PERFORCE change 91206 for review
Robert Watson
rwatson at FreeBSD.org
Mon Feb 6 01:10:58 GMT 2006
http://perforce.freebsd.org/chv.cgi?CH=91206
Change 91206 by rwatson at rwatson_peppercorn on 2006/02/06 01:10:14
Bring final OpenBSM 1.0 alpha 3 changes into TrustedBSD audit3
branch:
- More man page fixes.
- Audit review group.
- OpenBSM 1.0 alpha 3 notes.
- AUE_SYSARCH.
Affected files ...
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#2 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#19 integrate
Differences ...
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#6 (text+ko) ====
@@ -1,3 +1,12 @@
+OpenBSM 1.0 alpha 3
+
+- Man page formatting, cross reference, mlinks, and accuracy improvements.
+- auditd and tools now compile and run on FreeBSD/arm.
+- auditd will now fchown() the trail file to the audit review group, if
+ defined at compile-time.
+- Added AUE_SYSARCH for FreeBSD.
+- Definition of AUE_SETFSGID fixed for Linux.
+
OpenBSM 1.0 alpha 2
- Man page formatting improvements.
@@ -71,5 +80,6 @@
- Annotate BSM events with origin OS and compatibility information.
- auditd(8), audit(8) added to the OpenBSM distribution. auditd extended
to support reloading of kernel event table.
+- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#5 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#6 $
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#4 (text+ko) ====
@@ -1,1 +1,1 @@
-OPENBSM_1_0_ALPHA_2
+OPENBSM_1_0_ALPHA_3
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#3 (text+ko) ====
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#2 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#3 $
*/
#include <sys/dirent.h>
@@ -46,6 +46,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
@@ -171,6 +172,34 @@
}
/*
+ * Create the new audit file with appropriate permissions and ownership. Try
+ * to clean up if something goes wrong.
+ */
+static int
+#ifdef AUDIT_REVIEW_GROUP
+open_trail(const char *fname, uid_t uid, gid_t gid)
+#else
+open_trail(const char *fname)
+#endif
+{
+ int error, fd;
+
+ fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+ if (fd < 0)
+ return (-1);
+#ifdef AUDIT_REVIEW_GROUP
+ if (fchown(fd, uid, gid) < 0) {
+ error = errno;
+ close(fd);
+ (void)unlink(fname);
+ errno = error;
+ return (-1);
+ }
+#endif
+ return (fd);
+}
+
+/*
* Create the new file name, swap with existing audit file.
*/
static int
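Review bot: open_trail() creates the trail with `O_RDONLY | O_CREAT` but without O_EXCL, so if a file (or symlink) already exists at fname the daemon adopts it, fchown()s whatever it resolves to, and on fchown failure unlink()s a file it did not create. The name carries a timestamp plus `.not_terminated`, so it is meant to be fresh; `fd = open(fname, O_RDONLY | O_CREAT | O_EXCL, S_IRUSR | S_IRGRP);` makes a pre-existing path an EEXIST error, refuses symlinks at creation, and makes the unlink-on-failure cleanup safe because the file is then guaranteed to be ours. Also note that the umask can strip S_IRGRP, which silently defeats the review-group intent; consider an explicit fchmod() after open or documenting that auditd is expected to run with a permissive umask. Passing the caller's getuid() as the owner is a no-op for a root daemon; `(uid_t)-1` would state the intent of "change only the group" more clearly.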
@@ -180,7 +209,12 @@
char *fn;
char TS[POSTFIX_LEN];
struct dir_ent *dirent;
- int fd;
+#ifdef AUDIT_REVIEW_GROUP
+ struct group *grp;
+ gid_t gid;
+ uid_t uid;
+#endif
+ int error, fd;
if (getTSstr(TS, POSTFIX_LEN) != 0)
return (-1);
@@ -188,6 +222,22 @@
strcpy(timestr, TS);
strcat(timestr, NOT_TERMINATED);
+#ifdef AUDIT_REVIEW_GROUP
+ /*
+ * XXXRW: Currently, this code falls back to the daemon gid, which is
+ * likely the wheel group. Is there a better way to deal with this?
+ */
+ grp = getgrnam(AUDIT_REVIEW_GROUP);
+ if (grp == NULL) {
+ syslog(LOG_INFO,
+ "Audit review group '%s' not available, using daemon gid",
+ AUDIT_REVIEW_GROUP);
+ gid = -1;
+ } else
+ gid = grp->gr_gid;
+ uid = getuid();
+#endif
+
/* Try until we succeed. */
while ((dirent = TAILQ_FIRST(&dir_q))) {
if ((fn = affixdir(timestr, dirent)) == NULL) {
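Review bot: The fallback when getgrnam(AUDIT_REVIEW_GROUP) fails is logged at LOG_INFO, yet it means new trails become group-readable by whatever gid auditd runs with (the XXXRW comment says likely wheel) rather than the intended review group; that is a weakening of the access-control intent and deserves at least LOG_WARNING so operators notice a missing group. The sentinel is also written as `gid = -1;` into an unsigned gid_t; it works by conversion but `gid = (gid_t)-1;` documents that it is the POSIX "don't change" value for fchown(). Since getgrnam() result is only needed once per file switch, this is fine, but the gr_gid should be copied before any further getgr*() call, which the code already does. The enclosing function continues outside this hunk.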
@@ -201,20 +251,27 @@
* kernel if all went well.
*/
syslog(LOG_INFO, "New audit file is %s\n", fn);
- fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+#ifdef AUDIT_REVIEW_GROUP
+ fd = open_trail(fn, uid, gid);
+#else
+ fd = open_trail(fn);
+#endif
if (fd < 0)
- perror("File open");
- else if (auditctl(fn) != 0) {
- syslog(LOG_ERR,
- "auditctl failed setting log file! : %s\n",
- strerror(errno));
- close(fd);
- } else {
- /* Success. */
- close_lastfile(TS);
- lastfile = fn;
- close(fd);
- return (0);
+ warn("open(%s)", fn);
+ if (fd >= 0) {
+ error = auditctl(fn);
+ if (error) {
+ syslog(LOG_ERR,
+ "auditctl failed setting log file! : %s\n",
+ strerror(errno));
+ close(fd);
+ } else {
+ /* Success. */
+ close_lastfile(TS);
+ lastfile = fn;
+ close(fd);
+ return (0);
+ }
}
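Review bot: The new failure path reports open_trail() errors with `warn("open(%s)", fn)` to stderr, while every other error in this loop goes to syslog; for a daemon that has detached from its terminal the stderr message is likely lost, so the one condition that stops a new trail from being created is the one that is not logged. The label is also misleading once fchown() can be the failing call inside open_trail(). Suggest `syslog(LOG_ERR, "open_trail(%s) failed: %s", fn, strerror(errno));` in place of the warn() call. The includes visible in this change do not show <err.h>; if it is not already included earlier in the file, warn() is an implicit declaration. As before the change, the auditctl() failure branch closes the freshly created empty trail but leaves it on disk; presumably intentional for forensics, but worth a one-line comment. The enclosing swap-file function continues outside this hunk.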
/*
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#2 (text+ko) ====
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#1 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#2 $
*/
#ifndef _AUDITD_H_
@@ -43,6 +43,13 @@
#define MAX_DIR_SIZE 255
#define AUDITD_NAME "auditd"
+/*
+ * If defined, then the audit daemon will attempt to chown newly created logs
+ * to this group. Otherwise, they will be the default for the user running
+ * auditd, likely the audit group.
+ */
+#define AUDIT_REVIEW_GROUP "audit"
+
#define POSTFIX_LEN 16
#define NOT_TERMINATED ".not_terminated"
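Review bot: The comment above AUDIT_REVIEW_GROUP says "If defined", but the macro is defined unconditionally here, so the `#ifdef AUDIT_REVIEW_GROUP` branches in auditd.c are always compiled in; either move the define under a build-time knob or reword the comment to say the group is configured here. The comment also describes the fallback as "likely the audit group" while the matching code comment in auditd.c says the daemon gid is "likely the wheel group"; the two should agree, and the code's version is the safer statement since it is the daemon's gid, not the group named here. Suggested wording: `/* Group that newly created trails are fchown()ed to. If the group does not exist, trails keep the daemon's gid (see newfile handling in auditd.c). */`.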
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#19 (text+ko) ====
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#18 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#19 $
*/
#ifndef _BSM_AUDIT_KEVENTS_H_
@@ -383,6 +383,7 @@
#define AUE_ACL_DELETE_FD 403 /* FreeBSD. */
#define AUE_ACL_CHECK_FILE 404 /* FreeBSD. */
#define AUE_ACL_CHECK_FD 405 /* FreeBSD. */
+#define AUE_SYSARCH 406 /* FreeBSD. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
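Review bot: AUE_SYSARCH is added as event number 406 but nothing else in this change registers it (an audit_event/audit_class table entry, or the syscall-table mapping for sysarch(2)); if those live outside this change, confirm they were updated together, otherwise records for sysarch(2) will never be produced or will be unclassified. Given that sysarch(2) on i386 covers privileged operations such as I/O privilege level and LDT changes, a short note on the intended audit class (e.g. which class the event belongs to) next to the define would help reviewers of audit_event(5) configuration, for example `/* FreeBSD: sysarch(2), privileged on i386. */`.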