PERFORCE change 154466 for review

Stacey Son sson at FreeBSD.org
Wed Dec 10 14:35:43 PST 2008


http://perforce.freebsd.org/chv.cgi?CH=154466

Change 154466 by sson at sson_amd64 on 2008/12/10 22:35:02

	Major auditd rewrite for launchd(8) support.  This required:
	
	(1) Adding libauditd library that is shared between launchd and auditd. 
	
	(2) Adding the AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i')
	    for (re)starting auditing under launchd(8) on Mac OS X.
	
	(3) Separating Mac OS X and FreeBSD dependent code in auditd.c into
	   	    auditd_darwin.c and auditd_fbsd.c files.
	
	This changeset also includes:
	
	(1) Crash recovery of previous audit trail file when detected on audit
	    startup that it has not been properly terminated.
	
	(2) Add the event AUE_audit_recovery to indicate that an audit trail
	    file has been recovered after not being properly terminated.  This
	    event is stored in the new audit trail file and includes the path
	    of the recovered audit trail file.
	
	(3) Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X
	    system calls.
	
	(4) For Mac OS X, we use ASL(3) instead of syslog(3) for logging.  Add
	    support for NOTICE level logging. 

Affected files ...

.. //depot/projects/trustedbsd/openbsm/Makefile.am#4 edit
.. //depot/projects/trustedbsd/openbsm/Makefile.in#9 edit
.. //depot/projects/trustedbsd/openbsm/NEWS#21 edit
.. //depot/projects/trustedbsd/openbsm/bin/Makefile.in#9 edit
.. //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#5 edit
.. //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#10 edit
.. //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#12 edit
.. //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#12 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#5 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#10 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#15 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#40 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd_darwin.c#1 add
.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd_fbsd.c#1 add
.. //depot/projects/trustedbsd/openbsm/bin/auditfilterd/Makefile.in#7 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/Makefile.in#9 edit
.. //depot/projects/trustedbsd/openbsm/bin/praudit/Makefile.in#9 edit
.. //depot/projects/trustedbsd/openbsm/bsm/Makefile.am#4 edit
.. //depot/projects/trustedbsd/openbsm/bsm/Makefile.in#9 edit
.. //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#10 edit
.. //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#1 add
.. //depot/projects/trustedbsd/openbsm/configure#43 edit
.. //depot/projects/trustedbsd/openbsm/configure.ac#45 edit
.. //depot/projects/trustedbsd/openbsm/etc/audit_event#34 edit
.. //depot/projects/trustedbsd/openbsm/libauditd/Makefile.am#1 add
.. //depot/projects/trustedbsd/openbsm/libauditd/Makefile.in#1 add
.. //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#1 add
.. //depot/projects/trustedbsd/openbsm/libbsm/Makefile.in#12 edit
.. //depot/projects/trustedbsd/openbsm/man/Makefile.in#8 edit
.. //depot/projects/trustedbsd/openbsm/modules/Makefile.in#6 edit
.. //depot/projects/trustedbsd/openbsm/modules/auditfilter_noop/Makefile.in#7 edit
.. //depot/projects/trustedbsd/openbsm/sys/Makefile.in#3 edit
.. //depot/projects/trustedbsd/openbsm/sys/bsm/Makefile.in#4 edit
.. //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#2 edit
.. //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#4 edit
.. //depot/projects/trustedbsd/openbsm/test/Makefile.in#7 edit
.. //depot/projects/trustedbsd/openbsm/test/bsm/Makefile.in#7 edit
.. //depot/projects/trustedbsd/openbsm/tools/Makefile.in#10 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/Makefile.am#4 (text+ko) ====

@@ -1,15 +1,23 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/Makefile.am#3 $
+# $P4: //depot/projects/trustedbsd/openbsm/Makefile.am#4 $
 #
 
 SUBDIRS =		\
-	bsm		\
+	bsm
+
+if HAVE_AUDIT_SYSCALLS
+SUBDIRS +=              \
+       	libauditd
+endif
+
+SUBDIRS +=              \
 	libbsm		\
 	bin		\
 	man		\
 	modules		\
 	sys
 
+
 EXTRA_DIST =		\
 	CHANGELOG	\
 	LICENSE		\

==== //depot/projects/trustedbsd/openbsm/Makefile.in#9 (text+ko) ====

@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/openbsm/Makefile.in#8 $
+# $P4: //depot/projects/trustedbsd/openbsm/Makefile.in#9 $
 #
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
@@ -35,6 +35,9 @@
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ at HAVE_AUDIT_SYSCALLS_TRUE@am__append_1 = \
+ at HAVE_AUDIT_SYSCALLS_TRUE@       	libauditd
+
 subdir = .
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/config/config.h.in \
@@ -63,7 +66,7 @@
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = $(SUBDIRS)
+DIST_SUBDIRS = bsm libauditd libbsm bin man modules sys
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -183,14 +186,7 @@
 target_alias = @target_alias@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-SUBDIRS = \
-	bsm		\
-	libbsm		\
-	bin		\
-	man		\
-	modules		\
-	sys
-
+SUBDIRS = bsm $(am__append_1) libbsm bin man modules sys
 EXTRA_DIST = \
 	CHANGELOG	\
 	LICENSE		\

==== //depot/projects/trustedbsd/openbsm/NEWS#21 (text+ko) ====

@@ -13,6 +13,22 @@
   directly, rather than requiring applications to map to the local error
   space, which might not be able to entirely represent the BSM error number
   space.
+- Major auditd rewrite for launchd(8) support.  Add libauditd library that is
+  shared between launchd and auditd. 
+- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for (re)starting
+  auditing under launchd(8) on Mac OS X.
+- Add 'current' symlink to active audit trail.
+- Add crash recovery of previous audit trail file when detected on audit
+  startup that it has not been properly terminated.
+- Add the event AUE_audit_recovery to indicated when an audit trail file has
+  been recovered from not being properly terminated.  This event is stored
+  in the new audit trail file and includes the path of recovered audit trail
+  file.
+- Mac OS X and FreeBSD dependent code in auditd.c is separated into
+  auditd_darwin.c and auditd_fbsd.c files.
+- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system calls.
+- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
+- Add support for NOTICE level logging. 
 
 OpenBSM 1.1 alpha 3
 
@@ -377,4 +393,4 @@
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#20 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#21 $

==== //depot/projects/trustedbsd/openbsm/bin/Makefile.in#9 (text+ko) ====

@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile.in#8 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile.in#9 $
 #
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
@@ -36,8 +36,8 @@
 build_triplet = @build@
 host_triplet = @host@
 @HAVE_AUDIT_SYSCALLS_TRUE at am__append_1 = \
- at HAVE_AUDIT_SYSCALLS_TRUE@	audit		\
- at HAVE_AUDIT_SYSCALLS_TRUE@	auditd
+ at HAVE_AUDIT_SYSCALLS_TRUE@	auditd		\
+ at HAVE_AUDIT_SYSCALLS_TRUE@	audit
 
 subdir = bin
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
@@ -61,7 +61,7 @@
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = auditfilterd auditreduce praudit audit auditd
+DIST_SUBDIRS = auditfilterd auditreduce praudit auditd audit
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@

==== //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#5 (text+ko) ====

@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#5 $
 #
 
 if USE_NATIVE_INCLUDES
@@ -13,11 +13,11 @@
 man8_MANS = audit.8
 
 if USE_MACH_IPC
-audit_SOURCES = auditd_control_user.c audit.c
-CLEANFILES = auditd_control_user.c auditd_control_user.h
+audit_SOURCES = auditd_controlUser.c audit.c
+CLEANFILES = auditd_controlUser.c auditd_controlUser.h
 
-auditd_control_user.c: $(top_srcdir)/bin/auditd/auditd_control.defs 
-	$(MIG)	-user auditd_control_user.c -header auditd_control_user.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
+auditd_controlUser.c auditd_controlUser.h: $(top_srcdir)/bin/auditd/auditd_control.defs 
+	$(MIG)	-user auditd_controlUser.c -header auditd_controlUser.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
 else
 audit_SOURCES = audit.c
 endif

==== //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#10 (text+ko) ====

@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#9 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#10 $
 #
 
 VPATH = @srcdir@
@@ -49,9 +49,9 @@
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(sbin_PROGRAMS)
-am__audit_SOURCES_DIST = audit.c auditd_control_user.c
+am__audit_SOURCES_DIST = audit.c auditd_controlUser.c
 @USE_MACH_IPC_FALSE at am_audit_OBJECTS = audit.$(OBJEXT)
- at USE_MACH_IPC_TRUE@am_audit_OBJECTS = auditd_control_user.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@am_audit_OBJECTS = auditd_controlUser.$(OBJEXT) \
 @USE_MACH_IPC_TRUE@	audit.$(OBJEXT)
 audit_OBJECTS = $(am_audit_OBJECTS)
 audit_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la
@@ -188,8 +188,8 @@
 audit_LDADD = $(top_builddir)/libbsm/libbsm.la
 man8_MANS = audit.8
 @USE_MACH_IPC_FALSE at audit_SOURCES = audit.c
- at USE_MACH_IPC_TRUE@audit_SOURCES = auditd_control_user.c audit.c
- at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_user.c auditd_control_user.h
+ at USE_MACH_IPC_TRUE@audit_SOURCES = auditd_controlUser.c audit.c
+ at USE_MACH_IPC_TRUE@CLEANFILES = auditd_controlUser.c auditd_controlUser.h
 all: all-am
 
 .SUFFIXES:
@@ -262,7 +262,7 @@
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_control_user.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_controlUser.Po at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -521,8 +521,8 @@
 	uninstall-sbinPROGRAMS
 
 
- at USE_MACH_IPC_TRUE@auditd_control_user.c: $(top_srcdir)/bin/auditd/auditd_control.defs 
- at USE_MACH_IPC_TRUE@	$(MIG)	-user auditd_control_user.c -header auditd_control_user.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
+ at USE_MACH_IPC_TRUE@auditd_controlUser.c auditd_controlUser.h: $(top_srcdir)/bin/auditd/auditd_control.defs 
+ at USE_MACH_IPC_TRUE@	$(MIG)	-user auditd_controlUser.c -header auditd_controlUser.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:

==== //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#12 (text+ko) ====

@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#12 $
 .\"
 .Dd October 2, 2006
 .Dt AUDIT 8
@@ -35,7 +35,7 @@
 .Nd audit management utility
 .Sh SYNOPSIS
 .Nm
-.Fl n | s | t
+.Fl i | n | s | t
 .Sh DESCRIPTION
 The
 .Nm
@@ -43,6 +43,10 @@
 One of the following flags is required as an argument to
 .Nm :
 .Bl -tag -width indent
+.It Fl i
+Initializes and starts auditing.  This option is currently for Mac OS X only
+and requires auditd to be configured to run under 
+.Xr Launchd 8 .
 .It Fl n
 Forces the audit system to close the existing audit log file and rotate to
 a new log file in a location specified in the audit control file.
@@ -58,7 +62,13 @@
 .Sh NOTES
 The
 .Xr auditd 8
-daemon must already be running.
+daemon must already be running. Optionally, it can be configured to be started
+on-demand by
+.Xr Launchd 8
+(Mac OS X only).
+The
+.Nm 
+utility requires audit administrator privileges for successful operation.
 .Sh FILES
 .Bl -tag -width ".Pa /etc/security/audit_control" -compact
 .It Pa /etc/security/audit_control
@@ -67,7 +77,8 @@
 .Sh SEE ALSO
 .Xr audit 4 ,
 .Xr audit_control 5 ,
-.Xr auditd 8
+.Xr auditd 8 ,
+.Xr launchd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.

==== //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#12 (text+ko) ====

@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#11 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#12 $
  */
 /*
  * Program to trigger the audit daemon with a message that is either:
@@ -47,6 +47,7 @@
 
 #include <bsm/libbsm.h>
 
+#include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -64,7 +65,15 @@
 #include <mach/host_special_ports.h>
 #include <servers/bootstrap.h>
 
-#include "auditd_control_user.h"
+#include "auditd_controlUser.h"
+
+/* 
+ * XXX the following is temporary until this can be added to the kernel
+ * audit.h header. 
+ */
+#ifndef AUDIT_TRIGGER_INITIALIZE
+#define	AUDIT_TRIGGER_INITIALIZE	7
+#endif
 
 static int
 send_trigger(unsigned int trigger)
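Review bot: The `#ifndef AUDIT_TRIGGER_INITIALIZE` fallback of 7 at L390-L392 is a second private copy of a value that auditd.c defines the same way (L778-L780); two copies can drift, and a mismatch would make `audit -i` send a trigger number the daemon does not recognise. Until the kernel audit.h gains the constant, put the single fallback in the shared header this change introduces, bsm/auditd_lib.h, and include it from both programs. The XXX comment would then live in one place as well.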
@@ -74,7 +83,12 @@
 
 	error = host_get_audit_control_port(mach_host_self(), &serverPort);
 	if (error != KERN_SUCCESS) {
-		mach_error("Cannot get auditd_control Mach port: ", error);
+		if (geteuid() != 0) {
+			errno = EPERM;
+			perror("audit requires root privileges"); 
+		} else 
+			mach_error("Cannot get auditd_control Mach port:",
+			    error);
 		return (-1);
 	}
 
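Review bot: The non-root branch at L401-L403 discards the Mach error completely, so when geteuid() != 0 every failure of host_get_audit_control_port() is reported as a privilege problem even if the real cause is that auditd is not running or the port lookup failed for another reason. Keep the diagnostic in both cases and add the hint, e.g. `mach_error("Cannot get auditd_control Mach port:", error); if (geteuid() != 0) fputs("audit requires root privileges\n", stderr);`. Setting errno = EPERM only to drive perror() is a roundabout way of printing a fixed string. send_trigger's body continues outside the hunk on both sides.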
@@ -96,7 +110,10 @@
 
 	error = auditon(A_SENDTRIGGER, &trigger, sizeof(trigger));
 	if (error != 0) {
-		perror("Error sending trigger");
+		if (error == EPERM)
+			perror("audit requires root privileges");
+		else
+			perror("Error sending trigger");
 		return (-1);
 	}
 
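Review bot: `if (error == EPERM)` at L415 compares auditon()'s return value with EPERM, but the perror() calls on the following lines (and the code being replaced) rely on auditon() returning -1 and leaving the reason in errno; if that is the convention here, the new branch is never taken and the root-privileges hint is never printed. The test should be `if (errno == EPERM)`, or the return value should be checked against -1 and errno inspected separately. The enclosing function starts outside the hunk.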
@@ -108,7 +125,7 @@
 usage(void)
 {
 
-	(void)fprintf(stderr, "Usage: audit -n | -s | -t \n");
+	(void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
 	exit(-1);
 }
 
@@ -124,9 +141,13 @@
 	if (argc != 2)
 		usage();
 
-	while ((ch = getopt(argc, argv, "nst")) != -1) {
+	while ((ch = getopt(argc, argv, "inst")) != -1) {
 		switch(ch) {
 
+		case 'i':
+			trigger = AUDIT_TRIGGER_INITIALIZE;
+			break;
+
 		case 'n':
 			trigger = AUDIT_TRIGGER_ROTATE_USER;
 			break;

==== //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#5 (text+ko) ====

@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#5 $
 #
 
 if USE_NATIVE_INCLUDES
@@ -9,18 +9,18 @@
 endif
 
 sbin_PROGRAMS = auditd
-auditd_LDADD = $(top_builddir)/libbsm/libbsm.la
+auditd_LDADD = $(top_builddir)/libbsm/libbsm.la $(top_builddir)/libauditd/libauditd.la
 man8_MANS = auditd.8
 
 if USE_MACH_IPC
-auditd_SOURCES = auditd_control_server.c audit_triggers_server.c audit_warn.c auditd.c
-CLEANFILES = auditd_control_server.c auditd_control_server.h audit_triggers_server.c audit_triggers_server.h
+auditd_SOURCES = auditd_controlServer.c audit_triggersServer.c audit_warn.c auditd.c auditd_darwin.c
+CLEANFILES = auditd_control_server.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h
 
-auditd_control_server.c: auditd_control.defs
-	$(MIG) -user /dev/null -header /dev/null -server auditd_control_server.c -sheader auditd_control_server.h $(top_srcdir)/bin/auditd/auditd_control.defs
+auditd_controlServer.c auditd_controlServer.h: auditd_control.defs
+	$(MIG) -user /dev/null -header /dev/null -server auditd_controlServer.c -sheader auditd_controlServer.h $(top_srcdir)/bin/auditd/auditd_control.defs
 
-audit_triggers_server.c: audit_triggers.defs
-	$(MIG) -user /dev/null -header /dev/null -server audit_triggers_server.c -sheader audit_triggers_server.h $(top_srcdir)/bin/auditd/audit_triggers.defs
+audit_triggersServer.c audit_triggersServer.h: audit_triggers.defs
+	$(MIG) -user /dev/null -header /dev/null -server audit_triggersServer.c -sheader audit_triggersServer.h $(top_srcdir)/bin/auditd/audit_triggers.defs
 else
-auditd_SOURCES = audit_warn.c auditd.c
+auditd_SOURCES = audit_warn.c auditd.c auditd_fbsd.c
 endif
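Review bot: CLEANFILES on L468 still lists `auditd_control_server.c`, the pre-rename name, while the MIG rule on L472-L473 now generates `auditd_controlServer.c`; the generated source is therefore never removed by `make clean` and a stale copy can survive a rebuild. Change the line to `CLEANFILES = auditd_controlServer.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h`. The regenerated Makefile.in carries the same leftover at L533 and should be regenerated after the fix.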

==== //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#10 (text+ko) ====

@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#9 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#10 $
 #
 
 VPATH = @srcdir@
@@ -49,16 +49,17 @@
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(sbin_PROGRAMS)
-am__auditd_SOURCES_DIST = audit_warn.c auditd.c \
-	auditd_control_server.c audit_triggers_server.c
+am__auditd_SOURCES_DIST = audit_warn.c auditd.c auditd_fbsd.c \
+	auditd_controlServer.c audit_triggersServer.c auditd_darwin.c
 @USE_MACH_IPC_FALSE at am_auditd_OBJECTS = audit_warn.$(OBJEXT) \
- at USE_MACH_IPC_FALSE@	auditd.$(OBJEXT)
- at USE_MACH_IPC_TRUE@am_auditd_OBJECTS =  \
- at USE_MACH_IPC_TRUE@	auditd_control_server.$(OBJEXT) \
- at USE_MACH_IPC_TRUE@	audit_triggers_server.$(OBJEXT) \
- at USE_MACH_IPC_TRUE@	audit_warn.$(OBJEXT) auditd.$(OBJEXT)
+ at USE_MACH_IPC_FALSE@	auditd.$(OBJEXT) auditd_fbsd.$(OBJEXT)
+ at USE_MACH_IPC_TRUE@am_auditd_OBJECTS = auditd_controlServer.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	audit_triggersServer.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	audit_warn.$(OBJEXT) auditd.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	auditd_darwin.$(OBJEXT)
 auditd_OBJECTS = $(am_auditd_OBJECTS)
-auditd_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la
+auditd_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la \
+	$(top_builddir)/libauditd/libauditd.la
 DEFAULT_INCLUDES = -I. -I$(top_builddir)/config at am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/config/depcomp
 am__depfiles_maybe = depfiles
@@ -189,11 +190,11 @@
 top_srcdir = @top_srcdir@
 @USE_NATIVE_INCLUDES_FALSE at INCLUDES = -I$(top_builddir) -I$(top_srcdir) -I$(top_srcdir)/sys
 @USE_NATIVE_INCLUDES_TRUE at INCLUDES = -I$(top_builddir) -I$(top_srcdir)
-auditd_LDADD = $(top_builddir)/libbsm/libbsm.la
+auditd_LDADD = $(top_builddir)/libbsm/libbsm.la $(top_builddir)/libauditd/libauditd.la
 man8_MANS = auditd.8
- at USE_MACH_IPC_FALSE@auditd_SOURCES = audit_warn.c auditd.c
- at USE_MACH_IPC_TRUE@auditd_SOURCES = auditd_control_server.c audit_triggers_server.c audit_warn.c auditd.c
- at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_server.c auditd_control_server.h audit_triggers_server.c audit_triggers_server.h
+ at USE_MACH_IPC_FALSE@auditd_SOURCES = audit_warn.c auditd.c auditd_fbsd.c
+ at USE_MACH_IPC_TRUE@auditd_SOURCES = auditd_controlServer.c audit_triggersServer.c audit_warn.c auditd.c auditd_darwin.c
+ at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_server.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h
 all: all-am
 
 .SUFFIXES:
@@ -265,10 +266,12 @@
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_triggers_server.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_triggersServer.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_warn.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_control_server.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_controlServer.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_darwin.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_fbsd.Po at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -527,11 +530,11 @@
 	uninstall-sbinPROGRAMS
 
 
- at USE_MACH_IPC_TRUE@auditd_control_server.c: auditd_control.defs
- at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server auditd_control_server.c -sheader auditd_control_server.h $(top_srcdir)/bin/auditd/auditd_control.defs
+ at USE_MACH_IPC_TRUE@auditd_controlServer.c auditd_controlServer.h: auditd_control.defs
+ at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server auditd_controlServer.c -sheader auditd_controlServer.h $(top_srcdir)/bin/auditd/auditd_control.defs
 
- at USE_MACH_IPC_TRUE@audit_triggers_server.c: audit_triggers.defs
- at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server audit_triggers_server.c -sheader audit_triggers_server.h $(top_srcdir)/bin/auditd/audit_triggers.defs
+ at USE_MACH_IPC_TRUE@audit_triggersServer.c audit_triggersServer.h: audit_triggers.defs
+ at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server audit_triggersServer.c -sheader audit_triggersServer.h $(top_srcdir)/bin/auditd/audit_triggers.defs
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:

==== //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 (text+ko) ====

@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
  */
 
 #include <sys/types.h>
@@ -71,20 +71,15 @@
 }
 
 /*
- * Indicates that the hard limit for all filesystems has been exceeded count
- * times.
+ * Indicates that the hard limit for all filesystems has been exceeded.
  */
 int
-audit_warn_allhard(int count)
+audit_warn_allhard(void)
 {
-	char intstr[12];
-	char *args[3];
-
-	snprintf(intstr, 12, "%d", count);
+	char *args[2];
 
 	args[0] = HARDLIM_ALL_WARN;
-	args[1] = intstr;
-	args[2] = NULL;
+	args[1] = NULL;
 
 	return (auditwarnlog(args));
 }

==== //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#15 (text+ko) ====

@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#14 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#15 $
 .\"
 .Dd October 2, 2006
 .Dt AUDITD 8
@@ -35,7 +35,7 @@
 .Nd audit log management daemon
 .Sh SYNOPSIS
 .Nm
-.Op Fl d
+.Op Fl d | l
 .Sh DESCRIPTION
 The
 .Nm
@@ -50,7 +50,15 @@
 .Bl -tag -width indent
 .It Fl d
 Starts the daemon in debug mode \[em] it will not daemonize.
+.It Fl l
+This option is for when
+.Nm
+is configured to start on-demand using
+.Xr launchd 8 .
 .El
+.Pp
+Optionally, the audit review group "audit" may be created.  Non-privileged
+users that are members of this group may read the audit trail log files. 
 .Sh NOTE
 To assure uninterrupted audit support, the
 .Nm
@@ -63,20 +71,32 @@
 .Pa audit_control
 file.
 .Pp
-.\" Sending a
-.\" .Dv SIGHUP
-.\" to a running
-.\" .Nm
-.\" daemon will force it to exit.
-Sending a
-.Dv SIGTERM
-to a running
+If 
+.Nm
+is started on-demand by
+.Xr launchd 8 
+then auditing should only be started and stopped with
+.Xr audit 8 .
+.Pp
+On Mac OS X, 
 .Nm
-daemon will force it to exit.
+uses the 
+.Xr asl 3
+API for writing system log messages.  Therefore, only the audit administrator 
+and members of the audit review group will be able to read the
+system log enties. 
 .Sh FILES
-.Bl -tag -width ".Pa /var/audit" -compact
+.Bl -tag -width ".Pa /etc/security" -compact
 .It Pa /var/audit
 Default directory for storing audit log files.
+.Pp
+.It Pa /etc/security
+The directory containing the auditing configuration files 
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+and
+.Xr audit_warn 5 . 
 .El
 .Sh COMPATIBILITY
 The historical
@@ -92,9 +112,14 @@
 and are no longer available as arguments to
 .Nm .
 .Sh SEE ALSO
+.Xr asl 3 ,
 .Xr audit 4 ,
+.Xr audit_class 5 ,
 .Xr audit_control 5 ,
-.Xr audit 8
+.Xr audit_event 5 ,
+.Xr audit_warn 5 ,
+.Xr audit 8 ,
+.Xr launchd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.

==== //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#40 (text+ko) ====

@@ -26,30 +26,29 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#39 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#40 $
  */
 
-#include <sys/param.h>
+#include <sys/types.h>
 
 #include <config/config.h>
 
 #include <sys/dirent.h>
-#include <sys/mman.h>
-#include <sys/socket.h>
 #ifdef HAVE_FULL_QUEUE_H
 #include <sys/queue.h>
 #else /* !HAVE_FULL_QUEUE_H */
 #include <compat/queue.h>
 #endif /* !HAVE_FULL_QUEUE_H */
+#include <sys/mman.h>
+#include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
 
 #include <bsm/audit.h>
 #include <bsm/audit_uevents.h>
+#include <bsm/auditd_lib.h>
 #include <bsm/libbsm.h>
 
-#include <netinet/in.h>
-
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -60,54 +59,54 @@
 #include <unistd.h>
 #include <signal.h>
 #include <string.h>
-#include <syslog.h>
-#include <netdb.h>
 
 #include "auditd.h"
-#ifdef USE_MACH_IPC
-#include <notify.h>
-#include <mach/port.h>
-#include <mach/mach_error.h>
-#include <mach/mach_traps.h>
-#include <mach/mach.h>
-#include <mach/host_special_ports.h>
-
-#include "auditd_control_server.h"
-#include "audit_triggers_server.h"
-#endif /* USE_MACH_IPC */
 
 #ifndef HAVE_STRLCPY
 #include <compat/strlcpy.h>
 #endif
 
-#define	NA_EVENT_STR_SIZE	25
-#define	POL_STR_SIZE		128
-static int	 ret, minval;
-static char	*lastfile = NULL;
-static int	 allhardcount = 0;
-static int	 sigchlds, sigchlds_handled;
-static int	 sighups, sighups_handled;
-#ifndef USE_MACH_IPC
-static int	 sigterms, sigterms_handled;
-static int	 triggerfd = 0;
+/*
+ * XXX the following is temporary until this can be added to the kernel
+ * audit.h header.
+ */
+#ifndef	AUDIT_TRIGGER_INITIALIZE
+#define	AUDIT_TRIGGER_INITIALIZE	7
+#endif
 
-#else /* USE_MACH_IPC */
+/*
+ * LaunchD flag (Mac OS X and, maybe, FreeBSD only.)  See launchd(8) and 
+ * http://wiki.freebsd.org/launchd for more information.
+ *
+ *      In order for auditd to work "on demand" with launchd(8) it can't:
+ *              call daemon(3)
+ *              call fork and having the parent process exit
+ *              change uids or gids.
+ *              set up the current working directory or chroot.
+ *              set the session id
+ *              change stdio to /dev/null.
+ *              call setrusage(2)
+ *              call setpriority(2)
+ *              Ignore SIGTERM.
+ *      auditd (in 'launchd mode') is launched on demand so it must catch
+ *      SIGTERM to exit cleanly.
+ */
+static int	launchd_flag = 0;
 
-static mach_port_t      control_port = MACH_PORT_NULL;
-static mach_port_t      signal_port = MACH_PORT_NULL;
-static mach_port_t      port_set = MACH_PORT_NULL;
+/*
+ * The GID of the audit review group (if used).  The audit trail files and
+ * system logs (Mac OS X only) can only be reviewed by members of this group
+ * or the audit administrator (aka. "root").
+ */
+static gid_t	audit_review_gid = -1;
 
-#ifndef __BSM_INTERNAL_NOTIFY_KEY
-#define	__BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
-#endif /* __BSM_INTERNAL_NOTIFY_KEY */
-#endif /* USE_MACH_IPC */
-
-static TAILQ_HEAD(, dir_ent)	dir_q;
-
-static int	config_audit_controls(void);
+/*
+ * The path and file name of the last audit trail file.
+ */
+static char	*lastfile = NULL;
 
 /*
- * Error starting auditd
+ * Error starting auditd. Run warn script and exit.
  */
 static void
 fail_exit(void)
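Review bot: `static gid_t audit_review_gid = -1;` at L810 relies on an implicit conversion of -1 to an unsigned type (gid_t is unsigned on both FreeBSD and Mac OS X); it yields the conventional "no group" sentinel, but the intent is clearer and -Wsign-conversion stays quiet with `static gid_t audit_review_gid = (gid_t)-1;`, and any later comparison should use the same cast. The launchd comment at L794 refers to `setrusage(2)`, which does not exist; presumably `setrlimit(2)` is meant, so the comment should say that. The `AUDIT_TRIGGER_INITIALIZE` fallback at L778-L780 duplicates the one in audit.c, see the note on that file.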
@@ -118,60 +117,33 @@
 }
 
 /*
- * Free our local list of directory names.
+ * Follow the 'current' symlink to get the active trail file name.
  */
-static void
-free_dir_q(void)
+static char *
+get_curfile(void)
 {
-	struct dir_ent *dirent;
+	char *cf;
+	int len;
+
+	cf = malloc(MAXPATHLEN);
+	if (cf == NULL) {
+		auditd_log_err("malloc failed: %m");
+		return (NULL);
+	}	
 
-	while ((dirent = TAILQ_FIRST(&dir_q))) {
-		TAILQ_REMOVE(&dir_q, dirent, dirs);
-		free(dirent->dirname);
-		free(dirent);
+	len = readlink(AUDIT_CURRENT_LINK, cf, MAXPATHLEN - 1);
+	if (len < 0) {
+		free(cf);
+		return (NULL);
 	}
-}
 
-/*
- * Generate the timestamp string.
- */
-static int
-getTSstr(char *buf, int len)
-{
-	struct timeval ts;
-	struct timezone tzp;
-	time_t tt;
+	/* readlink() doesn't terminate string. */
+	cf[len] = '\0';	
 
-	if (gettimeofday(&ts, &tzp) != 0)
-		return (-1);
-	tt = (time_t)ts.tv_sec;
-	if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt)))
-		return (-1);
-	return (0);
+	return (cf);
 }
 
 /*
- * Concat the directory name to the given file name.
- * XXX We should affix the hostname also
- */
-static char *
-affixdir(char *name, struct dir_ent *dirent)
-{
-	char *fn = NULL;
-
-	syslog(LOG_DEBUG, "dir = %s", dirent->dirname);
-	/* 
-	 * Sanity check on file name.
-	 */
-	if (strlen(name) != (FILENAME_LEN - 1)) {
-		syslog(LOG_ERR, "Invalid file name: %s", name);
-		return (NULL);
-	}
-	asprintf(&fn, "%s/%s", dirent->dirname, name);
-	return (fn);
-}
-
-/*
  * Close the previous audit trail file.
  */
 static int
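Review bot: get_curfile() returns NULL silently on every readlink() failure at L857-L860, so close_lastfile() cannot tell the normal "no current link yet" case (ENOENT) from a real problem such as a permission error, and a trail that needed recovery would be skipped without a trace in the log. Log the unexpected cases before returning: `if (errno != ENOENT) auditd_log_err("readlink(%s): %m", AUDIT_CURRENT_LINK);`. `len` should be `ssize_t`, the type readlink() returns, rather than `int`. A link target longer than MAXPATHLEN - 1 bytes is silently truncated by readlink(); treating `len == MAXPATHLEN - 1` as an error would surface that instead of renaming a truncated path later.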
@@ -181,6 +153,10 @@
 	char *oldname;
 	size_t len;
 
+	/* If lastfile is NULL try to get it from the 'current' link.  */
+	if (lastfile == NULL)
+		lastfile = get_curfile();
+	
 	if (lastfile != NULL) {
 		len = strlen(lastfile) + 1;
 		oldname = (char *)malloc(len);
@@ -192,16 +168,21 @@
 		if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
 			strlcpy(ptr, TS, TIMESTAMP_LEN);
 			if (rename(oldname, lastfile) != 0)
-				syslog(LOG_ERR,
+				auditd_log_err(
 				    "Could not rename %s to %s: %m", oldname,
 				    lastfile);
 			else {
-				syslog(LOG_INFO, "renamed %s to %s",
+				/* 
+				 * Remove the 'current' symlink since the link
+				 * is now invalid. 
+				 */
+				(void) unlink(AUDIT_CURRENT_LINK);
+				auditd_log_notice( "renamed %s to %s",
 				    oldname, lastfile);
 				audit_warn_closefile(lastfile);
 			}
 		} else 
-			syslog(LOG_ERR, "Could not rename %s to %s", oldname,
+			auditd_log_err( "Could not rename %s to %s", oldname,
 			    lastfile);
 		free(lastfile);
 		free(oldname);
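Review bot: The new logging calls at L936 and L942 carry a stray space after the opening parenthesis (`auditd_log_notice( "renamed %s to %s",`, `auditd_log_err( "Could not rename %s to %s",`), unlike the call at L926; the same appears at L1003 in swap_audit_file(). Write them as `auditd_log_notice("renamed %s to %s",` and `auditd_log_err("Could not rename %s to %s",` for consistency. The enclosing function continues outside the hunk on both sides.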
@@ -211,168 +192,81 @@
 }
 
 /*
- * Create the new audit file with appropriate permissions and ownership.  Try
- * to clean up if something goes wrong.
- */
-static int
-#ifdef AUDIT_REVIEW_GROUP
-open_trail(const char *fname, uid_t uid, gid_t gid)
-#else
-open_trail(const char *fname)
-#endif
-{
-	int error, fd;
-
-	fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
-	if (fd < 0)
-		return (-1);
-#ifdef AUDIT_REVIEW_GROUP
-	if (fchown(fd, uid, gid) < 0) {
-		error = errno;
-		close(fd);
-		(void)unlink(fname);
-		errno = error;
-		return (-1);
-	}
-#endif
-	return (fd);
-}
-
-/*
  * Create the new file name, swap with existing audit file.
  */
 static int
 swap_audit_file(void)
 {
-	char timestr[FILENAME_LEN];
-	char *fn;
+	int err;
+	char *newfile;
 	char TS[TIMESTAMP_LEN];
-	struct dir_ent *dirent;
-#ifdef AUDIT_REVIEW_GROUP
-	struct group *grp;
-	gid_t gid;
-	uid_t uid;
-#endif
-	int error, fd;
+	time_t tt;
 
-	if (getTSstr(TS, TIMESTAMP_LEN) != 0)
+	if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
 		return (-1);
+	err = auditd_swap_trail(TS, &newfile, audit_review_gid,
+	    audit_warn_getacdir);
+	if (err != ADE_NOERR) {
+		auditd_log_err( "%s: %m", auditd_strerror(err));
+		if (err != ADE_ACTL)
+			return (-1);
+	}
 
-	snprintf(timestr, FILENAME_LEN, "%s.%s", TS, NOT_TERMINATED);

>>> TRUNCATED FOR MAIL (1000 lines) <<<

