946ac5071e
primary new feature is auditdistd. Obtained from: TrustedBSD Project Sponsored by: The FreeBSD Foundation (auditdistd)
1240 lines
29 KiB
C
1240 lines
29 KiB
C
/*-
|
|
* Copyright (c) 2008-2009 Apple Inc.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
|
|
* its contributors may be used to endorse or promote products derived
|
|
* from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
|
|
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
* $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#18 $
|
|
*/
|
|
|
|
#include <sys/param.h>
|
|
|
|
#include <config/config.h>
|
|
|
|
#include <sys/dirent.h>
|
|
#ifdef HAVE_FULL_QUEUE_H
|
|
#include <sys/queue.h>
|
|
#else /* !HAVE_FULL_QUEUE_H */
|
|
#include <compat/queue.h>
|
|
#endif /* !HAVE_FULL_QUEUE_H */
|
|
#include <sys/mount.h>
|
|
#include <sys/socket.h>
|
|
|
|
#include <sys/stat.h>
|
|
#include <sys/time.h>
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#include <bsm/audit.h>
|
|
#include <bsm/audit_uevents.h>
|
|
#include <bsm/auditd_lib.h>
|
|
#include <bsm/libbsm.h>
|
|
|
|
#include <assert.h>
|
|
#include <dirent.h>
|
|
#include <err.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <time.h>
|
|
#include <unistd.h>
|
|
#include <netdb.h>
|
|
|
|
#ifdef __APPLE__
|
|
#include <notify.h>
|
|
#ifndef __BSM_INTERNAL_NOTIFY_KEY
|
|
#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
|
|
#endif /* __BSM_INTERNAL_NOTIFY_KEY */
|
|
#endif /* __APPLE__ */
|
|
|
|
/*
|
|
* XXX This is temporary until this is moved to <bsm/audit.h> and shared with
|
|
* the kernel.
|
|
*/
|
|
#ifndef AUDIT_HARD_LIMIT_FREE_BLOCKS
|
|
#define AUDIT_HARD_LIMIT_FREE_BLOCKS 4
|
|
#endif
|
|
|
|
/*
|
|
* Number of seconds to January 1, 2000
|
|
*/
|
|
#define JAN_01_2000 946598400
|
|
|
|
struct dir_ent {
|
|
char *dirname;
|
|
uint8_t softlim;
|
|
uint8_t hardlim;
|
|
TAILQ_ENTRY(dir_ent) dirs;
|
|
};
|
|
|
|
static TAILQ_HEAD(, dir_ent) dir_q;
|
|
|
|
struct audit_trail {
|
|
time_t at_time;
|
|
char *at_path;
|
|
off_t at_size;
|
|
|
|
TAILQ_ENTRY(audit_trail) at_trls;
|
|
};
|
|
|
|
static int auditd_minval = -1;
|
|
static int auditd_dist = 0;
|
|
|
|
static char auditd_host[MAXHOSTNAMELEN];
|
|
static int auditd_hostlen = -1;
|
|
|
|
static char *auditd_errmsg[] = {
|
|
"no error", /* ADE_NOERR ( 0) */
|
|
"could not parse audit_control(5) file", /* ADE_PARSE ( 1) */
|
|
"auditon(2) failed", /* ADE_AUDITON ( 2) */
|
|
"malloc(3) failed", /* ADE_NOMEM ( 3) */
|
|
"all audit log directories over soft limit", /* ADE_SOFTLIM ( 4) */
|
|
"all audit log directories over hard limit", /* ADE_HARDLIM ( 5) */
|
|
"could not create file name string", /* ADE_STRERR ( 6) */
|
|
"could not open audit record", /* ADE_AU_OPEN ( 7) */
|
|
"could not close audit record", /* ADE_AU_CLOSE ( 8) */
|
|
"could not set active audit session state", /* ADE_SETAUDIT ( 9) */
|
|
"auditctl(2) failed (trail still swapped)", /* ADE_ACTL (10) */
|
|
"auditctl(2) failed (trail not swapped)", /* ADE_ACTLERR (11) */
|
|
"could not swap audit trail file", /* ADE_SWAPERR (12) */
|
|
"could not rename crash recovery file", /* ADE_RENAME (13) */
|
|
"could not read 'current' link file", /* ADE_READLINK (14) */
|
|
"could not create 'current' link file", /* ADE_SYMLINK (15) */
|
|
"invalid argument", /* ADE_INVAL (16) */
|
|
"could not resolve hostname to address", /* ADE_GETADDR (17) */
|
|
"address family not supported", /* ADE_ADDRFAM (18) */
|
|
"error expiring audit trail files", /* ADE_EXPIRE (19) */
|
|
};
|
|
|
|
#define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
|
|
|
|
#define NA_EVENT_STR_SIZE 128
|
|
#define POL_STR_SIZE 128
|
|
|
|
|
|
/*
|
|
* Look up and return the error string for the given audit error code.
|
|
*/
|
|
const char *
|
|
auditd_strerror(int errcode)
|
|
{
|
|
int idx = -errcode;
|
|
|
|
if (idx < 0 || idx > (int)MAXERRCODE)
|
|
return ("Invalid auditd error code");
|
|
|
|
return (auditd_errmsg[idx]);
|
|
}
|
|
|
|
|
|
/*
|
|
* Free our local list of directory names and init list.
|
|
*/
|
|
static void
|
|
free_dir_q(void)
|
|
{
|
|
struct dir_ent *d1, *d2;
|
|
|
|
d1 = TAILQ_FIRST(&dir_q);
|
|
while (d1 != NULL) {
|
|
d2 = TAILQ_NEXT(d1, dirs);
|
|
free(d1->dirname);
|
|
free(d1);
|
|
d1 = d2;
|
|
}
|
|
TAILQ_INIT(&dir_q);
|
|
}
|
|
|
|
/*
|
|
* Concat the directory name to the given file name.
|
|
* XXX We should affix the hostname also
|
|
*/
|
|
static char *
|
|
affixdir(char *name, struct dir_ent *dirent)
|
|
{
|
|
char *fn = NULL;
|
|
|
|
/*
|
|
* Sanity check on file name.
|
|
*/
|
|
if (strlen(name) != FILENAME_LEN) {
|
|
errno = EINVAL;
|
|
return (NULL);
|
|
}
|
|
|
|
/*
|
|
* If the host is set then also add the hostname to the filename.
|
|
*/
|
|
if (auditd_hostlen != -1)
|
|
asprintf(&fn, "%s/%s.%s", dirent->dirname, name, auditd_host);
|
|
else
|
|
asprintf(&fn, "%s/%s", dirent->dirname, name);
|
|
return (fn);
|
|
}
|
|
|
|
/*
|
|
* Insert the directory entry in the list by the way they are ordered in
|
|
* audit_control(5). Move the entries that are over the soft and hard limits
|
|
* toward the tail.
|
|
*/
|
|
static void
|
|
insert_orderly(struct dir_ent *denew)
|
|
{
|
|
struct dir_ent *dep;
|
|
|
|
TAILQ_FOREACH(dep, &dir_q, dirs) {
|
|
if (dep->softlim == 1 && denew->softlim == 0) {
|
|
TAILQ_INSERT_BEFORE(dep, denew, dirs);
|
|
return;
|
|
}
|
|
if (dep->hardlim == 1 && denew->hardlim == 0) {
|
|
TAILQ_INSERT_BEFORE(dep, denew, dirs);
|
|
return;
|
|
}
|
|
}
|
|
TAILQ_INSERT_TAIL(&dir_q, denew, dirs);
|
|
}
|
|
|
|
/*
|
|
* Get the min percentage of free blocks from audit_control(5) and that
|
|
* value in the kernel. Return:
|
|
* ADE_NOERR on success,
|
|
* ADE_PARSE error parsing audit_control(5),
|
|
*/
|
|
int
|
|
auditd_set_dist(void)
|
|
{
|
|
int ret;
|
|
|
|
ret = getacdist();
|
|
if (ret < 0)
|
|
return (ADE_PARSE);
|
|
|
|
auditd_dist = ret;
|
|
|
|
return (ADE_NOERR);
|
|
}
|
|
|
|
/*
|
|
* Get the host from audit_control(5) and set it in the audit kernel
|
|
* information. Return:
|
|
* ADE_NOERR on success.
|
|
* ADE_PARSE error parsing audit_control(5).
|
|
* ADE_AUDITON error getting/setting auditon(2) value.
|
|
* ADE_GETADDR error getting address info for host.
|
|
* ADE_ADDRFAM un-supported address family.
|
|
*/
|
|
int
|
|
auditd_set_host(void)
|
|
{
|
|
struct sockaddr_in6 *sin6;
|
|
struct sockaddr_in *sin;
|
|
struct addrinfo *res;
|
|
struct auditinfo_addr aia;
|
|
int error, ret = ADE_NOERR;
|
|
|
|
if (getachost(auditd_host, sizeof(auditd_host)) != 0) {
|
|
ret = ADE_PARSE;
|
|
|
|
/*
|
|
* To maintain reverse compatability with older audit_control
|
|
* files, simply drop a warning if the host parameter has not
|
|
* been set. However, we will explicitly disable the
|
|
* generation of extended audit header by passing in a zeroed
|
|
* termid structure.
|
|
*/
|
|
bzero(&aia, sizeof(aia));
|
|
aia.ai_termid.at_type = AU_IPv4;
|
|
error = audit_set_kaudit(&aia, sizeof(aia));
|
|
if (error < 0 && errno != ENOSYS)
|
|
ret = ADE_AUDITON;
|
|
return (ret);
|
|
}
|
|
auditd_hostlen = strlen(auditd_host);
|
|
error = getaddrinfo(auditd_host, NULL, NULL, &res);
|
|
if (error)
|
|
return (ADE_GETADDR);
|
|
switch (res->ai_family) {
|
|
case PF_INET6:
|
|
sin6 = (struct sockaddr_in6 *) res->ai_addr;
|
|
bcopy(&sin6->sin6_addr.s6_addr,
|
|
&aia.ai_termid.at_addr[0], sizeof(struct in6_addr));
|
|
aia.ai_termid.at_type = AU_IPv6;
|
|
break;
|
|
|
|
case PF_INET:
|
|
sin = (struct sockaddr_in *) res->ai_addr;
|
|
bcopy(&sin->sin_addr.s_addr,
|
|
&aia.ai_termid.at_addr[0], sizeof(struct in_addr));
|
|
aia.ai_termid.at_type = AU_IPv4;
|
|
break;
|
|
|
|
default:
|
|
/* Un-supported address family in host parameter. */
|
|
errno = EAFNOSUPPORT;
|
|
return (ADE_ADDRFAM);
|
|
}
|
|
|
|
if (audit_set_kaudit(&aia, sizeof(aia)) < 0)
|
|
ret = ADE_AUDITON;
|
|
|
|
return (ret);
|
|
}
|
|
|
|
/*
|
|
* Get the min percentage of free blocks from audit_control(5) and that
|
|
* value in the kernel. Return:
|
|
* ADE_NOERR on success,
|
|
* ADE_PARSE error parsing audit_control(5),
|
|
* ADE_AUDITON error getting/setting auditon(2) value.
|
|
*/
|
|
int
|
|
auditd_set_minfree(void)
|
|
{
|
|
au_qctrl_t qctrl;
|
|
|
|
if (getacmin(&auditd_minval) != 0)
|
|
return (ADE_PARSE);
|
|
|
|
if (audit_get_qctrl(&qctrl, sizeof(qctrl)) != 0)
|
|
return (ADE_AUDITON);
|
|
|
|
if (qctrl.aq_minfree != auditd_minval) {
|
|
qctrl.aq_minfree = auditd_minval;
|
|
if (audit_set_qctrl(&qctrl, sizeof(qctrl)) != 0)
|
|
return (ADE_AUDITON);
|
|
}
|
|
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* Convert a trailname into a timestamp (seconds). Return 0 if the conversion
|
|
* was successful.
|
|
*/
|
|
static int
|
|
trailname_to_tstamp(char *fn, time_t *tstamp)
|
|
{
|
|
struct tm tm;
|
|
char ts[TIMESTAMP_LEN + 1];
|
|
char *p;
|
|
|
|
*tstamp = 0;
|
|
|
|
/*
|
|
* Get the ending time stamp.
|
|
*/
|
|
if ((p = strchr(fn, '.')) == NULL)
|
|
return (1);
|
|
strlcpy(ts, ++p, sizeof(ts));
|
|
if (strlen(ts) != POSTFIX_LEN)
|
|
return (1);
|
|
|
|
bzero(&tm, sizeof(tm));
|
|
|
|
/* seconds (0-60) */
|
|
p = ts + POSTFIX_LEN - 2;
|
|
tm.tm_sec = atol(p);
|
|
if (tm.tm_sec < 0 || tm.tm_sec > 60)
|
|
return (1);
|
|
|
|
/* minutes (0-59) */
|
|
*p = '\0'; p -= 2;
|
|
tm.tm_min = atol(p);
|
|
if (tm.tm_min < 0 || tm.tm_min > 59)
|
|
return (1);
|
|
|
|
/* hours (0 - 23) */
|
|
*p = '\0'; p -= 2;
|
|
tm.tm_hour = atol(p);
|
|
if (tm.tm_hour < 0 || tm.tm_hour > 23)
|
|
return (1);
|
|
|
|
/* day of month (1-31) */
|
|
*p = '\0'; p -= 2;
|
|
tm.tm_mday = atol(p);
|
|
if (tm.tm_mday < 1 || tm.tm_mday > 31)
|
|
return (1);
|
|
|
|
/* month (0 - 11) */
|
|
*p = '\0'; p -= 2;
|
|
tm.tm_mon = atol(p) - 1;
|
|
if (tm.tm_mon < 0 || tm.tm_mon > 11)
|
|
return (1);
|
|
|
|
/* year (year - 1900) */
|
|
*p = '\0'; p -= 4;
|
|
tm.tm_year = atol(p) - 1900;
|
|
if (tm.tm_year < 0)
|
|
return (1);
|
|
|
|
*tstamp = timegm(&tm);
|
|
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* Remove audit trails files according to the expiration conditions. Returns:
|
|
* ADE_NOERR on success or there is nothing to do.
|
|
* ADE_PARSE if error parsing audit_control(5).
|
|
* ADE_NOMEM if could not allocate memory.
|
|
* ADE_EXPIRE if there was an unespected error.
|
|
*/
|
|
int
|
|
auditd_expire_trails(int (*warn_expired)(char *))
|
|
{
|
|
int andflg, ret = ADE_NOERR;
|
|
size_t expire_size, total_size = 0L;
|
|
time_t expire_age, oldest_time, current_time = time(NULL);
|
|
struct dir_ent *traildir;
|
|
struct audit_trail *at;
|
|
char *afnp, *pn;
|
|
TAILQ_HEAD(au_trls_head, audit_trail) head =
|
|
TAILQ_HEAD_INITIALIZER(head);
|
|
struct stat stbuf;
|
|
char activefn[MAXPATHLEN];
|
|
|
|
/*
|
|
* Read the expiration conditions. If no conditions then return no
|
|
* error.
|
|
*/
|
|
if (getacexpire(&andflg, &expire_age, &expire_size) < 0)
|
|
return (ADE_PARSE);
|
|
if (!expire_age && !expire_size)
|
|
return (ADE_NOERR);
|
|
|
|
/*
|
|
* Read the 'current' trail file name. Trim off directory path.
|
|
*/
|
|
activefn[0] = '\0';
|
|
readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);
|
|
if ((afnp = strrchr(activefn, '/')) != NULL)
|
|
afnp++;
|
|
|
|
|
|
/*
|
|
* Build tail queue of the trail files.
|
|
*/
|
|
TAILQ_FOREACH(traildir, &dir_q, dirs) {
|
|
DIR *dirp;
|
|
struct dirent *dp;
|
|
|
|
dirp = opendir(traildir->dirname);
|
|
while ((dp = readdir(dirp)) != NULL) {
|
|
time_t tstamp = 0;
|
|
struct audit_trail *new;
|
|
|
|
/*
|
|
* Quickly filter non-trail files.
|
|
*/
|
|
if (dp->d_namlen < FILENAME_LEN ||
|
|
dp->d_name[POSTFIX_LEN] != '.')
|
|
continue;
|
|
|
|
if (asprintf(&pn, "%s/%s", traildir->dirname,
|
|
dp->d_name) < 0) {
|
|
ret = ADE_NOMEM;
|
|
break;
|
|
}
|
|
|
|
if (stat(pn, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
|
|
free(pn);
|
|
continue;
|
|
}
|
|
|
|
total_size += stbuf.st_size;
|
|
|
|
/*
|
|
* If this is the 'current' audit trail then
|
|
* don't add it to the tail queue.
|
|
*/
|
|
if (NULL != afnp && strcmp(dp->d_name, afnp) == 0) {
|
|
free(pn);
|
|
continue;
|
|
}
|
|
|
|
/*
|
|
* Get the ending time stamp encoded in the trail
|
|
* name. If we can't read it or if it is older
|
|
* than Jan 1, 2000 then use the mtime.
|
|
*/
|
|
if (trailname_to_tstamp(dp->d_name, &tstamp) != 0 ||
|
|
tstamp < JAN_01_2000)
|
|
tstamp = stbuf.st_mtime;
|
|
|
|
/*
|
|
* If the time stamp is older than Jan 1, 2000 then
|
|
* update the mtime of the trail file to the current
|
|
* time. This is so we don't prematurely remove a trail
|
|
* file that was created while the system clock reset
|
|
* to the * "beginning of time" but later the system
|
|
* clock is set to the correct current time.
|
|
*/
|
|
if (current_time >= JAN_01_2000 &&
|
|
tstamp < JAN_01_2000) {
|
|
struct timeval tv[2];
|
|
|
|
tstamp = stbuf.st_mtime = current_time;
|
|
TIMESPEC_TO_TIMEVAL(&tv[0],
|
|
&stbuf.st_atimespec);
|
|
TIMESPEC_TO_TIMEVAL(&tv[1],
|
|
&stbuf.st_mtimespec);
|
|
utimes(pn, tv);
|
|
}
|
|
|
|
/*
|
|
* Allocate and populate the new entry.
|
|
*/
|
|
new = malloc(sizeof(*new));
|
|
if (NULL == new) {
|
|
free(pn);
|
|
ret = ADE_NOMEM;
|
|
break;
|
|
}
|
|
new->at_time = tstamp;
|
|
new->at_size = stbuf.st_size;
|
|
new->at_path = pn;
|
|
|
|
/*
|
|
* Check to see if we have a new head. Otherwise,
|
|
* walk the tailq from the tail first and do a simple
|
|
* insertion sort.
|
|
*/
|
|
if (TAILQ_EMPTY(&head) ||
|
|
new->at_time <= TAILQ_FIRST(&head)->at_time) {
|
|
TAILQ_INSERT_HEAD(&head, new, at_trls);
|
|
continue;
|
|
}
|
|
|
|
TAILQ_FOREACH_REVERSE(at, &head, au_trls_head, at_trls)
|
|
if (new->at_time >= at->at_time) {
|
|
TAILQ_INSERT_AFTER(&head, at, new,
|
|
at_trls);
|
|
break;
|
|
}
|
|
|
|
}
|
|
closedir(dirp);
|
|
}
|
|
|
|
oldest_time = current_time - expire_age;
|
|
|
|
/*
|
|
* Expire trail files, oldest (mtime) first, if the given
|
|
* conditions are met.
|
|
*/
|
|
at = TAILQ_FIRST(&head);
|
|
while (NULL != at) {
|
|
struct audit_trail *at_next = TAILQ_NEXT(at, at_trls);
|
|
|
|
if (andflg) {
|
|
if ((expire_size && total_size > expire_size) &&
|
|
(expire_age && at->at_time < oldest_time)) {
|
|
if (warn_expired)
|
|
(*warn_expired)(at->at_path);
|
|
if (unlink(at->at_path) < 0)
|
|
ret = ADE_EXPIRE;
|
|
total_size -= at->at_size;
|
|
}
|
|
} else {
|
|
if ((expire_size && total_size > expire_size) ||
|
|
(expire_age && at->at_time < oldest_time)) {
|
|
if (warn_expired)
|
|
(*warn_expired)(at->at_path);
|
|
if (unlink(at->at_path) < 0)
|
|
ret = ADE_EXPIRE;
|
|
total_size -= at->at_size;
|
|
}
|
|
}
|
|
|
|
free(at->at_path);
|
|
free(at);
|
|
at = at_next;
|
|
}
|
|
|
|
return (ret);
|
|
}
|
|
|
|
/*
|
|
* Parses the "dir" entry in audit_control(5) into an ordered list. Also, will
|
|
* set the minfree and host values if not already set. Arguments include
|
|
* function pointers to audit_warn functions for soft and hard limits. Returns:
|
|
* ADE_NOERR on success,
|
|
* ADE_PARSE error parsing audit_control(5),
|
|
* ADE_AUDITON error getting/setting auditon(2) value,
|
|
* ADE_NOMEM error allocating memory,
|
|
* ADE_SOFTLIM if all the directories are over the soft limit,
|
|
* ADE_HARDLIM if all the directories are over the hard limit,
|
|
*/
|
|
int
|
|
auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
|
|
{
|
|
char cur_dir[MAXNAMLEN];
|
|
struct dir_ent *dirent;
|
|
struct statfs sfs;
|
|
int err;
|
|
char soft, hard;
|
|
int tcnt = 0;
|
|
int scnt = 0;
|
|
int hcnt = 0;
|
|
|
|
if (auditd_minval == -1 && (err = auditd_set_minfree()) != 0)
|
|
return (err);
|
|
|
|
if (auditd_hostlen == -1)
|
|
auditd_set_host();
|
|
|
|
/*
|
|
* Init directory q. Force a re-read of the file the next time.
|
|
*/
|
|
free_dir_q();
|
|
endac();
|
|
|
|
/*
|
|
* Read the list of directories into an ordered linked list
|
|
* admin's preference, then those over soft limit and, finally,
|
|
* those over the hard limit.
|
|
*
|
|
* XXX We should use the reentrant interfaces once they are
|
|
* available.
|
|
*/
|
|
while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
|
|
if (statfs(cur_dir, &sfs) < 0)
|
|
continue; /* XXX should warn */
|
|
soft = (sfs.f_bfree < (sfs.f_blocks * auditd_minval / 100 )) ?
|
|
1 : 0;
|
|
hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
|
|
if (soft) {
|
|
if (warn_soft)
|
|
(*warn_soft)(cur_dir);
|
|
scnt++;
|
|
}
|
|
if (hard) {
|
|
if (warn_hard)
|
|
(*warn_hard)(cur_dir);
|
|
hcnt++;
|
|
}
|
|
dirent = (struct dir_ent *) malloc(sizeof(struct dir_ent));
|
|
if (dirent == NULL)
|
|
return (ADE_NOMEM);
|
|
dirent->softlim = soft;
|
|
dirent->hardlim = hard;
|
|
dirent->dirname = (char *) malloc(MAXNAMLEN);
|
|
if (dirent->dirname == NULL) {
|
|
free(dirent);
|
|
return (ADE_NOMEM);
|
|
}
|
|
strlcpy(dirent->dirname, cur_dir, MAXNAMLEN);
|
|
insert_orderly(dirent);
|
|
tcnt++;
|
|
}
|
|
|
|
if (hcnt == tcnt)
|
|
return (ADE_HARDLIM);
|
|
if (scnt == tcnt)
|
|
return (ADE_SOFTLIM);
|
|
return (0);
|
|
}
|
|
|
|
void
|
|
auditd_close_dirs(void)
|
|
{
|
|
free_dir_q();
|
|
auditd_minval = -1;
|
|
auditd_hostlen = -1;
|
|
}
|
|
|
|
|
|
/*
|
|
* Process the audit event file, obtaining a class mapping for each event, and
|
|
* set that mapping into the kernel. Return:
|
|
* n number of event mappings that were successfully processed,
|
|
* ADE_NOMEM if there was an error allocating memory.
|
|
*/
|
|
int
|
|
auditd_set_evcmap(void)
|
|
{
|
|
au_event_ent_t ev, *evp;
|
|
au_evclass_map_t evc_map;
|
|
int ctr = 0;
|
|
|
|
/*
|
|
* XXX There's a risk here that the BSM library will return NULL
|
|
* for an event when it can't properly map it to a class. In that
|
|
* case, we will not process any events beyond the one that failed,
|
|
* but should. We need a way to get a count of the events.
|
|
*/
|
|
ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
|
|
ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
|
|
if (ev.ae_name == NULL || ev.ae_desc == NULL) {
|
|
if (ev.ae_name != NULL)
|
|
free(ev.ae_name);
|
|
return (ADE_NOMEM);
|
|
}
|
|
|
|
/*
|
|
* XXXRW: Currently we have no way to remove mappings from the kernel
|
|
* when they are removed from the file-based mappings.
|
|
*/
|
|
evp = &ev;
|
|
setauevent();
|
|
while ((evp = getauevent_r(evp)) != NULL) {
|
|
evc_map.ec_number = evp->ae_number;
|
|
evc_map.ec_class = evp->ae_class;
|
|
if (audit_set_class(&evc_map, sizeof(evc_map)) == 0)
|
|
ctr++;
|
|
}
|
|
endauevent();
|
|
free(ev.ae_name);
|
|
free(ev.ae_desc);
|
|
|
|
return (ctr);
|
|
}
|
|
|
|
/*
|
|
* Get the non-attributable event string and set the kernel mask. Return:
|
|
* ADE_NOERR on success,
|
|
* ADE_PARSE error parsing audit_control(5),
|
|
* ADE_AUDITON error setting the mask using auditon(2).
|
|
*/
|
|
int
|
|
auditd_set_namask(void)
|
|
{
|
|
au_mask_t aumask;
|
|
char naeventstr[NA_EVENT_STR_SIZE];
|
|
|
|
if (getacna(naeventstr, NA_EVENT_STR_SIZE) != 0 ||
|
|
getauditflagsbin(naeventstr, &aumask) != 0)
|
|
return (ADE_PARSE);
|
|
|
|
if (audit_set_kmask(&aumask, sizeof(aumask)) != 0)
|
|
return (ADE_AUDITON);
|
|
|
|
return (ADE_NOERR);
|
|
}
|
|
|
|
/*
|
|
* Set the audit control policy if a policy is configured in audit_control(5),
|
|
* implement the policy. However, if one isn't defined or if there is an error
|
|
* parsing the control file, set AUDIT_CNT to avoid leaving the system in a
|
|
* fragile state. Return:
|
|
* ADE_NOERR on success,
|
|
* ADE_PARSE error parsing audit_control(5),
|
|
* ADE_AUDITON error setting policy using auditon(2).
|
|
*/
|
|
int
|
|
auditd_set_policy(void)
|
|
{
|
|
int policy;
|
|
char polstr[POL_STR_SIZE];
|
|
|
|
if (getacpol(polstr, POL_STR_SIZE) != 0 ||
|
|
au_strtopol(polstr, &policy) != 0) {
|
|
policy = AUDIT_CNT;
|
|
if (audit_set_policy(&policy) != 0)
|
|
return (ADE_AUDITON);
|
|
return (ADE_PARSE);
|
|
}
|
|
|
|
if (audit_set_policy(&policy) != 0)
|
|
return (ADE_AUDITON);
|
|
|
|
return (ADE_NOERR);
|
|
}
|
|
|
|
/*
|
|
* Set trail rotation size. Return:
|
|
* ADE_NOERR on success,
|
|
* ADE_PARSE error parsing audit_control(5),
|
|
* ADE_AUDITON error setting file size using auditon(2).
|
|
*/
|
|
int
|
|
auditd_set_fsize(void)
|
|
{
|
|
size_t filesz;
|
|
au_fstat_t au_fstat;
|
|
|
|
/*
|
|
* Set trail rotation size.
|
|
*/
|
|
if (getacfilesz(&filesz) != 0)
|
|
return (ADE_PARSE);
|
|
|
|
bzero(&au_fstat, sizeof(au_fstat));
|
|
au_fstat.af_filesz = filesz;
|
|
if (audit_set_fsize(&au_fstat, sizeof(au_fstat)) != 0)
|
|
return (ADE_AUDITON);
|
|
|
|
return (ADE_NOERR);
|
|
}
|
|
|
|
static void
|
|
inject_dist(const char *fromname, char *toname, size_t tonamesize)
|
|
{
|
|
char *ptr;
|
|
|
|
ptr = strrchr(fromname, '/');
|
|
assert(ptr != NULL);
|
|
assert(ptr - fromname < (ssize_t)tonamesize);
|
|
strlcpy(toname, fromname, ptr - fromname + 1);
|
|
strlcat(toname, "/dist/", tonamesize);
|
|
strlcat(toname, ptr + 1, tonamesize);
|
|
}
|
|
|
|
static int
|
|
auditdist_link(const char *filename)
|
|
{
|
|
char fname[MAXPATHLEN];
|
|
|
|
if (auditd_dist) {
|
|
inject_dist(filename, fname, sizeof(fname));
|
|
/* Ignore errors. */
|
|
(void) link(filename, fname);
|
|
}
|
|
|
|
return (0);
|
|
}
|
|
|
|
int
|
|
auditd_rename(const char *fromname, const char *toname)
|
|
{
|
|
char fname[MAXPATHLEN], tname[MAXPATHLEN];
|
|
|
|
if (auditd_dist) {
|
|
inject_dist(fromname, fname, sizeof(fname));
|
|
inject_dist(toname, tname, sizeof(tname));
|
|
/* Ignore errors. */
|
|
(void) rename(fname, tname);
|
|
}
|
|
|
|
return (rename(fromname, toname));
|
|
}
|
|
|
|
/*
|
|
* Create the new audit file with appropriate permissions and ownership.
|
|
* Call auditctl(2) for this file.
|
|
* Try to clean up if something goes wrong.
|
|
* *errorp is modified only on auditctl(2) failure.
|
|
*/
|
|
static int
|
|
open_trail(char *fname, gid_t gid, int *errorp)
|
|
{
|
|
int fd;
|
|
|
|
/* XXXPJD: What should we do if the file already exists? */
|
|
fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR);
|
|
if (fd < 0)
|
|
return (-1);
|
|
if (fchown(fd, -1, gid) < 0 || fchmod(fd, S_IRUSR | S_IRGRP) < 0) {
|
|
(void) close(fd);
|
|
(void) unlink(fname);
|
|
return (-1);
|
|
}
|
|
(void) close(fd);
|
|
if (auditctl(fname) < 0) {
|
|
*errorp = errno;
|
|
(void) unlink(fname);
|
|
return (-1);
|
|
}
|
|
(void) auditdist_link(fname);
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* Create the new audit trail file, swap with existing audit file. Arguments
|
|
* include timestamp for the filename, a pointer to a string for returning the
|
|
* new file name, GID for trail file, and audit_warn function pointer for
|
|
* 'getacdir()' errors. Returns:
|
|
* ADE_NOERR on success,
|
|
* ADE_STRERR if the file name string could not be created,
|
|
* ADE_SWAPERR if the audit trail file could not be swapped,
|
|
* ADE_ACTL if the auditctl(2) call failed but file swap still
|
|
* successful.
|
|
* ADE_ACTLERR if the auditctl(2) call failed and file swap failed.
|
|
* ADE_SYMLINK if symlink(2) failed updating the current link.
|
|
*/
|
|
int
|
|
auditd_swap_trail(char *TS, char **newfile, gid_t gid,
|
|
int (*warn_getacdir)(char *))
|
|
{
|
|
char timestr[FILENAME_LEN + 1];
|
|
char *fn;
|
|
struct dir_ent *dirent;
|
|
int saverrno = 0;
|
|
|
|
if (strlen(TS) != TIMESTAMP_LEN ||
|
|
snprintf(timestr, sizeof(timestr), "%s.%s", TS,
|
|
NOT_TERMINATED) < 0) {
|
|
errno = EINVAL;
|
|
return (ADE_STRERR);
|
|
}
|
|
|
|
/* Try until we succeed. */
|
|
TAILQ_FOREACH(dirent, &dir_q, dirs) {
|
|
if (dirent->hardlim)
|
|
continue;
|
|
if ((fn = affixdir(timestr, dirent)) == NULL)
|
|
return (ADE_STRERR);
|
|
|
|
/*
|
|
* Create the file and pass to the kernel if all went well.
|
|
*/
|
|
if (open_trail(fn, gid, &saverrno) == 0) {
|
|
/* Success. */
|
|
*newfile = fn;
|
|
if (saverrno) {
|
|
/*
|
|
* auditctl() failed but still
|
|
* successful. Return errno and "soft"
|
|
* error.
|
|
*/
|
|
errno = saverrno;
|
|
return (ADE_ACTL);
|
|
}
|
|
return (ADE_NOERR);
|
|
}
|
|
/*
|
|
* auditctl failed setting log file. Try again.
|
|
*/
|
|
/*
|
|
* Tell the administrator about lack of permissions for dir.
|
|
*/
|
|
if (warn_getacdir != NULL)
|
|
(*warn_getacdir)(dirent->dirname);
|
|
}
|
|
if (saverrno) {
|
|
errno = saverrno;
|
|
return (ADE_ACTLERR);
|
|
} else
|
|
return (ADE_SWAPERR);
|
|
}
|
|
|
|
/*
|
|
* Mask calling process from being audited. Returns:
|
|
* ADE_NOERR on success,
|
|
* ADE_SETAUDIT if setaudit(2) fails.
|
|
*/
|
|
#ifdef __APPLE__
|
|
int
|
|
auditd_prevent_audit(void)
|
|
{
|
|
auditinfo_addr_t aia;
|
|
|
|
/*
|
|
* To prevent event feedback cycles and avoid audit becoming stalled if
|
|
* auditing is suspended we mask this processes events from being
|
|
* audited. We allow the uid, tid, and mask fields to be implicitly
|
|
* set to zero, but do set the audit session ID to the PID.
|
|
*
|
|
* XXXRW: Is there more to it than this?
|
|
*/
|
|
bzero(&aia, sizeof(aia));
|
|
aia.ai_asid = AU_ASSIGN_ASID;
|
|
aia.ai_termid.at_type = AU_IPv4;
|
|
if (setaudit_addr(&aia, sizeof(aia)) != 0)
|
|
return (ADE_SETAUDIT);
|
|
return (ADE_NOERR);
|
|
}
|
|
#else
|
|
int
|
|
auditd_prevent_audit(void)
|
|
{
|
|
auditinfo_t ai;
|
|
|
|
/*
|
|
* To prevent event feedback cycles and avoid audit becoming stalled if
|
|
* auditing is suspended we mask this processes events from being
|
|
* audited. We allow the uid, tid, and mask fields to be implicitly
|
|
* set to zero, but do set the audit session ID to the PID.
|
|
*
|
|
* XXXRW: Is there more to it than this?
|
|
*/
|
|
bzero(&ai, sizeof(ai));
|
|
ai.ai_asid = getpid();
|
|
if (setaudit(&ai) != 0)
|
|
return (ADE_SETAUDIT);
|
|
return (ADE_NOERR);
|
|
}
|
|
#endif /* !__APPLE__ */
|
|
|
|
/*
|
|
* Generate and submit audit record for audit startup or shutdown. The event
|
|
* argument can be AUE_audit_recovery, AUE_audit_startup or
|
|
* AUE_audit_shutdown. The path argument will add a path token, if not NULL.
|
|
* Returns:
|
|
* AUE_NOERR on success,
|
|
* ADE_NOMEM if memory allocation fails,
|
|
* ADE_AU_OPEN if au_open(3) fails,
|
|
* ADE_AU_CLOSE if au_close(3) fails.
|
|
*/
|
|
int
|
|
auditd_gen_record(int event, char *path)
|
|
{
|
|
int aufd;
|
|
uid_t uid;
|
|
pid_t pid;
|
|
char *autext = NULL;
|
|
token_t *tok;
|
|
struct auditinfo_addr aia;
|
|
|
|
if (event == AUE_audit_startup)
|
|
asprintf(&autext, "%s::Audit startup", getprogname());
|
|
else if (event == AUE_audit_shutdown)
|
|
asprintf(&autext, "%s::Audit shutdown", getprogname());
|
|
else if (event == AUE_audit_recovery)
|
|
asprintf(&autext, "%s::Audit recovery", getprogname());
|
|
else
|
|
return (ADE_INVAL);
|
|
if (autext == NULL)
|
|
return (ADE_NOMEM);
|
|
|
|
if ((aufd = au_open()) == -1) {
|
|
free(autext);
|
|
return (ADE_AU_OPEN);
|
|
}
|
|
bzero(&aia, sizeof(aia));
|
|
uid = getuid(); pid = getpid();
|
|
if ((tok = au_to_subject32_ex(uid, geteuid(), getegid(), uid, getgid(),
|
|
pid, pid, &aia.ai_termid)) != NULL)
|
|
au_write(aufd, tok);
|
|
if ((tok = au_to_text(autext)) != NULL)
|
|
au_write(aufd, tok);
|
|
free(autext);
|
|
if (path != NULL && (tok = au_to_path(path)) != NULL)
|
|
au_write(aufd, tok);
|
|
if ((tok = au_to_return32(0, 0)) != NULL)
|
|
au_write(aufd, tok);
|
|
if (au_close(aufd, 1, event) == -1)
|
|
return (ADE_AU_CLOSE);
|
|
|
|
return (ADE_NOERR);
|
|
}
|
|
|
|
/*
|
|
* Check for a 'current' symlink and do crash recovery, if needed. Create a new
|
|
* 'current' symlink. The argument 'curfile' is the file the 'current' symlink
|
|
* should point to. Returns:
|
|
* ADE_NOERR on success,
|
|
* ADE_AU_OPEN if au_open(3) fails,
|
|
* ADE_AU_CLOSE if au_close(3) fails.
|
|
* ADE_RENAME if error renaming audit trail file,
|
|
* ADE_READLINK if error reading the 'current' link,
|
|
* ADE_SYMLINK if error creating 'current' link.
|
|
*/
|
|
int
|
|
auditd_new_curlink(char *curfile)
|
|
{
|
|
int len, err;
|
|
char *ptr;
|
|
char *path = NULL;
|
|
struct stat sb;
|
|
char recoveredname[MAXPATHLEN];
|
|
char newname[MAXPATHLEN];
|
|
|
|
/*
|
|
* Check to see if audit was shutdown properly. If not, clean up,
|
|
* recover previous audit trail file, and generate audit record.
|
|
*/
|
|
len = readlink(AUDIT_CURRENT_LINK, recoveredname,
|
|
sizeof(recoveredname) - 1);
|
|
if (len > 0) {
|
|
/* 'current' exist but is it pointing at a valid file? */
|
|
recoveredname[len++] = '\0';
|
|
if (stat(recoveredname, &sb) == 0) {
|
|
/* Yes, rename it to a crash recovery file. */
|
|
strlcpy(newname, recoveredname, sizeof(newname));
|
|
|
|
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
|
|
memcpy(ptr, CRASH_RECOVERY, POSTFIX_LEN);
|
|
if (auditd_rename(recoveredname, newname) != 0)
|
|
return (ADE_RENAME);
|
|
} else
|
|
return (ADE_STRERR);
|
|
|
|
path = newname;
|
|
}
|
|
|
|
/* 'current' symlink is (now) invalid so remove it. */
|
|
(void) unlink(AUDIT_CURRENT_LINK);
|
|
|
|
/* Note the crash recovery in current audit trail */
|
|
err = auditd_gen_record(AUE_audit_recovery, path);
|
|
if (err)
|
|
return (err);
|
|
}
|
|
|
|
if (len < 0 && errno != ENOENT)
|
|
return (ADE_READLINK);
|
|
|
|
if (symlink(curfile, AUDIT_CURRENT_LINK) != 0)
|
|
return (ADE_SYMLINK);
|
|
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* Do just what we need to quickly start auditing. Assume no system logging or
|
|
* notify. Return:
|
|
* 0 on success,
|
|
* -1 on failure.
|
|
*/
|
|
int
|
|
audit_quick_start(void)
|
|
{
|
|
int err;
|
|
char *newfile = NULL;
|
|
time_t tt;
|
|
char TS[TIMESTAMP_LEN + 1];
|
|
int ret = 0;
|
|
|
|
/*
|
|
* Mask auditing of this process.
|
|
*/
|
|
if (auditd_prevent_audit() != 0)
|
|
return (-1);
|
|
|
|
/*
|
|
* Read audit_control and get log directories.
|
|
*/
|
|
err = auditd_read_dirs(NULL, NULL);
|
|
if (err != ADE_NOERR && err != ADE_SOFTLIM)
|
|
return (-1);
|
|
|
|
/*
|
|
* Setup trail file distribution.
|
|
*/
|
|
(void) auditd_set_dist();
|
|
|
|
/*
|
|
* Create a new audit trail log.
|
|
*/
|
|
if (getTSstr(tt, TS, sizeof(TS)) != 0)
|
|
return (-1);
|
|
err = auditd_swap_trail(TS, &newfile, getgid(), NULL);
|
|
if (err != ADE_NOERR && err != ADE_ACTL) {
|
|
ret = -1;
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* Add the current symlink and recover from crash, if needed.
|
|
*/
|
|
if (auditd_new_curlink(newfile) != 0) {
|
|
ret = -1;
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* At this point auditing has started so generate audit start-up record.
|
|
*/
|
|
if (auditd_gen_record(AUE_audit_startup, NULL) != 0) {
|
|
ret = -1;
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* Configure the audit controls.
|
|
*/
|
|
(void) auditd_set_evcmap();
|
|
(void) auditd_set_namask();
|
|
(void) auditd_set_policy();
|
|
(void) auditd_set_fsize();
|
|
(void) auditd_set_minfree();
|
|
(void) auditd_set_host();
|
|
|
|
out:
|
|
if (newfile != NULL)
|
|
free(newfile);
|
|
|
|
return (ret);
|
|
}
|
|
|
|
/*
|
|
* Shut down auditing quickly. Assumes that is only called on system shutdown.
|
|
* Returns:
|
|
* 0 on success,
|
|
* -1 on failure.
|
|
*/
|
|
int
|
|
audit_quick_stop(void)
|
|
{
|
|
int len;
|
|
int cond;
|
|
char *ptr;
|
|
time_t tt;
|
|
char oldname[MAXPATHLEN];
|
|
char newname[MAXPATHLEN];
|
|
char TS[TIMESTAMP_LEN + 1];
|
|
|
|
/*
|
|
* Auditing already disabled?
|
|
*/
|
|
if (audit_get_cond(&cond) != 0)
|
|
return (-1);
|
|
if (cond == AUC_NOAUDIT)
|
|
return (0);
|
|
|
|
/*
|
|
* Generate audit shutdown record.
|
|
*/
|
|
(void) auditd_gen_record(AUE_audit_shutdown, NULL);
|
|
|
|
/*
|
|
* Shutdown auditing in the kernel.
|
|
*/
|
|
cond = AUC_DISABLED;
|
|
if (audit_set_cond(&cond) != 0)
|
|
return (-1);
|
|
#ifdef __BSM_INTERNAL_NOTIFY_KEY
|
|
notify_post(__BSM_INTERNAL_NOTIFY_KEY);
|
|
#endif
|
|
|
|
/*
|
|
* Rename last audit trail and remove 'current' link.
|
|
*/
|
|
len = readlink(AUDIT_CURRENT_LINK, oldname, sizeof(oldname) - 1);
|
|
if (len < 0)
|
|
return (-1);
|
|
oldname[len++] = '\0';
|
|
|
|
if (getTSstr(tt, TS, sizeof(TS)) != 0)
|
|
return (-1);
|
|
|
|
strlcpy(newname, oldname, sizeof(newname));
|
|
|
|
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
|
|
memcpy(ptr, TS, POSTFIX_LEN);
|
|
if (auditd_rename(oldname, newname) != 0)
|
|
return (-1);
|
|
} else
|
|
return (-1);
|
|
|
|
(void) unlink(AUDIT_CURRENT_LINK);
|
|
|
|
return (0);
|
|
}
|