svn commit: r189279 - in head: contrib/openbsm
contrib/openbsm/bin/audit contrib/openbsm/bin/auditd
contrib/openbsm/bsm contrib/openbsm/etc
contrib/openbsm/libauditd contrib/openbsm/libbsm contrib/...
Robert Watson
rwatson at FreeBSD.org
Mon Mar 2 05:29:19 PST 2009
Author: rwatson
Date: Mon Mar 2 13:29:18 2009
New Revision: 189279
URL: http://svn.freebsd.org/changeset/base/189279
Log:
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
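The first NEWS item above describes the new filesz syntax (a byte count with an optional 'B', 'K', 'M' or 'G' suffix, bare numbers meaning bytes) but the parser itself lives in libbsm/bsm_control.c, which is outside the visible part of the diff. The following is an added example of how such a parser should validate its input, written for this page and not OpenBSM's own code; parse_filesz() and filesz_bytes() are hypothetical names, and the rejection of lowercase suffixes, signs and trailing characters is this example's choice, not a statement about what libbsm accepts.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Parse a filesz-style value: decimal digits optionally followed by exactly
 * one of 'B', 'K', 'M' or 'G'. No suffix means bytes (legacy behaviour).
 * Returns 0 and stores the byte count in *out on success; returns -1 on a
 * leading sign or whitespace, a non-digit start, an unknown suffix, trailing
 * characters after the suffix, or a product that does not fit in 64 bits.
 * Hypothetical helper, not libbsm's getacfilesz(3).
 */
int
parse_filesz(const char *s, uint64_t *out)
{
	char *end;
	unsigned long long val;
	uint64_t mult = 1;

	/* strtoull() would silently accept "-1" or " 5"; insist on a digit. */
	if (s == NULL || out == NULL || !isdigit((unsigned char)*s))
		return (-1);
	errno = 0;
	val = strtoull(s, &end, 10);
	if (errno != 0)			/* ERANGE: digits alone overflow */
		return (-1);
	switch (*end) {
	case '\0':
		break;
	case 'B':
		mult = 1;
		end++;
		break;
	case 'K':
		mult = 1ULL << 10;
		end++;
		break;
	case 'M':
		mult = 1ULL << 20;
		end++;
		break;
	case 'G':
		mult = 1ULL << 30;
		end++;
		break;
	default:
		return (-1);
	}
	if (*end != '\0')		/* e.g. "1KB" or "2M " */
		return (-1);
	if ((uint64_t)val > UINT64_MAX / mult)	/* multiplication would wrap */
		return (-1);
	*out = (uint64_t)val * mult;
	return (0);
}

/*
 * Convenience wrapper for callers that want a single value: the byte count,
 * or -1 if the string is not a valid filesz (or exceeds LLONG_MAX).
 */
long long
filesz_bytes(const char *s)
{
	uint64_t v;

	if (parse_filesz(s, &v) != 0 || v > (uint64_t)LLONG_MAX)
		return (-1);
	return ((long long)v);
}
```

The overflow check matters because the 'G' suffix lets an operator write values that fit the parser's accumulator but not the kernel's filesz field; a parser that silently wraps would turn "16G" on a 32-bit build into a tiny rotation threshold. With this parser, "2M" and the new default "2097152" in etc/audit_control both yield 2097152 bytes, while "1KB", "-1" and "10X" are rejected rather than being read as 1 K, bytes or 10.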
Modified:
head/contrib/openbsm/ (props changed)
head/contrib/openbsm/CREDITS
head/contrib/openbsm/NEWS
head/contrib/openbsm/README
head/contrib/openbsm/VERSION
head/contrib/openbsm/bin/audit/audit.8
head/contrib/openbsm/bin/audit/audit.c
head/contrib/openbsm/bin/auditd/audit_warn.c
head/contrib/openbsm/bin/auditd/auditd.c
head/contrib/openbsm/bin/auditd/auditd.h
head/contrib/openbsm/bsm/auditd_lib.h
head/contrib/openbsm/bsm/libbsm.h
head/contrib/openbsm/configure
head/contrib/openbsm/configure.ac
head/contrib/openbsm/etc/audit_control
head/contrib/openbsm/etc/audit_event
head/contrib/openbsm/libauditd/auditd_lib.c
head/contrib/openbsm/libbsm/au_control.3
head/contrib/openbsm/libbsm/au_domain.3
head/contrib/openbsm/libbsm/au_errno.3
head/contrib/openbsm/libbsm/bsm_control.c
head/contrib/openbsm/libbsm/bsm_errno.c
head/contrib/openbsm/libbsm/bsm_io.c
head/contrib/openbsm/libbsm/bsm_token.c
head/contrib/openbsm/man/audit_control.5
head/contrib/openbsm/man/auditon.2
head/contrib/openbsm/sys/bsm/audit.h
head/contrib/openbsm/sys/bsm/audit_kevents.h
head/contrib/openbsm/tools/audump.c
head/sys/bsm/audit.h
head/sys/bsm/audit_kevents.h
head/sys/security/audit/audit_bsm_errno.c
head/sys/security/audit/audit_bsm_token.c
Modified: head/contrib/openbsm/CREDITS
==============================================================================
--- head/contrib/openbsm/CREDITS Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/CREDITS Mon Mar 2 13:29:18 2009 (r189279)
@@ -27,6 +27,7 @@ the development of OpenBSM:
Eric Hall
Xin LI
Stacey Son
+ Todd Heberlein
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
Software's FlexeLint tool were used to identify a number of bugs in the
Modified: head/contrib/openbsm/NEWS
==============================================================================
--- head/contrib/openbsm/NEWS Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/NEWS Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,5 +1,24 @@
OpenBSM Version History
+OpenBSM 1.1 beta 1
+
+- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
+ Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
+ For legacy support no suffix defaults to bytes.
+- Audit trail log expiration support added. It is configured in
+ audit_control(5) with the expire-after parameter. If there is no
+ expire-after parameter in audit_control(5), the default, then the audit
+ trail files are not expired and removed. See audit_control(5) for
+ more information.
+- Change defaults in audit_control: warn at 5% rather than 20% free for audit
+ partitions, rotate automatically at 2mb, and set the default policy to
+ cnt,argv rather than cnt so that execve(2) arguments are captured if
+ AUE_EXECVE events are audited. These may provide more usable defaults for
+ many users.
+- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
+ au_to_socket_ex(3) arguments to BSM format.
+- Fix error encoding AUT_IPC_PERM tokens.
+
OpenBSM 1.1 alpha 5
- Stub libauditd(3) man page added.
@@ -412,4 +431,4 @@ OpenBSM 1.0 alpha 1
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#27 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#32 $
Modified: head/contrib/openbsm/README
==============================================================================
--- head/contrib/openbsm/README Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/README Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,4 +1,4 @@
-OpenBSM 1.1 alpha 4
+OpenBSM 1.1 beta 1
Introduction
@@ -56,4 +56,4 @@ Information on TrustedBSD may be found o
http://www.TrustedBSD.org/
-$P4: //depot/projects/trustedbsd/openbsm/README#34 $
+$P4: //depot/projects/trustedbsd/openbsm/README#35 $
Modified: head/contrib/openbsm/VERSION
==============================================================================
--- head/contrib/openbsm/VERSION Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/VERSION Mon Mar 2 13:29:18 2009 (r189279)
@@ -1 +1 @@
-OPENBSM_1_1_ALPHA_5
+OPENBSM_1_1_BETA_1
Modified: head/contrib/openbsm/bin/audit/audit.8
==============================================================================
--- head/contrib/openbsm/bin/audit/audit.8 Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/bin/audit/audit.8 Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Inc.
+.\" Copyright (c) 2004-2009 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,9 +25,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $
.\"
-.Dd December 11, 2008
+.Dd January 29, 2009
.Dt AUDIT 8
.Os
.Sh NAME
@@ -35,7 +35,7 @@
.Nd audit management utility
.Sh SYNOPSIS
.Nm
-.Fl i | n | s | t
+.Fl e | i | n | s | t
.Sh DESCRIPTION
The
.Nm
@@ -43,6 +43,10 @@ utility controls the state of the audit
One of the following flags is required as an argument to
.Nm :
.Bl -tag -width indent
+.It Fl e
+Forces the audit system to immediately remove audit log files that
+meet the expiration criteria specified in the audit control file without
+doing a log rotation.
.It Fl i
Initializes and starts auditing.
This option is currently for Mac OS X only
@@ -53,6 +57,8 @@ to be configured to run under
.It Fl n
Forces the audit system to close the existing audit log file and rotate to
a new log file in a location specified in the audit control file.
+Also, audit log files that meet the expiration criteria specified in the
+audit control file will be removed.
.It Fl s
Specifies that the audit system should [re]synchronize its
configuration from the audit control file.
Modified: head/contrib/openbsm/bin/audit/audit.c
==============================================================================
--- head/contrib/openbsm/bin/audit/audit.c Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/bin/audit/audit.c Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005-2008 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
@@ -68,12 +68,15 @@ static int send_trigger(unsigned int);
#include "auditd_control.h"
/*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
* audit.h header.
*/
#ifndef AUDIT_TRIGGER_INITIALIZE
#define AUDIT_TRIGGER_INITIALIZE 7
#endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
+#endif
static int
send_trigger(unsigned int trigger)
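Review bot: The `#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS` fallback defining it as 8 silently masks any disagreement with the kernel's value. This commit also touches head/sys/bsm/audit.h and contrib/openbsm/sys/bsm/audit.h, so once the kernel header defines the trigger, a mismatch here (or in the identical fallback in auditd.c) would make `audit -e` send a number the daemon treats as "unknown trigger", with no compile-time warning. Suggest adding the constant to the kernel header as part of this merge and dropping the local copies, or at least guarding with `#elif AUDIT_TRIGGER_EXPIRE_TRAILS != 8` / `#error`.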
@@ -125,7 +128,7 @@ static void
usage(void)
{
- (void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
+ (void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n");
exit(-1);
}
@@ -141,9 +144,13 @@ main(int argc, char **argv)
if (argc != 2)
usage();
- while ((ch = getopt(argc, argv, "inst")) != -1) {
+ while ((ch = getopt(argc, argv, "einst")) != -1) {
switch(ch) {
+ case 'e':
+ trigger = AUDIT_TRIGGER_EXPIRE_TRAILS;
+ break;
+
case 'i':
trigger = AUDIT_TRIGGER_INITIALIZE;
break;
Modified: head/contrib/openbsm/bin/auditd/audit_warn.c
==============================================================================
--- head/contrib/openbsm/bin/auditd/audit_warn.c Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/bin/auditd/audit_warn.c Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
*/
#include <sys/types.h>
@@ -236,3 +236,18 @@ audit_warn_tmpfile(void)
return (auditwarnlog(args));
}
+
+/*
+ * Indicates that this trail file has expired and was removed.
+ */
+int
+audit_warn_expired(char *filename)
+{
+ char *args[3];
+
+ args[0] = EXPIRED_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
Modified: head/contrib/openbsm/bin/auditd/auditd.c
==============================================================================
--- head/contrib/openbsm/bin/auditd/auditd.c Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/bin/auditd/auditd.c Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $
*/
#include <sys/types.h>
@@ -67,12 +67,16 @@
#endif
/*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
* audit.h header.
*/
#ifndef AUDIT_TRIGGER_INITIALIZE
#define AUDIT_TRIGGER_INITIALIZE 7
#endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
+#endif
+
/*
* LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and
@@ -166,7 +170,7 @@ close_lastfile(char *TS)
/* Rename the last file -- append timestamp. */
if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
- strlcpy(ptr, TS, TIMESTAMP_LEN);
+ memcpy(ptr, TS, POSTFIX_LEN);
if (rename(oldname, lastfile) != 0)
auditd_log_err(
"Could not rename %s to %s: %m", oldname,
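Review bot: Replacing `strlcpy(ptr, TS, TIMESTAMP_LEN)` with `memcpy(ptr, TS, POSTFIX_LEN)` drops both the bounds check and the NUL termination: the copy now relies on TS holding at least POSTFIX_LEN bytes and on the NOT_TERMINATED suffix located by strstr() being exactly POSTFIX_LEN characters followed by the existing terminator. If those lengths ever differ, lastfile either keeps stray suffix characters or loses its NUL before the rename(). A `strlen(TS) >= POSTFIX_LEN` check, or a static assertion tying POSTFIX_LEN to `sizeof(NOT_TERMINATED) - 1`, would document why the unbounded copy is safe.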
@@ -275,6 +279,14 @@ do_trail_file(void)
return (-1);
}
+ /*
+ * Finally, see if there are any trail files to expire.
+ */
+ err = auditd_expire_trails(audit_warn_expired);
+ if (err)
+ auditd_log_err("auditd_expire_trails(): %s",
+ auditd_strerror(err));
+
return (0);
}
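Review bot: The error path here will log on every rotation with the shipped default configuration if getacexpire() returns a negative value when `expire-after` is absent. auditd_expire_trails() maps any negative getacexpire() return to ADE_PARSE, and the default etc/audit_control in this commit has no expire-after line; bsm_control.c is not in the visible part of the diff, so it is unclear whether "absent" comes back as two zero thresholds or as an error. The auditd_set_host() hunk later in this file downgrades ADE_PARSE to a notice for the missing `host:` case; the same distinction is needed here, or getacexpire() should return 0 with age and size zeroed when the entry is missing.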
@@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger)
audit_setup();
break;
+ case AUDIT_TRIGGER_EXPIRE_TRAILS:
+ auditd_log_info("Got audit expire trails trigger");
+ err = auditd_expire_trails(audit_warn_expired);
+ if (err)
+ auditd_log_err("auditd_expire_trails(): %s",
+ auditd_strerror(err));
+ break;
+
default:
auditd_log_err("Got unknown trigger %d", trigger);
break;
@@ -669,13 +689,18 @@ auditd_config_controls(void)
*/
err = auditd_set_host();
if (err) {
- auditd_log_err("auditd_set_host() %s: %m",
- auditd_strerror(err));
- ret = -1;
+ if (err == ADE_PARSE) {
+ auditd_log_notice(
+ "audit_control(5) may be missing 'host:' field");
+ } else {
+ auditd_log_err("auditd_set_host() %s: %m",
+ auditd_strerror(err));
+ ret = -1;
+ }
} else
auditd_log_debug(
"Set audit host address information in kernel.");
-
+
return (ret);
}
Modified: head/contrib/openbsm/bin/auditd/auditd.h
==============================================================================
--- head/contrib/openbsm/bin/auditd/auditd.h Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/bin/auditd/auditd.h Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
*/
#ifndef _AUDITD_H_
@@ -57,6 +57,7 @@
#define POSTSIGTERM_WARN "postsigterm"
#define SOFTLIM_WARN "soft"
#define TMPFILE_WARN "tmpfile"
+#define EXPIRED_WARN "expired"
#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
#define AUDITD_PIDFILE "/var/run/auditd.pid"
@@ -76,6 +77,7 @@ int audit_warn_nostart(void);
int audit_warn_postsigterm(void);
int audit_warn_soft(char *filename);
int audit_warn_tmpfile(void);
+int audit_warn_expired(char *filename);
void auditd_openlog(int debug, gid_t gid);
void auditd_log_err(const char *fmt, ...);
Modified: head/contrib/openbsm/bsm/auditd_lib.h
==============================================================================
--- head/contrib/openbsm/bsm/auditd_lib.h Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/bsm/auditd_lib.h Mon Mar 2 13:29:18 2009 (r189279)
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#3 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $
*/
#ifndef _BSM_AUDITD_LIB_H_
@@ -81,12 +81,14 @@
#define ADE_INVAL -16 /* Invalid argument. */
#define ADE_GETADDR -17 /* Error resolving address from hostname. */
#define ADE_ADDRFAM -18 /* Address family not supported. */
+#define ADE_EXPIRE -19 /* Error expiring audit trail files. */
/*
* auditd_lib functions.
*/
const char *auditd_strerror(int errcode);
int auditd_set_minfree(void);
+int auditd_expire_trails(int (*warn_expired)(char *));
int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
void auditd_close_dirs(void);
int auditd_set_evcmap(void);
Modified: head/contrib/openbsm/bsm/libbsm.h
==============================================================================
--- head/contrib/openbsm/bsm/libbsm.h Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/bsm/libbsm.h Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#42 $
*/
#ifndef _LIBBSM_H_
@@ -76,13 +76,14 @@
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
#define AUDIT_USER_FILE "/etc/security/audit_user"
-#define DIR_CONTROL_ENTRY "dir"
-#define MINFREE_CONTROL_ENTRY "minfree"
-#define FILESZ_CONTROL_ENTRY "filesz"
-#define FLAGS_CONTROL_ENTRY "flags"
-#define NA_CONTROL_ENTRY "naflags"
-#define POLICY_CONTROL_ENTRY "policy"
+#define DIR_CONTROL_ENTRY "dir"
+#define MINFREE_CONTROL_ENTRY "minfree"
+#define FILESZ_CONTROL_ENTRY "filesz"
+#define FLAGS_CONTROL_ENTRY "flags"
+#define NA_CONTROL_ENTRY "naflags"
+#define POLICY_CONTROL_ENTRY "policy"
#define AUDIT_HOST_CONTROL_ENTRY "host"
+#define EXPIRE_AFTER_CONTROL_ENTRY "expire-after"
#define AU_CLASS_NAME_MAX 8
#define AU_CLASS_DESC_MAX 72
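Review bot: Six unchanged `*_CONTROL_ENTRY` defines are re-indented in this hunk alongside the one functional addition, EXPIRE_AFTER_CONTROL_ENTRY; whitespace-only churn in a vendor-branch header makes the next svn merge noisier and hides the real change in the diff. Keep the alignment change separate, or mention it in the log so a reader knows nothing else moved.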
@@ -766,6 +767,7 @@ int getacflg(char *auditstr, int len)
int getacna(char *auditstr, int len);
int getacpol(char *auditstr, size_t len);
int getachost(char *auditstr, size_t len);
+int getacexpire(int *andflg, time_t *age, size_t *size);
int getauditflagsbin(char *auditstr, au_mask_t *masks);
int getauditflagschar(char *auditstr, au_mask_t *masks,
int verbose);
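Review bot: `getacexpire(int *andflg, time_t *age, size_t *size)` reports the size threshold as size_t, but trail sizes come from `st_size`, an off_t; on 32-bit targets size_t is 32 bits, so an expire-after size of 4G or more (easy to write now that the 'G' suffix exists) cannot be represented, and the running `total_size` in auditd_expire_trails() wraps after 4 GB of trails. Use off_t (or uint64_t) for both the parsed threshold and the accumulated total, and reject threshold values the type cannot hold at parse time.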
Modified: head/contrib/openbsm/configure
==============================================================================
--- head/contrib/openbsm/configure Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/configure Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for OpenBSM 1.1alpha5.
+# Generated by GNU Autoconf 2.61 for OpenBSM 1.1beta1.
#
# Report bugs to <trustedbsd-audit at TrustesdBSD.org>.
#
@@ -729,8 +729,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='OpenBSM'
PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.1alpha5'
-PACKAGE_STRING='OpenBSM 1.1alpha5'
+PACKAGE_VERSION='1.1beta1'
+PACKAGE_STRING='OpenBSM 1.1beta1'
PACKAGE_BUGREPORT='trustedbsd-audit at TrustesdBSD.org'
ac_unique_file="bin/auditreduce/auditreduce.c"
@@ -1404,7 +1404,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenBSM 1.1alpha5 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.1beta1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1474,7 +1474,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenBSM 1.1alpha5:";;
+ short | recursive ) echo "Configuration of OpenBSM 1.1beta1:";;
esac
cat <<\_ACEOF
@@ -1580,7 +1580,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-OpenBSM configure 1.1alpha5
+OpenBSM configure 1.1beta1
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1594,7 +1594,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenBSM $as_me 1.1alpha5, which was
+It was created by OpenBSM $as_me 1.1beta1, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -19076,7 +19076,7 @@ fi
# Define the identity of the package.
PACKAGE=OpenBSM
- VERSION=1.1alpha5
+ VERSION=1.1beta1
cat >>confdefs.h <<_ACEOF
@@ -23584,7 +23584,7 @@ exec 6>&1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by OpenBSM $as_me 1.1alpha5, which was
+This file was extended by OpenBSM $as_me 1.1beta1, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -23637,7 +23637,7 @@ Report bugs to <bug-autoconf at gnu.org>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-OpenBSM config.status 1.1alpha5
+OpenBSM config.status 1.1beta1
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
Modified: head/contrib/openbsm/configure.ac
==============================================================================
--- head/contrib/openbsm/configure.ac Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/configure.ac Mon Mar 2 13:29:18 2009 (r189279)
@@ -2,8 +2,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.1alpha5], [trustedbsd-audit at TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 $])
+AC_INIT([OpenBSM], [1.1beta1], [trustedbsd-audit at TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#50 $])
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_HEADER([config/config.h])
Modified: head/contrib/openbsm/etc/audit_control
==============================================================================
--- head/contrib/openbsm/etc/audit_control Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/etc/audit_control Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,10 +1,10 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $
# $FreeBSD$
#
dir:/var/audit
flags:lo
-minfree:20
+minfree:5
naflags:lo
-policy:cnt
-filesz:0
+policy:cnt,argv
+filesz:2097152
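Review bot: The sample file gains no `expire-after:` line, not even a commented-out one, although this commit introduces the parameter and the log states that its absence means trails are never removed; with `filesz` now 2097152, a default install rotates every 2 MB and accumulates files indefinitely, so an example entry here would prevent that surprise. Two caveats worth a sentence in audit_control(5) alongside these defaults: `policy:cnt,argv` writes the full execve(2) argument vector into the trail, so any secret passed on a command line ends up under /var/audit; and lowering `minfree` from 20 to 5 leaves far less headroom between the soft-limit warning that drives audit_warn and the hard limit, while `cnt` keeps the system running unaudited once writes fail.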
Modified: head/contrib/openbsm/etc/audit_event
==============================================================================
--- head/contrib/openbsm/etc/audit_event Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/etc/audit_event Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,5 +1,5 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#34 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#36 $
# $FreeBSD$
#
# The mapping between event identifiers and values is also hard-coded in
@@ -491,7 +491,7 @@
43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
-43131:AUE_MAC_EXECVE:mac_exeve(2):ex,pc
+43131:AUE_MAC_EXECVE:mac_execve(2):ex,pc
43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
43134:AUE_MQ_OPEN:mq_open(2):ip
@@ -552,6 +552,8 @@
43189:AUE_CAP_GETMODE:cap_getmode(2):pc
43190:AUE_POSIX_SPAWN:posix_spawn(2):pc
43191:AUE_FSGETPATH:fsgetpath(2):ot
+43192:AUE_PREAD:pread(2):no
+43193:AUE_PWRITE:pwrite(2):no
#
# Solaris userspace events.
#
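Review bot: The new `43192:AUE_PREAD` and `43193:AUE_PWRITE` entries are mentioned in neither the commit log nor NEWS, and both map to class `no`, so no flags mask ever selects them. If they exist only to keep the event numbers in step with audit_kevents.h (also modified in this commit), a comment beside them or a NEWS line saying so would save the next reader from wondering whether pread(2)/pwrite(2) were meant to be auditable.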
Modified: head/contrib/openbsm/libauditd/auditd_lib.c
==============================================================================
--- head/contrib/openbsm/libauditd/auditd_lib.c Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/libauditd/auditd_lib.c Mon Mar 2 13:29:18 2009 (r189279)
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2008 Apple Inc.
+ * Copyright (c) 2008-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#2 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#7 $
*/
#include <sys/param.h>
@@ -52,6 +52,7 @@
#include <bsm/auditd_lib.h>
#include <bsm/libbsm.h>
+#include <dirent.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
@@ -77,6 +78,11 @@
#define AUDIT_HARD_LIMIT_FREE_BLOCKS 4
#endif
+/*
+ * Number of seconds to January 1, 2000
+ */
+#define JAN_01_2000 946598400
+
struct dir_ent {
char *dirname;
uint8_t softlim;
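Review bot: `#define JAN_01_2000 946598400` is not January 1, 2000: 2000-01-01T00:00:00Z is 946684800, and 946598400 is 1999-12-31T00:00:00Z, one day earlier. The constant is only a sanity floor for trails written while the clock sat near the epoch, so the practical effect is small, but either correct the value or rename the macro so the comment "Number of seconds to January 1, 2000" is not misleading.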
@@ -85,7 +91,19 @@ struct dir_ent {
};
static TAILQ_HEAD(, dir_ent) dir_q;
-static int minval = -1;
+
+struct audit_trail {
+ time_t at_time;
+ char *at_path;
+ off_t at_size;
+
+ TAILQ_ENTRY(audit_trail) at_trls;
+};
+
+static int auditd_minval = -1;
+
+static char auditd_host[MAXHOSTNAMELEN];
+static int auditd_hostlen = -1;
static char *auditd_errmsg[] = {
"no error", /* ADE_NOERR ( 0) */
@@ -107,6 +125,7 @@ static char *auditd_errmsg[] = {
"invalid argument", /* ADE_INVAL (16) */
"could not resolve hostname to address", /* ADE_GETADDR (17) */
"address family not supported", /* ADE_ADDRFAM (18) */
+ "error expiring audit trail files", /* ADE_EXPIRE (19) */
};
#define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
@@ -165,7 +184,13 @@ affixdir(char *name, struct dir_ent *dir
return (NULL);
}
- asprintf(&fn, "%s/%s", dirent->dirname, name);
+ /*
+ * If the host is set then also add the hostname to the filename.
+ */
+ if (auditd_hostlen != -1)
+ asprintf(&fn, "%s/%s.%s", dirent->dirname, name, auditd_host);
+ else
+ asprintf(&fn, "%s/%s", dirent->dirname, name);
return (fn);
}
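Review bot: Both asprintf() calls ignore their return value; FreeBSD sets `fn` to NULL on allocation failure, but glibc leaves it undefined, so on a portable build the caller can receive garbage instead of the NULL it checks for. Initialise `fn = NULL` and treat a negative return as failure. Since the host string from audit_control(5) is now spliced verbatim into trail file names, the comment should also say that it is trusted administrator input and is not sanitised here.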
@@ -204,16 +229,14 @@ insert_orderly(struct dir_ent *denew)
int
auditd_set_host(void)
{
- char hoststr[MAXHOSTNAMELEN];
struct sockaddr_in6 *sin6;
struct sockaddr_in *sin;
struct addrinfo *res;
struct auditinfo_addr aia;
int error, ret = ADE_NOERR;
- if (getachost(hoststr, MAXHOSTNAMELEN) != 0) {
-
- ret = ADE_PARSE;
+ if (getachost(auditd_host, sizeof(auditd_host)) != 0) {
+ ret = ADE_PARSE;
/*
* To maintain reverse compatability with older audit_control
@@ -229,7 +252,8 @@ auditd_set_host(void)
ret = ADE_AUDITON;
return (ret);
}
- error = getaddrinfo(hoststr, NULL, NULL, &res);
+ auditd_hostlen = strlen(auditd_host);
+ error = getaddrinfo(auditd_host, NULL, NULL, &res);
if (error)
return (ADE_GETADDR);
switch (res->ai_family) {
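Review bot: `auditd_hostlen = strlen(auditd_host)` is assigned before the getaddrinfo() result is checked, so when resolution fails the function returns ADE_GETADDR but the host is now considered set and affixdir() starts appending it to trail file names, even though the kernel host address was never updated. Move the assignment to the success path so the file-name format only changes when the host configuration actually took effect.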
@@ -271,14 +295,14 @@ auditd_set_minfree(void)
{
au_qctrl_t qctrl;
- if (getacmin(&minval) != 0)
+ if (getacmin(&auditd_minval) != 0)
return (ADE_PARSE);
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0)
return (ADE_AUDITON);
- if (qctrl.aq_minfree != minval) {
- qctrl.aq_minfree = minval;
+ if (qctrl.aq_minfree != auditd_minval) {
+ qctrl.aq_minfree = auditd_minval;
if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0)
return (ADE_AUDITON);
}
@@ -287,9 +311,259 @@ auditd_set_minfree(void)
}
/*
+ * Convert a trailname into a timestamp (seconds). Return 0 if the conversion
+ * was successful.
+ */
+static int
+trailname_to_tstamp(char *fn, time_t *tstamp)
+{
+ struct tm tm;
+ char ts[TIMESTAMP_LEN];
+ char *p;
+
+ *tstamp = 0;
+
+ /*
+ * Get the ending time stamp.
+ */
+ if ((p = strchr(fn, '.')) == NULL)
+ return (1);
+ strlcpy(ts, ++p, TIMESTAMP_LEN);
+ if (strlen(ts) != POSTFIX_LEN)
+ return (1);
+
+ bzero(&tm, sizeof(tm));
+
+ /* seconds (0-60) */
+ p = ts + POSTFIX_LEN - 2;
+ tm.tm_sec = atol(p);
+ if (tm.tm_sec < 0 || tm.tm_sec > 60)
+ return (1);
+
+ /* minutes (0-59) */
+ *p = '\0'; p -= 2;
+ tm.tm_min = atol(p);
+ if (tm.tm_min < 0 || tm.tm_min > 59)
+ return (1);
+
+ /* hours (0 - 23) */
+ *p = '\0'; p -= 2;
+ tm.tm_hour = atol(p);
+ if (tm.tm_hour < 0 || tm.tm_hour > 23)
+ return (1);
+
+ /* day of month (1-31) */
+ *p = '\0'; p -= 2;
+ tm.tm_mday = atol(p);
+ if (tm.tm_mday < 1 || tm.tm_mday > 31)
+ return (1);
+
+ /* month (0 - 11) */
+ *p = '\0'; p -= 2;
+ tm.tm_mon = atol(p) - 1;
+ if (tm.tm_mon < 0 || tm.tm_mon > 11)
+ return (1);
+
+ /* year (year - 1900) */
+ *p = '\0'; p -= 4;
+ tm.tm_year = atol(p) - 1900;
+ if (tm.tm_year < 0)
+ return (1);
+
+ *tstamp = timegm(&tm);
+
+ return (0);
+}
+
+/*
+ * Remove audit trails files according to the expiration conditions. Returns:
+ * ADE_NOERR on success or there is nothing to do.
+ * ADE_PARSE if error parsing audit_control(5).
+ * ADE_NOMEM if could not allocate memory.
+ * ADE_EXPIRE if there was an unespected error.
+ */
+int
+auditd_expire_trails(int (*warn_expired)(char *))
+{
+ int andflg, ret = ADE_NOERR;
+ size_t expire_size, total_size = 0L;
+ time_t expire_age, oldest_time, current_time = time(NULL);
+ struct dir_ent *traildir;
+ struct audit_trail *at;
+ char *afnp, *pn;
+ TAILQ_HEAD(au_trls_head, audit_trail) head =
+ TAILQ_HEAD_INITIALIZER(head);
+ struct stat stbuf;
+ char activefn[MAXPATHLEN];
+
+ /*
+ * Read the expiration conditions. If no conditions then return no
+ * error.
+ */
+ if (getacexpire(&andflg, &expire_age, &expire_size) < 0)
+ return (ADE_PARSE);
+ if (!expire_age && !expire_size)
+ return (ADE_NOERR);
+
+ /*
+ * Read the 'current' trail file name. Trim off directory path.
+ */
+ activefn[0] = '\0';
+ readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);
+ if ((afnp = strrchr(activefn, '/')) != NULL)
+ afnp++;
+
+
+ /*
+ * Build tail queue of the trail files.
+ */
+ TAILQ_FOREACH(traildir, &dir_q, dirs) {
+ DIR *dirp;
+ struct dirent *dp;
+
+ dirp = opendir(traildir->dirname);
+ while ((dp = readdir(dirp)) != NULL) {
+ time_t tstamp = 0;
+ struct audit_trail *new;
+
+ /*
+ * Quickly filter non-trail files.
+ */
+ if (dp->d_namlen != (FILENAME_LEN - 1) ||
+#ifdef DT_REG
+ dp->d_type != DT_REG ||
+#endif
+ dp->d_name[POSTFIX_LEN] != '.')
+ continue;
+
+ if (asprintf(&pn, "%s/%s", traildir->dirname,
+ dp->d_name) < 0) {
+ ret = ADE_NOMEM;
+ break;
+ }
+
+ if (stat(pn, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
+ free(pn);
+ continue;
+ }
+
+ total_size += stbuf.st_size;
+
+ /*
+ * If this is the 'current' audit trail then
+ * don't add it to the tail queue.
+ */
+ if (NULL != afnp &&
+ strncmp(dp->d_name, afnp, FILENAME_LEN) == 0) {
+ free(pn);
+ continue;
+ }
+
+ /*
+ * Get the ending time stamp encoded in the trail
+ * name. If we can't read it or if it is older
+ * than Jan 1, 2000 then use the mtime.
+ */
+ if (trailname_to_tstamp(dp->d_name, &tstamp) != 0 ||
+ tstamp < JAN_01_2000)
+ tstamp = stbuf.st_mtime;
+
+ /*
+ * If the time stamp is older than Jan 1, 2000 then
+ * update the mtime of the trail file to the current
+ * time. This is so we don't prematurely remove a trail
+ * file that was created while the system clock reset
+ * to the * "beginning of time" but later the system
+ * clock is set to the correct current time.
+ */
+ if (current_time >= JAN_01_2000 &&
+ tstamp < JAN_01_2000) {
+ struct timeval tv[2];
+
+ tstamp = stbuf.st_mtime = current_time;
+ TIMESPEC_TO_TIMEVAL(&tv[0],
+ &stbuf.st_atimespec);
+ TIMESPEC_TO_TIMEVAL(&tv[1],
+ &stbuf.st_mtimespec);
+ utimes(pn, tv);
+ }
+
+ /*
+ * Allocate and populate the new entry.
+ */
+ new = malloc(sizeof(*new));
+ if (NULL == new) {
+ free(pn);
+ ret = ADE_NOMEM;
+ break;
+ }
+ new->at_time = tstamp;
+ new->at_size = stbuf.st_size;
+ new->at_path = pn;
+
+ /*
+ * Check to see if we have a new head. Otherwise,
+ * walk the tailq from the tail first and do a simple
+ * insertion sort.
+ */
+ if (TAILQ_EMPTY(&head) ||
+ (new->at_time <= TAILQ_FIRST(&head)->at_time)) {
+ TAILQ_INSERT_HEAD(&head, new, at_trls);
+ continue;
+ }
+
+ TAILQ_FOREACH_REVERSE(at, &head, au_trls_head, at_trls)
+ if (new->at_time >= at->at_time) {
+ TAILQ_INSERT_AFTER(&head, at, new,
+ at_trls);
+ break;
+ }
+
+ }
+ }
+
+ oldest_time = current_time - expire_age;
+
+ /*
+ * Expire trail files, oldest (mtime) first, if the given
+ * conditions are met.
+ */
+ at = TAILQ_FIRST(&head);
+ while (NULL != at) {
+ struct audit_trail *at_next = TAILQ_NEXT(at, at_trls);
+
+ if (andflg) {
+ if ((expire_size && total_size > expire_size) &&
+ (expire_age && at->at_time < oldest_time)) {
+ if (warn_expired)
+ (*warn_expired)(at->at_path);
+ if (unlink(at->at_path) < 0)
+ ret = ADE_EXPIRE;
+ total_size -= at->at_size;
+ }
+ } else {
+ if ((expire_size && total_size > expire_size) ||
+ (expire_age && at->at_time < oldest_time)) {
+ if (warn_expired)
+ (*warn_expired)(at->at_path);
+ if (unlink(at->at_path) < 0)
+ ret = ADE_EXPIRE;
+ total_size -= at->at_size;
+ }
+ }
+
+ free(at->at_path);
+ free(at);
+ at = at_next;
+ }
+
+ return (ret);
+}
+
+/*
* Parses the "dir" entry in audit_control(5) into an ordered list. Also, will
- * set the minfree value if not already set. Arguments include function
- * pointers to audit_warn functions for soft and hard limits. Returns:
+ * set the minfree and host values if not already set. Arguments include
+ * function pointers to audit_warn functions for soft and hard limits. Returns:
* ADE_NOERR on success,
* ADE_PARSE error parsing audit_control(5),
* ADE_AUDITON error getting/setting auditon(2) value,
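Review bot: auditd_expire_trails() can unlink the trail auditd is currently writing, and it leaks a DIR handle per directory. The exclusion of the active trail depends on readlink(AUDIT_CURRENT_LINK) succeeding, but its return value is ignored and readlink() does not NUL-terminate, so `activefn` holds whatever followed the target (only activefn[0] was zeroed); on failure `afnp` is NULL and the `strncmp(dp->d_name, afnp, FILENAME_LEN)` exclusion is skipped, while the `.not_terminated` file still passes the quick filter, trailname_to_tstamp() fails on it, its mtime is used, and if the size condition holds it is deleted. Capture `n = readlink(...)`, terminate with `activefn[n] = '\0'`, and return early (or skip size-based expiry) when n < 0. In the same loop, opendir() is never checked for NULL before readdir(), and there is no closedir() at all, including on the `ret = ADE_NOMEM; break;` paths, after which the function still goes on to expire trails against an incomplete `total_size`. Minor: the comment "oldest (mtime) first" does not match the sort key, which is the trail-name timestamp, and `total_size -= at->at_size` runs even when unlink() failed.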
@@ -309,9 +583,12 @@ auditd_read_dirs(int (*warn_soft)(char *
int scnt = 0;
int hcnt = 0;
- if (minval == -1 && (err = auditd_set_minfree()) != 0)
+ if (auditd_minval == -1 && (err = auditd_set_minfree()) != 0)
return (err);
+ if (auditd_hostlen == -1)
+ auditd_set_host();
+
/*
* Init directory q. Force a re-read of the file the next time.
*/
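Review bot: The `auditd_set_host()` return value is discarded here, so resolution or auditon(2) failures during the first read of the directory list are silent, whereas auditd_config_controls() in auditd.c logs them. Combined with auditd_set_host() setting auditd_hostlen before its getaddrinfo() check, a failure at this call still switches trail names to the `timestamp.host` form without any log line. Either log non-ADE_PARSE errors here too, or make the file-name change conditional on full success.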
@@ -329,7 +606,8 @@ auditd_read_dirs(int (*warn_soft)(char *
while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
if (statfs(cur_dir, &sfs) < 0)
continue; /* XXX should warn */
- soft = (sfs.f_bfree < (sfs.f_blocks / (100 / minval))) ? 1 : 0;
+ soft = (sfs.f_bfree < (sfs.f_blocks / (100 / auditd_minval))) ?
+ 1 : 0;
hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
if (soft) {
if (warn_soft)
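Review bot: `sfs.f_blocks / (100 / auditd_minval)` divides by zero when minfree is 0 and is badly quantised otherwise: 100/auditd_minval is integer division, so minfree:33 checks against a third of the disk, and minfree:51 or above collapses to `f_blocks / 1`, flagging the soft limit permanently. Rewrite as `sfs.f_bfree * 100 < sfs.f_blocks * auditd_minval` with a 64-bit intermediate, and reject minfree values outside 0..100 when they are parsed.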
@@ -367,7 +645,8 @@ void
auditd_close_dirs(void)
{
free_dir_q();
- minval = -1;
+ auditd_minval = -1;
+ auditd_hostlen = -1;
}
@@ -549,7 +828,7 @@ auditd_swap_trail(char *TS, char **newfi
}
/* Try until we succeed. */
- while ((dirent = TAILQ_FIRST(&dir_q))) {
+ TAILQ_FOREACH(dirent, &dir_q, dirs) {
if (dirent->hardlim)
continue;
if ((fn = affixdir(timestr, dirent)) == NULL)
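Review bot: Changing `while ((dirent = TAILQ_FIRST(&dir_q)))` to `TAILQ_FOREACH(dirent, &dir_q, dirs)` is only safe if the loop body no longer removes entries from dir_q; the old form can only terminate if the body removes them, and TAILQ_FOREACH reads `dirent->dirs.tqe_next` after the body, so a TAILQ_REMOVE plus free() in the (truncated) body becomes a use-after-free. If removal still happens, use TAILQ_FOREACH_SAFE; either way the "Try until we succeed" comment no longer describes this loop.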
@@ -606,6 +885,28 @@ auditd_swap_trail(char *TS, char **newfi
* ADE_NOERR on success,
* ADE_SETAUDIT if setaudit(2) fails.
*/
+#ifdef __APPLE__
+int
+auditd_prevent_audit(void)
+{
+ auditinfo_addr_t aia;
+
+ /*
+ * To prevent event feedback cycles and avoid audit becoming stalled if
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***