Merge OpenBSM 1.0 alpha 12 from HEAD to RELENG_6, which includes a broad
range of bug fixes made as a result of reports on 6.x, as well as some
minor enhancements:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working
  correctly when the user specifies to process successful or failed events.
  The problem stemmed from not having access to the return token at the time
  the initial preselection occurred, but now a second preselection process
  occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
  which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
  line; this was the documented behavior previously, but it was not
  implemented.  Be more specific in auditreduce(1)'s examples section about
  what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
  termination of an audit trail file.  For example, this might be used to
  compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
  now supply one or more (comma delimited) regular expressions for searching
  the pathnames. If one of the regular expressions is prefixed with a tilde
  (~), and a path matches, it will be excluded from the search results.

OpenBSM 1.0 alpha 11

- Reclassify certain read/write operations as having no class rather than the
  fr/fw class; our default classes audit intent (open) not operations (read,
  write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
  and writes of sysctls as separate events.  Add additional kernel
  environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
  (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
  by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
  a dropped request, the log file will otherwise grow indefinitely if the
  trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
  routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
  representations of audit_control policy flags and the flags passed to
  auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
  extension to the Solaris file format to allow specification of policy
  persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
  policy to match it when configuring/reconfiguring.  Remove the -s and -h
  arguments as these policies are now set via the configuration file.  If a
  policy line is not found in the configuration file, continue with the
  current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
  variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.

Approved by:	re (kensmith)
rwatson 2006-09-29 22:41:55 +00:00
parent fd1cbafb64
commit dfe8f4529b
27 changed files with 879 additions and 211 deletions


@ -1,3 +1,58 @@
OpenBSM 1.0 alpha 12
- Correct bug in auditreduce which prevented the -c option from working
correctly when the user specifies to process successful or failed events.
The problem stemmed from not having access to the return token at the time
the initial preselection occurred, but now a second preselection process
occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
line; this was the documented behavior previously, but it was not
implemented. Be more specific in auditreduce(1)'s examples section about
what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
termination of an audit trail file. For example, this might be used to
compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
now supply one or more (comma delimited) regular expressions for searching
the pathnames. If one of the regular expressions is prefixed with a tilde
(~), and a path matches, it will be excluded from the search results.
OpenBSM 1.0 alpha 11
- Reclassify certain read/write operations as having no class rather than the
fr/fw class; our default classes audit intent (open) not operations (read,
write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
and writes of sysctls as separate events. Add additional kernel
environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
(issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
a dropped request, the log file will otherwise grow indefinitely if the
trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
representations of audit_control policy flags and the flags passed to
auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
extension to the Solaris file format to allow specification of policy
persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
policy to match it when configuring/reconfiguring. Remove the -s and -h
arguments as these policies are now set via the configuration file. If a
policy line is not found in the configuration file, continue with the
current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.
OpenBSM 1.0 alpha 10
- auditd now generates complete audit records for its events, as required for
@ -209,4 +264,4 @@ OpenBSM 1.0 alpha 1
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
$P4: //depot/projects/trustedbsd/openbsm/HISTORY#26 $
$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $


@ -17,5 +17,7 @@
just at the beginning of a record. This will make it easier to use
praudit in test suites processing single-token files without header and
trailer context.
- Put hostname in trail file name.
- Document audit_warn event arguments.
$P4: //depot/projects/trustedbsd/openbsm/TODO#6 $
$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $


@ -1 +1 @@
OPENBSM_1_0_ALPHA_9
OPENBSM_1_0_ALPHA_12


@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#6 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#7 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
@ -75,7 +75,7 @@ main(int argc, char **argv)
switch(ch) {
case 'n':
trigger = AUDIT_TRIGGER_OPEN_NEW;
trigger = AUDIT_TRIGGER_ROTATE_USER;
break;
case 's':


@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#7 $
*/
#include <sys/types.h>
@ -124,6 +124,21 @@ audit_warn_auditoff(void)
return (auditwarnlog(args));
}
/*
* Indicate that a trail file has been closed, so can now be post-processed.
*/
int
audit_warn_closefile(char *filename)
{
char *args[3];
args[0] = CLOSEFILE_WARN;
args[1] = filename;
args[2] = NULL;
return (auditwarnlog(args));
}
/*
* Indicates that the audit deammn is already running
*/
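Review bot: the comment on audit_warn_closefile() is missing its subject (`so can now be post-processed`); write `so that it can now be post-processed`. The trailing context line `Indicates that the audit deammn is already running` carries a pre-existing typo for `daemon` that is worth fixing while this file is open. The argument handed to the hook is `lastfile` after the rename, which is the path an operator's compress step needs, so the interface itself is fine.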


@ -29,7 +29,7 @@
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#8 $
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#9 $
.\"
.Dd January 24, 2004
.Dt AUDITD 8
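Review bot: the `.Dd January 24, 2004` date in this hunk's context is not bumped although the option list of auditd(8) changes in the next hunk (the `-h` and `-s` entries are removed); set the manual page date to the revision date so readers can tell the page reflects the new behaviour.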
@ -51,14 +51,20 @@ The options are as follows:
.Bl -tag -width Ds
.It Fl d
Starts the daemon in debug mode - it will not daemonize.
.It Fl h
Specifies that if auditing cannot be performed as specified, the system should
halt (panic). Normally, the system will attempt to proceed - although individual
processes may be stopped (see the -s option).
.It Fl s
Specifies that individual processes should stop rather than perform operations
that may cause audit records to be lost due to log file full conditions
.El
.Pp
The historical
.Fl h
and
.Fl s
flags are now configured using
.Xr audit_control 5
policy flags
.Dv ahlt
and
.Dv cnt ,
and are no longer available as arguments to
.Xr auditd 8 .
.Sh NOTE
.Pp
To assure uninterrupted audit support, the
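Review bot: the replacement text maps the historical flags one-to-one onto policy flags (`-h` to `ahlt`, `-s` to `cnt`), but `-s` was the fail-stop option that cleared AUDIT_CNT (the removed `global_flags &= ~(AUDIT_CNT);` in the auditd.c hunk further down), so its equivalent is leaving `cnt` out of the `policy:` line, not setting it. Reword to say that `ahlt` replaces `-h` and that omitting `cnt` from the `policy:` entry gives the old `-s` behaviour. Also, `.Sh NOTE` followed directly by `.Pp` is redundant in mdoc.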


@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#18 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
*/
#include <sys/types.h>
@ -59,6 +59,7 @@
#include "auditd.h"
#define NA_EVENT_STR_SIZE 25
#define POL_STR_SIZE 128
static int ret, minval;
static char *lastfile = NULL;
@ -67,7 +68,6 @@ static int triggerfd = 0;
static int sigchlds, sigchlds_handled;
static int sighups, sighups_handled;
static int sigterms, sigterms_handled;
static long global_flags;
static TAILQ_HEAD(, dir_ent) dir_q;
@ -160,11 +160,14 @@ close_lastfile(char *TS)
*ptr = '.';
strcpy(ptr+1, TS);
if (rename(oldname, lastfile) != 0)
syslog(LOG_ERR, "Could not rename %s to %s",
oldname, lastfile);
else
syslog(LOG_ERR,
"Could not rename %s to %s: %m", oldname,
lastfile);
else {
syslog(LOG_INFO, "renamed %s to %s",
oldname, lastfile);
audit_warn_closefile(lastfile);
}
}
free(lastfile);
free(oldname);
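Review bot: audit_warn_closefile() is invoked only on the success side of `rename(oldname, lastfile)`; when the rename fails the trail file is still closed and still exists under `oldname`, but no closefile event reaches the administrator's audit_warn(5) hook, so a post-processing step such as compression silently skips that file. Either call `audit_warn_closefile(oldname)` in the error branch as well, or state in audit_warn(5) that closefile is only delivered for successfully renamed trails. The new LOG_INFO `renamed %s to %s` message also adds a syslog line on every rotation; consider LOG_DEBUG if that is not intended.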
@ -286,7 +289,7 @@ swap_audit_file(void)
free(dirent->dirname);
free(dirent);
}
syslog(LOG_ERR, "Log directories exhausted\n");
syslog(LOG_ERR, "Log directories exhausted");
return (-1);
}
@ -343,7 +346,7 @@ read_control_file(void)
* XXX is generated here?
*/
if (0 == (ret = getacmin(&minval))) {
syslog(LOG_DEBUG, "min free = %d\n", minval);
syslog(LOG_DEBUG, "min free = %d", minval);
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
syslog(LOG_ERR,
"could not get audit queue settings");
@ -494,31 +497,65 @@ register_daemon(void)
}
/*
* Suppress duplicate messages within a 30 second interval. This should be
* enough to time to rotate log files without thrashing from soft warnings
* generated before the log is actually rotated.
* Handle the audit trigger event.
*
* We suppress (ignore) duplicated triggers in close succession in order to
* try to avoid thrashing-like behavior. However, not all triggers can be
* ignored, as triggers generally represent edge triggers, not level
* triggers, and won't be retransmitted if the condition persists. Of
* specific concern is the rotate trigger -- if one is dropped, then it will
* not be retransmitted, and the log file will grow in an unbounded fashion.
*/
#define DUPLICATE_INTERVAL 30
static void
handle_audit_trigger(int trigger)
{
static int last_trigger;
static int last_trigger, last_warning;
static time_t last_time;
struct dir_ent *dirent;
/*
* Suppres duplicate messages from the kernel within the specified
* interval.
*/
struct timeval ts;
struct timezone tzp;
time_t tt;
/*
* Suppress duplicate messages from the kernel within the specified
* interval.
*/
if (gettimeofday(&ts, &tzp) == 0) {
tt = (time_t)ts.tv_sec;
if ((trigger == last_trigger) &&
(tt < (last_time + DUPLICATE_INTERVAL)))
return;
switch (trigger) {
case AUDIT_TRIGGER_LOW_SPACE:
case AUDIT_TRIGGER_NO_SPACE:
/*
* Triggers we can suppress. Of course, we also need
* to rate limit the warnings, so apply the same
* interval limit on syslog messages.
*/
if ((trigger == last_trigger) &&
(tt < (last_time + DUPLICATE_INTERVAL))) {
if (tt >= (last_warning + DUPLICATE_INTERVAL))
syslog(LOG_INFO,
"Suppressing duplicate trigger %d",
trigger);
return;
}
last_warning = tt;
break;
case AUDIT_TRIGGER_ROTATE_KERNEL:
case AUDIT_TRIGGER_ROTATE_USER:
case AUDIT_TRIGGER_READ_FILE:
/*
* Triggers that we cannot suppress.
*/
break;
}
/*
* Only update last_trigger after aborting due to a duplicate
* trigger, not before, or we will never allow that trigger
* again.
*/
last_trigger = trigger;
last_time = tt;
}
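Review bot: the `Suppressing duplicate trigger %d` message in the AUDIT_TRIGGER_LOW_SPACE/AUDIT_TRIGGER_NO_SPACE branch is unreachable. An accepted trigger sets both `last_warning = tt;` and, at the end of the block, `last_time = tt;` with the same `tt`, so inside the duplicate check (`tt < (last_time + DUPLICATE_INTERVAL)`) the condition `tt >= (last_warning + DUPLICATE_INTERVAL)` can never hold. If the intent is one rate-limited notice per interval while suppression is in effect, assign `last_warning = tt;` inside the suppressed branch at the point the message is logged and drop the assignment after the `if`. Two smaller points: there is no `default:` case, so an unrecognised trigger value bypasses suppression and is passed on (probably fine, but worth a comment), and `Only update last_trigger after aborting due to a duplicate trigger` should read `after checking for a duplicate trigger`, since nothing is updated after an abort.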
@ -528,7 +565,6 @@ handle_audit_trigger(int trigger)
*/
dirent = TAILQ_FIRST(&dir_q);
switch(trigger) {
case AUDIT_TRIGGER_LOW_SPACE:
syslog(LOG_INFO, "Got low space trigger");
if (dirent && (dirent->softlim != 1)) {
@ -554,7 +590,8 @@ handle_audit_trigger(int trigger)
} else {
/*
* Continue auditing to the current file. Also
* generate an allsoft warning.
* generate an allsoft warning.
*
* XXX do we want to do this ?
*/
audit_warn_allsoft();
@ -577,12 +614,14 @@ handle_audit_trigger(int trigger)
audit_warn_allhard(++allhardcount);
break;
case AUDIT_TRIGGER_OPEN_NEW:
case AUDIT_TRIGGER_ROTATE_KERNEL:
case AUDIT_TRIGGER_ROTATE_USER:
/*
* Create a new file and swap with the one being used in
* kernel
*/
syslog(LOG_INFO, "Got open new trigger");
syslog(LOG_INFO, "Got open new trigger from %s", trigger ==
AUDIT_TRIGGER_ROTATE_KERNEL ? "kernel" : "user");
if (swap_audit_file() == -1)
syslog(LOG_ERR, "Error swapping audit file");
break;
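Review bot: the syslog text still says `Got open new trigger from %s` although the event has been split into AUDIT_TRIGGER_ROTATE_KERNEL and AUDIT_TRIGGER_ROTATE_USER; `Got rotate trigger from %s` keeps log messages searchable under the new name.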
@ -656,10 +695,8 @@ wait_for_events(void)
syslog(LOG_DEBUG, "%s: SIGTERM", __FUNCTION__);
break;
}
if (sigchlds != sigchlds_handled) {
syslog(LOG_DEBUG, "%s: SIGCHLD", __FUNCTION__);
if (sigchlds != sigchlds_handled)
handle_sigchld();
}
if (sighups != sighups_handled) {
syslog(LOG_DEBUG, "%s: SIGHUP", __FUNCTION__);
handle_sighup();
@ -670,7 +707,6 @@ wait_for_events(void)
syslog(LOG_ERR, "%s: read EOF", __FUNCTION__);
return (-1);
}
syslog(LOG_DEBUG, "%s: read %d", __FUNCTION__, trigger);
if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE)
break;
else
@ -691,10 +727,15 @@ config_audit_controls(void)
au_mask_t aumask;
int ctr = 0;
char naeventstr[NA_EVENT_STR_SIZE];
char polstr[POL_STR_SIZE];
long policy;
au_fstat_t au_fstat;
size_t filesz;
/*
* Process the audit event file, obtaining a class mapping for each
* event, and send that mapping into the kernel.
*
* XXX There's a risk here that the BSM library will return NULL
* for an event when it can't properly map it to a class. In that
* case, we will not process any events beyond the one that failed,
@ -703,10 +744,17 @@ config_audit_controls(void)
ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) {
if (ev.ae_name != NULL)
free(ev.ae_name);
syslog(LOG_ERR,
"Memory allocation error when configuring audit controls.");
return (-1);
}
/*
* XXXRW: Currently we have no way to remove mappings from the kernel
* when they are removed from the file-based mappings.
*/
evp = &ev;
setauevent();
while ((evp = getauevent_r(evp)) != NULL) {
@ -746,10 +794,32 @@ config_audit_controls(void)
"Failed to obtain non-attributable event mask.");
/*
* Set the audit policy flags based on passed in parameter values.
* If a policy is configured in audit_control(5), implement the
* policy. However, if one isn't defined, set AUDIT_CNT to avoid
* leaving the system in a fragile state.
*/
if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags)))
syslog(LOG_ERR, "Failed to set audit policy.");
if ((getacpol(polstr, POL_STR_SIZE) == 0) &&
(au_strtopol(polstr, &policy) == 0)) {
if (auditon(A_SETPOLICY, &policy, sizeof(policy)))
syslog(LOG_ERR, "Failed to set audit policy: %m");
} else {
syslog(LOG_ERR, "Failed to obtain policy flags: %m");
policy = AUDIT_CNT;
if (auditon(A_SETPOLICY, &policy, sizeof(policy)))
syslog(LOG_ERR,
"Failed to set default audit policy: %m");
}
/*
* Set trail rotation size.
*/
if (getacfilesz(&filesz) == 0) {
bzero(&au_fstat, sizeof(au_fstat));
au_fstat.af_filesz = filesz;
if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0)
syslog(LOG_ERR, "Failed to set filesz: %m");
} else
syslog(LOG_ERR, "Failed to obtain filesz: %m");
return (0);
}
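Review bot: the `else` branch treats two different situations alike: getacpol() failing because audit_control has no `policy:` line (the expected case that the commit message says should fall back to AUDIT_CNT) and au_strtopol() failing because the line exists but contains an unknown flag. Both log `Failed to obtain policy flags: %m` at LOG_ERR, where `%m` may print an errno unrelated to the failure, and a typo in the policy value silently degrades the configured policy to `cnt`. Split them: report a missing entry at LOG_NOTICE and a parse failure at LOG_ERR quoting `polstr`, so an operator who misspells `ahlt` learns that the halt policy is not in force. The same applies to the getacfilesz() path, where an absent `filesz:` line is logged as an error.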
@ -826,7 +896,6 @@ main(int argc, char **argv)
int debug = 0;
int rc;
global_flags |= AUDIT_CNT;
while ((ch = getopt(argc, argv, "dhs")) != -1) {
switch(ch) {
case 'd':
@ -834,20 +903,10 @@ main(int argc, char **argv)
debug = 1;
break;
case 's':
/* Fail-stop option. */
global_flags &= ~(AUDIT_CNT);
break;
case 'h':
/* Halt-stop option. */
global_flags |= AUDIT_AHLT;
break;
case '?':
default:
(void)fprintf(stderr,
"usage: auditd [-h | -s] [-d] \n");
"usage: auditd [-d] \n");
exit(1);
}
}
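Review bot: the getopt string in the context line `while ((ch = getopt(argc, argv, "dhs")) != -1)` still accepts -h and -s, so after the removal of their `case` labels those flags fall through to `default:`, print usage and exit, but getopt itself never reports them as unknown; change the string to `"d"` so that `auditd -s` yields the standard illegal-option diagnostic. The new usage string `"usage: auditd [-d] \n"` also keeps a stray space before the newline.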


@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#5 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#7 $
*/
#ifndef _AUDITD_H_
@ -61,7 +61,8 @@ struct dir_ent {
#define HARDLIM_ALL_WARN "allhard"
#define SOFTLIM_ALL_WARN "allsoft"
#define AUDITOFF_WARN "aditoff"
#define AUDITOFF_WARN "auditoff"
#define CLOSEFILE_WARN "closefile"
#define EBUSY_WARN "ebusy"
#define GETACDIR_WARN "getacdir"
#define HARDLIM_WARN "hard"
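Review bot: correcting AUDITOFF_WARN from `aditoff` to `auditoff` changes the first argument auditd passes to the audit_warn(5) script, so any existing script that matches the misspelled `aditoff` stops reacting to audit-off events without any error; this deserves a HISTORY line and a note in audit_warn(5) alongside the new `closefile` argument.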
@ -76,6 +77,7 @@ struct dir_ent {
int audit_warn_allhard(int count);
int audit_warn_allsoft(void);
int audit_warn_auditoff(void);
int audit_warn_closefile(char *filename);
int audit_warn_ebusy(void);
int audit_warn_getacdir(char *filename);
int audit_warn_hard(char *filename);


@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
@ -105,12 +105,17 @@ for a description of audit event names and numbers.
.It Fl o Ar object=value
.Bl -tag -width Ds
.It Nm file
Select records containing the given path name.
file="/usr" matches paths
starting with
.Pa usr .
file="~/usr" matches paths not starting with
.Pa usr .
Select records containing path tokens, where the pathname matches
one of the comma delimited extended regular expression contained in
given specification.
Regular expressions which are prefixed with a tilde (~) are excluded
from the search results.
These extended regular expressions are processed from left to right,
and a path will either be selected or deslected based on the first match.
.Pp
Since commas are used to delimit the regular expressions, a backslash (\\)
character should be used to escape the comma if it's a part of the search
pattern.
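Review bot: `deslected` in the added sentence should be `deselected`, and `one of the comma delimited extended regular expression contained in given specification` should read `one of the comma-delimited extended regular expressions in the given specification`. The text should also say that matching is unanchored (an expression selects a path token if it matches anywhere in the path), since that is what regexec() does without `^`/`$` and it is the behaviour the examples further down rely on.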
.It Nm msgqid
Select records containing the given message queue id.
.It Nm pid
@ -136,6 +141,30 @@ events from that log:
.Pp
.Nm
-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
.Pp
Output from the above command lines will typically be piped to a new trail
file, or via standard output to the
.Xr praudit 1
command.
.Pp
Select all records containing a path token where the pathname contains
.Pa /etc/master.passwd
.Pp
.Nm
-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
.Pp
Select all records containing path tokens, where the pathname is a TTY
device:
.Pp
.Nm
-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
.Pp
Select all records containing path tokens, where the pathname is a TTY
except for
.Pa /dev/ttyp2
.Pp
.Nm
-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
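Review bot: because the expressions are unanchored, `~/dev/ttyp2` in the last example also excludes `/dev/ttyp20` through `/dev/ttyp29` and any other path containing that string, and `/dev/tty[a-zA-Z][0-9]+` matches `/var/log/dev/ttyp1` as well; the examples would be more precise, and would show readers how to avoid the surprise, as `^/dev/ttyp2$` and `^/dev/tty[a-zA-Z][0-9]+$`. It is also worth stating next to the last example that ordering matters: the exclusion must come first because the first matching expression decides.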
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,


@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#14 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#18 $
*/
/*
@ -40,6 +40,13 @@
* XXX the records present within the file and between the files themselves
*/
#include <config/config.h>
#ifdef HAVE_FULL_QUEUE_H
#include <sys/queue.h>
#else
#include <compat/queue.h>
#endif
#include <bsm/libbsm.h>
#include <err.h>
@ -51,9 +58,14 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <regex.h>
#include <errno.h>
#include "auditreduce.h"
static TAILQ_HEAD(tailhead, re_entry) re_head =
TAILQ_HEAD_INITIALIZER(re_head);
extern char *optarg;
extern int optind, optopt, opterr,optreset;
@ -80,11 +92,58 @@ static char *p_sockobj = NULL;
static uint32_t opttochk = 0;
static void
parse_regexp(char *re_string)
{
char *orig, *copy, re_error[64];
struct re_entry *rep;
int error, nstrs, i, len;
copy = strdup(re_string);
orig = copy;
len = strlen(copy);
for (nstrs = 0, i = 0; i < len; i++) {
if (copy[i] == ',' && i > 0) {
if (copy[i - 1] == '\\')
strcpy(&copy[i - 1], &copy[i]);
else {
nstrs++;
copy[i] = '\0';
}
}
}
TAILQ_INIT(&re_head);
for (i = 0; i < nstrs + 1; i++) {
rep = calloc(1, sizeof(*rep));
if (rep == NULL) {
(void) fprintf(stderr, "calloc: %s\n",
strerror(errno));
exit(1);
}
if (*copy == '~') {
copy++;
rep->re_negate = 1;
}
rep->re_pattern = strdup(copy);
error = regcomp(&rep->re_regexp, rep->re_pattern,
REG_EXTENDED | REG_NOSUB);
if (error != 0) {
regerror(error, &rep->re_regexp, re_error, 64);
(void) fprintf(stderr, "regcomp: %s\n", re_error);
exit(1);
}
TAILQ_INSERT_TAIL(&re_head, rep, re_glue);
len = strlen(copy);
copy += len + 1;
}
free(orig);
}
static void
usage(const char *msg)
{
fprintf(stderr, "%s\n", msg);
fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
fprintf(stderr, "Usage: auditreduce [options] [file ...]\n");
fprintf(stderr, "\tOptions are : \n");
fprintf(stderr, "\t-A : all records\n");
fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
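Review bot: parse_regexp() has three robustness problems. `strcpy(&copy[i - 1], &copy[i])` copies between overlapping regions, which is undefined behaviour for strcpy(); use memmove() (and note that `len` is not decremented afterwards, so the loop keeps scanning the old length, which is harmless only because the buffer still holds the old terminator). Both strdup() calls are unchecked while calloc() is, so a NULL from strdup() becomes a crash in strlen() or regcomp(). `TAILQ_INIT(&re_head)` re-initialises the statically initialised list on every call, so a second `-ofile=` on the command line silently discards (and leaks) the first set of compiled expressions; either reject the repeat in parse_object_type() or append instead of resetting. Minor: the `i > 0` guard means a leading comma is kept as a literal character of the first pattern rather than producing an empty pattern, which is reasonable but undocumented.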
@ -258,23 +317,20 @@ select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
static int
select_filepath(char *path, uint32_t *optchkd)
{
char *loc;
struct re_entry *rep;
int match;
SETOPT((*optchkd), OPT_of);
match = 1;
if (ISOPTSET(opttochk, OPT_of)) {
if (p_fileobj[0] == '~') {
/* Object should not be in path. */
loc = strstr(path, p_fileobj + 1);
if ((loc != NULL) && (loc == path))
return (0);
} else {
/* Object should be in path. */
loc = strstr(path, p_fileobj);
if ((loc == NULL) || (loc != path))
return (0);
match = 0;
TAILQ_FOREACH(rep, &re_head, re_glue) {
if (regexec(&rep->re_regexp, path, 0, NULL,
0) != REG_NOMATCH)
return (!rep->re_negate);
}
}
return (1);
return (match);
}
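Review bot: a specification consisting only of negated expressions now selects nothing: `match` is reset to 0 when OPT_of is set and only a positive match returns 1, so `-ofile="~/dev/ttyp2"` alone returns 0 for every path. The replaced code selected every path not starting with the object when `~` was given, and the manual page says negated expressions are `excluded from the search results`, which readers will take to mean the rest is included. Either initialise `match` to 1 when every entry in `re_head` has `re_negate` set, or document that at least one positive expression is required.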
/*
@ -328,6 +384,24 @@ select_hdr32(tokenstr_t tok, uint32_t *optchkd)
return (1);
}
static int
select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd)
{
int sorf;
SETOPT((*optchkd), (OPT_c));
if (tok_ret32.tt.ret32.status == 0)
sorf = AU_PRS_SUCCESS;
else
sorf = AU_PRS_FAILURE;
if (ISOPTSET(opttochk, OPT_c)) {
if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf,
AU_PRS_USECACHE) != 1)
return (0);
}
return (1);
}
/*
* Return 1 if checks for the the following succeed
* auid,
@ -395,6 +469,7 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd)
static int
select_records(FILE *fp)
{
tokenstr_t tok_hdr32_copy;
u_char *buf;
tokenstr_t tok;
int reclen;
@ -423,6 +498,8 @@ select_records(FILE *fp)
case AU_HEADER_32_TOKEN:
selected = select_hdr32(tok,
&optchkd);
bcopy(&tok, &tok_hdr32_copy,
sizeof(tok));
break;
case AU_PROCESS_32_TOKEN:
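Review bot: `tok_hdr32_copy` is declared without an initialiser and is only filled in the AU_HEADER_32_TOKEN case, yet select_return32() reads `tok_hdr32_copy.tt.hdr32.e_type` from it for every AU_RETURN_32_TOKEN; if a record starts with a header token of another type, or a trail begins with a stray return token, the preselection runs on stack garbage. Zero the copy at the top of each record (or track a `have_hdr32` flag) and skip the return-token check when no 32-bit header has been seen.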
@ -451,6 +528,11 @@ select_records(FILE *fp)
tok.tt.path.path, &optchkd);
break;
case AU_RETURN_32_TOKEN:
selected = select_return32(tok,
tok_hdr32_copy, &optchkd);
break;
/*
* The following tokens dont have any relevant
* attributes that we can select upon.
@ -465,7 +547,6 @@ select_records(FILE *fp)
case AU_IPCPERM_TOKEN:
case AU_IPORT_TOKEN:
case AU_OPAQUE_TOKEN:
case AU_RETURN_32_TOKEN:
case AU_SEQ_TOKEN:
case AU_TEXT_TOKEN:
case AU_ARB_TOKEN:
@ -500,6 +581,7 @@ parse_object_type(char *name, char *val)
if (!strcmp(name, FILEOBJ)) {
p_fileobj = val;
parse_regexp(val);
SETOPT(opttochk, OPT_of);
} else if (!strcmp(name, MSGQIDOBJ)) {
p_msgqobj = val;
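Review bot: `p_fileobj = val;` is kept although every use of p_fileobj in select_filepath() is removed by this diff in favour of the compiled `re_head` list; if nothing else reads it, the assignment and the global are dead and should go, otherwise a comment should say what still consumes it.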
@ -679,8 +761,12 @@ main(int argc, char **argv)
argv += optind;
argc -= optind;
if (argc == 0)
usage("Filename needed");
if (argc == 0) {
if (select_records(stdin) == -1)
errx(EXIT_FAILURE,
"Couldn't select records from stdin");
exit(EXIT_SUCCESS);
}
/*
* XXX: We should actually be merging records here.


@ -26,13 +26,20 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $
*/
#ifndef _AUDITREDUCE_H_
#define _AUDITREDUCE_H_
struct re_entry {
char *re_pattern;
int re_negate;
regex_t re_regexp;
TAILQ_ENTRY(re_entry) re_glue;
};
#define OPT_a 0x00000001
#define OPT_b 0x00000002
#define OPT_c 0x00000004
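Review bot: `struct re_entry` uses `regex_t` and `TAILQ_ENTRY` but auditreduce.h includes neither <regex.h> nor a queue header; it compiles only because auditreduce.c happens to include `<regex.h>` and the `HAVE_FULL_QUEUE_H` block before `"auditreduce.h"`. Add the includes to the header (with the same HAVE_FULL_QUEUE_H fallback) so it is self-contained, or add a comment stating the ordering requirement.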


@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#27 $
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $
*/
#ifndef _LIBBSM_H_
@ -37,9 +37,6 @@
* solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
*/
#define AUDIT_MAX_ARGS 10
#define AUDIT_MAX_ENV 10
#include <sys/types.h>
#include <sys/cdefs.h>
@ -55,13 +52,25 @@
#include <mach/mach.h> /* audit_token_t */
#endif
/*
* Size parsed token vectors for execve(2) arguments and environmental
* variables. Note: changing these sizes affects the ABI of the token
* structure, and as the token structure is often placed in the caller stack,
* this is undesirable.
*/
#define AUDIT_MAX_ARGS 128
#define AUDIT_MAX_ENV 128
/*
* Arguments to au_preselect(3).
*/
#define AU_PRS_USECACHE 0
#define AU_PRS_REREAD 1
#define AU_PRS_SUCCESS 1
#define AU_PRS_FAILURE 2
#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
#define AU_PRS_USECACHE 0
#define AU_PRS_REREAD 1
#define AUDIT_EVENT_FILE "/etc/security/audit_event"
#define AUDIT_CLASS_FILE "/etc/security/audit_class"
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
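Review bot: the new comment says that changing AUDIT_MAX_ARGS/AUDIT_MAX_ENV alters the ABI of the token structure, and this very hunk changes them from 10 to 128 (the values deleted above), so `tokenstr_t` grows and a program built against the old libbsm that receives one from the new library reads the wrong layout. Call this out in HISTORY and bump the shared library version where OpenBSM is packaged; the commit message only mentions the increased count.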
@ -69,8 +78,10 @@
#define DIR_CONTROL_ENTRY "dir"
#define MINFREE_CONTROL_ENTRY "minfree"
#define FILESZ_CONTROL_ENTRY "filesz"
#define FLAGS_CONTROL_ENTRY "flags"
#define NA_CONTROL_ENTRY "naflags"
#define POLICY_CONTROL_ENTRY "policy"
#define AU_CLASS_NAME_MAX 8
#define AU_CLASS_DESC_MAX 72
@ -709,13 +720,17 @@ void setac(void);
void endac(void);
int getacdir(char *name, int len);
int getacmin(int *min_val);
int getacfilesz(size_t *size_val);
int getacflg(char *auditstr, int len);
int getacna(char *auditstr, int len);
int getacpol(char *auditstr, size_t len);
int getauditflagsbin(char *auditstr, au_mask_t *masks);
int getauditflagschar(char *auditstr, au_mask_t *masks,
int verbose);
int au_preselect(au_event_t event, au_mask_t *mask_p,
int sorf, int flag);
ssize_t au_poltostr(long policy, size_t maxsize, char *buf);
int au_strtopol(const char *polstr, long *policy);
/*
* Functions relating to querying audit event information.
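Review bot: the new prototypes are inconsistent with their neighbours: getacpol() takes `size_t len` while getacdir()/getacflg()/getacna() take `int len`, and au_poltostr(long policy, size_t maxsize, char *buf) puts the buffer last whereas the rest of the API passes `(buf, len)`. These are public libbsm entry points, so pick one convention before 1.0 freezes the API.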


@ -1,6 +1,6 @@
/* config/config.h. Generated by configure. */
/* config/config.h.in. Generated from configure.ac by autoheader. */
/* $FreeBSD$
/* $FreeBSD$ */
/* Define to 1 if you have the `alarm' function. */
#define HAVE_ALARM 1
@ -88,6 +88,9 @@
/* Define to 1 if you have the <string.h> header file. */
#define HAVE_STRING_H 1
/* Define to 1 if you have the `strlcat' function. */
#define HAVE_STRLCAT 1
/* Define to 1 if you have the `strrchr' function. */
#define HAVE_STRRCHR 1
@ -147,13 +150,13 @@
#define PACKAGE_NAME "OpenBSM"
/* Define to the full name and version of this package. */
#define PACKAGE_STRING "OpenBSM 1.0a9"
#define PACKAGE_STRING "OpenBSM 1.0a11"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "openbsm"
/* Define to the version of this package. */
#define PACKAGE_VERSION "1.0a9"
#define PACKAGE_VERSION "1.0a11"
/* Define as the return type of signal handlers (`int' or `void'). */
#define RETSIGTYPE void
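Review bot: config/config.h is committed with PACKAGE_STRING `OpenBSM 1.0a11` and PACKAGE_VERSION `1.0a11`, but configure and configure.ac in the same commit declare 1.0a12 and the HISTORY entry is for alpha 12; the generated header is stale (the VERSION define in the next hunk also says `1.0a11`). Regenerate config.h from the updated configure so the version strings agree.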
@ -168,7 +171,7 @@
/* #undef TM_IN_SYS_TIME */
/* Version number of package */
#define VERSION "1.0a9"
#define VERSION "1.0a11"
/* Define to empty if `const' does not conform to ANSI C. */
/* #undef const */


@ -86,6 +86,9 @@
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the `strlcat' function. */
#undef HAVE_STRLCAT
/* Define to 1 if you have the `strrchr' function. */
#undef HAVE_STRRCHR


@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#28 .
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a10.
# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12.
#
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
#
@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='OpenBSM'
PACKAGE_TARNAME='openbsm'
PACKAGE_VERSION='1.0a10'
PACKAGE_STRING='OpenBSM 1.0a10'
PACKAGE_VERSION='1.0a12'
PACKAGE_STRING='OpenBSM 1.0a12'
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
ac_unique_file="bin/auditreduce/auditreduce.c"
@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures OpenBSM 1.0a10 to adapt to many kinds of systems.
\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1021,7 +1021,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of OpenBSM 1.0a10:";;
short | recursive ) echo "Configuration of OpenBSM 1.0a12:";;
esac
cat <<\_ACEOF
@ -1162,7 +1162,7 @@ fi
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
OpenBSM configure 1.0a10
OpenBSM configure 1.0a12
generated by GNU Autoconf 2.59
Copyright (C) 2003 Free Software Foundation, Inc.
@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by OpenBSM $as_me 1.0a10, which was
It was created by OpenBSM $as_me 1.0a12, which was
generated by GNU Autoconf 2.59. Invocation command line was
$ $0 $@
@ -19278,7 +19278,7 @@ fi
# Define the identity of the package.
PACKAGE=OpenBSM
VERSION=1.0a10
VERSION=1.0a12
cat >>confdefs.h <<_ACEOF
@ -22834,7 +22834,8 @@ done
for ac_func in bzero clock_gettime ftruncate gettimeofday inet_ntoa memset strchr strerror strrchr strstr strtol strtoul
for ac_func in bzero clock_gettime ftruncate gettimeofday inet_ntoa memset strchr strerror strlcat strrchr strstr strtol strtoul
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
echo "$as_me:$LINENO: checking for $ac_func" >&5
@ -23478,7 +23479,7 @@ _ASBOX
} >&5
cat >&5 <<_CSEOF
This file was extended by OpenBSM $as_me 1.0a10, which was
This file was extended by OpenBSM $as_me 1.0a12, which was
generated by GNU Autoconf 2.59. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -23541,7 +23542,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
OpenBSM config.status 1.0a10
OpenBSM config.status 1.0a12
configured by $0, generated by GNU Autoconf 2.59,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"


@ -2,8 +2,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
AC_INIT([OpenBSM], [1.0a10], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#29 $])
AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 $])
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_HEADER([config/config.h])
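Review bot: the bug-report address in the AC_INIT line at the top of this hunk still reads `trustedbsd-audit@TrustesdBSD.org` (`TrustesdBSD` rather than `TrustedBSD`); the typo is carried over unchanged from the 1.0a10 line, and since autoconf embeds this address in `configure --help` and in `PACKAGE_BUGREPORT`, the version bump is a good moment to correct it.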
@ -56,7 +56,7 @@ AC_FUNC_MKTIME
AC_TYPE_SIGNAL
AC_FUNC_STAT
AC_FUNC_STRFTIME
AC_CHECK_FUNCS([bzero clock_gettime ftruncate gettimeofday inet_ntoa memset strchr strerror strrchr strstr strtol strtoul])
AC_CHECK_FUNCS([bzero clock_gettime ftruncate gettimeofday inet_ntoa memset strchr strerror strlcat strrchr strstr strtol strtoul])
# sys/queue.h exists on most systems, but its capabilities vary a great deal.
# test for LIST_FIRST and TAILQ_FOREACH_SAFE, which appears to not exist in

View File

@ -1,8 +1,10 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#3 $
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
# $FreeBSD$
#
dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0
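Review bot: `policy:cnt` and `filesz:0` are added to the installed default file with no comment explaining them, unlike the manual page in this same change; a short `#` comment per new field (or a pointer to audit_control(5)) would help administrators, since `0` here means "never rotate by size" and `cnt` is the setting the manual page recommends over `ahlt`.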

View File

@ -1,5 +1,5 @@
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#12 $
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#16 $
# $FreeBSD$
#
0:AUE_NULL:indir system call:no
@ -118,8 +118,8 @@
113:AUE_SYSTEMBOOT:system booted:na
114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad
115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad
128:AUE_WRITEL:writel(2):fw
129:AUE_WRITEVL:writevl(2):fw
128:AUE_WRITEL:writel(2):no
129:AUE_WRITEVL:writevl(2):no
130:AUE_GETAUID:getauid(2):ad
131:AUE_SETAUID:setauid(2):ad
132:AUE_GETAUDIT:getaudit(2):ad
@ -266,7 +266,7 @@
325:AUE_DARWIN_KDEBUGTRACE:system call:pc
326:AUE_DARWIN_FSTAT:fstat(2):fa
327:AUE_DARWIN_FPATHCONF:fpathconf(2):fa
328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):fr
328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):no
329:AUE_DARWIN_TRUNCATE:truncate(2):fw
330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw
331:AUE_DARWIN_SYSCTL:sysctl(3):ad
@ -322,8 +322,8 @@
43017:AUE_KDEBUGTRACE:system call:pc
43018:AUE_FSTAT:fstat(2):fa
43019:AUE_FPATHCONF:fpathconf(2):fa
43020:AUE_GETDIRENTRIES:getdirentries(2):fr
43021:AUE_SYSCTL:sysctl(3):ad
43020:AUE_GETDIRENTRIES:getdirentries(2):no
43021:AUE_SYSCTL:sysctl(3):ot
43022:AUE_MLOCK:mlock(2):pc
43023:AUE_MUNLOCK:munlock(2):pc
43024:AUE_UNDELETE:undelete(2):fm
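Review bot: `43021:AUE_SYSCTL` moves from the `ad` class to `ot` here while the new `43116:AUE_SYSCTL_WRITE` event is added in `ad` further down this file; that split (reads in `ot`, writes in `ad`) matches the intent of separating sysctl reads from writes, but sites that audit the `ad` class will stop seeing sysctl reads after upgrading, so it deserves a line in the release notes next to the writel/writevl reclassification.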
@ -416,6 +416,13 @@
43111:AUE_EXTATTR_SET_LINK:extattr_set_link(2):fm
43112:AUE_EXTATTR_LIST_LINK:extattr_list_link(2):fa
43113:AUE_EXTATTR_DELETE_LINK:extattr_delete_link(2):fm
43114:AUE_KENV:kenv(8):ad
43115:AUE_JAIL_ATTACH:jail_attach(2):ad
43116:AUE_SYSCTL_WRITE:sysctl(3):ad
43117:AUE_IOPERM:linux ioperm:ad
43118:AUE_READDIR:readdir(3):no
43119:AUE_IOPL:linux iopl:ad
43120:AUE_VM86:linux vm86:pc
#
# User space system events.
#
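Review bot: the description of the new `43114:AUE_KENV` entry reads `kenv(8)`, the section of the userland utility, while every neighbouring entry names the system call section (`jail_attach(2)`, `extattr_set_link(2)`); the event is generated for the kenv(2) system call, so `kenv(2)` is the consistent description. Also note `43118:AUE_READDIR:readdir(3):no`, which, like the writel/writevl entries above, lands in no class; that is consistent with the "audit intent, not operations" rule, but worth stating in the change summary so nobody assumes the new event is in `fr`.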

View File

@ -1,5 +1,5 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#3 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
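Review bot: the `.Dd April 19, 2005` context line after the `$P4` bump is left unchanged although this revision adds getacfilesz, getacpol, au_poltostr and au_strtopol to the page; the mdoc document date should move to the date of this change so that readers can tell the page describes the new interfaces.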
@ -33,8 +33,12 @@
.Nm endac ,
.Nm getacdir ,
.Nm getacmin ,
.Nm getacfilesz ,
.Nm getacflg ,
.Nm getacna
.Nm getacna ,
.Nm getacpol ,
.Nm au_poltostr
.Nm au_strtopol
.Nd "Look up information from the audit_control database"
.Sh LIBRARY
.Lb libbsm
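Review bot: `.Nm au_poltostr` is missing the trailing comma that every other non-final name in this list carries (compare `.Nm getacpol ,`), so the rendered NAME line runs `au_poltostr au_strtopol` together; it should read `.Nm au_poltostr ,`.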
@ -49,9 +53,17 @@
.Ft int
.Fn getacmin "int *min_val"
.Ft int
.Fn getacfilesz "size_t *size_val"
.Ft int
.Fn getacflg "char *auditstr" "int len"
.Ft int
.Fn getacna "char *auditstr" "int len"
.Ft int
.Fn getacpol "char *auditstr" "size_t len"
.Ft ssize_t
.Fn au_poltostr "long policy" "size_t maxsize" "char *buf"
.Ft int
.Fn au_strtopol "const char *polstr" "long *policy"
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_control 5
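Review bot: the prototype `.Fn getacfilesz "size_t *size_val"` does not match the implementation added to bsm_control.c in this same change, which declares `getacfilesz(size_t *filesz_val)`; the DESCRIPTION below also uses `size_val`, so either name will do, but the page and the code should agree.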
@ -79,6 +91,10 @@ the passed
.Va min_val
variable.
.Pp
.Fn getacfilesz
returns the audit trail rotation size in the passed size_t buffer
.Fa size_val .
.Pp
.Fn getacflg
returns the audit system flags via the the passed character buffer
.Va auditstr
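Review bot: "returns the audit trail rotation size in the passed size_t buffer" is imprecise: `size_val` is a pointer to a single `size_t`, not a buffer, and the text should say what a value of 0 means (no size-based rotation, as audit_control(5) puts it) and that the function returns 1 when the `filesz` field is absent, which is what the implementation in this change does. While here, the context line "via the the passed character buffer" in the getacflg description has a doubled "the".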
@ -90,15 +106,42 @@ returns the non-attributable flags via the passed character buffer
.Va auditstr
of length
.Va len .
.Pp
.Fn getacpol
returns the audit policy flags via the passed character buffer
.Va auditstr
of length
.Va len .
.Pp
.Fn au_poltostr
converts a numeric audit policy mask,
.Va policy ,
value to a string in the passed character buffer
.Va buf
of lenth
.Va maxsize .
.Pp
.Fn au_strtopol
converts an audit policy flags string,
.Va polstr ,
to a numeric audit policy mask returned via
.Va policy .
.Sh RETURN VALULES
.Fn getacdir ,
.Fn getacmin ,
.Fn getacflg ,
.Fn getacna ,
.Fn getacpol ,
and
.Fn getacna
.Fn au_strtopol
return 0 on success, or a negative value on failure, along with error
information in
.Va errno .
.Pp
.Fn au_poltostr
returns a string length of 0 or more on success, or a negative value on
if there is a failure.
.Pp
Functions that return a string value will return a failure if there is
insufficient room in the passed character buffer for the full string.
.Sh SEE ALSO
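Review bot: the RETURN VALUES list omits `getacfilesz`, which this change adds to the SYNOPSIS and DESCRIPTION, and the au_poltostr sentence "or a negative value on if there is a failure" has a stray "on". Two typos also sit in this hunk: "of lenth" should be "of length", and the context line `.Sh RETURN VALULES` should be `.Sh RETURN VALUES` (mdoc will not treat the misspelled heading as the standard section). Finally, "return 0 on success, or a negative value on failure" understates getacdir, getacmin, getacflg, getacna and getacfilesz, which per the implementation in this change also return positive values (1 for "field absent", 2 from getacdir when the file was rewound); the page should document those so callers do not treat them as failures.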

View File

@ -23,16 +23,17 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#4 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#5 $
.\"
.Dd March 4, 2006
.Dt AU_OPEN 3
.Os
.Sh NAME
.Nm au_open ,
.Nm au_write ,
.Nm au_close ,
.Nm au_close_buffer
.Nm au_close_buffer ,
.Nm au_close_token ,
.Nm au_open ,
.Nm au_write
.Nd "Create and commit audit records"
.Sh LIBRARY
.Lb libbsm
@ -120,6 +121,7 @@ return 0 on success, or a negative value on failure, along with error
information in
.Va errno .
.Sh SEE ALSO
.Xr audit_submit 3 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh

View File

@ -1,5 +1,6 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -26,7 +27,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#13 $
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#16 $
*/
#include <bsm/libbsm.h>
@ -37,9 +38,14 @@
#include <stdio.h>
#include <stdlib.h>
#include <config/config.h>
#ifndef HAVE_STRLCAT
#include <compat/strlcat.h>
#endif
/*
* Parse the contents of the audit_control file to return the audit control
* parameters.
* parameters. These static fields are protected by 'mutex'.
*/
static FILE *fp = NULL;
static char linestr[AU_LINE_MAX];
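Review bot: the `#ifndef HAVE_STRLCAT` fallback depends on the `AC_CHECK_FUNCS([... strlcat ...])` addition to configure.ac in this same change and on `config/config.h` being included before the test, which it is here; this is the only file in the diff that pulls in `compat/strlcat.h`, so it is worth confirming that no other libbsm source calls strlcat on a platform where configure reports it missing.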
@ -97,22 +103,224 @@ getstrfromtype_locked(char *name, char **str)
}
}
/*
* Convert a policy to a string. Return -1 on failure, or >= 0 representing
* the actual size of the string placed in the buffer (excluding terminating
* nul).
*/
ssize_t
au_poltostr(long policy, size_t maxsize, char *buf)
{
int first;
if (maxsize < 1)
return (-1);
first = 1;
buf[0] = '\0';
if (policy & AUDIT_CNT) {
if (strlcat(buf, "cnt", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_AHLT) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "ahlt", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_ARGV) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "argv", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_ARGE) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "arge", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_SEQ) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "seq", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_WINDATA) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "windata", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_USER) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "user", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_GROUP) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "group", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_TRAIL) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "trail", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_PATH) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "path", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_SCNT) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "scnt", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_PUBLIC) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "public", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_ZONENAME) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "zonename", maxsize) >= maxsize)
return (-1);
first = 0;
}
if (policy & AUDIT_PERZONE) {
if (!first) {
if (strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
}
if (strlcat(buf, "perzone", maxsize) >= maxsize)
return (-1);
first = 0;
}
return (strlen(buf));
}
/*
* Convert a string to a policy. Return -1 on failure (with errno EINVAL,
* ENOMEM) or 0 on success.
*/
int
au_strtopol(const char *polstr, long *policy)
{
char *bufp, *string;
char *buffer;
*policy = 0;
buffer = strdup(polstr);
if (buffer == NULL)
return (-1);
bufp = buffer;
while ((string = strsep(&bufp, ",")) != NULL) {
if (strcmp(string, "cnt") == 0)
*policy |= AUDIT_CNT;
else if (strcmp(string, "ahlt") == 0)
*policy |= AUDIT_AHLT;
else if (strcmp(string, "argv") == 0)
*policy |= AUDIT_ARGV;
else if (strcmp(string, "arge") == 0)
*policy |= AUDIT_ARGE;
else if (strcmp(string, "seq") == 0)
*policy |= AUDIT_SEQ;
else if (strcmp(string, "winau_fstat") == 0)
*policy |= AUDIT_WINDATA;
else if (strcmp(string, "user") == 0)
*policy |= AUDIT_USER;
else if (strcmp(string, "group") == 0)
*policy |= AUDIT_GROUP;
else if (strcmp(string, "trail") == 0)
*policy |= AUDIT_TRAIL;
else if (strcmp(string, "path") == 0)
*policy |= AUDIT_PATH;
else if (strcmp(string, "scnt") == 0)
*policy |= AUDIT_SCNT;
else if (strcmp(string, "public") == 0)
*policy |= AUDIT_PUBLIC;
else if (strcmp(string, "zonename") == 0)
*policy |= AUDIT_ZONENAME;
else if (strcmp(string, "perzone") == 0)
*policy |= AUDIT_PERZONE;
else {
free(buffer);
errno = EINVAL;
return (-1);
}
}
free(buffer);
return (0);
}
/*
* Rewind the file pointer to beginning.
*/
static void
setac_locked(void)
{
ptrmoved = 1;
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
}
void
setac(void)
{
pthread_mutex_lock(&mutex);
ptrmoved = 1;
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
setac_locked();
pthread_mutex_unlock(&mutex);
}
/*
* Close the audit_control file
* Close the audit_control file.
*/
void
endac(void)
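Review bot: au_poltostr and au_strtopol do not round-trip the window-data flag: au_poltostr emits `windata` for AUDIT_WINDATA, but au_strtopol only accepts the string `winau_fstat` for that bit, so `au_strtopol()` on the output of `au_poltostr()` fails with EINVAL for any mask containing AUDIT_WINDATA, and a `policy:` line using the natural name `windata` is rejected. Change the comparison to `strcmp(string, "windata") == 0`. Two smaller points: on an unrecognised token au_strtopol returns -1 but leaves `*policy` holding the bits parsed so far, so a caller that ignores the return value gets a partial mask (set `*policy = 0` before returning -1); and the fourteen near-identical `if (policy & X) { ... strlcat ... }` blocks in au_poltostr plus the `strcmp` chain in au_strtopol would be shorter, and could not drift apart as they already have, as a single `{ flag, name }` table walked by both functions.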
@ -136,72 +344,94 @@ getacdir(char *name, int len)
char *dir;
int ret = 0;
if (name == NULL) {
errno = EINVAL;
return (-2);
}
pthread_mutex_lock(&mutex);
/*
* Check if another function was called between
* successive calls to getacdir
* Check if another function was called between successive calls to
* getacdir.
*/
pthread_mutex_lock(&mutex);
if (inacdir && ptrmoved) {
ptrmoved = 0;
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
ret = 2;
}
if (getstrfromtype_locked(DIR_CONTROL_ENTRY, &dir) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
pthread_mutex_unlock(&mutex);
if (dir == NULL)
if (dir == NULL) {
pthread_mutex_unlock(&mutex);
return (-1);
if (strlen(dir) >= len)
}
if (strlen(dir) >= len) {
pthread_mutex_unlock(&mutex);
return (-3);
}
strcpy(name, dir);
pthread_mutex_unlock(&mutex);
return (ret);
}
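Review bot: keeping `mutex` held across the `strlen(dir)`/`strcpy(name, dir)` sequence fixes the old code's use of `dir`, a pointer into the locked static buffer, after the unlock, which is the right fix; the remaining gap is `if (strlen(dir) >= len)` with `int len`, where a negative `len` converts to a very large `size_t`, the check passes, and `strcpy` writes into `name` unbounded. The new getacpol takes `size_t len`; getacdir, getacflg and getacna should do the same, or at least reject `len <= 0` next to the `name == NULL` check.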
/*
* Return the minimum free diskspace value from the audit control file
* Return the minimum free diskspace value from the audit control file.
*/
int
getacmin(int *min_val)
{
char *min;
setac();
if (min_val == NULL) {
errno = EINVAL;
return (-2);
}
pthread_mutex_lock(&mutex);
setac_locked();
if (getstrfromtype_locked(MINFREE_CONTROL_ENTRY, &min) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
pthread_mutex_unlock(&mutex);
if (min == NULL)
if (min == NULL) {
pthread_mutex_unlock(&mutex);
return (1);
}
*min_val = atoi(min);
pthread_mutex_unlock(&mutex);
return (0);
}
/*
* Return the desired trail rotation size from the audit control file.
*/
int
getacfilesz(size_t *filesz_val)
{
char *filesz, *dummy;
long long ll;
pthread_mutex_lock(&mutex);
setac_locked();
if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
if (filesz == NULL) {
pthread_mutex_unlock(&mutex);
errno = EINVAL;
return (1);
}
ll = strtoll(filesz, &dummy, 10);
if (*dummy != '\0') {
pthread_mutex_unlock(&mutex);
errno = EINVAL;
return (-1);
}
/*
* The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0
* indicates no rotation size.
*/
if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
pthread_mutex_unlock(&mutex);
errno = EINVAL;
return (-1);
}
*filesz_val = ll;
pthread_mutex_unlock(&mutex);
return (0);
}
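Review bot: getacfilesz has no `filesz_val == NULL` check, unlike getacmin immediately above it, which returns -2 with EINVAL; add the same guard. Also, `strtoll` reports overflow via ERANGE, which is not checked, and `*filesz_val = ll` silently truncates where `size_t` is 32 bits (FreeBSD 6 on i386), so a `filesz:` larger than `SIZE_MAX` would come back as a small, legal-looking rotation size; reject `errno == ERANGE` and `ll > SIZE_MAX` with EINVAL the way `ll < 0` already is. Minor: returning 1 for a missing `filesz` field while also setting `errno = EINVAL` is inconsistent with getacmin, which returns 1 without touching errno.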
@ -213,30 +443,22 @@ getacflg(char *auditstr, int len)
{
char *str;
setac();
if (auditstr == NULL) {
errno = EINVAL;
return (-2);
}
pthread_mutex_lock(&mutex);
setac_locked();
if (getstrfromtype_locked(FLAGS_CONTROL_ENTRY, &str) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
pthread_mutex_unlock(&mutex);
if (str == NULL)
if (str == NULL) {
pthread_mutex_unlock(&mutex);
return (1);
if (strlen(str) >= len)
}
if (strlen(str) >= len) {
pthread_mutex_unlock(&mutex);
return (-3);
}
strcpy(auditstr, str);
pthread_mutex_unlock(&mutex);
return (0);
}
@ -248,28 +470,47 @@ getacna(char *auditstr, int len)
{
char *str;
setac();
if (auditstr == NULL) {
errno = EINVAL;
return (-2);
}
pthread_mutex_lock(&mutex);
setac_locked();
if (getstrfromtype_locked(NA_CONTROL_ENTRY, &str) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
pthread_mutex_unlock(&mutex);
if (str == NULL)
if (str == NULL) {
pthread_mutex_unlock(&mutex);
return (1);
if (strlen(str) >= len)
}
if (strlen(str) >= len) {
pthread_mutex_unlock(&mutex);
return (-3);
}
strcpy(auditstr, str);
return (0);
}
/*
* Return the policy field from the audit control file.
*/
int
getacpol(char *auditstr, size_t len)
{
char *str;
pthread_mutex_lock(&mutex);
setac_locked();
if (getstrfromtype_locked(POLICY_CONTROL_ENTRY, &str) < 0) {
pthread_mutex_unlock(&mutex);
return (-2);
}
if (str == NULL) {
pthread_mutex_unlock(&mutex);
return (-1);
}
if (strlen(str) >= len) {
pthread_mutex_unlock(&mutex);
return (-3);
}
strcpy(auditstr, str);
pthread_mutex_unlock(&mutex);
return (0);
}
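Review bot: the success path of getacna returns without releasing `mutex`: after `strcpy(auditstr, str);` it goes straight to `return (0);`, whereas getacflg above and getacpol below both call `pthread_mutex_unlock(&mutex);` first. As written, the first successful getacna() call leaves the lock held and the next getac*() or setac() call blocks forever. Insert the unlock before the `return (0);`. Also, getacpol lacks the `auditstr == NULL` EINVAL check that the other string getters perform before taking the lock.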

View File

@ -31,7 +31,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#40 $
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 $
*/
#include <sys/types.h>
@ -1190,7 +1190,8 @@ fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
for (i = 0; i < tok->tt.execarg.count; i++) {
bptr = buf + tok->len;
tok->tt.execarg.text[i] = bptr;
if (i < AUDIT_MAX_ARGS)
tok->tt.execarg.text[i] = bptr;
/* Look for a null terminated string. */
while (bptr && (*bptr != '\0')) {
@ -1202,6 +1203,8 @@ fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
return (-1);
tok->len++; /* \0 character */
}
if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
tok->tt.execarg.count = AUDIT_MAX_ARGS;
return (0);
}
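Review bot: bounding the store into `tok->tt.execarg.text[i]` by AUDIT_MAX_ARGS and clamping `count` afterwards stops the out-of-bounds write for a record that carries more arguments than the array holds, which is the important part; the clamp is silent, though, so a consumer cannot tell that a token with exactly AUDIT_MAX_ARGS entries came from a record with more. Consider preserving the original count in the token, or returning a distinguishable status, so praudit/auditreduce can flag the record, since an execve with an oversized argument vector is one a reviewer wants to see in full. The same applies to the fetch_execenv_tok hunk below.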
@ -1235,9 +1238,10 @@ fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
for (i = 0; i< tok->tt.execenv.count; i++) {
for (i = 0; i < tok->tt.execenv.count; i++) {
bptr = buf + tok->len;
tok->tt.execenv.text[i] = bptr;
if (i < AUDIT_MAX_ENV)
tok->tt.execenv.text[i] = bptr;
/* Look for a null terminated string. */
while (bptr && (*bptr != '\0')) {
@ -1249,6 +1253,8 @@ fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
return (-1);
tok->len++; /* \0 character */
}
if (tok->tt.execenv.count > AUDIT_MAX_ENV)
tok->tt.execenv.count = AUDIT_MAX_ENV;
return (0);
}

View File

@ -30,7 +30,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#51 $
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#52 $
*/
#include <sys/types.h>
@ -71,7 +71,6 @@
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socketvar.h>
#include <bsm/audit_internal.h>
#include <bsm/libbsm.h>

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#5 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $
.\"
.Dd April 19, 2005
.Dt LIBBSM 3
@ -55,15 +55,18 @@ These are described respectively in the
.Xr au_notify 3 ,
.Xr au_stream 3 ,
.Xr au_token 3 ,
and
.Xr au_user 3
man pages.
manual pages.
.Ss Audit Event Stream Interfaces
Audit event stream interfaces support interaction with file-backed audit
event streams:
.Xr au_close 3 .
.Xr au_close 3 ,
.Xr au_close_buffer 3 ,
.Xr au_free_token 3 ,
.Xr au_open 3 ,
.Xr au_write 3 ,
.Xr audit_submit 3 .
.Ss Audit Class Interfaces
Audit class interfaces support the look up of information from the
.Xr audit_class 5
@ -81,9 +84,13 @@ database:
.Xr endac 3 ,
.Xr setac 3 ,
.Xr getacdir 3 ,
.Xr getacfilesz 3 ,
.Xr getacflg 3 ,
.Xr getacmin 3 ,
.Xr getacna 3 .
.Xr getacna 3 ,
.Xr getacpol 3 ,
.Xr au_poltostr 3 ,
.Xr au_strtopol 3 .
.Ss Audit Event Interfaces
Audit event interfaces support the look up of information from the
.Xr audit_event 5
@ -188,6 +195,7 @@ database:
.Xr au_stream 3 ,
.Xr au_token 3 ,
.Xr au_user 3 ,
.Xr audit_submit 3 ,
.Xr audit_class 5 ,
.Xr audit_control 5
.Sh AUTHORS

View File

@ -1,4 +1,5 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -25,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#9 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $
.\"
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
@ -63,6 +64,15 @@ an action cannot be attributed to a specific user.
The minimum free space required on the file system audit logs are being written to.
When the free space falls below this limit a warning will be issued.
Not currently used as the value of 20 percent is chosen by the kernel.
.It Va policy
A list of global audit policy flags specifying various behaviors, such as
fail stop, auditing of paths and arguments, etc.
.It Va filesz
Maximum trail size in bytes; if set to a non-0 value, the audit daemon will
rotate the audit trail file at around this size.
Sizes less than the minimum trail size (default of 512K) will be rejected as
invalid.
If 0, trail files will not be automatically rotated based on file size.
.El
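Review bot: the `.Dd January 4, 2006` context line is not updated although two new fields are documented in this hunk. In the `filesz` entry, "non-0" reads better as "non-zero", and the text states the minimum as "default of 512K" while the code in this change rejects sizes below `MIN_AUDIT_FILE_SIZE`; naming that constant (or where it is defined) would let readers find the actual limit if the default changes.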
.Sh AUDIT FLAGS
Audit flags are a comma-delimited list of audit classes as defined in the
@ -75,17 +85,66 @@ Event classes may be preceded by a prefix which changes their interpretation.
The following prefixes may be used for each class:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It (none)
Record both successful and failed events
.It +
Record successful events
.It -
Record failed events
.It ^
Record both successful and failed events
Record neither successful nor failed events
.It ^+
Do not record successful events
.It ^-
Do not record failed events
.El
.Sh AUDIT POLICY FLAGS
The policy flags field is a comma-delimited list of policy flags from the
following list:
.Pp
.Bl -tag -width zonename -compact -offset indent
.It cnt
Allow processes to continue running even though events are not being audited.
If not set, processes will be suspended when the audit store space is
exhausted.
Currently, this is not a recoverable state.
.It ahlt
Fail stop the system if unable to audit an event--this consists of first
draining pending records to disk, and then halting the operating system.
.It argv
Audit command line arguments to
.Xr execve 2 .
.It arge
Audit environmental variable arguments to
.Xr execve 2 .
.It seq
Include a unique audit sequence number token in generated audit records (not
implemented on FreeBSD or Darwin).
.It group
Include supplementary groups list in generated audit records (not implemented
on FreeBSD or Darwin; supplementary groups are never included in records on
these systems).
.It trail
Append a trailer token to each audit record (not implemented on FreeBSD or
Darwin; trailers are always included in records on these systems).
.It path
Include secondary file paths in audit records (not implemented on FreeBSD or
Darwin; secondary paths are never included in records on these systems).
.It zonename
Include a zone ID token with each audit record (not implemented on FreeBSD or
Darwin; FreeBSD audit records do not currently include the jail ID or name.)
.It perzone
Enable auditing for each local zone (not implemented on FreeBSD or Darwin; on
FreeBSD, audit records are collected from all jails and placed in a single
global trail, and only limited audit controls are permitted within a jail.)
.El
.Pp
It is recommended that installations set the
.Dv cnt
flag but not
.Dv ahlt
flag unless it is intended that audit logs exceeding available disk space
halt the system.
.Sh DEFAULT
The following settings appear in the default
.Nm
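Review bot: the policy flags documented here are fewer than the tokens au_strtopol accepts in bsm_control.c in this same change: `user`, `scnt`, `public` and the window-data flag (parsed as `winau_fstat` in the code, emitted as `windata` by au_poltostr) have no entry, so an administrator reading this page cannot know they are valid `policy:` values or whether they are implemented on FreeBSD. Either document them with the same "(not implemented on FreeBSD or Darwin)" qualifier the other entries use, or state that only the listed flags are accepted and reject the rest in au_strtopol. Minor: "event--this consists of" in the `ahlt` entry would read better as two sentences.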
@ -95,12 +154,20 @@ dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0
.Ed
.Pp
The
.Va flags
parameter above specifies the system-wide mask corresponding to login/logout
events.
The
.Va policy
parameter specifies that the system should neither fail stop nor suspend
processes when the audit store fills.
The trail file will not be automatically rotated by the audit daemon based on
file size.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_control

View File

@ -25,7 +25,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#7 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
.\"
.Dd April 19, 2005
.Dt AUDITON 2
@ -192,7 +192,7 @@ structure. The
field will be set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
The
.Ft af_filesz
.Ft af_currsz
will be set to the current audit log file size.
.It Dv A_GETCWD
.\" [COMMENTED OUT]: Valid description, not yet implemented.

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 2005 Robert N. M. Watson
* Copyright (c) 2005-2006 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#5 $
* $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#6 $
*/
#include <bsm/libbsm.h>
@ -77,8 +77,9 @@ audump_class_r(void)
static void
audump_control(void)
{
char string[PATH_MAX];
char string[PATH_MAX], string2[PATH_MAX];
int ret, val;
long policy;
ret = getacflg(string, PATH_MAX);
if (ret == -2)
@ -116,6 +117,15 @@ audump_control(void)
printf("dir:%s\n", string);
} while (ret == 0);
ret = getacpol(string, PATH_MAX);
if (ret != 0)
err(-1, "getacpol");
if (au_strtopol(string, &policy) < 0)
err(-1, "au_strtopol");
if (au_poltostr(policy, string2, PATH_MAX) < 0)
err(-1, "au_poltostr");
printf("policy:%s\n", string2);
}
static void
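Review bot: the call `au_poltostr(policy, string2, PATH_MAX)` passes its arguments in the wrong order: the prototype introduced in this same change is `au_poltostr(long policy, size_t maxsize, char *buf)`, so here `string2` is handed over as the maximum size and `PATH_MAX` where the buffer pointer belongs, which the compiler will at best warn about and which writes through an invalid pointer at run time. It should be `au_poltostr(policy, PATH_MAX, string2)`. Second, getacpol returns -1 rather than 0 when audit_control has no `policy:` line, so `if (ret != 0) err(-1, "getacpol");` makes audump fail on any pre-existing configuration that lacks the new field; treating -1 as "no policy" and skipping the print would match how the `dir` loop above tolerates the end of the list.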