Minor heads up: OpenBSM parts updated

Robert Watson rwatson at FreeBSD.org
Wed Dec 31 16:28:13 UTC 2008


Just a minor heads up that I've done an import of OpenBSM 1.1 alpha 4 into 
head, with the intent of shaking out bugs so that we can ship OpenBSM 1.1 in 
7.2-RELEASE in a few months.  There are a number of changes in 1.1, including 
a libauditd so that launchd on Mac OS X can link parts of auditd into it 
directly, binary format changes (largely enhancements), etc.  Please send 
feedback to trustedbsd-audit at TrustedBSD.org if you run into any issues.

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Wed, 31 Dec 2008 11:12:24 +0000 (UTC)
From: Robert Watson <rwatson at FreeBSD.org>
To: src-committers at freebsd.org, svn-src-all at freebsd.org,
     svn-src-head at freebsd.org
Subject: svn commit: r186647 - in head: contrib/openbsm contrib/openbsm/bin
     contrib/openbsm/bin/audit contrib/openbsm/bin/auditd
     contrib/openbsm/bin/auditfilterd contrib/openbsm/bin/auditreduce
     contrib/open...

Author: rwatson
Date: Wed Dec 31 11:12:24 2008
New Revision: 186647
URL: http://svn.freebsd.org/changeset/base/186647

Log:
   Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both
   contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
   merge).  Add libauditd build parts and add to auditd's linkage;
   force libbsm to build before libauditd.

   OpenBSM history for imported revisions below for reference.

   MFC after:      1 month
   Sponsored by:   Apple Inc.
   Obtained from:  TrustedBSD Project

   OpenBSM 1.1 alpha 4

   - With the addition of BSM error number mapping, we also need to map the
     local error number passed to audit_submit(3) to a BSM error number,
     rather than have the caller perform that conversion.
   - Reallocate user audit events to avoid collisions with Solaris; adopt a
     more formal allocation scheme, and add some events allocated in Solaris
     that will be of immediate use on other platforms.
   - Add an event for Calife.
   - Add au_strerror(3), which allows generating strings for BSM errors
     directly, rather than requiring applications to map to the local error
     space, which might not be able to entirely represent the BSM error
     number space.
   - Major auditd rewrite for launchd(8) support.  Add libauditd library
     that is shared between launchd and auditd.
   - Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
     (re)starting auditing under launchd(8) on Mac OS X.
   - Add 'current' symlink to active audit trail.
   - Add crash recovery of previous audit trail file when detected on audit
     startup that it has not been properly terminated.
   - Add the event AUE_audit_recovery to indicate when an audit trail file
     has been recovered from not being properly terminated.  This event is
     stored in the new audit trail file and includes the path of recovered
     audit trail file.
   - Mac OS X and FreeBSD dependent code in auditd.c is separated into
     auditd_darwin.c and auditd_fbsd.c files.
   - Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
     calls.
   - For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
   - Add support for NOTICE level logging.

   OpenBSM 1.1 alpha 3

   - Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
     between BSM error numbers (largely the Solaris definitions) and local
     errno(2) values for 32-bit and 64-bit return tokens.  This is required
     as operating systems don't agree on some of the values of more recent
     error numbers.
   - Fix a bug in how au_to_exec_args(3) and au_to_exec_env(3) calculate the
     total size for the token.  This buge.
   - Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.

Added:
   head/contrib/openbsm/bin/auditd/auditd_darwin.c
      - copied unchanged from r186607, vendor/openbsm/dist/bin/auditd/auditd_darwin.c
   head/contrib/openbsm/bin/auditd/auditd_fbsd.c
      - copied unchanged from r186607, vendor/openbsm/dist/bin/auditd/auditd_fbsd.c
   head/contrib/openbsm/bsm/auditd_lib.h
      - copied unchanged from r186607, vendor/openbsm/dist/bsm/auditd_lib.h
   head/contrib/openbsm/libauditd/
      - copied from r186607, vendor/openbsm/dist/libauditd/
   head/contrib/openbsm/libbsm/au_errno.3
      - copied unchanged from r186607, vendor/openbsm/dist/libbsm/au_errno.3
   head/contrib/openbsm/libbsm/bsm_errno.c
      - copied unchanged from r186607, vendor/openbsm/dist/libbsm/bsm_errno.c
   head/contrib/openbsm/sys/bsm/audit_errno.h
      - copied unchanged from r186607, vendor/openbsm/dist/sys/bsm/audit_errno.h
   head/contrib/openbsm/test/reference/E2BIG_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/E2BIG_record
   head/contrib/openbsm/test/reference/EACCES_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EACCES_record
   head/contrib/openbsm/test/reference/EBADF_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EBADF_record
   head/contrib/openbsm/test/reference/EBUSY_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EBUSY_record
   head/contrib/openbsm/test/reference/ECHILD_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ECHILD_record
   head/contrib/openbsm/test/reference/EDEADLK_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EDEADLK_record
   head/contrib/openbsm/test/reference/EEXIST_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EEXIST_record
   head/contrib/openbsm/test/reference/EFAULT_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EFAULT_record
   head/contrib/openbsm/test/reference/EFBIG_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EFBIG_record
   head/contrib/openbsm/test/reference/EINTR_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EINTR_record
   head/contrib/openbsm/test/reference/EINVAL_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EINVAL_record
   head/contrib/openbsm/test/reference/EIO_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EIO_record
   head/contrib/openbsm/test/reference/EISDIR_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EISDIR_record
   head/contrib/openbsm/test/reference/EMFILE_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EMFILE_record
   head/contrib/openbsm/test/reference/EMLINK_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EMLINK_record
   head/contrib/openbsm/test/reference/ENFILE_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENFILE_record
   head/contrib/openbsm/test/reference/ENODEV_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENODEV_record
   head/contrib/openbsm/test/reference/ENOENT_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOENT_record
   head/contrib/openbsm/test/reference/ENOEXEC_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOEXEC_record
   head/contrib/openbsm/test/reference/ENOMEM_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOMEM_record
   head/contrib/openbsm/test/reference/ENOSPC_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOSPC_record
   head/contrib/openbsm/test/reference/ENOTBLK_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTBLK_record
   head/contrib/openbsm/test/reference/ENOTDIR_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTDIR_record
   head/contrib/openbsm/test/reference/ENOTTY_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTTY_record
   head/contrib/openbsm/test/reference/ENXIO_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENXIO_record
   head/contrib/openbsm/test/reference/EPERM_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EPERM_record
   head/contrib/openbsm/test/reference/EPIPE_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EPIPE_record
   head/contrib/openbsm/test/reference/EROFS_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EROFS_record
   head/contrib/openbsm/test/reference/ESPIPE_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ESPIPE_record
   head/contrib/openbsm/test/reference/ESRCH_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ESRCH_record
   head/contrib/openbsm/test/reference/ETXTBSY_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ETXTBSY_record
   head/contrib/openbsm/test/reference/EXDEV_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EXDEV_record
   head/contrib/openbsm/test/reference/socketex_record
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/socketex_record
   head/contrib/openbsm/test/reference/socketex_token
      - copied unchanged from r186607, vendor/openbsm/dist/test/reference/socketex_token
   head/lib/libauditd/
   head/lib/libauditd/Makefile   (contents, props changed)
   head/sys/bsm/audit_errno.h   (contents, props changed)
   head/sys/security/audit/audit_bsm_errno.c   (contents, props changed)
Modified:
   head/contrib/openbsm/   (props changed)
   head/contrib/openbsm/Makefile.am
   head/contrib/openbsm/Makefile.in
   head/contrib/openbsm/NEWS
   head/contrib/openbsm/README
   head/contrib/openbsm/TODO
   head/contrib/openbsm/VERSION
   head/contrib/openbsm/bin/Makefile.in
   head/contrib/openbsm/bin/audit/Makefile.am
   head/contrib/openbsm/bin/audit/Makefile.in
   head/contrib/openbsm/bin/audit/audit.8
   head/contrib/openbsm/bin/audit/audit.c
   head/contrib/openbsm/bin/auditd/Makefile.am
   head/contrib/openbsm/bin/auditd/Makefile.in
   head/contrib/openbsm/bin/auditd/audit_warn.c
   head/contrib/openbsm/bin/auditd/auditd.8
   head/contrib/openbsm/bin/auditd/auditd.c
   head/contrib/openbsm/bin/auditd/auditd.h
   head/contrib/openbsm/bin/auditfilterd/Makefile.in
   head/contrib/openbsm/bin/auditreduce/Makefile.in
   head/contrib/openbsm/bin/auditreduce/auditreduce.c
   head/contrib/openbsm/bin/praudit/Makefile.in
   head/contrib/openbsm/bsm/Makefile.am
   head/contrib/openbsm/bsm/Makefile.in
   head/contrib/openbsm/bsm/audit_uevents.h
   head/contrib/openbsm/bsm/libbsm.h
   head/contrib/openbsm/compat/endian.h
   head/contrib/openbsm/config/config.h.in
   head/contrib/openbsm/configure
   head/contrib/openbsm/configure.ac
   head/contrib/openbsm/etc/audit_event
   head/contrib/openbsm/libbsm/Makefile.am
   head/contrib/openbsm/libbsm/Makefile.in
   head/contrib/openbsm/libbsm/au_token.3
   head/contrib/openbsm/libbsm/audit_submit.3
   head/contrib/openbsm/libbsm/bsm_audit.c
   head/contrib/openbsm/libbsm/bsm_class.c
   head/contrib/openbsm/libbsm/bsm_control.c
   head/contrib/openbsm/libbsm/bsm_event.c
   head/contrib/openbsm/libbsm/bsm_io.c
   head/contrib/openbsm/libbsm/bsm_mask.c
   head/contrib/openbsm/libbsm/bsm_token.c
   head/contrib/openbsm/libbsm/bsm_user.c
   head/contrib/openbsm/libbsm/bsm_wrappers.c
   head/contrib/openbsm/libbsm/libbsm.3
   head/contrib/openbsm/man/Makefile.in
   head/contrib/openbsm/man/audit.log.5
   head/contrib/openbsm/modules/Makefile.in
   head/contrib/openbsm/modules/auditfilter_noop/Makefile.in
   head/contrib/openbsm/sys/Makefile.in
   head/contrib/openbsm/sys/bsm/Makefile.am
   head/contrib/openbsm/sys/bsm/Makefile.in
   head/contrib/openbsm/sys/bsm/audit.h
   head/contrib/openbsm/sys/bsm/audit_internal.h
   head/contrib/openbsm/sys/bsm/audit_kevents.h
   head/contrib/openbsm/sys/bsm/audit_record.h
   head/contrib/openbsm/test/Makefile.in
   head/contrib/openbsm/test/bsm/Makefile.in
   head/contrib/openbsm/test/bsm/generate.c
   head/contrib/openbsm/test/reference/arg32_record
   head/contrib/openbsm/test/reference/data_record
   head/contrib/openbsm/test/reference/file_record
   head/contrib/openbsm/test/reference/header32_token
   head/contrib/openbsm/test/reference/in_addr_record
   head/contrib/openbsm/test/reference/ip_record
   head/contrib/openbsm/test/reference/ipc_record
   head/contrib/openbsm/test/reference/iport_record
   head/contrib/openbsm/test/reference/opaque_record
   head/contrib/openbsm/test/reference/path_record
   head/contrib/openbsm/test/reference/process32_record
   head/contrib/openbsm/test/reference/process32ex_record-IPv4
   head/contrib/openbsm/test/reference/process32ex_record-IPv6
   head/contrib/openbsm/test/reference/process64_record
   head/contrib/openbsm/test/reference/process64ex_record-IPv4
   head/contrib/openbsm/test/reference/process64ex_record-IPv6
   head/contrib/openbsm/test/reference/return32_record
   head/contrib/openbsm/test/reference/return32_token
   head/contrib/openbsm/test/reference/seq_record
   head/contrib/openbsm/test/reference/subject32_record
   head/contrib/openbsm/test/reference/subject32ex_record
   head/contrib/openbsm/test/reference/text_record
   head/contrib/openbsm/test/reference/zonename_record
   head/contrib/openbsm/tools/Makefile.in
   head/lib/Makefile
   head/lib/libbsm/Makefile
   head/share/mk/bsd.libnames.mk
   head/sys/bsm/audit.h
   head/sys/bsm/audit_internal.h
   head/sys/bsm/audit_kevents.h
   head/sys/bsm/audit_record.h
   head/sys/security/audit/audit_bsm_token.c
   head/usr.sbin/auditd/Makefile

Modified: head/contrib/openbsm/Makefile.am
==============================================================================
--- head/contrib/openbsm/Makefile.am	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/Makefile.am	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,15 +1,23 @@
  #
-# $P4: //depot/projects/trustedbsd/openbsm/Makefile.am#3 $
+# $P4: //depot/projects/trustedbsd/openbsm/Makefile.am#4 $
  #

  SUBDIRS =		\
-	bsm		\
+	bsm
+
+if HAVE_AUDIT_SYSCALLS
+SUBDIRS +=              \
+       	libauditd
+endif
+
+SUBDIRS +=              \
  	libbsm		\
  	bin		\
  	man		\
  	modules		\
  	sys

+
  EXTRA_DIST =		\
  	CHANGELOG	\
  	LICENSE		\
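Review bot: In the new SUBDIRS sequence libauditd is appended ahead of libbsm, so automake descends into libauditd first, while the commit log says libbsm has to be built before libauditd in the FreeBSD build. If libauditd links against libbsm here as well, move the conditional `SUBDIRS += libauditd` block after libbsm. The added continuation lines also mix spaces and a tab (`SUBDIRS +=              \` and the `libauditd` line) where the rest of the file uses tabs, and the extra blank line before EXTRA_DIST looks unintended.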

Modified: head/contrib/openbsm/Makefile.in
==============================================================================
--- head/contrib/openbsm/Makefile.in	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/Makefile.in	Wed Dec 31 11:12:24 2008	(r186647)
@@ -15,7 +15,7 @@
  @SET_MAKE@

  #
-# $P4: //depot/projects/trustedbsd/openbsm/Makefile.in#8 $
+# $P4: //depot/projects/trustedbsd/openbsm/Makefile.in#9 $
  #
  VPATH = @srcdir@
  pkgdatadir = $(datadir)/@PACKAGE@
@@ -35,6 +35,9 @@ PRE_UNINSTALL = :
  POST_UNINSTALL = :
  build_triplet = @build@
  host_triplet = @host@
+ at HAVE_AUDIT_SYSCALLS_TRUE@am__append_1 = \
+ at HAVE_AUDIT_SYSCALLS_TRUE@       	libauditd
+
  subdir = .
  DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
  	$(srcdir)/Makefile.in $(top_srcdir)/config/config.h.in \
@@ -63,7 +66,7 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-re
    distclean-recursive maintainer-clean-recursive
  ETAGS = etags
  CTAGS = ctags
-DIST_SUBDIRS = $(SUBDIRS)
+DIST_SUBDIRS = bsm libauditd libbsm bin man modules sys
  DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
  distdir = $(PACKAGE)-$(VERSION)
  top_distdir = $(distdir)
@@ -183,14 +186,7 @@ sysconfdir = @sysconfdir@
  target_alias = @target_alias@
  top_builddir = @top_builddir@
  top_srcdir = @top_srcdir@
-SUBDIRS = \
-	bsm		\
-	libbsm		\
-	bin		\
-	man		\
-	modules		\
-	sys
-
+SUBDIRS = bsm $(am__append_1) libbsm bin man modules sys
  EXTRA_DIST = \
  	CHANGELOG	\
  	LICENSE		\

Modified: head/contrib/openbsm/NEWS
==============================================================================
--- head/contrib/openbsm/NEWS	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/NEWS	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,5 +1,50 @@
  OpenBSM Version History

+OpenBSM 1.1 alpha 4
+
+- With the addition of BSM error number mapping, we also need to map the
+  local error number passed to audit_submit(3) to a BSM error number, rather
+  than have the caller perform that conversion.
+- Reallocate user audit events to avoid collisions with Solaris; adopt a more
+  formal allocation scheme, and add some events allocated in Solaris that
+  will be of immediate use on other platforms.
+- Add an event for Calife.
+- Add au_strerror(3), which allows generating strings for BSM errors
+  directly, rather than requiring applications to map to the local error
+  space, which might not be able to entirely represent the BSM error number
+  space.
+- Major auditd rewrite for launchd(8) support.  Add libauditd library that is
+  shared between launchd and auditd.
+- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for (re)starting
+  auditing under launchd(8) on Mac OS X.
+- Add 'current' symlink to active audit trail.
+- Add crash recovery of previous audit trail file when detected on audit
+  startup that it has not been properly terminated.
+- Add the event AUE_audit_recovery to indicated when an audit trail file has
+  been recovered from not being properly terminated.  This event is stored
+  in the new audit trail file and includes the path of recovered audit trail
+  file.
+- Mac OS X and FreeBSD dependent code in auditd.c is separated into
+  auditd_darwin.c and auditd_fbsd.c files.
+- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system calls.
+- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
+- Add support for NOTICE level logging.
+
+OpenBSM 1.1 alpha 3
+
+- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
+  between BSM error numbers (largely the Solaris definitions) and local
+  errno(2) values for 32-bit and 64-bit return tokens.  This is required as
+  operating systems don't agree on some of the values of more recent error
+  numbers.
+- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total
+  size for the token.  This bug resulted in "unknown" tokens being printed
+  after the exec args/env tokens.
+- Support for AUT_SOCKET_EX extended socket tokens, which describe a socket
+  using a pair of IPv4/IPv6 and port tuples.
+- OpenBSM BSM file header version bumped for 1.1 release.
+- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
+
  OpenBSM 1.1 alpha 2

  - Include files in OpenBSM are now broken out into two parts: library builds
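Review bot: Two wording slips in the added entries: in the alpha 4 list, "Add the event AUE_audit_recovery to indicated when" should read "to indicate when", and in the alpha 3 list, "Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates" should read "Fix a bug in how ... calculate". Both are worth fixing in the vendor NEWS file before the 1.1 release, since this text is what downstream consumers read.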
@@ -348,4 +393,4 @@ OpenBSM 1.0 alpha 1
    to support reloading of kernel event table.
  - Allow comments in /etc/security configuration files.

-$P4: //depot/projects/trustedbsd/openbsm/NEWS#9 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#21 $

Modified: head/contrib/openbsm/README
==============================================================================
--- head/contrib/openbsm/README	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/README	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,4 +1,4 @@
-OpenBSM 1.1 alpha 1
+OpenBSM 1.1 alpha 4

    Introduction

@@ -19,6 +19,7 @@ OpenBSM consists of several directories:
      bsm/           Library include files for BSM
      compat/        Compatibility code to build on various OS's
      etc/           Sample /etc/security configuration files
+    libauditd      Common audit management functions for auditd and launchd
      libbsm/        Implementation of BSM library interfaces and man pages
      man/           System call and configuration file man pages
      modules/       Directory for auditfilterd module source
@@ -55,4 +56,4 @@ Information on TrustedBSD may be found o

      http://www.TrustedBSD.org/

-$P4: //depot/projects/trustedbsd/openbsm/README#32 $
+$P4: //depot/projects/trustedbsd/openbsm/README#34 $

Modified: head/contrib/openbsm/TODO
==============================================================================
--- head/contrib/openbsm/TODO	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/TODO	Wed Dec 31 11:12:24 2008	(r186647)
@@ -20,5 +20,7 @@ OpenBSM TODO
  - Document audit_warn event arguments.
  - Allow the path /etc/security to be configured at configure-time so that
    alternative locations can be used.
+- NLS support for au_strerror(3), which provides error strings for BSM errors
+  not available on the local OS platform.

-$P4: //depot/projects/trustedbsd/openbsm/TODO#11 $
+$P4: //depot/projects/trustedbsd/openbsm/TODO#12 $

Modified: head/contrib/openbsm/VERSION
==============================================================================
--- head/contrib/openbsm/VERSION	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/VERSION	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1 +1 @@
-OPENBSM_1_1_ALPHA_2
+OPENBSM_1_1_ALPHA_4

Modified: head/contrib/openbsm/bin/Makefile.in
==============================================================================
--- head/contrib/openbsm/bin/Makefile.in	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/Makefile.in	Wed Dec 31 11:12:24 2008	(r186647)
@@ -15,7 +15,7 @@
  @SET_MAKE@

  #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile.in#8 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile.in#10 $
  #
  VPATH = @srcdir@
  pkgdatadir = $(datadir)/@PACKAGE@

Modified: head/contrib/openbsm/bin/audit/Makefile.am
==============================================================================
--- head/contrib/openbsm/bin/audit/Makefile.am	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/audit/Makefile.am	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,5 +1,5 @@
  #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#6 $
  #

  if USE_NATIVE_INCLUDES
@@ -13,11 +13,11 @@ audit_LDADD = $(top_builddir)/libbsm/lib
  man8_MANS = audit.8

  if USE_MACH_IPC
-audit_SOURCES = auditd_control_user.c audit.c
-CLEANFILES = auditd_control_user.c auditd_control_user.h
+audit_SOURCES = auditd_controlUser.c audit.c
+CLEANFILES = auditd_controlUser.c auditd_control.h

-auditd_control_user.c: $(top_srcdir)/bin/auditd/auditd_control.defs
-	$(MIG)	-user auditd_control_user.c -header auditd_control_user.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
+auditd_controlUser.c auditd_control.h: $(top_srcdir)/bin/auditd/auditd_control.defs
+	$(MIG)	-user auditd_controlUser.c -header auditd_control.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
  else
  audit_SOURCES = audit.c
  endif
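Review bot: The rewritten MIG rule names two targets, `auditd_controlUser.c auditd_control.h:`, which make treats as two independent rules sharing one recipe, so a parallel build can run $(MIG) twice at once and race on both output files. Keep a single target for the recipe and make the header depend on the generated .c file, or use a stamp file. Since audit.c now includes auditd_control.h, also consider listing the header in BUILT_SOURCES so it exists before audit.c is compiled.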

Modified: head/contrib/openbsm/bin/audit/Makefile.in
==============================================================================
--- head/contrib/openbsm/bin/audit/Makefile.in	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/audit/Makefile.in	Wed Dec 31 11:12:24 2008	(r186647)
@@ -15,7 +15,7 @@
  @SET_MAKE@

  #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#9 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#11 $
  #

  VPATH = @srcdir@
@@ -49,9 +49,9 @@ CONFIG_CLEAN_FILES =
  am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
  sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
  PROGRAMS = $(sbin_PROGRAMS)
-am__audit_SOURCES_DIST = audit.c auditd_control_user.c
+am__audit_SOURCES_DIST = audit.c auditd_controlUser.c
  @USE_MACH_IPC_FALSE at am_audit_OBJECTS = audit.$(OBJEXT)
- at USE_MACH_IPC_TRUE@am_audit_OBJECTS = auditd_control_user.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@am_audit_OBJECTS = auditd_controlUser.$(OBJEXT) \
  @USE_MACH_IPC_TRUE@	audit.$(OBJEXT)
  audit_OBJECTS = $(am_audit_OBJECTS)
  audit_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la
@@ -188,8 +188,8 @@ top_srcdir = @top_srcdir@
  audit_LDADD = $(top_builddir)/libbsm/libbsm.la
  man8_MANS = audit.8
  @USE_MACH_IPC_FALSE at audit_SOURCES = audit.c
- at USE_MACH_IPC_TRUE@audit_SOURCES = auditd_control_user.c audit.c
- at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_user.c auditd_control_user.h
+ at USE_MACH_IPC_TRUE@audit_SOURCES = auditd_controlUser.c audit.c
+ at USE_MACH_IPC_TRUE@CLEANFILES = auditd_controlUser.c auditd_control.h
  all: all-am

  .SUFFIXES:
@@ -262,7 +262,7 @@ distclean-compile:
  	-rm -f *.tab.c

  @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_control_user.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_controlUser.Po at am__quote@

  .c.o:
  @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -521,8 +521,8 @@ uninstall-man: uninstall-man8
  	uninstall-sbinPROGRAMS


- at USE_MACH_IPC_TRUE@auditd_control_user.c: $(top_srcdir)/bin/auditd/auditd_control.defs
- at USE_MACH_IPC_TRUE@	$(MIG)	-user auditd_control_user.c -header auditd_control_user.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
+ at USE_MACH_IPC_TRUE@auditd_controlUser.c auditd_control.h: $(top_srcdir)/bin/auditd/auditd_control.defs
+ at USE_MACH_IPC_TRUE@	$(MIG)	-user auditd_controlUser.c -header auditd_control.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
  # Tell versions [3.59,3.63) of GNU make to not export all variables.
  # Otherwise a system limit (for SysV at least) may be exceeded.
  .NOEXPORT:

Modified: head/contrib/openbsm/bin/audit/audit.8
==============================================================================
--- head/contrib/openbsm/bin/audit/audit.8	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/audit/audit.8	Wed Dec 31 11:12:24 2008	(r186647)
@@ -25,9 +25,9 @@
  .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
  .\"
-.Dd October 2, 2006
+.Dd December 11, 2008
  .Dt AUDIT 8
  .Os
  .Sh NAME
@@ -35,7 +35,7 @@
  .Nd audit management utility
  .Sh SYNOPSIS
  .Nm
-.Fl n | s | t
+.Fl i | n | s | t
  .Sh DESCRIPTION
  The
  .Nm
@@ -43,6 +43,13 @@ utility controls the state of the audit
  One of the following flags is required as an argument to
  .Nm :
  .Bl -tag -width indent
+.It Fl i
+Initializes and starts auditing.
+This option is currently for Mac OS X only
+and requires
+.Xr auditd 8
+to be configured to run under
+.Xr launchd 8 .
  .It Fl n
  Forces the audit system to close the existing audit log file and rotate to
  a new log file in a location specified in the audit control file.
@@ -59,6 +66,13 @@ and renamed to indicate the time of the
  The
  .Xr auditd 8
  daemon must already be running.
+Optionally, it can be configured to be started
+on-demand by
+.Xr launchd 8
+(Mac OS X only).
+The
+.Nm
+utility requires audit administrator privileges for successful operation.
  .Sh FILES
  .Bl -tag -width ".Pa /etc/security/audit_control" -compact
  .It Pa /etc/security/audit_control
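Review bot: The added sentence says the utility "requires audit administrator privileges", but the messages added to audit.c in this same commit say "audit requires root privileges"; pick one term and use it in both places. The new "Optionally, it can be configured to be started on-demand by" launchd(8) text also follows directly after "daemon must already be running", so the paragraph reads as a contradiction; state explicitly that under launchd(8) the daemon does not need to be running beforehand.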
@@ -67,7 +81,8 @@ Audit policy file used to configure the
  .Sh SEE ALSO
  .Xr audit 4 ,
  .Xr audit_control 5 ,
-.Xr auditd 8
+.Xr auditd 8 ,
+.Xr launchd 8
  .Sh HISTORY
  The OpenBSM implementation was created by McAfee Research, the security
  division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.

Modified: head/contrib/openbsm/bin/audit/audit.c
==============================================================================
--- head/contrib/openbsm/bin/audit/audit.c	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/audit/audit.c	Wed Dec 31 11:12:24 2008	(r186647)
@@ -26,7 +26,7 @@
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#11 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
   */
  /*
   * Program to trigger the audit daemon with a message that is either:
@@ -47,6 +47,7 @@

  #include <bsm/libbsm.h>

+#include <errno.h>
  #include <fcntl.h>
  #include <stdio.h>
  #include <stdlib.h>
@@ -64,7 +65,15 @@ static int send_trigger(unsigned int);
  #include <mach/host_special_ports.h>
  #include <servers/bootstrap.h>

-#include "auditd_control_user.h"
+#include "auditd_control.h"
+
+/*
+ * XXX the following is temporary until this can be added to the kernel
+ * audit.h header.
+ */
+#ifndef AUDIT_TRIGGER_INITIALIZE
+#define	AUDIT_TRIGGER_INITIALIZE	7
+#endif

  static int
  send_trigger(unsigned int trigger)
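Review bot: The fallback `#define AUDIT_TRIGGER_INITIALIZE 7` hard-codes a value that has to match whatever the kernel audit.h eventually assigns, and the XXX comment gives no way to track its removal. It is also placed directly after the Mach-specific includes; if that block is compiled only for Mach IPC builds, the `case 'i'` added to main() needs the constant on other platforms too, so either move the fallback out of that block or confirm the header supplies it everywhere.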
@@ -74,7 +83,12 @@ send_trigger(unsigned int trigger)

  	error = host_get_audit_control_port(mach_host_self(), &serverPort);
  	if (error != KERN_SUCCESS) {
-		mach_error("Cannot get auditd_control Mach port: ", error);
+		if (geteuid() != 0) {
+			errno = EPERM;
+			perror("audit requires root privileges");
+		} else
+			mach_error("Cannot get auditd_control Mach port:",
+			    error);
  		return (-1);
  	}

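Review bot: In the new `geteuid() != 0` branch the kern_return_t held in `error` is discarded and errno is forced to EPERM, so any failure of host_get_audit_control_port() for a non-root user is reported as a privilege problem, whatever the actual cause. Print the Mach error as well, or substitute the message only when the return code indicates a permission failure. Also check that <unistd.h> is included for geteuid(); this commit adds only <errno.h>.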
@@ -96,7 +110,10 @@ send_trigger(unsigned int trigger)

  	error = auditon(A_SENDTRIGGER, &trigger, sizeof(trigger));
  	if (error != 0) {
-		perror("Error sending trigger");
+		if (error == EPERM)
+			perror("audit requires root privileges");
+		else
+			perror("Error sending trigger");
  		return (-1);
  	}

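Review bot: `if (error == EPERM)` tests the return value of auditon(), which is -1 on failure with the cause left in errno, so this branch never matches and the root-privileges message is never printed on this path. Test `errno == EPERM` instead; the <errno.h> include added earlier in this file already covers it.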
@@ -108,7 +125,7 @@ static void
  usage(void)
  {

-	(void)fprintf(stderr, "Usage: audit -n | -s | -t \n");
+	(void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
  	exit(-1);
  }

@@ -124,9 +141,13 @@ main(int argc, char **argv)
  	if (argc != 2)
  		usage();

-	while ((ch = getopt(argc, argv, "nst")) != -1) {
+	while ((ch = getopt(argc, argv, "inst")) != -1) {
  		switch(ch) {

+		case 'i':
+			trigger = AUDIT_TRIGGER_INITIALIZE;
+			break;
+
  		case 'n':
  			trigger = AUDIT_TRIGGER_ROTATE_USER;
  			break;
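Review bot: `-i` is added to the getopt string and the switch for every platform, while audit.8 in this commit documents it as Mac OS X only and dependent on launchd(8). On other systems the trigger is sent to the daemon regardless; either compile the option only where it is supported or reject it with a clear message, and keep usage() in step with whichever is chosen.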

Modified: head/contrib/openbsm/bin/auditd/Makefile.am
==============================================================================
--- head/contrib/openbsm/bin/auditd/Makefile.am	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/Makefile.am	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,5 +1,5 @@
  #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#5 $
  #

  if USE_NATIVE_INCLUDES
@@ -9,18 +9,18 @@ INCLUDES = -I$(top_builddir) -I$(top_src
  endif

  sbin_PROGRAMS = auditd
-auditd_LDADD = $(top_builddir)/libbsm/libbsm.la
+auditd_LDADD = $(top_builddir)/libbsm/libbsm.la $(top_builddir)/libauditd/libauditd.la
  man8_MANS = auditd.8

  if USE_MACH_IPC
-auditd_SOURCES = auditd_control_server.c audit_triggers_server.c audit_warn.c auditd.c
-CLEANFILES = auditd_control_server.c auditd_control_server.h audit_triggers_server.c audit_triggers_server.h
+auditd_SOURCES = auditd_controlServer.c audit_triggersServer.c audit_warn.c auditd.c auditd_darwin.c
+CLEANFILES = auditd_control_server.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h

-auditd_control_server.c: auditd_control.defs
-	$(MIG) -user /dev/null -header /dev/null -server auditd_control_server.c -sheader auditd_control_server.h $(top_srcdir)/bin/auditd/auditd_control.defs
+auditd_controlServer.c auditd_controlServer.h: auditd_control.defs
+	$(MIG) -user /dev/null -header /dev/null -server auditd_controlServer.c -sheader auditd_controlServer.h $(top_srcdir)/bin/auditd/auditd_control.defs

-audit_triggers_server.c: audit_triggers.defs
-	$(MIG) -user /dev/null -header /dev/null -server audit_triggers_server.c -sheader audit_triggers_server.h $(top_srcdir)/bin/auditd/audit_triggers.defs
+audit_triggersServer.c audit_triggersServer.h: audit_triggers.defs
+	$(MIG) -user /dev/null -header /dev/null -server audit_triggersServer.c -sheader audit_triggersServer.h $(top_srcdir)/bin/auditd/audit_triggers.defs
  else
-auditd_SOURCES = audit_warn.c auditd.c
+auditd_SOURCES = audit_warn.c auditd.c auditd_fbsd.c
  endif
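Review bot: In the USE_MACH_IPC branch, CLEANFILES still names auditd_control_server.c although the MIG rule now generates auditd_controlServer.c, so "make clean" will leave the generated server source behind; the first entry should be auditd_controlServer.c. The same stale name is carried into the CLEANFILES line of the regenerated Makefile.in. Separately, the two rules that now list both the .c and the .h as targets of one MIG recipe are treated by make as two independent rules, so a parallel build can run the same MIG command twice at once; making the header depend on the .c file, or using a stamp file, avoids that.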

Modified: head/contrib/openbsm/bin/auditd/Makefile.in
==============================================================================
--- head/contrib/openbsm/bin/auditd/Makefile.in	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/Makefile.in	Wed Dec 31 11:12:24 2008	(r186647)
@@ -15,7 +15,7 @@
  @SET_MAKE@

  #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#9 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#10 $
  #

  VPATH = @srcdir@
@@ -49,16 +49,17 @@ CONFIG_CLEAN_FILES =
  am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
  sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
  PROGRAMS = $(sbin_PROGRAMS)
-am__auditd_SOURCES_DIST = audit_warn.c auditd.c \
-	auditd_control_server.c audit_triggers_server.c
+am__auditd_SOURCES_DIST = audit_warn.c auditd.c auditd_fbsd.c \
+	auditd_controlServer.c audit_triggersServer.c auditd_darwin.c
  @USE_MACH_IPC_FALSE at am_auditd_OBJECTS = audit_warn.$(OBJEXT) \
- at USE_MACH_IPC_FALSE@	auditd.$(OBJEXT)
- at USE_MACH_IPC_TRUE@am_auditd_OBJECTS =  \
- at USE_MACH_IPC_TRUE@	auditd_control_server.$(OBJEXT) \
- at USE_MACH_IPC_TRUE@	audit_triggers_server.$(OBJEXT) \
- at USE_MACH_IPC_TRUE@	audit_warn.$(OBJEXT) auditd.$(OBJEXT)
+ at USE_MACH_IPC_FALSE@	auditd.$(OBJEXT) auditd_fbsd.$(OBJEXT)
+ at USE_MACH_IPC_TRUE@am_auditd_OBJECTS = auditd_controlServer.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	audit_triggersServer.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	audit_warn.$(OBJEXT) auditd.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	auditd_darwin.$(OBJEXT)
  auditd_OBJECTS = $(am_auditd_OBJECTS)
-auditd_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la
+auditd_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la \
+	$(top_builddir)/libauditd/libauditd.la
  DEFAULT_INCLUDES = -I. -I$(top_builddir)/config at am__isrc@
  depcomp = $(SHELL) $(top_srcdir)/config/depcomp
  am__depfiles_maybe = depfiles
@@ -189,11 +190,11 @@ top_builddir = @top_builddir@
  top_srcdir = @top_srcdir@
  @USE_NATIVE_INCLUDES_FALSE at INCLUDES = -I$(top_builddir) -I$(top_srcdir) -I$(top_srcdir)/sys
  @USE_NATIVE_INCLUDES_TRUE at INCLUDES = -I$(top_builddir) -I$(top_srcdir)
-auditd_LDADD = $(top_builddir)/libbsm/libbsm.la
+auditd_LDADD = $(top_builddir)/libbsm/libbsm.la $(top_builddir)/libauditd/libauditd.la
  man8_MANS = auditd.8
- at USE_MACH_IPC_FALSE@auditd_SOURCES = audit_warn.c auditd.c
- at USE_MACH_IPC_TRUE@auditd_SOURCES = auditd_control_server.c audit_triggers_server.c audit_warn.c auditd.c
- at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_server.c auditd_control_server.h audit_triggers_server.c audit_triggers_server.h
+ at USE_MACH_IPC_FALSE@auditd_SOURCES = audit_warn.c auditd.c auditd_fbsd.c
+ at USE_MACH_IPC_TRUE@auditd_SOURCES = auditd_controlServer.c audit_triggersServer.c audit_warn.c auditd.c auditd_darwin.c
+ at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_server.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h
  all: all-am

  .SUFFIXES:
@@ -265,10 +266,12 @@ mostlyclean-compile:
  distclean-compile:
  	-rm -f *.tab.c

- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_triggers_server.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_triggersServer.Po at am__quote@
  @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_warn.Po at am__quote@
  @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_control_server.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_controlServer.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_darwin.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_fbsd.Po at am__quote@

  .c.o:
  @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -527,11 +530,11 @@ uninstall-man: uninstall-man8
  	uninstall-sbinPROGRAMS


- at USE_MACH_IPC_TRUE@auditd_control_server.c: auditd_control.defs
- at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server auditd_control_server.c -sheader auditd_control_server.h $(top_srcdir)/bin/auditd/auditd_control.defs
+ at USE_MACH_IPC_TRUE@auditd_controlServer.c auditd_controlServer.h: auditd_control.defs
+ at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server auditd_controlServer.c -sheader auditd_controlServer.h $(top_srcdir)/bin/auditd/auditd_control.defs

- at USE_MACH_IPC_TRUE@audit_triggers_server.c: audit_triggers.defs
- at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server audit_triggers_server.c -sheader audit_triggers_server.h $(top_srcdir)/bin/auditd/audit_triggers.defs
+ at USE_MACH_IPC_TRUE@audit_triggersServer.c audit_triggersServer.h: audit_triggers.defs
+ at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server audit_triggersServer.c -sheader audit_triggersServer.h $(top_srcdir)/bin/auditd/audit_triggers.defs
  # Tell versions [3.59,3.63) of GNU make to not export all variables.
  # Otherwise a system limit (for SysV at least) may be exceeded.
  .NOEXPORT:

Modified: head/contrib/openbsm/bin/auditd/audit_warn.c
==============================================================================
--- head/contrib/openbsm/bin/auditd/audit_warn.c	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/audit_warn.c	Wed Dec 31 11:12:24 2008	(r186647)
@@ -26,7 +26,7 @@
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
   */

  #include <sys/types.h>
@@ -71,20 +71,15 @@ auditwarnlog(char *args[])
  }

  /*
- * Indicates that the hard limit for all filesystems has been exceeded count
- * times.
+ * Indicates that the hard limit for all filesystems has been exceeded.
   */
  int
-audit_warn_allhard(int count)
+audit_warn_allhard(void)
  {
-	char intstr[12];
-	char *args[3];
-
-	snprintf(intstr, 12, "%d", count);
+	char *args[2];

  	args[0] = HARDLIM_ALL_WARN;
-	args[1] = intstr;
-	args[2] = NULL;
+	args[1] = NULL;

  	return (auditwarnlog(args));
  }
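Review bot: Callers and documentation need checking against the new audit_warn_allhard(void) signature. The vector handed to auditwarnlog() is now just HARDLIM_ALL_WARN and NULL, so anything that consumed a count in the second position will receive nothing there. This hunk shows neither the call sites nor the description of the allhard warning being updated; please confirm both are covered elsewhere in the commit.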

Modified: head/contrib/openbsm/bin/auditd/auditd.8
==============================================================================
--- head/contrib/openbsm/bin/auditd/auditd.8	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/auditd.8	Wed Dec 31 11:12:24 2008	(r186647)
@@ -25,9 +25,9 @@
  .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#14 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#16 $
  .\"
-.Dd October 2, 2006
+.Dd December 11, 2008
  .Dt AUDITD 8
  .Os
  .Sh NAME
@@ -35,7 +35,7 @@
  .Nd audit log management daemon
  .Sh SYNOPSIS
  .Nm
-.Op Fl d
+.Op Fl d | l
  .Sh DESCRIPTION
  The
  .Nm
@@ -50,7 +50,16 @@ The options are as follows:
  .Bl -tag -width indent
  .It Fl d
  Starts the daemon in debug mode \[em] it will not daemonize.
+.It Fl l
+This option is for when
+.Nm
+is configured to start on-demand using
+.Xr launchd 8 .
  .El
+.Pp
+Optionally, the audit review group "audit" may be created.
+Non-privileged
+users that are members of this group may read the audit trail log files.
  .Sh NOTE
  To assure uninterrupted audit support, the
  .Nm
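Review bot: The new ".It Fl l" entry says when to use -l but not what it changes. The comment added to auditd.c spells out the constraints of launchd mode (no daemon(3), no fork with parent exit, SIGTERM must be caught to exit cleanly); one sentence to that effect here would let an administrator predict the daemon's behaviour. The audit review group paragraph grants non-privileged users read access to the trail files, so it would also help to say how the group is applied to the files, since that is what an operator has to verify.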
@@ -63,20 +72,33 @@ the
  .Pa audit_control
  file.
  .Pp
-.\" Sending a
-.\" .Dv SIGHUP
-.\" to a running
-.\" .Nm
-.\" daemon will force it to exit.
-Sending a
-.Dv SIGTERM
-to a running
+If
+.Nm
+is started on-demand by
+.Xr launchd 8
+then auditing should only be started and stopped with
+.Xr audit 8 .
+.Pp
+On Mac OS X,
  .Nm
-daemon will force it to exit.
+uses the
+.Xr asl 3
+API for writing system log messages.
+Therefore, only the audit administrator
+and members of the audit review group will be able to read the
+system log entries.
  .Sh FILES
-.Bl -tag -width ".Pa /var/audit" -compact
+.Bl -tag -width ".Pa /etc/security" -compact
  .It Pa /var/audit
  Default directory for storing audit log files.
+.Pp
+.It Pa /etc/security
+The directory containing the auditing configuration files
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+and
+.Xr audit_warn 5 .
  .El
  .Sh COMPATIBILITY
  The historical
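Review bot: Removing the SIGTERM paragraph leaves the manual with no description of how to stop a daemon that was not started by launchd(8); the replacement text only covers the on-demand case. The launchd comment in auditd.c says SIGTERM must be caught in launchd mode, so either keep a sentence describing the signal's effect or state that audit(8) is the supported way to stop auditing in both modes. Minor: the ".Pp" added before ".It Pa /etc/security" sits inside a list declared with -compact and works against the compact spacing.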
@@ -92,9 +114,14 @@ and
  and are no longer available as arguments to
  .Nm .
  .Sh SEE ALSO
+.Xr asl 3 ,
  .Xr audit 4 ,
+.Xr audit_class 5 ,
  .Xr audit_control 5 ,
-.Xr audit 8
+.Xr audit_event 5 ,
+.Xr audit_warn 5 ,
+.Xr audit 8 ,
+.Xr launchd 8
  .Sh HISTORY
  The OpenBSM implementation was created by McAfee Research, the security
  division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.

Modified: head/contrib/openbsm/bin/auditd/auditd.c
==============================================================================
--- head/contrib/openbsm/bin/auditd/auditd.c	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/auditd.c	Wed Dec 31 11:12:24 2008	(r186647)
@@ -26,30 +26,29 @@
   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#39 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#40 $
   */

-#include <sys/param.h>
+#include <sys/types.h>

  #include <config/config.h>

  #include <sys/dirent.h>
-#include <sys/mman.h>
-#include <sys/socket.h>
  #ifdef HAVE_FULL_QUEUE_H
  #include <sys/queue.h>
  #else /* !HAVE_FULL_QUEUE_H */
  #include <compat/queue.h>
  #endif /* !HAVE_FULL_QUEUE_H */
+#include <sys/mman.h>
+#include <sys/param.h>
  #include <sys/stat.h>
  #include <sys/wait.h>

  #include <bsm/audit.h>
  #include <bsm/audit_uevents.h>
+#include <bsm/auditd_lib.h>
  #include <bsm/libbsm.h>

-#include <netinet/in.h>
-
  #include <err.h>
  #include <errno.h>
  #include <fcntl.h>
@@ -60,115 +59,88 @@
  #include <unistd.h>
  #include <signal.h>
  #include <string.h>
-#include <syslog.h>
-#include <netdb.h>

  #include "auditd.h"
-#ifdef USE_MACH_IPC
-#include <notify.h>
-#include <mach/port.h>
-#include <mach/mach_error.h>
-#include <mach/mach_traps.h>
-#include <mach/mach.h>
-#include <mach/host_special_ports.h>
-
-#include "auditd_control_server.h"
-#include "audit_triggers_server.h"
-#endif /* USE_MACH_IPC */

  #ifndef HAVE_STRLCPY
  #include <compat/strlcpy.h>
  #endif

-#define	NA_EVENT_STR_SIZE	25
-#define	POL_STR_SIZE		128
-static int	 ret, minval;
-static char	*lastfile = NULL;
-static int	 allhardcount = 0;
-static int	 sigchlds, sigchlds_handled;
-static int	 sighups, sighups_handled;
-#ifndef USE_MACH_IPC
-static int	 sigterms, sigterms_handled;
-static int	 triggerfd = 0;
-
-#else /* USE_MACH_IPC */
-
-static mach_port_t      control_port = MACH_PORT_NULL;
-static mach_port_t      signal_port = MACH_PORT_NULL;
-static mach_port_t      port_set = MACH_PORT_NULL;
-
-#ifndef __BSM_INTERNAL_NOTIFY_KEY
-#define	__BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
-#endif /* __BSM_INTERNAL_NOTIFY_KEY */
-#endif /* USE_MACH_IPC */
-
-static TAILQ_HEAD(, dir_ent)	dir_q;
-
-static int	config_audit_controls(void);
-
  /*
- * Error starting auditd
+ * XXX the following is temporary until this can be added to the kernel
+ * audit.h header.
   */
-static void
-fail_exit(void)
-{
-
-	audit_warn_nostart();
-	exit(1);
-}
+#ifndef	AUDIT_TRIGGER_INITIALIZE
+#define	AUDIT_TRIGGER_INITIALIZE	7
+#endif

  /*
- * Free our local list of directory names.
+ * LaunchD flag (Mac OS X and, maybe, FreeBSD only.)  See launchd(8) and
+ * http://wiki.freebsd.org/launchd for more information.
+ *
+ *      In order for auditd to work "on demand" with launchd(8) it can't:
+ *              call daemon(3)
+ *              call fork and having the parent process exit
+ *              change uids or gids.
+ *              set up the current working directory or chroot.
+ *              set the session id
+ *              change stdio to /dev/null.
+ *              call setrusage(2)
+ *              call setpriority(2)
+ *              Ignore SIGTERM.
+ *      auditd (in 'launchd mode') is launched on demand so it must catch
+ *      SIGTERM to exit cleanly.
+ */
+static int	launchd_flag = 0;
+
+/*
+ * The GID of the audit review group (if used).  The audit trail files and
+ * system logs (Mac OS X only) can only be reviewed by members of this group
+ * or the audit administrator (aka. "root").
   */
-static void
-free_dir_q(void)
-{
-	struct dir_ent *dirent;
+static gid_t	audit_review_gid = -1;

-	while ((dirent = TAILQ_FIRST(&dir_q))) {
-		TAILQ_REMOVE(&dir_q, dirent, dirs);
-		free(dirent->dirname);
-		free(dirent);
-	}
-}
+/*
+ * The path and file name of the last audit trail file.
+ */
+static char	*lastfile = NULL;

  /*
- * Generate the timestamp string.
+ * Error starting auditd. Run warn script and exit.
   */
-static int
-getTSstr(char *buf, int len)
+static void
+fail_exit(void)
  {
-	struct timeval ts;
-	struct timezone tzp;
-	time_t tt;

-	if (gettimeofday(&ts, &tzp) != 0)
-		return (-1);
-	tt = (time_t)ts.tv_sec;
-	if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt)))
-		return (-1);
-	return (0);
+	audit_warn_nostart();
+	exit(1);
  }

  /*
- * Concat the directory name to the given file name.
- * XXX We should affix the hostname also
+ * Follow the 'current' symlink to get the active trail file name.
   */
  static char *
-affixdir(char *name, struct dir_ent *dirent)
+get_curfile(void)
  {
-	char *fn = NULL;
+	char *cf;
+	int len;

-	syslog(LOG_DEBUG, "dir = %s", dirent->dirname);
-	/*
-	 * Sanity check on file name.
-	 */
-	if (strlen(name) != (FILENAME_LEN - 1)) {
-		syslog(LOG_ERR, "Invalid file name: %s", name);
+	cf = malloc(MAXPATHLEN);
+	if (cf == NULL) {
+		auditd_log_err("malloc failed: %m");
+		return (NULL);
+	}
+
+	len = readlink(AUDIT_CURRENT_LINK, cf, MAXPATHLEN - 1);
+	if (len < 0) {
+		free(cf);
  		return (NULL);
  	}
-	asprintf(&fn, "%s/%s", dirent->dirname, name);
-	return (fn);
+
+	/* readlink() doesn't terminate string. */
+	cf[len] = '\0';
+
+	return (cf);
  }

  /*
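Review bot: get_curfile() returns whatever AUDIT_CURRENT_LINK points at with no validation, and close_lastfile() then uses that path as the source and destination of a rename(). Consider checking that the target has the expected trail file name form before it is used, and logging the readlink() failure instead of returning NULL silently, as the malloc() failure path already does. Smaller points: readlink() returns ssize_t, so len should be ssize_t rather than int; assigning -1 to the unsigned gid_t audit_review_gid reads better as (gid_t)-1; and the launchd comment refers to setrusage(2), which is presumably meant to be setrlimit(2).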
@@ -181,6 +153,10 @@ close_lastfile(char *TS)
  	char *oldname;
  	size_t len;

+	/* If lastfile is NULL try to get it from the 'current' link.  */
+	if (lastfile == NULL)
+		lastfile = get_curfile();
+
  	if (lastfile != NULL) {
  		len = strlen(lastfile) + 1;
  		oldname = (char *)malloc(len);
@@ -192,16 +168,21 @@ close_lastfile(char *TS)
  		if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
  			strlcpy(ptr, TS, TIMESTAMP_LEN);
  			if (rename(oldname, lastfile) != 0)
-				syslog(LOG_ERR,
+				auditd_log_err(
  				    "Could not rename %s to %s: %m", oldname,
  				    lastfile);
  			else {
-				syslog(LOG_INFO, "renamed %s to %s",
+				/*
+				 * Remove the 'current' symlink since the link
+				 * is now invalid.
+				 */
+				(void) unlink(AUDIT_CURRENT_LINK);
+				auditd_log_notice( "renamed %s to %s",
  				    oldname, lastfile);
  				audit_warn_closefile(lastfile);
  			}
  		} else
-			syslog(LOG_ERR, "Could not rename %s to %s", oldname,
+			auditd_log_err( "Could not rename %s to %s", oldname,
  			    lastfile);
  		free(lastfile);
  		free(oldname);
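Review bot: The result of unlink(AUDIT_CURRENT_LINK) is discarded, so if the removal fails the 'current' link keeps pointing at the not-terminated name that was just renamed away, and the new fallback at the top of close_lastfile() will later pick up that dangling target. Log any failure other than ENOENT. Style: "auditd_log_notice( " and "auditd_log_err( " have a stray space after the opening parenthesis.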
@@ -211,168 +192,81 @@ close_lastfile(char *TS)
  }

  /*
- * Create the new audit file with appropriate permissions and ownership.  Try
- * to clean up if something goes wrong.
- */
-static int
-#ifdef AUDIT_REVIEW_GROUP
-open_trail(const char *fname, uid_t uid, gid_t gid)
-#else
-open_trail(const char *fname)
-#endif
-{
-	int error, fd;
-
-	fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
-	if (fd < 0)
-		return (-1);
-#ifdef AUDIT_REVIEW_GROUP
-	if (fchown(fd, uid, gid) < 0) {
-		error = errno;
-		close(fd);
-		(void)unlink(fname);
-		errno = error;
-		return (-1);
-	}
-#endif
-	return (fd);
-}
-
-/*
   * Create the new file name, swap with existing audit file.
   */
  static int
  swap_audit_file(void)
  {
-	char timestr[FILENAME_LEN];
-	char *fn;
+	int err;
+	char *newfile;
  	char TS[TIMESTAMP_LEN];
-	struct dir_ent *dirent;
-#ifdef AUDIT_REVIEW_GROUP
-	struct group *grp;
-	gid_t gid;
-	uid_t uid;
-#endif
-	int error, fd;
+	time_t tt;

-	if (getTSstr(TS, TIMESTAMP_LEN) != 0)
+	if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
  		return (-1);
+	err = auditd_swap_trail(TS, &newfile, audit_review_gid,
+	    audit_warn_getacdir);
+	if (err != ADE_NOERR) {
+		auditd_log_err( "%s: %m", auditd_strerror(err));
+		if (err != ADE_ACTL)
+			return (-1);
+	}

-	snprintf(timestr, FILENAME_LEN, "%s.%s", TS, NOT_TERMINATED);
-
-#ifdef AUDIT_REVIEW_GROUP
  	/*
-	 * XXXRW: Currently, this code falls back to the daemon gid, which is
-	 * likely the wheel group.  Is there a better way to deal with this?
+	 * Only close the last file if were in an auditing state before
+	 * calling swap_audit_file().  We may need to recover from a crash.
  	 */
-	grp = getgrnam(AUDIT_REVIEW_GROUP);
-	if (grp == NULL) {
-		syslog(LOG_INFO,
-		    "Audit review group '%s' not available, using daemon gid",
-		    AUDIT_REVIEW_GROUP);
-		gid = -1;
-	} else
-		gid = grp->gr_gid;
-	uid = getuid();
-#endif
+	if (auditd_get_state() == AUD_STATE_ENABLED)
+		close_lastfile(TS);

-	/* Try until we succeed. */
-	while ((dirent = TAILQ_FIRST(&dir_q))) {
-		if ((fn = affixdir(timestr, dirent)) == NULL) {
-			syslog(LOG_INFO, "Failed to swap log at time %s",
-				timestr);
-			return (-1);
-		}
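Review bot: In swap_audit_file(), tt is declared as time_t and passed by value to getTSstr(tt, TS, TIMESTAMP_LEN) without being assigned anywhere in the lines shown, so the timestamp is derived from an indeterminate value unless getTSstr() ignores its first argument; assign it first (for example from time(NULL)) or drop the parameter. In the error path, the "%s: %m" format appends the current errno text to auditd_strerror(err) even when the ADE_ code has nothing to do with the last errno, which can produce misleading log lines. When err is ADE_ACTL the function continues, so newfile must be guaranteed valid in that case; the truncated remainder of the hunk does not show whether it is.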

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

