PERFORCE change 62424 for review
Wayne Salamon
wsalamon at FreeBSD.org
Thu Sep 30 01:54:23 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=62424
Change 62424 by wsalamon at wsalamon_epi on 2004/09/30 01:53:35
Implement the audit daemon trigger mechanism as a FIFO. Update
the audit command to use this mechanism.
Affected files ...
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/audit/audit.c#3 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#4 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.h#3 edit
.. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#5 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/audit/audit.c#3 (text+ko) ====
@@ -6,25 +6,14 @@
*
*/
-#include <mach/mach.h>
-#include <servers/netname.h>
-#include <mach/message.h>
-#include <mach/port.h>
-#include <mach/mach_error.h>
-#include <mach/host_special_ports.h>
-#include <servers/bootstrap.h>
-
-#include <auditd_control.h>
-#include <auditd.h>
-
+#include <fcntl.h>
#include <stdlib.h>
+#include <stdio.h>
#include <unistd.h>
-#include <stdio.h>
+#include <bsm/audit.h>
+#include <sys/types.h>
+#include <sys/uio.h>
-mach_port_t serverPort;
-mach_port_t bootstrapPort;
-
-void init();
void process(int flags);
/*
@@ -38,15 +27,15 @@
switch(ch) {
case 'n':
- flags = OPEN_NEW;
+ flags = AUDITD_TRIGGER_OPEN_NEW;
break;
case 's':
- flags = READ_FILE;
+ flags = AUDITD_TRIGGER_READ_FILE;
break;
case 't':
- flags = CLOSE_AND_DIE;
+ flags = AUDITD_TRIGGER_CLOSE_AND_DIE;
break;
case '?':
@@ -56,36 +45,26 @@
exit(1);
}
}
- init();
process(flags);
return 0;
}
/*
- * Program initialization:
- * Look up the server port and store it away.
- */
-void init()
-{
- if(host_get_audit_control_port(mach_host_self(), &serverPort) != KERN_SUCCESS) {
- fprintf(stderr, "Cannot get auditd_control\n");
- exit(1);
- }
-
- printf("Server port is %d\n", serverPort);
-}
-
-/*
* Do all the real work.
* Send a message to the audit daemon and check the return code.
*/
void process(int flags)
{
- kern_return_t retcode;
- retcode = auditd_control(serverPort, flags);
- if(retcode != KERN_SUCCESS) {
- mach_error("error doing IPC: ", retcode);
+ int fd;
+
+ fd = open(AUDITD_CTL_FILE, O_RDWR);
+ if (fd == -1) {
+ perror("error opening auditd control file");
exit(1);
}
+ if (write(fd, &flags, sizeof(flags)) == -1) {
+ perror("error doing write: ");
+ exit(-1);
+ }
printf("Client call successful\n");
}
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#4 (text+ko) ====
@@ -23,11 +23,11 @@
*/
#include <sys/dirent.h>
-#include <sys/types.h>
#include <sys/mman.h>
#include <sys/queue.h>
#include <sys/stat.h>
#include <sys/syscall.h>
+#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
@@ -51,6 +51,7 @@
static char *lastfile = NULL;
static int allhardcount = 0;
+static int controlfd = 0;
TAILQ_HEAD(, dir_ent) dir_q;
@@ -380,54 +381,39 @@
}
/*
- * React to input from the audit tool
+ * Signal handler for the SIGIO signal for events on the auditd control file.
*/
-int auditd_control(int flags)
+static void sigio_handler(int sig)
{
- int err_ret = 0;
+ int num;
+ int trigger;
- switch(flags) {
-
- case OPEN_NEW :
- /* create a new file and swap with the one being used in kernel */
- if(swap_audit_file() == -1) {
- syslog(LOG_ERR, "Error swapping audit file\n");
- }
- break;
-
- case READ_FILE :
- if(read_control_file() == -1) {
- syslog(LOG_ERR, "Error in audit control file\n");
- }
- break;
-
- case CLOSE_AND_DIE :
- err_ret = close_all();
- exit (err_ret);
- break;
-
- default :
- break;
+ num = read(controlfd, &trigger, sizeof(trigger));
+ if ((num == -1) && (errno != EINTR)) {
+ syslog(LOG_ERR, "sigio_handler(): error %d\n", errno);
+ return;
+ }
+ if (num == 0) {
+ syslog(LOG_INFO, "sigio_handler(): read EOF\n");
+ return;
}
+ syslog(LOG_INFO, "sigio_handler(): read %d\n", trigger);
+ handle_auditd_trigger(trigger);
+}
- return 0;
-}
/*
- * XXX This routine will eventually handle kernel messages to rotate the
- * audit log, etc.
- */
-/*
* Suppress duplicate messages within a 30 second interval.
* This should be enough to time to rotate log files without
* thrashing from soft warnings generated before the log is
* actually rotated.
*/
#define DUPLICATE_INTERVAL 30
-int audit_triggers(int flags)
+int handle_auditd_trigger(int flags)
{
static int last_flags;
static time_t last_time;
struct dir_ent *dirent;
+ int rc;
/*
* Suppres duplicate messages from the kernel within the specified
@@ -447,13 +433,15 @@
}
syslog(LOG_INFO,
- "audit_triggers() called within auditd with flags = %d\n",
+ "handle_audit_trigger() called within auditd with flags = %d\n",
flags);
/*
* XXX Message processing is done here
*/
dirent = TAILQ_FIRST(&dir_q);
- if(flags == AUDIT_TRIGGER_LOW_SPACE) {
+ switch(flags) {
+
+ case AUDITD_TRIGGER_LOW_SPACE:
if(dirent && (dirent->softlim != 1)) {
TAILQ_REMOVE(&dir_q, dirent, dirs);
/* add this node to the end of the list */
@@ -483,8 +471,8 @@
*/
audit_warn_allsoft();
}
- }
- else if (flags == AUDIT_TRIGGER_FILE_FULL) {
+ break;
+ case AUDITD_TRIGGER_FILE_FULL:
/* delete current dir, go on to next */
TAILQ_REMOVE(&dir_q, dirent, dirs);
@@ -493,11 +481,34 @@
free(dirent);
if(swap_audit_file() == -1) {
- syslog(LOG_ERR, "Error swapping audit file in response to AUDIT_TRIGGER_FILE_FULL message\n");
+ syslog(LOG_ERR, "Error swapping audit file in "
+ "response to AUDITD_TRIGGER_FILE_FULL message\n");
/* Nowhere to write to */
audit_warn_allhard(++allhardcount);
}
+ break;
+ case AUDITD_TRIGGER_OPEN_NEW :
+ /* create a new file and swap with the one being
+ * used in kernel */
+ if(swap_audit_file() == -1) {
+ syslog(LOG_ERR, "Error swapping audit file\n");
+ }
+ break;
+
+ case AUDITD_TRIGGER_READ_FILE :
+ if(read_control_file() == -1) {
+ syslog(LOG_ERR, "Error in audit control file\n");
+ }
+ break;
+
+ case AUDITD_TRIGGER_CLOSE_AND_DIE :
+ rc = close_all();
+ exit (rc);
+ break;
+
+ default :
+ break;
}
return 0;
}
@@ -596,10 +607,63 @@
return 0;
}
+/*
+ * Configure the IPC mechanism for receiving messages from the kernel
+ * concerning audit control events.
+ */
int config_auditd_ipc()
{
- int fd;
+ int rc;
+ struct stat sb;
+
+ rc = mkfifo(AUDITD_CTL_FILE, S_IRUSR | S_IWUSR);
+ if ((rc != 0) && (errno != EEXIST)) {
+ syslog(LOG_ERR,
+ "config_auditd_ipc() : error creating FIFO\n");
+ return rc;
+ }
+
+ rc = stat(AUDITD_CTL_FILE, &sb);
+ if ((rc != 0) || ((sb.st_mode & S_IFIFO) == 0)) {
+ syslog(LOG_ERR,
+ "config_auditd_ipc() : error stat of FIFO\n");
+ return rc;
+ }
+
+ /* Tell the kernel the name of the auditd control file */
+ /*else if (auditctl(AC_SETCTLFILE, fn, strlen(fn)) != 0) { */
+ if (syscall(SYS_auditctl, AC_SETCTLFILE, AUDITD_CTL_FILE,
+ strlen(AUDITD_CTL_FILE)) != 0) {
+ syslog(LOG_ERR,
+ "config_auditd_ipc() : failed sending control file "
+ " name to the kernel: %s\n",
+ strerror(errno));
+ }
+ /* Set up the signal hander */
+ if (signal(SIGIO, sigio_handler) == SIG_ERR) {
+ syslog(LOG_ERR,
+ "config_auditd_ipc() : error setting up signal handler\n");
+ return -1;
+ }
+
+ controlfd = open(AUDITD_CTL_FILE, O_RDONLY);
+ if (controlfd < 0) {
+ syslog(LOG_ERR,
+ "config_auditd_ipc() : error opening control file\n");
+ return -1;
+ }
+ if (fcntl(controlfd, F_SETOWN, getpid())) {
+ syslog(LOG_ERR,
+ "config_auditd_ipc() : error setting file ownership\n");
+ return -1;
+ }
+ if (fcntl(controlfd, F_SETFL, O_ASYNC)) {
+ syslog(LOG_ERR,
+ "config_auditd_ipc() : error setting file ASYNC\n");
+ return -1;
+ }
+ return 0;
}
void setup(long flags)
@@ -634,12 +698,11 @@
syslog(LOG_INFO, "Audit controls init failed\n");
if (config_auditd_ipc() == 0)
- syslog(LOG_INFO, "auditd control socket created\n");
+ syslog(LOG_INFO, "auditd control created\n");
else
- syslog(LOG_INFO, "auditd control socket not created\n");
+ syslog(LOG_ERR, "auditd control not created\n");
}
-
int main(int argc, char **argv)
{
char ch;
@@ -686,6 +749,9 @@
}
setup(flags);
+ while(1)
+ sleep(32768);
+
syslog(LOG_INFO, "exiting.\n");
exit(1);
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.h#3 (text+ko) ====
@@ -7,7 +7,6 @@
#define MAX_DIR_SIZE 255
#define AUDITD_NAME "auditd"
-#define AUDITD_SOCK_FILE "/etc/security/auditd_control"
#define POSTFIX_LEN 16
#define NOT_TERMINATED ".not_terminated"
@@ -18,11 +17,6 @@
TAILQ_ENTRY(dir_ent) dirs;
};
-/* audit utility flags */
-#define OPEN_NEW 0x1
-#define READ_FILE 0x2
-#define CLOSE_AND_DIE 0x4
-
#define HARDLIM_ALL_WARN "allhard"
#define SOFTLIM_ALL_WARN "allsoft"
#define AUDITOFF_WARN "aditoff"
==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#5 (text+ko) ====
@@ -36,11 +36,19 @@
#define MAX_AUDIT_RECORD_SIZE 4096
#define MIN_AUDIT_FILE_SIZE 512 * 1024
+/*
+ * Control FIFO for the audit daemon
+ */
+#define AUDITD_CTL_FILE "/etc/security/auditd_control"
+
/*
* Triggers for the audit daemon
*/
-#define AUDIT_TRIGGER_LOW_SPACE 1
-#define AUDIT_TRIGGER_FILE_FULL 2
+#define AUDITD_TRIGGER_LOW_SPACE 1
+#define AUDITD_TRIGGER_FILE_FULL 2
+#define AUDITD_TRIGGER_OPEN_NEW 3
+#define AUDITD_TRIGGER_READ_FILE 4
+#define AUDITD_TRIGGER_CLOSE_AND_DIE 5
/*
* Pre-defined audit IDs
@@ -157,7 +165,7 @@
* auditctl(2) commands
*/
#define AC_SETLOGFILE 1
-#define AC_SETCTLFD 2
+#define AC_SETCTLFILE 2
__BEGIN_DECLS
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list