PERFORCE change 105886 for review

Robert Watson rwatson at FreeBSD.org
Sat Sep 9 10:12:05 UTC 2006


http://perforce.freebsd.org/chv.cgi?CH=105886

Change 105886 by rwatson at rwatson_sesame on 2006/09/09 10:11:45

	Improve debugging output for auditd: mention what error caused a
	rename failure.  Remove \n's.
	
	Rename AUDIT_TRIGGER_OPEN_NEW to AUDIT_TRIGGER_ROTATE_USER, and
	add AUDIT_TRIGGER_ROTATE_KERNEL, to distinguish a rotate sourced
	from the user and from the kernel.
	
	Disable rate limiting on certain kernel-sourced triggers --
	specifically rotate, because it won't be retransmitted, so if we
	miss it, we won't see it again and the audit trail will grow
	indefinitely.  This is bad.  Maintain rate limiting for other
	space-related events.
	
	Don't generate a syslog event for sigchld.  It's boring.
	Likewise for a trigger read event, since we'll document the
	details of the event in a separate log message.
	
	Annotate a few bugs in how we handle mappings (we don't remove
	old ones if deleted), and that we need to incrementally update
	the kernel policy, not overwrite it, or we lose argc/argv/...
	flags.  We need those to be stored in audit_control at some
	point.
	
	Fix a typo in the AUDITOFF_WARN string.
	
	Update the maximum user record size to MAXAUDITDATA from 1k.

Affected files ...

.. //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#7 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#19 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 edit
.. //depot/projects/trustedbsd/openbsm/bsm/audit.h#20 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#7 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#7 $
  */
 /*
  * Program to trigger the audit daemon with a message that is either:
@@ -75,7 +75,7 @@
 		switch(ch) {
 
 		case 'n':
-			trigger = AUDIT_TRIGGER_OPEN_NEW;
+			trigger = AUDIT_TRIGGER_ROTATE_USER;
 			break;
 
 		case 's':

==== //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#19 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#18 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#19 $
  */
 
 #include <sys/types.h>
@@ -160,8 +160,9 @@
 			*ptr = '.';
 			strcpy(ptr+1, TS);
 			if (rename(oldname, lastfile) != 0)
-				syslog(LOG_ERR, "Could not rename %s to %s",
-				    oldname, lastfile);
+				syslog(LOG_ERR,
+				    "Could not rename %s to %s: %m", oldname,
+				    lastfile);
 			else
 				syslog(LOG_INFO, "renamed %s to %s",
 				    oldname, lastfile);
@@ -286,7 +287,7 @@
 		free(dirent->dirname);
 		free(dirent);
 	}
-	syslog(LOG_ERR, "Log directories exhausted\n");
+	syslog(LOG_ERR, "Log directories exhausted");
 	return (-1);
 }
 
@@ -343,7 +344,7 @@
 	 * XXX is generated here?
 	 */
 	if (0 == (ret = getacmin(&minval))) {
-		syslog(LOG_DEBUG, "min free = %d\n", minval);
+		syslog(LOG_DEBUG, "min free = %d", minval);
 		if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
 			syslog(LOG_ERR,
 			    "could not get audit queue settings");
@@ -494,31 +495,65 @@
 }
 
 /*
- * Suppress duplicate messages within a 30 second interval.   This should be
- * enough to time to rotate log files without thrashing from soft warnings
- * generated before the log is actually rotated.
+ * Handle the audit trigger event.
+ *
+ * We suppress (ignore) duplicated triggers in close succession in order to
+ * try to avoid thrashing-like behavior.  However, not all triggers can be
+ * ignored, as triggers generally represent edge triggers, not level
+ * triggers, and won't be retransmitted if the condition persists.  Of
+ * specific concern is the rotate trigger -- if one is dropped, then it will
+ * not be retransmitted, and the log file will grow in an unbounded fashion.
  */
 #define	DUPLICATE_INTERVAL	30
 static void
 handle_audit_trigger(int trigger)
 {
-	static int last_trigger;
+	static int last_trigger, last_warning;
 	static time_t last_time;
 	struct dir_ent *dirent;
+	struct timeval ts;
+	struct timezone tzp;
+	time_t tt;
 
 	/*
-	 * Suppres duplicate messages from the kernel within the specified
+	 * Suppress duplicate messages from the kernel within the specified
 	 * interval.
 	 */
-	struct timeval ts;
-	struct timezone tzp;
-	time_t tt;
-
 	if (gettimeofday(&ts, &tzp) == 0) {
 		tt = (time_t)ts.tv_sec;
-		if ((trigger == last_trigger) &&
-		    (tt < (last_time + DUPLICATE_INTERVAL)))
-			return;
+		switch (trigger) {
+		case AUDIT_TRIGGER_LOW_SPACE:
+		case AUDIT_TRIGGER_NO_SPACE:
+			/*
+			 * Triggers we can suppress.  Of course, we also need
+			 * to rate limit the warnings, so apply the same
+			 * interval limit on syslog messages.
+			 */
+			if ((trigger == last_trigger) &&
+			    (tt < (last_time + DUPLICATE_INTERVAL))) {
+				if (tt >= (last_warning + DUPLICATE_INTERVAL))
+					syslog(LOG_INFO,
+					    "Suppressing duplicate trigger %d",
+					    trigger);
+				return;
+			}
+			last_warning = tt;
+			break;
+
+		case AUDIT_TRIGGER_ROTATE_KERNEL:
+		case AUDIT_TRIGGER_ROTATE_USER:
+		case AUDIT_TRIGGER_READ_FILE:
+			/*
+			 * Triggers that we cannot suppress.
+			 */
+			break;
+		}
+
+		/*
+		 * Only update last_trigger after aborting due to a duplicate
+		 * trigger, not before, or we will never allow that trigger
+		 * again.
+		 */
 		last_trigger = trigger;
 		last_time = tt;
 	}
@@ -528,7 +563,6 @@
  	 */
 	dirent = TAILQ_FIRST(&dir_q);
 	switch(trigger) {
-
 	case AUDIT_TRIGGER_LOW_SPACE:
 		syslog(LOG_INFO, "Got low space trigger");
 		if (dirent && (dirent->softlim != 1)) {
@@ -554,7 +588,8 @@
 		} else {
 			/*
 			 * Continue auditing to the current file.  Also
-			 * generate  an allsoft warning.
+			 * generate an allsoft warning.
+			 *
 			 * XXX do we want to do this ?
 			 */
 			audit_warn_allsoft();
@@ -577,12 +612,14 @@
 		audit_warn_allhard(++allhardcount);
 		break;
 
-	case AUDIT_TRIGGER_OPEN_NEW:
+	case AUDIT_TRIGGER_ROTATE_KERNEL:
+	case AUDIT_TRIGGER_ROTATE_USER:
 		/*
 		 * Create a new file and swap with the one being used in
 		 * kernel
 		 */
-		syslog(LOG_INFO, "Got open new trigger");
+		syslog(LOG_INFO, "Got open new trigger from %s", trigger ==
+		    AUDIT_TRIGGER_ROTATE_KERNEL ? "kernel" : "user");
 		if (swap_audit_file() == -1)
 			syslog(LOG_ERR, "Error swapping audit file");
 		break;
@@ -656,10 +693,8 @@
 			syslog(LOG_DEBUG, "%s: SIGTERM", __FUNCTION__);
 			break;
 		}
-		if (sigchlds != sigchlds_handled) {
-			syslog(LOG_DEBUG, "%s: SIGCHLD", __FUNCTION__);
+		if (sigchlds != sigchlds_handled)
 			handle_sigchld();
-		}
 		if (sighups != sighups_handled) {
 			syslog(LOG_DEBUG, "%s: SIGHUP", __FUNCTION__);
 			handle_sighup();
@@ -670,7 +705,6 @@
 			syslog(LOG_ERR, "%s: read EOF", __FUNCTION__);
 			return (-1);
 		}
-		syslog(LOG_DEBUG, "%s: read %d", __FUNCTION__, trigger);
 		if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE)
 			break;
 		else
@@ -695,6 +729,7 @@
 	/*
 	 * Process the audit event file, obtaining a class mapping for each
 	 * event, and send that mapping into the kernel.
+	 *
 	 * XXX There's a risk here that the BSM library will return NULL
 	 * for an event when it can't properly map it to a class. In that
 	 * case, we will not process any events beyond the one that failed,
@@ -703,10 +738,17 @@
 	ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
 	ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
 	if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) {
+		if (ev.ae_name != NULL)
+			free(ev.ae_name);
 		syslog(LOG_ERR,
 		    "Memory allocation error when configuring audit controls.");
 		return (-1);
 	}
+
+	/*
+	 * XXXRW: Currently we have no way to remove mappings from the kernel
+	 * when they are removed from the file-based mappings.
+	 */
 	evp = &ev;
 	setauevent();
 	while ((evp = getauevent_r(evp)) != NULL) {
@@ -747,6 +789,10 @@
 
 	/*
 	 * Set the audit policy flags based on passed in parameter values.
+	 *
+	 * XXXRW: This removes existing policy flags not related to cnt/ahlt.
+	 * We need a way to merge configuration policy and command line
+	 * argument policy.
 	 */
 	if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags)))
 		syslog(LOG_ERR, "Failed to set audit policy.");

==== //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#5 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $
  */
 
 #ifndef _AUDITD_H_
@@ -61,7 +61,7 @@
 
 #define	HARDLIM_ALL_WARN	"allhard"
 #define	SOFTLIM_ALL_WARN	"allsoft"
-#define	AUDITOFF_WARN		"aditoff"
+#define	AUDITOFF_WARN		"auditoff"
 #define	EBUSY_WARN		"ebusy"
 #define	GETACDIR_WARN		"getacdir"
 #define	HARDLIM_WARN		"hard"

==== //depot/projects/trustedbsd/openbsm/bsm/audit.h#20 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#19 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#20 $
  */
 
 #ifndef _BSM_AUDIT_H
@@ -46,12 +46,13 @@
  * Triggers for the audit daemon.
  */
 #define	AUDIT_TRIGGER_MIN		1
-#define	AUDIT_TRIGGER_LOW_SPACE		1
-#define	AUDIT_TRIGGER_OPEN_NEW		2
-#define	AUDIT_TRIGGER_READ_FILE		3
-#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4
-#define	AUDIT_TRIGGER_NO_SPACE		5
-#define	AUDIT_TRIGGER_MAX		5
+#define	AUDIT_TRIGGER_LOW_SPACE		1	/* Below low watermark. */
+#define	AUDIT_TRIGGER_ROTATE_KERNEL	2	/* Kernel requests rotate. */
+#define	AUDIT_TRIGGER_READ_FILE		3	/* Re-read config file. */
+#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4	/* Terminate audit. */
+#define	AUDIT_TRIGGER_NO_SPACE		5	/* Below min free space. */
+#define	AUDIT_TRIGGER_ROTATE_USER	6	/* User requests roate. */
+#define	AUDIT_TRIGGER_MAX		6
 
 /*
  * Special file that will be read for trigger events from the kernel
@@ -164,12 +165,12 @@
 #define	AUDIT_PERZONE	0x2000
 
 /*
- * Audit queue control parameters.
+ * Default audit queue control parameters.
  */
 #define	AQ_HIWATER	100
 #define	AQ_MAXHIGH	10000
 #define	AQ_LOWATER	10
-#define	AQ_BUFSZ	1024
+#define	AQ_BUFSZ	MAXAUDITDATA
 #define	AQ_MAXBUFSZ	1048576
 
 /*


More information about the trustedbsd-cvs mailing list