIALIZE 7 /* User initialize of auditd. */
|
||||||
#define AUDIT_TRIGGER_MAX 7
|
#define AUDIT_TRIGGER_EXPIRE_TRAILS 8 /* User expiration of trails. */
|
||||||
|
#define AUDIT_TRIGGER_MAX 8
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The special device filename (FreeBSD).
|
* The special device filename (FreeBSD).
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#4 $
|
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#5 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _BSM_AUDIT_KEVENTS_H_
|
#ifndef _BSM_AUDIT_KEVENTS_H_
|
||||||
@ -586,6 +586,8 @@
|
|||||||
#define AUE_CAP_GETMODE 43189 /* TrustedBSD. */
|
#define AUE_CAP_GETMODE 43189 /* TrustedBSD. */
|
||||||
#define AUE_POSIX_SPAWN 43190 /* Darwin. */
|
#define AUE_POSIX_SPAWN 43190 /* Darwin. */
|
||||||
#define AUE_FSGETPATH 43191 /* Darwin. */
|
#define AUE_FSGETPATH 43191 /* Darwin. */
|
||||||
|
#define AUE_PREAD 43192 /* Darwin/FreeBSD. */
|
||||||
|
#define AUE_PWRITE 43193 /* Darwin/FreeBSD. */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
|
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
|
||||||
@ -657,7 +659,6 @@
|
|||||||
/*
|
/*
|
||||||
* Possible desired future values based on review of BSD/Darwin system calls.
|
* Possible desired future values based on review of BSD/Darwin system calls.
|
||||||
*/
|
*/
|
||||||
#define AUE_ACCESSEXTENDED AUE_NULL
|
|
||||||
#define AUE_ATGETMSG AUE_NULL
|
#define AUE_ATGETMSG AUE_NULL
|
||||||
#define AUE_ATPUTMSG AUE_NULL
|
#define AUE_ATPUTMSG AUE_NULL
|
||||||
#define AUE_ATSOCKET AUE_NULL
|
#define AUE_ATSOCKET AUE_NULL
|
||||||
@ -668,11 +669,9 @@
|
|||||||
#define AUE_BSDTHREADCREATE AUE_NULL
|
#define AUE_BSDTHREADCREATE AUE_NULL
|
||||||
#define AUE_BSDTHREADTERMINATE AUE_NULL
|
#define AUE_BSDTHREADTERMINATE AUE_NULL
|
||||||
#define AUE_BSDTHREADREGISTER AUE_NULL
|
#define AUE_BSDTHREADREGISTER AUE_NULL
|
||||||
#define AUE_CHMODEXTENDED AUE_NULL
|
|
||||||
#define AUE_CHUD AUE_NULL
|
#define AUE_CHUD AUE_NULL
|
||||||
#define AUE_CSOPS AUE_NULL
|
#define AUE_CSOPS AUE_NULL
|
||||||
#define AUE_DUP AUE_NULL
|
#define AUE_DUP AUE_NULL
|
||||||
#define AUE_FCHMODEXTENDED AUE_NULL
|
|
||||||
#define AUE_FDATASYNC AUE_NULL
|
#define AUE_FDATASYNC AUE_NULL
|
||||||
#define AUE_FFSCTL AUE_NULL
|
#define AUE_FFSCTL AUE_NULL
|
||||||
#define AUE_FGETATTRLIST AUE_NULL
|
#define AUE_FGETATTRLIST AUE_NULL
|
||||||
@ -682,11 +681,10 @@
|
|||||||
#define AUE_FSCTL AUE_NULL
|
#define AUE_FSCTL AUE_NULL
|
||||||
#define AUE_FSETATTRLIST AUE_NULL
|
#define AUE_FSETATTRLIST AUE_NULL
|
||||||
#define AUE_FSETXATTR AUE_NULL
|
#define AUE_FSETXATTR AUE_NULL
|
||||||
#define AUE_FSTATEXTENDED AUE_NULL
|
|
||||||
#define AUE_FSTATFS64 AUE_NULL
|
#define AUE_FSTATFS64 AUE_NULL
|
||||||
#define AUE_FSTATV AUE_NULL
|
#define AUE_FSTATV AUE_NULL
|
||||||
#define AUE_FSTAT64 AUE_NULL
|
#define AUE_FSTAT64 AUE_NULL
|
||||||
#define AUE_FSTAT64EXTENDED AUE_NULL
|
#define AUE_FSTAT64_EXTENDED AUE_NULL
|
||||||
#define AUE_GCCONTROL AUE_NULL
|
#define AUE_GCCONTROL AUE_NULL
|
||||||
#define AUE_GETDIRENTRIES64 AUE_NULL
|
#define AUE_GETDIRENTRIES64 AUE_NULL
|
||||||
#define AUE_GETDTABLESIZE AUE_NULL
|
#define AUE_GETDTABLESIZE AUE_NULL
|
||||||
@ -720,21 +718,15 @@
|
|||||||
#define AUE_ISSETUGID AUE_NULL
|
#define AUE_ISSETUGID AUE_NULL
|
||||||
#define AUE_LIOLISTIO AUE_NULL
|
#define AUE_LIOLISTIO AUE_NULL
|
||||||
#define AUE_LISTXATTR AUE_NULL
|
#define AUE_LISTXATTR AUE_NULL
|
||||||
#define AUE_LSTATEXTENDED AUE_NULL
|
|
||||||
#define AUE_LSTATV AUE_NULL
|
#define AUE_LSTATV AUE_NULL
|
||||||
#define AUE_LSTAT64 AUE_NULL
|
#define AUE_LSTAT64 AUE_NULL
|
||||||
#define AUE_LSTAT64EXTENDED AUE_NULL
|
#define AUE_LSTAT64_EXTENDED AUE_NULL
|
||||||
#define AUE_MADVISE AUE_NULL
|
#define AUE_MADVISE AUE_NULL
|
||||||
#define AUE_MINCORE AUE_NULL
|
#define AUE_MINCORE AUE_NULL
|
||||||
#define AUE_MKCOMPLEX AUE_NULL
|
#define AUE_MKCOMPLEX AUE_NULL
|
||||||
#define AUE_MKDIREXTENDED AUE_NULL
|
|
||||||
#define AUE_MKFIFOEXTENDED AUE_NULL
|
|
||||||
#define AUE_MODWATCH AUE_NULL
|
#define AUE_MODWATCH AUE_NULL
|
||||||
#define AUE_MSGCL AUE_NULL
|
#define AUE_MSGCL AUE_NULL
|
||||||
#define AUE_MSYNC AUE_NULL
|
#define AUE_MSYNC AUE_NULL
|
||||||
#define AUE_OPENEXTENDED AUE_NULL
|
|
||||||
#define AUE_PREAD AUE_NULL
|
|
||||||
#define AUE_PWRITE AUE_NULL
|
|
||||||
#define AUE_PREADV AUE_NULL
|
#define AUE_PREADV AUE_NULL
|
||||||
#define AUE_PROCINFO AUE_NULL
|
#define AUE_PROCINFO AUE_NULL
|
||||||
#define AUE_PTHREADCANCELED AUE_NULL
|
#define AUE_PTHREADCANCELED AUE_NULL
|
||||||
@ -778,15 +770,13 @@
|
|||||||
#define AUE_SIGWAIT AUE_NULL
|
#define AUE_SIGWAIT AUE_NULL
|
||||||
#define AUE_SSTK AUE_NULL
|
#define AUE_SSTK AUE_NULL
|
||||||
#define AUE_STACKSNAPSHOT AUE_NULL
|
#define AUE_STACKSNAPSHOT AUE_NULL
|
||||||
#define AUE_STATEXTENDED AUE_NULL
|
|
||||||
#define AUE_STATFS64 AUE_NULL
|
#define AUE_STATFS64 AUE_NULL
|
||||||
#define AUE_STATV AUE_NULL
|
#define AUE_STATV AUE_NULL
|
||||||
#define AUE_STAT64 AUE_NULL
|
#define AUE_STAT64 AUE_NULL
|
||||||
#define AUE_STAT64EXTENDED AUE_NULL
|
#define AUE_STAT64_EXTENDED AUE_NULL
|
||||||
#define AUE_SYNC AUE_NULL
|
#define AUE_SYNC AUE_NULL
|
||||||
#define AUE_SYSCALL AUE_NULL
|
#define AUE_SYSCALL AUE_NULL
|
||||||
#define AUE_TABLE AUE_NULL
|
#define AUE_TABLE AUE_NULL
|
||||||
#define AUE_UMASKEXTENDED AUE_NULL
|
|
||||||
#define AUE_VMPRESSUREMONITOR AUE_NULL
|
#define AUE_VMPRESSUREMONITOR AUE_NULL
|
||||||
#define AUE_WAITEVENT AUE_NULL
|
#define AUE_WAITEVENT AUE_NULL
|
||||||
#define AUE_WAITID AUE_NULL
|
#define AUE_WAITID AUE_NULL
|
||||||
|
@ -23,7 +23,7 @@
|
|||||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
* SUCH DAMAGE.
|
* SUCH DAMAGE.
|
||||||
*
|
*
|
||||||
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#7 $
|
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#8 $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <bsm/libbsm.h>
|
#include <bsm/libbsm.h>
|
||||||
@ -80,6 +80,8 @@ audump_control(void)
|
|||||||
char string[PATH_MAX], string2[PATH_MAX];
|
char string[PATH_MAX], string2[PATH_MAX];
|
||||||
int ret, val;
|
int ret, val;
|
||||||
long policy;
|
long policy;
|
||||||
|
time_t age;
|
||||||
|
size_t size;
|
||||||
|
|
||||||
ret = getacflg(string, PATH_MAX);
|
ret = getacflg(string, PATH_MAX);
|
||||||
if (ret == -2)
|
if (ret == -2)
|
||||||
@ -126,6 +128,32 @@ audump_control(void)
|
|||||||
if (au_poltostr(policy, PATH_MAX, string2) < 0)
|
if (au_poltostr(policy, PATH_MAX, string2) < 0)
|
||||||
err(-1, "au_poltostr");
|
err(-1, "au_poltostr");
|
||||||
printf("policy:%s\n", string2);
|
printf("policy:%s\n", string2);
|
||||||
|
|
||||||
|
ret = getacfilesz(&size);
|
||||||
|
if (ret == -2)
|
||||||
|
err(-1, "getacfilesz");
|
||||||
|
if (ret != 0)
|
||||||
|
err(-1, "getacfilesz: %d", ret);
|
||||||
|
|
||||||
|
printf("filesz:%ldB\n", size);
|
||||||
|
|
||||||
|
|
||||||
|
ret = getachost(string, PATH_MAX);
|
||||||
|
if (ret == -2)
|
||||||
|
err(-1, "getachost");
|
||||||
|
if (ret == -3)
|
||||||
|
err(-1, "getachost: %d", ret);
|
||||||
|
if (ret == 0 && ret != 1)
|
||||||
|
printf("host:%s\n", string);
|
||||||
|
|
||||||
|
ret = getacexpire(&val, &age, &size);
|
||||||
|
if (ret == -2)
|
||||||
|
err(-1, "getacexpire");
|
||||||
|
if (ret == -1)
|
||||||
|
err(-1, "getacexpire: %d", ret);
|
||||||
|
if (ret == 0 && ret != 1)
|
||||||
|
printf("expire-after:%ldB %s %lds\n", size,
|
||||||
|
val ? "AND" : "OR", age);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
Loading…
Reference in New Issue
Block a user