Just a minor heads up that I've done an import of OpenBSM 1.1 alpha 4 into head, with the intent of shaking out bugs so that we can ship OpenBSM 1.1 in 7.2-RELEASE in a few months. There are a number of changes in 1.1, including a libauditd so that launchd on Mac OS X can link parts of auditd into it directly, binary format changes (largely enhancements), etc. Please send feedback to trustedbsd-audit_at_TrustedBSD.org if you run into any issues.

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Wed, 31 Dec 2008 11:12:24 +0000 (UTC)
From: Robert Watson <rwatson_at_FreeBSD.org>
To: src-committers_at_freebsd.org, svn-src-all_at_freebsd.org, svn-src-head_at_freebsd.org
Subject: svn commit: r186647 - in head: contrib/openbsm contrib/openbsm/bin contrib/openbsm/bin/audit contrib/openbsm/bin/auditd contrib/openbsm/bin/auditfilterd contrib/openbsm/bin/auditreduce contrib/open...

Author: rwatson
Date: Wed Dec 31 11:12:24 2008
New Revision: 186647

URL: http://svn.freebsd.org/changeset/base/186647

Log:
  Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both
  contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
  merge). Add libauditd build parts and add to auditd's linkage; force
  libbsm to build before libauditd. OpenBSM history for imported
  revisions below for reference.

  MFC after:      1 month
  Sponsored by:   Apple Inc.
  Obtained from:  TrustedBSD Project

  OpenBSM 1.1 alpha 4

  - With the addition of BSM error number mapping, we also need to map the
    local error number passed to audit_submit(3) to a BSM error number,
    rather than have the caller perform that conversion.
  - Reallocate user audit events to avoid collisions with Solaris; adopt a
    more formal allocation scheme, and add some events allocated in Solaris
    that will be of immediate use on other platforms.
  - Add an event for Calife.
  - Add au_strerror(3), which allows generating strings for BSM errors
    directly, rather than requiring applications to map to the local error
    space, which might not be able to entirely represent the BSM error
    number space.
  - Major auditd rewrite for launchd(8) support. Add libauditd library that
    is shared between launchd and auditd.
  - Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
    (re)starting auditing under launchd(8) on Mac OS X.
  - Add 'current' symlink to active audit trail.
  - Add crash recovery of previous audit trail file when detected on audit
    startup that it has not been properly terminated.
  - Add the event AUE_audit_recovery to indicate when an audit trail file
    has been recovered from not being properly terminated. This event is
    stored in the new audit trail file and includes the path of the
    recovered audit trail file.
  - Mac OS X and FreeBSD dependent code in auditd.c is separated into
    auditd_darwin.c and auditd_fbsd.c files.
  - Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
    calls.
  - For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
  - Add support for NOTICE level logging.

  OpenBSM 1.1 alpha 3

  - Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
    between BSM error numbers (largely the Solaris definitions) and local
    errno(2) values for 32-bit and 64-bit return tokens. This is required
    as operating systems don't agree on some of the values of more recent
    error numbers.
  - Fix a bug in how au_to_exec_args(3) and au_to_exec_env(3) calculate the
    total size for the token. This buge.
  - Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Added:
  head/contrib/openbsm/bin/auditd/auditd_darwin.c - copied unchanged from r186607, vendor/openbsm/dist/bin/auditd/auditd_darwin.c
  head/contrib/openbsm/bin/auditd/auditd_fbsd.c - copied unchanged from r186607, vendor/openbsm/dist/bin/auditd/auditd_fbsd.c
  head/contrib/openbsm/bsm/auditd_lib.h - copied unchanged from r186607, vendor/openbsm/dist/bsm/auditd_lib.h
  head/contrib/openbsm/libauditd/ - copied from r186607, vendor/openbsm/dist/libauditd/
  head/contrib/openbsm/libbsm/au_errno.3 - copied unchanged from r186607, vendor/openbsm/dist/libbsm/au_errno.3
  head/contrib/openbsm/libbsm/bsm_errno.c - copied unchanged from r186607, vendor/openbsm/dist/libbsm/bsm_errno.c
  head/contrib/openbsm/sys/bsm/audit_errno.h - copied unchanged from r186607, vendor/openbsm/dist/sys/bsm/audit_errno.h
  head/contrib/openbsm/test/reference/E2BIG_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/E2BIG_record
  head/contrib/openbsm/test/reference/EACCES_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EACCES_record
  head/contrib/openbsm/test/reference/EBADF_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EBADF_record
  head/contrib/openbsm/test/reference/EBUSY_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EBUSY_record
  head/contrib/openbsm/test/reference/ECHILD_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ECHILD_record
  head/contrib/openbsm/test/reference/EDEADLK_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EDEADLK_record
  head/contrib/openbsm/test/reference/EEXIST_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EEXIST_record
  head/contrib/openbsm/test/reference/EFAULT_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EFAULT_record
  head/contrib/openbsm/test/reference/EFBIG_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EFBIG_record
  head/contrib/openbsm/test/reference/EINTR_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EINTR_record
  head/contrib/openbsm/test/reference/EINVAL_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EINVAL_record
  head/contrib/openbsm/test/reference/EIO_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EIO_record
  head/contrib/openbsm/test/reference/EISDIR_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EISDIR_record
  head/contrib/openbsm/test/reference/EMFILE_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EMFILE_record
  head/contrib/openbsm/test/reference/EMLINK_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EMLINK_record
  head/contrib/openbsm/test/reference/ENFILE_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENFILE_record
  head/contrib/openbsm/test/reference/ENODEV_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENODEV_record
  head/contrib/openbsm/test/reference/ENOENT_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOENT_record
  head/contrib/openbsm/test/reference/ENOEXEC_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOEXEC_record
  head/contrib/openbsm/test/reference/ENOMEM_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOMEM_record
  head/contrib/openbsm/test/reference/ENOSPC_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOSPC_record
  head/contrib/openbsm/test/reference/ENOTBLK_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTBLK_record
  head/contrib/openbsm/test/reference/ENOTDIR_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTDIR_record
  head/contrib/openbsm/test/reference/ENOTTY_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTTY_record
  head/contrib/openbsm/test/reference/ENXIO_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENXIO_record
  head/contrib/openbsm/test/reference/EPERM_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EPERM_record
  head/contrib/openbsm/test/reference/EPIPE_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EPIPE_record
  head/contrib/openbsm/test/reference/EROFS_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EROFS_record
  head/contrib/openbsm/test/reference/ESPIPE_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ESPIPE_record
  head/contrib/openbsm/test/reference/ESRCH_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ESRCH_record
  head/contrib/openbsm/test/reference/ETXTBSY_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ETXTBSY_record
  head/contrib/openbsm/test/reference/EXDEV_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EXDEV_record
  head/contrib/openbsm/test/reference/socketex_record - copied unchanged from r186607, vendor/openbsm/dist/test/reference/socketex_record
  head/contrib/openbsm/test/reference/socketex_token - copied unchanged from r186607, vendor/openbsm/dist/test/reference/socketex_token
  head/lib/libauditd/
  head/lib/libauditd/Makefile (contents, props changed)
  head/sys/bsm/audit_errno.h (contents, props changed)
  head/sys/security/audit/audit_bsm_errno.c (contents, props changed)
Modified:
  head/contrib/openbsm/ (props changed)
  head/contrib/openbsm/Makefile.am
  head/contrib/openbsm/Makefile.in
  head/contrib/openbsm/NEWS
  head/contrib/openbsm/README
  head/contrib/openbsm/TODO
  head/contrib/openbsm/VERSION
  head/contrib/openbsm/bin/Makefile.in
  head/contrib/openbsm/bin/audit/Makefile.am
  head/contrib/openbsm/bin/audit/Makefile.in
  head/contrib/openbsm/bin/audit/audit.8
  head/contrib/openbsm/bin/audit/audit.c
  head/contrib/openbsm/bin/auditd/Makefile.am
  head/contrib/openbsm/bin/auditd/Makefile.in
  head/contrib/openbsm/bin/auditd/audit_warn.c
  head/contrib/openbsm/bin/auditd/auditd.8
  head/contrib/openbsm/bin/auditd/auditd.c
  head/contrib/openbsm/bin/auditd/auditd.h
  head/contrib/openbsm/bin/auditfilterd/Makefile.in
  head/contrib/openbsm/bin/auditreduce/Makefile.in
  head/contrib/openbsm/bin/auditreduce/auditreduce.c
  head/contrib/openbsm/bin/praudit/Makefile.in
  head/contrib/openbsm/bsm/Makefile.am
  head/contrib/openbsm/bsm/Makefile.in
  head/contrib/openbsm/bsm/audit_uevents.h
  head/contrib/openbsm/bsm/libbsm.h
  head/contrib/openbsm/compat/endian.h
  head/contrib/openbsm/config/config.h.in
  head/contrib/openbsm/configure
  head/contrib/openbsm/configure.ac
  head/contrib/openbsm/etc/audit_event
  head/contrib/openbsm/libbsm/Makefile.am
  head/contrib/openbsm/libbsm/Makefile.in
  head/contrib/openbsm/libbsm/au_token.3
  head/contrib/openbsm/libbsm/audit_submit.3
  head/contrib/openbsm/libbsm/bsm_audit.c
  head/contrib/openbsm/libbsm/bsm_class.c
  head/contrib/openbsm/libbsm/bsm_control.c
  head/contrib/openbsm/libbsm/bsm_event.c
  head/contrib/openbsm/libbsm/bsm_io.c
  head/contrib/openbsm/libbsm/bsm_mask.c
  head/contrib/openbsm/libbsm/bsm_token.c
  head/contrib/openbsm/libbsm/bsm_user.c
  head/contrib/openbsm/libbsm/bsm_wrappers.c
  head/contrib/openbsm/libbsm/libbsm.3
  head/contrib/openbsm/man/Makefile.in
  head/contrib/openbsm/man/audit.log.5
  head/contrib/openbsm/modules/Makefile.in
  head/contrib/openbsm/modules/auditfilter_noop/Makefile.in
  head/contrib/openbsm/sys/Makefile.in
  head/contrib/openbsm/sys/bsm/Makefile.am
  head/contrib/openbsm/sys/bsm/Makefile.in
  head/contrib/openbsm/sys/bsm/audit.h
  head/contrib/openbsm/sys/bsm/audit_internal.h
  head/contrib/openbsm/sys/bsm/audit_kevents.h
  head/contrib/openbsm/sys/bsm/audit_record.h
  head/contrib/openbsm/test/Makefile.in
  head/contrib/openbsm/test/bsm/Makefile.in
  head/contrib/openbsm/test/bsm/generate.c
  head/contrib/openbsm/test/reference/arg32_record
  head/contrib/openbsm/test/reference/data_record
head/contrib/openbsm/test/reference/file_record head/contrib/openbsm/test/reference/header32_token head/contrib/openbsm/test/reference/in_addr_record head/contrib/openbsm/test/reference/ip_record head/contrib/openbsm/test/reference/ipc_record head/contrib/openbsm/test/reference/iport_record head/contrib/openbsm/test/reference/opaque_record head/contrib/openbsm/test/reference/path_record head/contrib/openbsm/test/reference/process32_record head/contrib/openbsm/test/reference/process32ex_record-IPv4 head/contrib/openbsm/test/reference/process32ex_record-IPv6 head/contrib/openbsm/test/reference/process64_record head/contrib/openbsm/test/reference/process64ex_record-IPv4 head/contrib/openbsm/test/reference/process64ex_record-IPv6 head/contrib/openbsm/test/reference/return32_record head/contrib/openbsm/test/reference/return32_token head/contrib/openbsm/test/reference/seq_record head/contrib/openbsm/test/reference/subject32_record head/contrib/openbsm/test/reference/subject32ex_record head/contrib/openbsm/test/reference/text_record head/contrib/openbsm/test/reference/zonename_record head/contrib/openbsm/tools/Makefile.in head/lib/Makefile head/lib/libbsm/Makefile head/share/mk/bsd.libnames.mk head/sys/bsm/audit.h head/sys/bsm/audit_internal.h head/sys/bsm/audit_kevents.h head/sys/bsm/audit_record.h head/sys/security/audit/audit_bsm_token.c head/usr.sbin/auditd/Makefile Modified: head/contrib/openbsm/Makefile.am ============================================================================== --- head/contrib/openbsm/Makefile.am Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/Makefile.am Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -1,15 +1,23 _at__at_ # -# $P4: //depot/projects/trustedbsd/openbsm/Makefile.am#3 $ +# $P4: //depot/projects/trustedbsd/openbsm/Makefile.am#4 $ # SUBDIRS = \ - bsm \ + bsm + +if HAVE_AUDIT_SYSCALLS +SUBDIRS += \ + libauditd +endif + +SUBDIRS += \ libbsm \ bin \ man \ modules \ sys + EXTRA_DIST = \ CHANGELOG \ LICENSE \ Modified: 
head/contrib/openbsm/Makefile.in ============================================================================== --- head/contrib/openbsm/Makefile.in Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/Makefile.in Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -15,7 +15,7 _at__at_ _at_SET_MAKE_at_ # -# $P4: //depot/projects/trustedbsd/openbsm/Makefile.in#8 $ +# $P4: //depot/projects/trustedbsd/openbsm/Makefile.in#9 $ # VPATH = _at_srcdir_at_ pkgdatadir = $(datadir)/_at_PACKAGE_at_ _at__at_ -35,6 +35,9 _at__at_ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = _at_build_at_ host_triplet = _at_host_at_ +_at_HAVE_AUDIT_SYSCALLS_TRUE_at_am__append_1 = \ +_at_HAVE_AUDIT_SYSCALLS_TRUE_at_ libauditd + subdir = . DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in $(top_srcdir)/config/config.h.in \ _at__at_ -63,7 +66,7 _at__at_ RECURSIVE_CLEAN_TARGETS = mostlyclean-re distclean-recursive maintainer-clean-recursive ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = $(SUBDIRS) +DIST_SUBDIRS = bsm libauditd libbsm bin man modules sys DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) _at__at_ -183,14 +186,7 _at__at_ sysconfdir = _at_sysconfdir_at_ target_alias = _at_target_alias_at_ top_builddir = _at_top_builddir_at_ top_srcdir = _at_top_srcdir_at_ -SUBDIRS = \ - bsm \ - libbsm \ - bin \ - man \ - modules \ - sys - +SUBDIRS = bsm $(am__append_1) libbsm bin man modules sys EXTRA_DIST = \ CHANGELOG \ LICENSE \ Modified: head/contrib/openbsm/NEWS ============================================================================== --- head/contrib/openbsm/NEWS Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/NEWS Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -1,5 +1,50 _at__at_ OpenBSM Version History +OpenBSM 1.1 alpha 4 + +- With the addition of BSM error number mapping, we also need to map the + local error number passed to audit_submit(3) to a BSM error number, 
rather + than have the caller perform that conversion. +- Reallocate user audit events to avoid collisions with Solaris; adopt a more + formal allocation scheme, and add some events allocated in Solaris that + will be of immediate use on other platforms. +- Add an event for Calife. +- Add au_strerror(3), which allows generating strings for BSM errors + directly, rather than requiring applications to map to the local error + space, which might not be able to entirely represent the BSM error number + space. +- Major auditd rewrite for launchd(8) support. Add libauditd library that is + shared between launchd and auditd. +- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for (re)starting + auditing under launchd(8) on Mac OS X. +- Add 'current' symlink to active audit trail. +- Add crash recovery of previous audit trail file when detected on audit + startup that it has not been properly terminated. +- Add the event AUE_audit_recovery to indicated when an audit trail file has + been recovered from not being properly terminated. This event is stored + in the new audit trail file and includes the path of recovered audit trail + file. +- Mac OS X and FreeBSD dependent code in auditd.c is separated into + auditd_darwin.c and auditd_fbsd.c files. +- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system calls. +- For Mac OS X, we use ASL(3) instead of syslog(3) for logging. +- Add support for NOTICE level logging. + +OpenBSM 1.1 alpha 3 + +- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map + between BSM error numbers (largely the Solaris definitions) and local + errno(2) values for 32-bit and 64-bit return tokens. This is required as + operating systems don't agree on some of the values of more recent error + numbers. +- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total + size for the token. This bug resulted in "unknown" tokens being printed + after the exec args/env tokens. 
+- Support for AUT_SOCKET_EX extended socket tokens, which describe a socket + using a pair of IPv4/IPv6 and port tuples. +- OpenBSM BSM file header version bumped for 1.1 release. +- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed. + OpenBSM 1.1 alpha 2 - Include files in OpenBSM are now broken out into two parts: library builds _at__at_ -348,4 +393,4 _at__at_ OpenBSM 1.0 alpha 1 to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/NEWS#9 $ +$P4: //depot/projects/trustedbsd/openbsm/NEWS#21 $ Modified: head/contrib/openbsm/README ============================================================================== --- head/contrib/openbsm/README Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/README Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -1,4 +1,4 _at__at_ -OpenBSM 1.1 alpha 1 +OpenBSM 1.1 alpha 4 Introduction _at__at_ -19,6 +19,7 _at__at_ OpenBSM consists of several directories: bsm/ Library include files for BSM compat/ Compatibility code to build on various OS's etc/ Sample /etc/security configuration files + libauditd Common audit management functions for auditd and launchd libbsm/ Implementation of BSM library interfaces and man pages man/ System call and configuration file man pages modules/ Directory for auditfilterd module source _at__at_ -55,4 +56,4 _at__at_ Information on TrustedBSD may be found o http://www.TrustedBSD.org/ -$P4: //depot/projects/trustedbsd/openbsm/README#32 $ +$P4: //depot/projects/trustedbsd/openbsm/README#34 $ Modified: head/contrib/openbsm/TODO ============================================================================== --- head/contrib/openbsm/TODO Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/TODO Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -20,5 +20,7 _at__at_ OpenBSM TODO - Document audit_warn event arguments. 
- Allow the path /etc/security to be configured at configure-time so that alternative locations can be used. +- NLS support for au_strerror(3), which provides error strings for BSM errors + not available on the local OS platform. -$P4: //depot/projects/trustedbsd/openbsm/TODO#11 $ +$P4: //depot/projects/trustedbsd/openbsm/TODO#12 $ Modified: head/contrib/openbsm/VERSION ============================================================================== --- head/contrib/openbsm/VERSION Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/VERSION Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -1 +1 _at__at_ -OPENBSM_1_1_ALPHA_2 +OPENBSM_1_1_ALPHA_4 Modified: head/contrib/openbsm/bin/Makefile.in ============================================================================== --- head/contrib/openbsm/bin/Makefile.in Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/Makefile.in Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -15,7 +15,7 _at__at_ _at_SET_MAKE_at_ # -# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile.in#8 $ +# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile.in#10 $ # VPATH = _at_srcdir_at_ pkgdatadir = $(datadir)/_at_PACKAGE_at_ Modified: head/contrib/openbsm/bin/audit/Makefile.am ============================================================================== --- head/contrib/openbsm/bin/audit/Makefile.am Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/audit/Makefile.am Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -1,5 +1,5 _at__at_ # -# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#4 $ +# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#6 $ # if USE_NATIVE_INCLUDES _at__at_ -13,11 +13,11 _at__at_ audit_LDADD = $(top_builddir)/libbsm/lib man8_MANS = audit.8 if USE_MACH_IPC -audit_SOURCES = auditd_control_user.c audit.c -CLEANFILES = auditd_control_user.c auditd_control_user.h +audit_SOURCES = auditd_controlUser.c audit.c +CLEANFILES = auditd_controlUser.c auditd_control.h 
-auditd_control_user.c: $(top_srcdir)/bin/auditd/auditd_control.defs - $(MIG) -user auditd_control_user.c -header auditd_control_user.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs +auditd_controlUser.c auditd_control.h: $(top_srcdir)/bin/auditd/auditd_control.defs + $(MIG) -user auditd_controlUser.c -header auditd_control.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs else audit_SOURCES = audit.c endif Modified: head/contrib/openbsm/bin/audit/Makefile.in ============================================================================== --- head/contrib/openbsm/bin/audit/Makefile.in Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/audit/Makefile.in Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -15,7 +15,7 _at__at_ _at_SET_MAKE_at_ # -# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#9 $ +# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#11 $ # VPATH = _at_srcdir_at_ _at__at_ -49,9 +49,9 _at__at_ CONFIG_CLEAN_FILES = am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(sbin_PROGRAMS) -am__audit_SOURCES_DIST = audit.c auditd_control_user.c +am__audit_SOURCES_DIST = audit.c auditd_controlUser.c _at_USE_MACH_IPC_FALSE_at_am_audit_OBJECTS = audit.$(OBJEXT) -_at_USE_MACH_IPC_TRUE_at_am_audit_OBJECTS = auditd_control_user.$(OBJEXT) \ +_at_USE_MACH_IPC_TRUE_at_am_audit_OBJECTS = auditd_controlUser.$(OBJEXT) \ _at_USE_MACH_IPC_TRUE_at_ audit.$(OBJEXT) audit_OBJECTS = $(am_audit_OBJECTS) audit_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la _at__at_ -188,8 +188,8 _at__at_ top_srcdir = _at_top_srcdir_at_ audit_LDADD = $(top_builddir)/libbsm/libbsm.la man8_MANS = audit.8 _at_USE_MACH_IPC_FALSE_at_audit_SOURCES = audit.c -_at_USE_MACH_IPC_TRUE_at_audit_SOURCES = auditd_control_user.c audit.c -_at_USE_MACH_IPC_TRUE_at_CLEANFILES = auditd_control_user.c auditd_control_user.h 
+_at_USE_MACH_IPC_TRUE_at_audit_SOURCES = auditd_controlUser.c audit.c +_at_USE_MACH_IPC_TRUE_at_CLEANFILES = auditd_controlUser.c auditd_control.h all: all-am .SUFFIXES: _at__at_ -262,7 +262,7 _at__at_ distclean-compile: -rm -f *.tab.c _at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/audit.Po_at_am__quote_at_ -_at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/auditd_control_user.Po_at_am__quote_at_ +_at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/auditd_controlUser.Po_at_am__quote_at_ .c.o: _at_am__fastdepCC_TRUE_at_ $(COMPILE) -MT $_at_ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $_at_ $< _at__at_ -521,8 +521,8 _at__at_ uninstall-man: uninstall-man8 uninstall-sbinPROGRAMS -_at_USE_MACH_IPC_TRUE_at_auditd_control_user.c: $(top_srcdir)/bin/auditd/auditd_control.defs -_at_USE_MACH_IPC_TRUE_at_ $(MIG) -user auditd_control_user.c -header auditd_control_user.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs +_at_USE_MACH_IPC_TRUE_at_auditd_controlUser.c auditd_control.h: $(top_srcdir)/bin/auditd/auditd_control.defs +_at_USE_MACH_IPC_TRUE_at_ $(MIG) -user auditd_controlUser.c -header auditd_control.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: Modified: head/contrib/openbsm/bin/audit/audit.8 ============================================================================== --- head/contrib/openbsm/bin/audit/audit.8 Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/audit/audit.8 Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -25,9 +25,9 _at__at_ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#11 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $ .\" -.Dd October 2, 2006 +.Dd December 11, 2008 .Dt AUDIT 8 .Os .Sh NAME _at__at_ -35,7 +35,7 _at__at_ .Nd audit management utility .Sh SYNOPSIS .Nm -.Fl n | s | t +.Fl i | n | s | t .Sh DESCRIPTION The .Nm _at__at_ -43,6 +43,13 _at__at_ utility controls the state of the audit One of the following flags is required as an argument to .Nm : .Bl -tag -width indent +.It Fl i +Initializes and starts auditing. +This option is currently for Mac OS X only +and requires +.Xr auditd 8 +to be configured to run under +.Xr launchd 8 . .It Fl n Forces the audit system to close the existing audit log file and rotate to a new log file in a location specified in the audit control file. _at__at_ -59,6 +66,13 _at__at_ and renamed to indicate the time of the The .Xr auditd 8 daemon must already be running. +Optionally, it can be configured to be started +on-demand by +.Xr launchd 8 +(Mac OS X only). +The +.Nm +utility requires audit administrator privileges for successful operation. .Sh FILES .Bl -tag -width ".Pa /etc/security/audit_control" -compact .It Pa /etc/security/audit_control _at__at_ -67,7 +81,8 _at__at_ Audit policy file used to configure the .Sh SEE ALSO .Xr audit 4 , .Xr audit_control 5 , -.Xr auditd 8 +.Xr auditd 8 , +.Xr launchd 8 .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. 
Modified: head/contrib/openbsm/bin/audit/audit.c ============================================================================== --- head/contrib/openbsm/bin/audit/audit.c Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/audit/audit.c Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -26,7 +26,7 _at__at_ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#11 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $ */ /* * Program to trigger the audit daemon with a message that is either: _at__at_ -47,6 +47,7 _at__at_ #include <bsm/libbsm.h> +#include <errno.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> _at__at_ -64,7 +65,15 _at__at_ static int send_trigger(unsigned int); #include <mach/host_special_ports.h> #include <servers/bootstrap.h> -#include "auditd_control_user.h" +#include "auditd_control.h" + +/* + * XXX the following is temporary until this can be added to the kernel + * audit.h header. 
+ */ +#ifndef AUDIT_TRIGGER_INITIALIZE +#define AUDIT_TRIGGER_INITIALIZE 7 +#endif static int send_trigger(unsigned int trigger) _at__at_ -74,7 +83,12 _at__at_ send_trigger(unsigned int trigger) error = host_get_audit_control_port(mach_host_self(), &serverPort); if (error != KERN_SUCCESS) { - mach_error("Cannot get auditd_control Mach port: ", error); + if (geteuid() != 0) { + errno = EPERM; + perror("audit requires root privileges"); + } else + mach_error("Cannot get auditd_control Mach port:", + error); return (-1); } _at__at_ -96,7 +110,10 _at__at_ send_trigger(unsigned int trigger) error = auditon(A_SENDTRIGGER, &trigger, sizeof(trigger)); if (error != 0) { - perror("Error sending trigger"); + if (error == EPERM) + perror("audit requires root privileges"); + else + perror("Error sending trigger"); return (-1); } _at__at_ -108,7 +125,7 _at__at_ static void usage(void) { - (void)fprintf(stderr, "Usage: audit -n | -s | -t \n"); + (void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n"); exit(-1); } _at__at_ -124,9 +141,13 _at__at_ main(int argc, char **argv) if (argc != 2) usage(); - while ((ch = getopt(argc, argv, "nst")) != -1) { + while ((ch = getopt(argc, argv, "inst")) != -1) { switch(ch) { + case 'i': + trigger = AUDIT_TRIGGER_INITIALIZE; + break; + case 'n': trigger = AUDIT_TRIGGER_ROTATE_USER; break; Modified: head/contrib/openbsm/bin/auditd/Makefile.am ============================================================================== --- head/contrib/openbsm/bin/auditd/Makefile.am Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/auditd/Makefile.am Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -1,5 +1,5 _at__at_ # -# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#4 $ +# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#5 $ # if USE_NATIVE_INCLUDES _at__at_ -9,18 +9,18 _at__at_ INCLUDES = -I$(top_builddir) -I$(top_src endif sbin_PROGRAMS = auditd -auditd_LDADD = $(top_builddir)/libbsm/libbsm.la +auditd_LDADD = 
$(top_builddir)/libbsm/libbsm.la $(top_builddir)/libauditd/libauditd.la man8_MANS = auditd.8 if USE_MACH_IPC -auditd_SOURCES = auditd_control_server.c audit_triggers_server.c audit_warn.c auditd.c -CLEANFILES = auditd_control_server.c auditd_control_server.h audit_triggers_server.c audit_triggers_server.h +auditd_SOURCES = auditd_controlServer.c audit_triggersServer.c audit_warn.c auditd.c auditd_darwin.c +CLEANFILES = auditd_control_server.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h -auditd_control_server.c: auditd_control.defs - $(MIG) -user /dev/null -header /dev/null -server auditd_control_server.c -sheader auditd_control_server.h $(top_srcdir)/bin/auditd/auditd_control.defs +auditd_controlServer.c auditd_controlServer.h: auditd_control.defs + $(MIG) -user /dev/null -header /dev/null -server auditd_controlServer.c -sheader auditd_controlServer.h $(top_srcdir)/bin/auditd/auditd_control.defs -audit_triggers_server.c: audit_triggers.defs - $(MIG) -user /dev/null -header /dev/null -server audit_triggers_server.c -sheader audit_triggers_server.h $(top_srcdir)/bin/auditd/audit_triggers.defs +audit_triggersServer.c audit_triggersServer.h: audit_triggers.defs + $(MIG) -user /dev/null -header /dev/null -server audit_triggersServer.c -sheader audit_triggersServer.h $(top_srcdir)/bin/auditd/audit_triggers.defs else -auditd_SOURCES = audit_warn.c auditd.c +auditd_SOURCES = audit_warn.c auditd.c auditd_fbsd.c endif Modified: head/contrib/openbsm/bin/auditd/Makefile.in ============================================================================== --- head/contrib/openbsm/bin/auditd/Makefile.in Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/auditd/Makefile.in Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -15,7 +15,7 _at__at_ _at_SET_MAKE_at_ # -# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#9 $ +# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#10 $ # VPATH = _at_srcdir_at_ _at__at_ -49,16 +49,17 
_at__at_ CONFIG_CLEAN_FILES = am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(sbin_PROGRAMS) -am__auditd_SOURCES_DIST = audit_warn.c auditd.c \ - auditd_control_server.c audit_triggers_server.c +am__auditd_SOURCES_DIST = audit_warn.c auditd.c auditd_fbsd.c \ + auditd_controlServer.c audit_triggersServer.c auditd_darwin.c _at_USE_MACH_IPC_FALSE_at_am_auditd_OBJECTS = audit_warn.$(OBJEXT) \ -_at_USE_MACH_IPC_FALSE_at_ auditd.$(OBJEXT) -_at_USE_MACH_IPC_TRUE_at_am_auditd_OBJECTS = \ -_at_USE_MACH_IPC_TRUE_at_ auditd_control_server.$(OBJEXT) \ -_at_USE_MACH_IPC_TRUE_at_ audit_triggers_server.$(OBJEXT) \ -_at_USE_MACH_IPC_TRUE_at_ audit_warn.$(OBJEXT) auditd.$(OBJEXT) +_at_USE_MACH_IPC_FALSE_at_ auditd.$(OBJEXT) auditd_fbsd.$(OBJEXT) +_at_USE_MACH_IPC_TRUE_at_am_auditd_OBJECTS = auditd_controlServer.$(OBJEXT) \ +_at_USE_MACH_IPC_TRUE_at_ audit_triggersServer.$(OBJEXT) \ +_at_USE_MACH_IPC_TRUE_at_ audit_warn.$(OBJEXT) auditd.$(OBJEXT) \ +_at_USE_MACH_IPC_TRUE_at_ auditd_darwin.$(OBJEXT) auditd_OBJECTS = $(am_auditd_OBJECTS) -auditd_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la +auditd_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la \ + $(top_builddir)/libauditd/libauditd.la DEFAULT_INCLUDES = -I. 
-I$(top_builddir)/config_at_am__isrc_at_ depcomp = $(SHELL) $(top_srcdir)/config/depcomp am__depfiles_maybe = depfiles _at__at_ -189,11 +190,11 _at__at_ top_builddir = _at_top_builddir_at_ top_srcdir = _at_top_srcdir_at_ _at_USE_NATIVE_INCLUDES_FALSE_at_INCLUDES = -I$(top_builddir) -I$(top_srcdir) -I$(top_srcdir)/sys _at_USE_NATIVE_INCLUDES_TRUE_at_INCLUDES = -I$(top_builddir) -I$(top_srcdir) -auditd_LDADD = $(top_builddir)/libbsm/libbsm.la +auditd_LDADD = $(top_builddir)/libbsm/libbsm.la $(top_builddir)/libauditd/libauditd.la man8_MANS = auditd.8 -_at_USE_MACH_IPC_FALSE_at_auditd_SOURCES = audit_warn.c auditd.c -_at_USE_MACH_IPC_TRUE_at_auditd_SOURCES = auditd_control_server.c audit_triggers_server.c audit_warn.c auditd.c -_at_USE_MACH_IPC_TRUE_at_CLEANFILES = auditd_control_server.c auditd_control_server.h audit_triggers_server.c audit_triggers_server.h +_at_USE_MACH_IPC_FALSE_at_auditd_SOURCES = audit_warn.c auditd.c auditd_fbsd.c +_at_USE_MACH_IPC_TRUE_at_auditd_SOURCES = auditd_controlServer.c audit_triggersServer.c audit_warn.c auditd.c auditd_darwin.c +_at_USE_MACH_IPC_TRUE_at_CLEANFILES = auditd_control_server.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h all: all-am .SUFFIXES: _at__at_ -265,10 +266,12 _at__at_ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -_at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/audit_triggers_server.Po_at_am__quote_at_ +_at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/audit_triggersServer.Po_at_am__quote_at_ _at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/audit_warn.Po_at_am__quote_at_ _at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/auditd.Po_at_am__quote_at_ -_at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/auditd_control_server.Po_at_am__quote_at_ +_at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/auditd_controlServer.Po_at_am__quote_at_ +_at_AMDEP_TRUE_at__at_am__include_at_ 
_at_am__quote_at_./$(DEPDIR)/auditd_darwin.Po_at_am__quote_at_ +_at_AMDEP_TRUE_at__at_am__include_at_ _at_am__quote_at_./$(DEPDIR)/auditd_fbsd.Po_at_am__quote_at_ .c.o: _at_am__fastdepCC_TRUE_at_ $(COMPILE) -MT $_at_ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $_at_ $< _at__at_ -527,11 +530,11 _at__at_ uninstall-man: uninstall-man8 uninstall-sbinPROGRAMS -_at_USE_MACH_IPC_TRUE_at_auditd_control_server.c: auditd_control.defs -_at_USE_MACH_IPC_TRUE_at_ $(MIG) -user /dev/null -header /dev/null -server auditd_control_server.c -sheader auditd_control_server.h $(top_srcdir)/bin/auditd/auditd_control.defs +_at_USE_MACH_IPC_TRUE_at_auditd_controlServer.c auditd_controlServer.h: auditd_control.defs +_at_USE_MACH_IPC_TRUE_at_ $(MIG) -user /dev/null -header /dev/null -server auditd_controlServer.c -sheader auditd_controlServer.h $(top_srcdir)/bin/auditd/auditd_control.defs -_at_USE_MACH_IPC_TRUE_at_audit_triggers_server.c: audit_triggers.defs -_at_USE_MACH_IPC_TRUE_at_ $(MIG) -user /dev/null -header /dev/null -server audit_triggers_server.c -sheader audit_triggers_server.h $(top_srcdir)/bin/auditd/audit_triggers.defs +_at_USE_MACH_IPC_TRUE_at_audit_triggersServer.c audit_triggersServer.h: audit_triggers.defs +_at_USE_MACH_IPC_TRUE_at_ $(MIG) -user /dev/null -header /dev/null -server audit_triggersServer.c -sheader audit_triggersServer.h $(top_srcdir)/bin/auditd/audit_triggers.defs # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: Modified: head/contrib/openbsm/bin/auditd/audit_warn.c ============================================================================== --- head/contrib/openbsm/bin/auditd/audit_warn.c Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/auditd/audit_warn.c Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -26,7 +26,7 _at__at_ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#9 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $ */ #include <sys/types.h> _at__at_ -71,20 +71,15 _at__at_ auditwarnlog(char *args[]) } /* - * Indicates that the hard limit for all filesystems has been exceeded count - * times. + * Indicates that the hard limit for all filesystems has been exceeded. */ int -audit_warn_allhard(int count) +audit_warn_allhard(void) { - char intstr[12]; - char *args[3]; - - snprintf(intstr, 12, "%d", count); + char *args[2]; args[0] = HARDLIM_ALL_WARN; - args[1] = intstr; - args[2] = NULL; + args[1] = NULL; return (auditwarnlog(args)); } Modified: head/contrib/openbsm/bin/auditd/auditd.8 ============================================================================== --- head/contrib/openbsm/bin/auditd/auditd.8 Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/auditd/auditd.8 Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -25,9 +25,9 _at__at_ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#14 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#16 $ .\" -.Dd October 2, 2006 +.Dd December 11, 2008 .Dt AUDITD 8 .Os .Sh NAME _at__at_ -35,7 +35,7 _at__at_ .Nd audit log management daemon .Sh SYNOPSIS .Nm -.Op Fl d +.Op Fl d | l .Sh DESCRIPTION The .Nm _at__at_ -50,7 +50,16 _at__at_ The options are as follows: .Bl -tag -width indent .It Fl d Starts the daemon in debug mode \[em] it will not daemonize. +.It Fl l +This option is for when +.Nm +is configured to start on-demand using +.Xr launchd 8 . .El +.Pp +Optionally, the audit review group "audit" may be created. +Non-privileged +users that are members of this group may read the audit trail log files. .Sh NOTE To assure uninterrupted audit support, the .Nm _at__at_ -63,20 +72,33 _at__at_ the .Pa audit_control file. .Pp -.\" Sending a -.\" .Dv SIGHUP -.\" to a running -.\" .Nm -.\" daemon will force it to exit. -Sending a -.Dv SIGTERM -to a running +If +.Nm +is started on-demand by +.Xr launchd 8 +then auditing should only be started and stopped with +.Xr audit 8 . +.Pp +On Mac OS X, .Nm -daemon will force it to exit. +uses the +.Xr asl 3 +API for writing system log messages. +Therefore, only the audit administrator +and members of the audit review group will be able to read the +system log entries. .Sh FILES -.Bl -tag -width ".Pa /var/audit" -compact +.Bl -tag -width ".Pa /etc/security" -compact .It Pa /var/audit Default directory for storing audit log files. +.Pp +.It Pa /etc/security +The directory containing the auditing configuration files +.Xr audit_class 5 , +.Xr audit_control 5 , +.Xr audit_event 5 , +and +.Xr audit_warn 5 . .El .Sh COMPATIBILITY The historical _at__at_ -92,9 +114,14 _at__at_ and and are no longer available as arguments to .Nm . 
.Sh SEE ALSO +.Xr asl 3 , .Xr audit 4 , +.Xr audit_class 5 , .Xr audit_control 5 , -.Xr audit 8 +.Xr audit_event 5 , +.Xr audit_warn 5 , +.Xr audit 8 , +.Xr launchd 8 .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. Modified: head/contrib/openbsm/bin/auditd/auditd.c ============================================================================== --- head/contrib/openbsm/bin/auditd/auditd.c Wed Dec 31 11:05:28 2008 (r186646) +++ head/contrib/openbsm/bin/auditd/auditd.c Wed Dec 31 11:12:24 2008 (r186647) _at__at_ -26,30 +26,29 _at__at_ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#39 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#40 $ */ -#include <sys/param.h> +#include <sys/types.h> #include <config/config.h> #include <sys/dirent.h> -#include <sys/mman.h> -#include <sys/socket.h> #ifdef HAVE_FULL_QUEUE_H #include <sys/queue.h> #else /* !HAVE_FULL_QUEUE_H */ #include <compat/queue.h> #endif /* !HAVE_FULL_QUEUE_H */ +#include <sys/mman.h> +#include <sys/param.h> #include <sys/stat.h> #include <sys/wait.h> #include <bsm/audit.h> #include <bsm/audit_uevents.h> +#include <bsm/auditd_lib.h> #include <bsm/libbsm.h> -#include <netinet/in.h> - #include <err.h> #include <errno.h> #include <fcntl.h> _at__at_ -60,115 +59,88 _at__at_ #include <unistd.h> #include <signal.h> #include <string.h> -#include <syslog.h> -#include <netdb.h> #include "auditd.h" -#ifdef USE_MACH_IPC -#include <notify.h> -#include <mach/port.h> -#include <mach/mach_error.h> -#include <mach/mach_traps.h> -#include <mach/mach.h> -#include <mach/host_special_ports.h> - -#include "auditd_control_server.h" -#include "audit_triggers_server.h" -#endif /* USE_MACH_IPC */ #ifndef HAVE_STRLCPY #include <compat/strlcpy.h> #endif 
-#define NA_EVENT_STR_SIZE 25 -#define POL_STR_SIZE 128 -static int ret, minval; -static char *lastfile = NULL; -static int allhardcount = 0; -static int sigchlds, sigchlds_handled; -static int sighups, sighups_handled; -#ifndef USE_MACH_IPC -static int sigterms, sigterms_handled; -static int triggerfd = 0; - -#else /* USE_MACH_IPC */ - -static mach_port_t control_port = MACH_PORT_NULL; -static mach_port_t signal_port = MACH_PORT_NULL; -static mach_port_t port_set = MACH_PORT_NULL; - -#ifndef __BSM_INTERNAL_NOTIFY_KEY -#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" -#endif /* __BSM_INTERNAL_NOTIFY_KEY */ -#endif /* USE_MACH_IPC */ - -static TAILQ_HEAD(, dir_ent) dir_q; - -static int config_audit_controls(void); - /* - * Error starting auditd + * XXX the following is temporary until this can be added to the kernel + * audit.h header. */ -static void -fail_exit(void) -{ - - audit_warn_nostart(); - exit(1); -} +#ifndef AUDIT_TRIGGER_INITIALIZE +#define AUDIT_TRIGGER_INITIALIZE 7 +#endif /* - * Free our local list of directory names. + * LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and + * http://wiki.freebsd.org/launchd for more information. + * + * In order for auditd to work "on demand" with launchd(8) it can't: + * call daemon(3) + * call fork and having the parent process exit + * change uids or gids. + * set up the current working directory or chroot. + * set the session id + * change stdio to /dev/null. + * call setrusage(2) + * call setpriority(2) + * Ignore SIGTERM. + * auditd (in 'launchd mode') is launched on demand so it must catch + * SIGTERM to exit cleanly. + */ +static int launchd_flag = 0; + +/* + * The GID of the audit review group (if used). The audit trail files and + * system logs (Mac OS X only) can only be reviewed by members of this group + * or the audit administrator (aka. "root"). 
*/ -static void -free_dir_q(void) -{ - struct dir_ent *dirent; +static gid_t audit_review_gid = -1; - while ((dirent = TAILQ_FIRST(&dir_q))) { - TAILQ_REMOVE(&dir_q, dirent, dirs); - free(dirent->dirname); - free(dirent); - } -} +/* + * The path and file name of the last audit trail file. + */ +static char *lastfile = NULL; /* - * Generate the timestamp string. + * Error starting auditd. Run warn script and exit. */ -static int -getTSstr(char *buf, int len) +static void +fail_exit(void) { - struct timeval ts; - struct timezone tzp; - time_t tt; - if (gettimeofday(&ts, &tzp) != 0) - return (-1); - tt = (time_t)ts.tv_sec; - if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt))) - return (-1); - return (0); + audit_warn_nostart(); + exit(1); } /* - * Concat the directory name to the given file name. - * XXX We should affix the hostname also + * Follow the 'current' symlink to get the active trail file name. */ static char * -affixdir(char *name, struct dir_ent *dirent) +get_curfile(void) { - char *fn = NULL; + char *cf; + int len; - syslog(LOG_DEBUG, "dir = %s", dirent->dirname); - /* - * Sanity check on file name. - */ - if (strlen(name) != (FILENAME_LEN - 1)) { - syslog(LOG_ERR, "Invalid file name: %s", name); + cf = malloc(MAXPATHLEN); + if (cf == NULL) { + auditd_log_err("malloc failed: %m"); + return (NULL); + } + + len = readlink(AUDIT_CURRENT_LINK, cf, MAXPATHLEN - 1); + if (len < 0) { + free(cf); return (NULL); } - asprintf(&fn, "%s/%s", dirent->dirname, name); - return (fn); + + /* readlink() doesn't terminate string. */ + cf[len] = '\0'; + + return (cf); } /* _at__at_ -181,6 +153,10 _at__at_ close_lastfile(char *TS) char *oldname; size_t len; + /* If lastfile is NULL try to get it from the 'current' link. 
*/ + if (lastfile == NULL) + lastfile = get_curfile(); + if (lastfile != NULL) { len = strlen(lastfile) + 1; oldname = (char *)malloc(len); _at__at_ -192,16 +168,21 _at__at_ close_lastfile(char *TS) if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) { strlcpy(ptr, TS, TIMESTAMP_LEN); if (rename(oldname, lastfile) != 0) - syslog(LOG_ERR, + auditd_log_err( "Could not rename %s to %s: %m", oldname, lastfile); else { - syslog(LOG_INFO, "renamed %s to %s", + /* + * Remove the 'current' symlink since the link + * is now invalid. + */ + (void) unlink(AUDIT_CURRENT_LINK); + auditd_log_notice( "renamed %s to %s", oldname, lastfile); audit_warn_closefile(lastfile); } } else - syslog(LOG_ERR, "Could not rename %s to %s", oldname, + auditd_log_err( "Could not rename %s to %s", oldname, lastfile); free(lastfile); free(oldname); _at__at_ -211,168 +192,81 _at__at_ close_lastfile(char *TS) } /* - * Create the new audit file with appropriate permissions and ownership. Try - * to clean up if something goes wrong. - */ -static int -#ifdef AUDIT_REVIEW_GROUP -open_trail(const char *fname, uid_t uid, gid_t gid) -#else -open_trail(const char *fname) -#endif -{ - int error, fd; - - fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP); - if (fd < 0) - return (-1); -#ifdef AUDIT_REVIEW_GROUP - if (fchown(fd, uid, gid) < 0) { - error = errno; - close(fd); - (void)unlink(fname); - errno = error; - return (-1); - } -#endif - return (fd); -} - -/* * Create the new file name, swap with existing audit file. 
*/ static int swap_audit_file(void) { - char timestr[FILENAME_LEN]; - char *fn; + int err; + char *newfile; char TS[TIMESTAMP_LEN]; - struct dir_ent *dirent; -#ifdef AUDIT_REVIEW_GROUP - struct group *grp; - gid_t gid; - uid_t uid; -#endif - int error, fd; + time_t tt; - if (getTSstr(TS, TIMESTAMP_LEN) != 0) + if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0) return (-1); + err = auditd_swap_trail(TS, &newfile, audit_review_gid, + audit_warn_getacdir); + if (err != ADE_NOERR) { + auditd_log_err( "%s: %m", auditd_strerror(err)); + if (err != ADE_ACTL) + return (-1); + } - snprintf(timestr, FILENAME_LEN, "%s.%s", TS, NOT_TERMINATED); - -#ifdef AUDIT_REVIEW_GROUP /* - * XXXRW: Currently, this code falls back to the daemon gid, which is - * likely the wheel group. Is there a better way to deal with this? + * Only close the last file if were in an auditing state before + * calling swap_audit_file(). We may need to recover from a crash. */ - grp = getgrnam(AUDIT_REVIEW_GROUP); - if (grp == NULL) { - syslog(LOG_INFO, - "Audit review group '%s' not available, using daemon gid", - AUDIT_REVIEW_GROUP); - gid = -1; - } else - gid = grp->gr_gid; - uid = getuid(); -#endif + if (auditd_get_state() == AUD_STATE_ENABLED) + close_lastfile(TS); - /* Try until we succeed. */ - while ((dirent = TAILQ_FIRST(&dir_q))) { - if ((fn = affixdir(timestr, dirent)) == NULL) { - syslog(LOG_INFO, "Failed to swap log at time %s", - timestr); - return (-1); - } *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***Received on Wed Dec 31 2008 - 15:28:13 UTC
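Review bot: in the bin/auditd/Makefile.am hunk, the new CLEANFILES line still lists the old generated name `auditd_control_server.c` while the rule now produces `auditd_controlServer.c`, so the MIG-generated C file is never cleaned and a stale name is removed instead. Change it to `CLEANFILES = auditd_controlServer.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h` so the four entries match the two `$(MIG) ... -server ... -sheader ...` rules above them.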
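Review bot: the generated bin/auditd/Makefile.in carries the same mismatch in its `_at_USE_MACH_IPC_TRUE_at_CLEANFILES` line (`auditd_control_server.c` instead of `auditd_controlServer.c`); since this file is regenerated from Makefile.am, fix the source and re-run automake rather than patching it by hand, otherwise the two drift again on the next regeneration.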
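Review bot: the audit_warn.c hunk changes the interface of the allhard warning by dropping the count argument (`audit_warn_allhard(int count)` becomes `audit_warn_allhard(void)`, and `args[1]` is now NULL), which means any audit_warn(5) script that reads the second positional argument for the `allhard` event silently sees an empty value. The hunk does not show a matching update to audit_warn.5 or to the sample audit_warn script; both should document that the count is no longer passed, and the commit message should call out the script-facing change.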
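Review bot: in the auditd.8 FILES hunk, a bare `.Pp` is placed between the two `.It` entries of a `.Bl -tag ... -compact` list; a paragraph break inside a compact list is contradictory and mdoc linters warn about it, so either drop the `.Pp` or drop `-compact` and let the list space itself. The new `.It Fl l` text ("This option is for when .Nm is configured to start on-demand using launchd(8)") describes a situation rather than what the flag does; consider stating the behaviour explicitly (that the daemon stays in the foreground and exits on SIGTERM, as the auditd.c launchd comment says) so administrators know why not to pass it by hand.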
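Review bot: the launchd comment block added to auditd.c lists "call setrusage(2)" among the things auditd must not do, but there is no such system call; from context this should read setrlimit(2) (setpriority(2) is listed separately on the next line). Two grammar nits in the same block: "call fork and having the parent process exit" should be "call fork(2) and have the parent process exit", and the final item "Ignore SIGTERM." is not something it "can't" do in the same sense as the others, so the sentence that follows ("it must catch SIGTERM to exit cleanly") reads better folded into that list item.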
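Review bot: get_curfile() hands the raw readlink(2) target of AUDIT_CURRENT_LINK back to close_lastfile(), which then passes it straight to strstr()/rename(); that only works if the symlink target is stored as an absolute path, so please confirm that auditd_swap_trail() creates it that way (or prefix the audit directory here), otherwise crash recovery renames relative to whatever the daemon's cwd happens to be. Minor: `len` should be `ssize_t` to match the readlink(2) return type, and `static gid_t audit_review_gid = -1;` deserves an explicit `(gid_t)-1` since gid_t is unsigned and the value is relied on as the "leave unchanged" sentinel for fchown(2).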
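Review bot: in the swap_audit_file() hunk, `time_t tt;` is declared without an initializer and then passed by value to `getTSstr(tt, TS, TIMESTAMP_LEN)`, so the timestamp used for the new trail name comes from an uninitialized stack value; initialize it (`time_t tt = 0;` if zero is the "use current time" convention of the libauditd helper, or set it from time(3) explicitly). Style nits in the same region: the new log calls have a stray space after the opening parenthesis (`auditd_log_err( "%s: %m", ...)`, likewise `auditd_log_notice( "renamed ...` in close_lastfile), and the comment "Only close the last file if were in an auditing state" is missing "we".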