svn commit: r186647 - in head: contrib/openbsm contrib/openbsm/bin contrib/openbsm/bin/audit contrib/openbsm/bin/auditd contrib/openbsm/bin/auditfilterd contrib/openbsm/bin/auditreduce contrib/open...

Robert Watson rwatson at FreeBSD.org
Wed Dec 31 11:12:26 UTC 2008


Author: rwatson
Date: Wed Dec 31 11:12:24 2008
New Revision: 186647
URL: http://svn.freebsd.org/changeset/base/186647

Log:
  Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both
  contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
  merge).  Add libauditd build parts and add to auditd's linkage;
  force libbsm to build before libauditd.
  
  OpenBSM history for imported revisions below for reference.
  
  MFC after:      1 month
  Sponsored by:   Apple Inc.
  Obtained from:  TrustedBSD Project
  
  OpenBSM 1.1 alpha 4
  
  - With the addition of BSM error number mapping, we also need to map the
    local error number passed to audit_submit(3) to a BSM error number,
    rather than have the caller perform that conversion.
  - Reallocate user audit events to avoid collisions with Solaris; adopt a
    more formal allocation scheme, and add some events allocated in Solaris
    that will be of immediate use on other platforms.
  - Add an event for Calife.
  - Add au_strerror(3), which allows generating strings for BSM errors
    directly, rather than requiring applications to map to the local error
    space, which might not be able to entirely represent the BSM error
    number space.
  - Major auditd rewrite for launchd(8) support.  Add libauditd library
    that is shared between launchd and auditd.
  - Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
    (re)starting auditing under launchd(8) on Mac OS X.
  - Add 'current' symlink to active audit trail.
  - Add crash recovery of previous audit trail file when detected on audit
    startup that it has not been properly terminated.
  - Add the event AUE_audit_recovery to indicated when an audit trail file
    has been recovered from not being properly terminated.  This event is
    stored in the new audit trail file and includes the path of recovered
    audit trail file.
  - Mac OS X and FreeBSD dependent code in auditd.c is separated into
    auditd_darwin.c and auditd_fbsd.c files.
  - Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
    calls.
  - For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
  - Add support for NOTICE level logging.
  
  OpenBSM 1.1 alpha 3
  
  - Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
    between BSM error numbers (largely the Solaris definitions) and local
    errno(2) values for 32-bit and 64-bit return tokens.  This is required
    as operating systems don't agree on some of the values of more recent
    error numbers.
  - Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
    total size for the token.  This buge.
  - Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.

Added:
  head/contrib/openbsm/bin/auditd/auditd_darwin.c
     - copied unchanged from r186607, vendor/openbsm/dist/bin/auditd/auditd_darwin.c
  head/contrib/openbsm/bin/auditd/auditd_fbsd.c
     - copied unchanged from r186607, vendor/openbsm/dist/bin/auditd/auditd_fbsd.c
  head/contrib/openbsm/bsm/auditd_lib.h
     - copied unchanged from r186607, vendor/openbsm/dist/bsm/auditd_lib.h
  head/contrib/openbsm/libauditd/
     - copied from r186607, vendor/openbsm/dist/libauditd/
  head/contrib/openbsm/libbsm/au_errno.3
     - copied unchanged from r186607, vendor/openbsm/dist/libbsm/au_errno.3
  head/contrib/openbsm/libbsm/bsm_errno.c
     - copied unchanged from r186607, vendor/openbsm/dist/libbsm/bsm_errno.c
  head/contrib/openbsm/sys/bsm/audit_errno.h
     - copied unchanged from r186607, vendor/openbsm/dist/sys/bsm/audit_errno.h
  head/contrib/openbsm/test/reference/E2BIG_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/E2BIG_record
  head/contrib/openbsm/test/reference/EACCES_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EACCES_record
  head/contrib/openbsm/test/reference/EBADF_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EBADF_record
  head/contrib/openbsm/test/reference/EBUSY_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EBUSY_record
  head/contrib/openbsm/test/reference/ECHILD_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ECHILD_record
  head/contrib/openbsm/test/reference/EDEADLK_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EDEADLK_record
  head/contrib/openbsm/test/reference/EEXIST_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EEXIST_record
  head/contrib/openbsm/test/reference/EFAULT_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EFAULT_record
  head/contrib/openbsm/test/reference/EFBIG_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EFBIG_record
  head/contrib/openbsm/test/reference/EINTR_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EINTR_record
  head/contrib/openbsm/test/reference/EINVAL_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EINVAL_record
  head/contrib/openbsm/test/reference/EIO_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EIO_record
  head/contrib/openbsm/test/reference/EISDIR_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EISDIR_record
  head/contrib/openbsm/test/reference/EMFILE_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EMFILE_record
  head/contrib/openbsm/test/reference/EMLINK_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EMLINK_record
  head/contrib/openbsm/test/reference/ENFILE_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENFILE_record
  head/contrib/openbsm/test/reference/ENODEV_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENODEV_record
  head/contrib/openbsm/test/reference/ENOENT_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOENT_record
  head/contrib/openbsm/test/reference/ENOEXEC_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOEXEC_record
  head/contrib/openbsm/test/reference/ENOMEM_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOMEM_record
  head/contrib/openbsm/test/reference/ENOSPC_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOSPC_record
  head/contrib/openbsm/test/reference/ENOTBLK_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTBLK_record
  head/contrib/openbsm/test/reference/ENOTDIR_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTDIR_record
  head/contrib/openbsm/test/reference/ENOTTY_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENOTTY_record
  head/contrib/openbsm/test/reference/ENXIO_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ENXIO_record
  head/contrib/openbsm/test/reference/EPERM_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EPERM_record
  head/contrib/openbsm/test/reference/EPIPE_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EPIPE_record
  head/contrib/openbsm/test/reference/EROFS_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EROFS_record
  head/contrib/openbsm/test/reference/ESPIPE_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ESPIPE_record
  head/contrib/openbsm/test/reference/ESRCH_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ESRCH_record
  head/contrib/openbsm/test/reference/ETXTBSY_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/ETXTBSY_record
  head/contrib/openbsm/test/reference/EXDEV_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/EXDEV_record
  head/contrib/openbsm/test/reference/socketex_record
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/socketex_record
  head/contrib/openbsm/test/reference/socketex_token
     - copied unchanged from r186607, vendor/openbsm/dist/test/reference/socketex_token
  head/lib/libauditd/
  head/lib/libauditd/Makefile   (contents, props changed)
  head/sys/bsm/audit_errno.h   (contents, props changed)
  head/sys/security/audit/audit_bsm_errno.c   (contents, props changed)
Modified:
  head/contrib/openbsm/   (props changed)
  head/contrib/openbsm/Makefile.am
  head/contrib/openbsm/Makefile.in
  head/contrib/openbsm/NEWS
  head/contrib/openbsm/README
  head/contrib/openbsm/TODO
  head/contrib/openbsm/VERSION
  head/contrib/openbsm/bin/Makefile.in
  head/contrib/openbsm/bin/audit/Makefile.am
  head/contrib/openbsm/bin/audit/Makefile.in
  head/contrib/openbsm/bin/audit/audit.8
  head/contrib/openbsm/bin/audit/audit.c
  head/contrib/openbsm/bin/auditd/Makefile.am
  head/contrib/openbsm/bin/auditd/Makefile.in
  head/contrib/openbsm/bin/auditd/audit_warn.c
  head/contrib/openbsm/bin/auditd/auditd.8
  head/contrib/openbsm/bin/auditd/auditd.c
  head/contrib/openbsm/bin/auditd/auditd.h
  head/contrib/openbsm/bin/auditfilterd/Makefile.in
  head/contrib/openbsm/bin/auditreduce/Makefile.in
  head/contrib/openbsm/bin/auditreduce/auditreduce.c
  head/contrib/openbsm/bin/praudit/Makefile.in
  head/contrib/openbsm/bsm/Makefile.am
  head/contrib/openbsm/bsm/Makefile.in
  head/contrib/openbsm/bsm/audit_uevents.h
  head/contrib/openbsm/bsm/libbsm.h
  head/contrib/openbsm/compat/endian.h
  head/contrib/openbsm/config/config.h.in
  head/contrib/openbsm/configure
  head/contrib/openbsm/configure.ac
  head/contrib/openbsm/etc/audit_event
  head/contrib/openbsm/libbsm/Makefile.am
  head/contrib/openbsm/libbsm/Makefile.in
  head/contrib/openbsm/libbsm/au_token.3
  head/contrib/openbsm/libbsm/audit_submit.3
  head/contrib/openbsm/libbsm/bsm_audit.c
  head/contrib/openbsm/libbsm/bsm_class.c
  head/contrib/openbsm/libbsm/bsm_control.c
  head/contrib/openbsm/libbsm/bsm_event.c
  head/contrib/openbsm/libbsm/bsm_io.c
  head/contrib/openbsm/libbsm/bsm_mask.c
  head/contrib/openbsm/libbsm/bsm_token.c
  head/contrib/openbsm/libbsm/bsm_user.c
  head/contrib/openbsm/libbsm/bsm_wrappers.c
  head/contrib/openbsm/libbsm/libbsm.3
  head/contrib/openbsm/man/Makefile.in
  head/contrib/openbsm/man/audit.log.5
  head/contrib/openbsm/modules/Makefile.in
  head/contrib/openbsm/modules/auditfilter_noop/Makefile.in
  head/contrib/openbsm/sys/Makefile.in
  head/contrib/openbsm/sys/bsm/Makefile.am
  head/contrib/openbsm/sys/bsm/Makefile.in
  head/contrib/openbsm/sys/bsm/audit.h
  head/contrib/openbsm/sys/bsm/audit_internal.h
  head/contrib/openbsm/sys/bsm/audit_kevents.h
  head/contrib/openbsm/sys/bsm/audit_record.h
  head/contrib/openbsm/test/Makefile.in
  head/contrib/openbsm/test/bsm/Makefile.in
  head/contrib/openbsm/test/bsm/generate.c
  head/contrib/openbsm/test/reference/arg32_record
  head/contrib/openbsm/test/reference/data_record
  head/contrib/openbsm/test/reference/file_record
  head/contrib/openbsm/test/reference/header32_token
  head/contrib/openbsm/test/reference/in_addr_record
  head/contrib/openbsm/test/reference/ip_record
  head/contrib/openbsm/test/reference/ipc_record
  head/contrib/openbsm/test/reference/iport_record
  head/contrib/openbsm/test/reference/opaque_record
  head/contrib/openbsm/test/reference/path_record
  head/contrib/openbsm/test/reference/process32_record
  head/contrib/openbsm/test/reference/process32ex_record-IPv4
  head/contrib/openbsm/test/reference/process32ex_record-IPv6
  head/contrib/openbsm/test/reference/process64_record
  head/contrib/openbsm/test/reference/process64ex_record-IPv4
  head/contrib/openbsm/test/reference/process64ex_record-IPv6
  head/contrib/openbsm/test/reference/return32_record
  head/contrib/openbsm/test/reference/return32_token
  head/contrib/openbsm/test/reference/seq_record
  head/contrib/openbsm/test/reference/subject32_record
  head/contrib/openbsm/test/reference/subject32ex_record
  head/contrib/openbsm/test/reference/text_record
  head/contrib/openbsm/test/reference/zonename_record
  head/contrib/openbsm/tools/Makefile.in
  head/lib/Makefile
  head/lib/libbsm/Makefile
  head/share/mk/bsd.libnames.mk
  head/sys/bsm/audit.h
  head/sys/bsm/audit_internal.h
  head/sys/bsm/audit_kevents.h
  head/sys/bsm/audit_record.h
  head/sys/security/audit/audit_bsm_token.c
  head/usr.sbin/auditd/Makefile

Modified: head/contrib/openbsm/Makefile.am
==============================================================================
--- head/contrib/openbsm/Makefile.am	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/Makefile.am	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,15 +1,23 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/Makefile.am#3 $
+# $P4: //depot/projects/trustedbsd/openbsm/Makefile.am#4 $
 #
 
 SUBDIRS =		\
-	bsm		\
+	bsm
+
+if HAVE_AUDIT_SYSCALLS
+SUBDIRS +=              \
+       	libauditd
+endif
+
+SUBDIRS +=              \
 	libbsm		\
 	bin		\
 	man		\
 	modules		\
 	sys
 
+
 EXTRA_DIST =		\
 	CHANGELOG	\
 	LICENSE		\

Modified: head/contrib/openbsm/Makefile.in
==============================================================================
--- head/contrib/openbsm/Makefile.in	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/Makefile.in	Wed Dec 31 11:12:24 2008	(r186647)
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/openbsm/Makefile.in#8 $
+# $P4: //depot/projects/trustedbsd/openbsm/Makefile.in#9 $
 #
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
@@ -35,6 +35,9 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ at HAVE_AUDIT_SYSCALLS_TRUE@am__append_1 = \
+ at HAVE_AUDIT_SYSCALLS_TRUE@       	libauditd
+
 subdir = .
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/config/config.h.in \
@@ -63,7 +66,7 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-re
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = $(SUBDIRS)
+DIST_SUBDIRS = bsm libauditd libbsm bin man modules sys
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -183,14 +186,7 @@ sysconfdir = @sysconfdir@
 target_alias = @target_alias@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-SUBDIRS = \
-	bsm		\
-	libbsm		\
-	bin		\
-	man		\
-	modules		\
-	sys
-
+SUBDIRS = bsm $(am__append_1) libbsm bin man modules sys
 EXTRA_DIST = \
 	CHANGELOG	\
 	LICENSE		\

Modified: head/contrib/openbsm/NEWS
==============================================================================
--- head/contrib/openbsm/NEWS	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/NEWS	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,5 +1,50 @@
 OpenBSM Version History
 
+OpenBSM 1.1 alpha 4
+
+- With the addition of BSM error number mapping, we also need to map the
+  local error number passed to audit_submit(3) to a BSM error number, rather
+  than have the caller perform that conversion.
+- Reallocate user audit events to avoid collisions with Solaris; adopt a more
+  formal allocation scheme, and add some events allocated in Solaris that
+  will be of immediate use on other platforms.
+- Add an event for Calife.
+- Add au_strerror(3), which allows generating strings for BSM errors
+  directly, rather than requiring applications to map to the local error
+  space, which might not be able to entirely represent the BSM error number
+  space.
+- Major auditd rewrite for launchd(8) support.  Add libauditd library that is
+  shared between launchd and auditd. 
+- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for (re)starting
+  auditing under launchd(8) on Mac OS X.
+- Add 'current' symlink to active audit trail.
+- Add crash recovery of previous audit trail file when detected on audit
+  startup that it has not been properly terminated.
+- Add the event AUE_audit_recovery to indicated when an audit trail file has
+  been recovered from not being properly terminated.  This event is stored
+  in the new audit trail file and includes the path of recovered audit trail
+  file.
+- Mac OS X and FreeBSD dependent code in auditd.c is separated into
+  auditd_darwin.c and auditd_fbsd.c files.
+- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system calls.
+- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
+- Add support for NOTICE level logging. 
+
+OpenBSM 1.1 alpha 3
+
+- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
+  between BSM error numbers (largely the Solaris definitions) and local
+  errno(2) values for 32-bit and 64-bit return tokens.  This is required as
+  operating systems don't agree on some of the values of more recent error
+  numbers.
+- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total
+  size for the token.  This bug resulted in "unknown" tokens being printed
+  after the exec args/env tokens.
+- Support for AUT_SOCKET_EX extended socket tokens, which describe a socket
+  using a pair of IPv4/IPv6 and port tuples.
+- OpenBSM BSM file header version bumped for 1.1 release.
+- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
+
 OpenBSM 1.1 alpha 2
 
 - Include files in OpenBSM are now broken out into two parts: library builds
@@ -348,4 +393,4 @@ OpenBSM 1.0 alpha 1
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#9 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#21 $

Modified: head/contrib/openbsm/README
==============================================================================
--- head/contrib/openbsm/README	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/README	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,4 +1,4 @@
-OpenBSM 1.1 alpha 1
+OpenBSM 1.1 alpha 4
 
   Introduction
 
@@ -19,6 +19,7 @@ OpenBSM consists of several directories:
     bsm/           Library include files for BSM
     compat/        Compatibility code to build on various OS's
     etc/           Sample /etc/security configuration files
+    libauditd      Common audit management functions for auditd and launchd
     libbsm/        Implementation of BSM library interfaces and man pages
     man/           System call and configuration file man pages
     modules/       Directory for auditfilterd module source
@@ -55,4 +56,4 @@ Information on TrustedBSD may be found o
 
     http://www.TrustedBSD.org/
 
-$P4: //depot/projects/trustedbsd/openbsm/README#32 $
+$P4: //depot/projects/trustedbsd/openbsm/README#34 $

Modified: head/contrib/openbsm/TODO
==============================================================================
--- head/contrib/openbsm/TODO	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/TODO	Wed Dec 31 11:12:24 2008	(r186647)
@@ -20,5 +20,7 @@ OpenBSM TODO
 - Document audit_warn event arguments.
 - Allow the path /etc/security to be configured at configure-time so that
   alternative locations can be used.
+- NLS support for au_strerror(3), which provides error strings for BSM errors
+  not available on the local OS platform.
 
-$P4: //depot/projects/trustedbsd/openbsm/TODO#11 $
+$P4: //depot/projects/trustedbsd/openbsm/TODO#12 $

Modified: head/contrib/openbsm/VERSION
==============================================================================
--- head/contrib/openbsm/VERSION	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/VERSION	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1 +1 @@
-OPENBSM_1_1_ALPHA_2
+OPENBSM_1_1_ALPHA_4

Modified: head/contrib/openbsm/bin/Makefile.in
==============================================================================
--- head/contrib/openbsm/bin/Makefile.in	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/Makefile.in	Wed Dec 31 11:12:24 2008	(r186647)
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile.in#8 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile.in#10 $
 #
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@

Modified: head/contrib/openbsm/bin/audit/Makefile.am
==============================================================================
--- head/contrib/openbsm/bin/audit/Makefile.am	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/audit/Makefile.am	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.am#6 $
 #
 
 if USE_NATIVE_INCLUDES
@@ -13,11 +13,11 @@ audit_LDADD = $(top_builddir)/libbsm/lib
 man8_MANS = audit.8
 
 if USE_MACH_IPC
-audit_SOURCES = auditd_control_user.c audit.c
-CLEANFILES = auditd_control_user.c auditd_control_user.h
+audit_SOURCES = auditd_controlUser.c audit.c
+CLEANFILES = auditd_controlUser.c auditd_control.h
 
-auditd_control_user.c: $(top_srcdir)/bin/auditd/auditd_control.defs 
-	$(MIG)	-user auditd_control_user.c -header auditd_control_user.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
+auditd_controlUser.c auditd_control.h: $(top_srcdir)/bin/auditd/auditd_control.defs 
+	$(MIG)	-user auditd_controlUser.c -header auditd_control.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
 else
 audit_SOURCES = audit.c
 endif

Modified: head/contrib/openbsm/bin/audit/Makefile.in
==============================================================================
--- head/contrib/openbsm/bin/audit/Makefile.in	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/audit/Makefile.in	Wed Dec 31 11:12:24 2008	(r186647)
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#9 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile.in#11 $
 #
 
 VPATH = @srcdir@
@@ -49,9 +49,9 @@ CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(sbin_PROGRAMS)
-am__audit_SOURCES_DIST = audit.c auditd_control_user.c
+am__audit_SOURCES_DIST = audit.c auditd_controlUser.c
 @USE_MACH_IPC_FALSE at am_audit_OBJECTS = audit.$(OBJEXT)
- at USE_MACH_IPC_TRUE@am_audit_OBJECTS = auditd_control_user.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@am_audit_OBJECTS = auditd_controlUser.$(OBJEXT) \
 @USE_MACH_IPC_TRUE@	audit.$(OBJEXT)
 audit_OBJECTS = $(am_audit_OBJECTS)
 audit_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la
@@ -188,8 +188,8 @@ top_srcdir = @top_srcdir@
 audit_LDADD = $(top_builddir)/libbsm/libbsm.la
 man8_MANS = audit.8
 @USE_MACH_IPC_FALSE at audit_SOURCES = audit.c
- at USE_MACH_IPC_TRUE@audit_SOURCES = auditd_control_user.c audit.c
- at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_user.c auditd_control_user.h
+ at USE_MACH_IPC_TRUE@audit_SOURCES = auditd_controlUser.c audit.c
+ at USE_MACH_IPC_TRUE@CLEANFILES = auditd_controlUser.c auditd_control.h
 all: all-am
 
 .SUFFIXES:
@@ -262,7 +262,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_control_user.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_controlUser.Po at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -521,8 +521,8 @@ uninstall-man: uninstall-man8
 	uninstall-sbinPROGRAMS
 
 
- at USE_MACH_IPC_TRUE@auditd_control_user.c: $(top_srcdir)/bin/auditd/auditd_control.defs 
- at USE_MACH_IPC_TRUE@	$(MIG)	-user auditd_control_user.c -header auditd_control_user.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
+ at USE_MACH_IPC_TRUE@auditd_controlUser.c auditd_control.h: $(top_srcdir)/bin/auditd/auditd_control.defs 
+ at USE_MACH_IPC_TRUE@	$(MIG)	-user auditd_controlUser.c -header auditd_control.h -server /dev/null -sheader /dev/null $(top_srcdir)/bin/auditd/auditd_control.defs
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:

Modified: head/contrib/openbsm/bin/audit/audit.8
==============================================================================
--- head/contrib/openbsm/bin/audit/audit.8	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/audit/audit.8	Wed Dec 31 11:12:24 2008	(r186647)
@@ -25,9 +25,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
 .\"
-.Dd October 2, 2006
+.Dd December 11, 2008
 .Dt AUDIT 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Nd audit management utility
 .Sh SYNOPSIS
 .Nm
-.Fl n | s | t
+.Fl i | n | s | t
 .Sh DESCRIPTION
 The
 .Nm
@@ -43,6 +43,13 @@ utility controls the state of the audit 
 One of the following flags is required as an argument to
 .Nm :
 .Bl -tag -width indent
+.It Fl i
+Initializes and starts auditing.
+This option is currently for Mac OS X only
+and requires
+.Xr auditd 8
+to be configured to run under 
+.Xr launchd 8 .
 .It Fl n
 Forces the audit system to close the existing audit log file and rotate to
 a new log file in a location specified in the audit control file.
@@ -59,6 +66,13 @@ and renamed to indicate the time of the 
 The
 .Xr auditd 8
 daemon must already be running.
+Optionally, it can be configured to be started
+on-demand by
+.Xr launchd 8
+(Mac OS X only).
+The
+.Nm 
+utility requires audit administrator privileges for successful operation.
 .Sh FILES
 .Bl -tag -width ".Pa /etc/security/audit_control" -compact
 .It Pa /etc/security/audit_control
@@ -67,7 +81,8 @@ Audit policy file used to configure the 
 .Sh SEE ALSO
 .Xr audit 4 ,
 .Xr audit_control 5 ,
-.Xr auditd 8
+.Xr auditd 8 ,
+.Xr launchd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.

Modified: head/contrib/openbsm/bin/audit/audit.c
==============================================================================
--- head/contrib/openbsm/bin/audit/audit.c	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/audit/audit.c	Wed Dec 31 11:12:24 2008	(r186647)
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#11 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
  */
 /*
  * Program to trigger the audit daemon with a message that is either:
@@ -47,6 +47,7 @@
 
 #include <bsm/libbsm.h>
 
+#include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -64,7 +65,15 @@ static int send_trigger(unsigned int);
 #include <mach/host_special_ports.h>
 #include <servers/bootstrap.h>
 
-#include "auditd_control_user.h"
+#include "auditd_control.h"
+
+/* 
+ * XXX the following is temporary until this can be added to the kernel
+ * audit.h header. 
+ */
+#ifndef AUDIT_TRIGGER_INITIALIZE
+#define	AUDIT_TRIGGER_INITIALIZE	7
+#endif
 
 static int
 send_trigger(unsigned int trigger)
@@ -74,7 +83,12 @@ send_trigger(unsigned int trigger)
 
 	error = host_get_audit_control_port(mach_host_self(), &serverPort);
 	if (error != KERN_SUCCESS) {
-		mach_error("Cannot get auditd_control Mach port: ", error);
+		if (geteuid() != 0) {
+			errno = EPERM;
+			perror("audit requires root privileges"); 
+		} else 
+			mach_error("Cannot get auditd_control Mach port:",
+			    error);
 		return (-1);
 	}
 
@@ -96,7 +110,10 @@ send_trigger(unsigned int trigger)
 
 	error = auditon(A_SENDTRIGGER, &trigger, sizeof(trigger));
 	if (error != 0) {
-		perror("Error sending trigger");
+		if (error == EPERM)
+			perror("audit requires root privileges");
+		else
+			perror("Error sending trigger");
 		return (-1);
 	}
 
@@ -108,7 +125,7 @@ static void
 usage(void)
 {
 
-	(void)fprintf(stderr, "Usage: audit -n | -s | -t \n");
+	(void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
 	exit(-1);
 }
 
@@ -124,9 +141,13 @@ main(int argc, char **argv)
 	if (argc != 2)
 		usage();
 
-	while ((ch = getopt(argc, argv, "nst")) != -1) {
+	while ((ch = getopt(argc, argv, "inst")) != -1) {
 		switch(ch) {
 
+		case 'i':
+			trigger = AUDIT_TRIGGER_INITIALIZE;
+			break;
+
 		case 'n':
 			trigger = AUDIT_TRIGGER_ROTATE_USER;
 			break;

Modified: head/contrib/openbsm/bin/auditd/Makefile.am
==============================================================================
--- head/contrib/openbsm/bin/auditd/Makefile.am	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/Makefile.am	Wed Dec 31 11:12:24 2008	(r186647)
@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.am#5 $
 #
 
 if USE_NATIVE_INCLUDES
@@ -9,18 +9,18 @@ INCLUDES = -I$(top_builddir) -I$(top_src
 endif
 
 sbin_PROGRAMS = auditd
-auditd_LDADD = $(top_builddir)/libbsm/libbsm.la
+auditd_LDADD = $(top_builddir)/libbsm/libbsm.la $(top_builddir)/libauditd/libauditd.la
 man8_MANS = auditd.8
 
 if USE_MACH_IPC
-auditd_SOURCES = auditd_control_server.c audit_triggers_server.c audit_warn.c auditd.c
-CLEANFILES = auditd_control_server.c auditd_control_server.h audit_triggers_server.c audit_triggers_server.h
+auditd_SOURCES = auditd_controlServer.c audit_triggersServer.c audit_warn.c auditd.c auditd_darwin.c
+CLEANFILES = auditd_control_server.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h
 
-auditd_control_server.c: auditd_control.defs
-	$(MIG) -user /dev/null -header /dev/null -server auditd_control_server.c -sheader auditd_control_server.h $(top_srcdir)/bin/auditd/auditd_control.defs
+auditd_controlServer.c auditd_controlServer.h: auditd_control.defs
+	$(MIG) -user /dev/null -header /dev/null -server auditd_controlServer.c -sheader auditd_controlServer.h $(top_srcdir)/bin/auditd/auditd_control.defs
 
-audit_triggers_server.c: audit_triggers.defs
-	$(MIG) -user /dev/null -header /dev/null -server audit_triggers_server.c -sheader audit_triggers_server.h $(top_srcdir)/bin/auditd/audit_triggers.defs
+audit_triggersServer.c audit_triggersServer.h: audit_triggers.defs
+	$(MIG) -user /dev/null -header /dev/null -server audit_triggersServer.c -sheader audit_triggersServer.h $(top_srcdir)/bin/auditd/audit_triggers.defs
 else
-auditd_SOURCES = audit_warn.c auditd.c
+auditd_SOURCES = audit_warn.c auditd.c auditd_fbsd.c
 endif

Modified: head/contrib/openbsm/bin/auditd/Makefile.in
==============================================================================
--- head/contrib/openbsm/bin/auditd/Makefile.in	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/Makefile.in	Wed Dec 31 11:12:24 2008	(r186647)
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#9 $
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile.in#10 $
 #
 
 VPATH = @srcdir@
@@ -49,16 +49,17 @@ CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(sbin_PROGRAMS)
-am__auditd_SOURCES_DIST = audit_warn.c auditd.c \
-	auditd_control_server.c audit_triggers_server.c
+am__auditd_SOURCES_DIST = audit_warn.c auditd.c auditd_fbsd.c \
+	auditd_controlServer.c audit_triggersServer.c auditd_darwin.c
 @USE_MACH_IPC_FALSE at am_auditd_OBJECTS = audit_warn.$(OBJEXT) \
- at USE_MACH_IPC_FALSE@	auditd.$(OBJEXT)
- at USE_MACH_IPC_TRUE@am_auditd_OBJECTS =  \
- at USE_MACH_IPC_TRUE@	auditd_control_server.$(OBJEXT) \
- at USE_MACH_IPC_TRUE@	audit_triggers_server.$(OBJEXT) \
- at USE_MACH_IPC_TRUE@	audit_warn.$(OBJEXT) auditd.$(OBJEXT)
+ at USE_MACH_IPC_FALSE@	auditd.$(OBJEXT) auditd_fbsd.$(OBJEXT)
+ at USE_MACH_IPC_TRUE@am_auditd_OBJECTS = auditd_controlServer.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	audit_triggersServer.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	audit_warn.$(OBJEXT) auditd.$(OBJEXT) \
+ at USE_MACH_IPC_TRUE@	auditd_darwin.$(OBJEXT)
 auditd_OBJECTS = $(am_auditd_OBJECTS)
-auditd_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la
+auditd_DEPENDENCIES = $(top_builddir)/libbsm/libbsm.la \
+	$(top_builddir)/libauditd/libauditd.la
 DEFAULT_INCLUDES = -I. -I$(top_builddir)/config at am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/config/depcomp
 am__depfiles_maybe = depfiles
@@ -189,11 +190,11 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 @USE_NATIVE_INCLUDES_FALSE at INCLUDES = -I$(top_builddir) -I$(top_srcdir) -I$(top_srcdir)/sys
 @USE_NATIVE_INCLUDES_TRUE at INCLUDES = -I$(top_builddir) -I$(top_srcdir)
-auditd_LDADD = $(top_builddir)/libbsm/libbsm.la
+auditd_LDADD = $(top_builddir)/libbsm/libbsm.la $(top_builddir)/libauditd/libauditd.la
 man8_MANS = auditd.8
- at USE_MACH_IPC_FALSE@auditd_SOURCES = audit_warn.c auditd.c
- at USE_MACH_IPC_TRUE@auditd_SOURCES = auditd_control_server.c audit_triggers_server.c audit_warn.c auditd.c
- at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_server.c auditd_control_server.h audit_triggers_server.c audit_triggers_server.h
+ at USE_MACH_IPC_FALSE@auditd_SOURCES = audit_warn.c auditd.c auditd_fbsd.c
+ at USE_MACH_IPC_TRUE@auditd_SOURCES = auditd_controlServer.c audit_triggersServer.c audit_warn.c auditd.c auditd_darwin.c
+ at USE_MACH_IPC_TRUE@CLEANFILES = auditd_control_server.c auditd_controlServer.h audit_triggersServer.c audit_triggersServer.h
 all: all-am
 
 .SUFFIXES:
@@ -265,10 +266,12 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_triggers_server.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_triggersServer.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/audit_warn.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_control_server.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_controlServer.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_darwin.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/auditd_fbsd.Po at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -527,11 +530,11 @@ uninstall-man: uninstall-man8
 	uninstall-sbinPROGRAMS
 
 
- at USE_MACH_IPC_TRUE@auditd_control_server.c: auditd_control.defs
- at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server auditd_control_server.c -sheader auditd_control_server.h $(top_srcdir)/bin/auditd/auditd_control.defs
+ at USE_MACH_IPC_TRUE@auditd_controlServer.c auditd_controlServer.h: auditd_control.defs
+ at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server auditd_controlServer.c -sheader auditd_controlServer.h $(top_srcdir)/bin/auditd/auditd_control.defs
 
- at USE_MACH_IPC_TRUE@audit_triggers_server.c: audit_triggers.defs
- at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server audit_triggers_server.c -sheader audit_triggers_server.h $(top_srcdir)/bin/auditd/audit_triggers.defs
+ at USE_MACH_IPC_TRUE@audit_triggersServer.c audit_triggersServer.h: audit_triggers.defs
+ at USE_MACH_IPC_TRUE@	$(MIG) -user /dev/null -header /dev/null -server audit_triggersServer.c -sheader audit_triggersServer.h $(top_srcdir)/bin/auditd/audit_triggers.defs
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:

Modified: head/contrib/openbsm/bin/auditd/audit_warn.c
==============================================================================
--- head/contrib/openbsm/bin/auditd/audit_warn.c	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/audit_warn.c	Wed Dec 31 11:12:24 2008	(r186647)
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
  */
 
 #include <sys/types.h>
@@ -71,20 +71,15 @@ auditwarnlog(char *args[])
 }
 
 /*
- * Indicates that the hard limit for all filesystems has been exceeded count
- * times.
+ * Indicates that the hard limit for all filesystems has been exceeded.
  */
 int
-audit_warn_allhard(int count)
+audit_warn_allhard(void)
 {
-	char intstr[12];
-	char *args[3];
-
-	snprintf(intstr, 12, "%d", count);
+	char *args[2];
 
 	args[0] = HARDLIM_ALL_WARN;
-	args[1] = intstr;
-	args[2] = NULL;
+	args[1] = NULL;
 
 	return (auditwarnlog(args));
 }

Modified: head/contrib/openbsm/bin/auditd/auditd.8
==============================================================================
--- head/contrib/openbsm/bin/auditd/auditd.8	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/auditd.8	Wed Dec 31 11:12:24 2008	(r186647)
@@ -25,9 +25,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#14 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#16 $
 .\"
-.Dd October 2, 2006
+.Dd December 11, 2008
 .Dt AUDITD 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Nd audit log management daemon
 .Sh SYNOPSIS
 .Nm
-.Op Fl d
+.Op Fl d | l
 .Sh DESCRIPTION
 The
 .Nm
@@ -50,7 +50,16 @@ The options are as follows:
 .Bl -tag -width indent
 .It Fl d
 Starts the daemon in debug mode \[em] it will not daemonize.
+.It Fl l
+This option is for when
+.Nm
+is configured to start on-demand using
+.Xr launchd 8 .
 .El
+.Pp
+Optionally, the audit review group "audit" may be created.
+Non-privileged
+users that are members of this group may read the audit trail log files. 
 .Sh NOTE
 To assure uninterrupted audit support, the
 .Nm
@@ -63,20 +72,33 @@ the
 .Pa audit_control
 file.
 .Pp
-.\" Sending a
-.\" .Dv SIGHUP
-.\" to a running
-.\" .Nm
-.\" daemon will force it to exit.
-Sending a
-.Dv SIGTERM
-to a running
+If 
+.Nm
+is started on-demand by
+.Xr launchd 8 
+then auditing should only be started and stopped with
+.Xr audit 8 .
+.Pp
+On Mac OS X, 
 .Nm
-daemon will force it to exit.
+uses the 
+.Xr asl 3
+API for writing system log messages.
+Therefore, only the audit administrator 
+and members of the audit review group will be able to read the
+system log entries. 
 .Sh FILES
-.Bl -tag -width ".Pa /var/audit" -compact
+.Bl -tag -width ".Pa /etc/security" -compact
 .It Pa /var/audit
 Default directory for storing audit log files.
+.Pp
+.It Pa /etc/security
+The directory containing the auditing configuration files 
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+and
+.Xr audit_warn 5 . 
 .El
 .Sh COMPATIBILITY
 The historical
@@ -92,9 +114,14 @@ and
 and are no longer available as arguments to
 .Nm .
 .Sh SEE ALSO
+.Xr asl 3 ,
 .Xr audit 4 ,
+.Xr audit_class 5 ,
 .Xr audit_control 5 ,
-.Xr audit 8
+.Xr audit_event 5 ,
+.Xr audit_warn 5 ,
+.Xr audit 8 ,
+.Xr launchd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.

Modified: head/contrib/openbsm/bin/auditd/auditd.c
==============================================================================
--- head/contrib/openbsm/bin/auditd/auditd.c	Wed Dec 31 11:05:28 2008	(r186646)
+++ head/contrib/openbsm/bin/auditd/auditd.c	Wed Dec 31 11:12:24 2008	(r186647)
@@ -26,30 +26,29 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#39 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#40 $
  */
 
-#include <sys/param.h>
+#include <sys/types.h>
 
 #include <config/config.h>
 
 #include <sys/dirent.h>
-#include <sys/mman.h>
-#include <sys/socket.h>
 #ifdef HAVE_FULL_QUEUE_H
 #include <sys/queue.h>
 #else /* !HAVE_FULL_QUEUE_H */
 #include <compat/queue.h>
 #endif /* !HAVE_FULL_QUEUE_H */
+#include <sys/mman.h>
+#include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
 
 #include <bsm/audit.h>
 #include <bsm/audit_uevents.h>
+#include <bsm/auditd_lib.h>
 #include <bsm/libbsm.h>
 
-#include <netinet/in.h>
-
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -60,115 +59,88 @@
 #include <unistd.h>
 #include <signal.h>
 #include <string.h>
-#include <syslog.h>
-#include <netdb.h>
 
 #include "auditd.h"
-#ifdef USE_MACH_IPC
-#include <notify.h>
-#include <mach/port.h>
-#include <mach/mach_error.h>
-#include <mach/mach_traps.h>
-#include <mach/mach.h>
-#include <mach/host_special_ports.h>
-
-#include "auditd_control_server.h"
-#include "audit_triggers_server.h"
-#endif /* USE_MACH_IPC */
 
 #ifndef HAVE_STRLCPY
 #include <compat/strlcpy.h>
 #endif
 
-#define	NA_EVENT_STR_SIZE	25
-#define	POL_STR_SIZE		128
-static int	 ret, minval;
-static char	*lastfile = NULL;
-static int	 allhardcount = 0;
-static int	 sigchlds, sigchlds_handled;
-static int	 sighups, sighups_handled;
-#ifndef USE_MACH_IPC
-static int	 sigterms, sigterms_handled;
-static int	 triggerfd = 0;
-
-#else /* USE_MACH_IPC */
-
-static mach_port_t      control_port = MACH_PORT_NULL;
-static mach_port_t      signal_port = MACH_PORT_NULL;
-static mach_port_t      port_set = MACH_PORT_NULL;
-
-#ifndef __BSM_INTERNAL_NOTIFY_KEY
-#define	__BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
-#endif /* __BSM_INTERNAL_NOTIFY_KEY */
-#endif /* USE_MACH_IPC */
-
-static TAILQ_HEAD(, dir_ent)	dir_q;
-
-static int	config_audit_controls(void);
-
 /*
- * Error starting auditd
+ * XXX the following is temporary until this can be added to the kernel
+ * audit.h header.
  */
-static void
-fail_exit(void)
-{
-
-	audit_warn_nostart();
-	exit(1);
-}
+#ifndef	AUDIT_TRIGGER_INITIALIZE
+#define	AUDIT_TRIGGER_INITIALIZE	7
+#endif
 
 /*
- * Free our local list of directory names.
+ * LaunchD flag (Mac OS X and, maybe, FreeBSD only.)  See launchd(8) and 
+ * http://wiki.freebsd.org/launchd for more information.
+ *
+ *      In order for auditd to work "on demand" with launchd(8) it can't:
+ *              call daemon(3)
+ *              call fork and having the parent process exit
+ *              change uids or gids.
+ *              set up the current working directory or chroot.
+ *              set the session id
+ *              change stdio to /dev/null.
+ *              call setrusage(2)
+ *              call setpriority(2)
+ *              Ignore SIGTERM.
+ *      auditd (in 'launchd mode') is launched on demand so it must catch
+ *      SIGTERM to exit cleanly.
+ */
+static int	launchd_flag = 0;
+
+/*
+ * The GID of the audit review group (if used).  The audit trail files and
+ * system logs (Mac OS X only) can only be reviewed by members of this group
+ * or the audit administrator (aka. "root").
  */
-static void
-free_dir_q(void)
-{
-	struct dir_ent *dirent;
+static gid_t	audit_review_gid = -1;
 
-	while ((dirent = TAILQ_FIRST(&dir_q))) {
-		TAILQ_REMOVE(&dir_q, dirent, dirs);
-		free(dirent->dirname);
-		free(dirent);
-	}
-}
+/*
+ * The path and file name of the last audit trail file.
+ */
+static char	*lastfile = NULL;
 
 /*
- * Generate the timestamp string.
+ * Error starting auditd. Run warn script and exit.
  */
-static int
-getTSstr(char *buf, int len)
+static void
+fail_exit(void)
 {
-	struct timeval ts;
-	struct timezone tzp;
-	time_t tt;
 
-	if (gettimeofday(&ts, &tzp) != 0)
-		return (-1);
-	tt = (time_t)ts.tv_sec;
-	if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt)))
-		return (-1);
-	return (0);
+	audit_warn_nostart();
+	exit(1);
 }
 
 /*
- * Concat the directory name to the given file name.
- * XXX We should affix the hostname also
+ * Follow the 'current' symlink to get the active trail file name.
  */
 static char *
-affixdir(char *name, struct dir_ent *dirent)
+get_curfile(void)
 {
-	char *fn = NULL;
+	char *cf;
+	int len;
 
-	syslog(LOG_DEBUG, "dir = %s", dirent->dirname);
-	/* 
-	 * Sanity check on file name.
-	 */
-	if (strlen(name) != (FILENAME_LEN - 1)) {
-		syslog(LOG_ERR, "Invalid file name: %s", name);
+	cf = malloc(MAXPATHLEN);
+	if (cf == NULL) {
+		auditd_log_err("malloc failed: %m");
+		return (NULL);
+	}	
+
+	len = readlink(AUDIT_CURRENT_LINK, cf, MAXPATHLEN - 1);
+	if (len < 0) {
+		free(cf);
 		return (NULL);
 	}
-	asprintf(&fn, "%s/%s", dirent->dirname, name);
-	return (fn);
+
+	/* readlink() doesn't terminate string. */
+	cf[len] = '\0';	
+
+	return (cf);
 }
 
 /*
@@ -181,6 +153,10 @@ close_lastfile(char *TS)
 	char *oldname;
 	size_t len;
 
+	/* If lastfile is NULL try to get it from the 'current' link.  */
+	if (lastfile == NULL)
+		lastfile = get_curfile();
+	
 	if (lastfile != NULL) {
 		len = strlen(lastfile) + 1;
 		oldname = (char *)malloc(len);
@@ -192,16 +168,21 @@ close_lastfile(char *TS)
 		if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
 			strlcpy(ptr, TS, TIMESTAMP_LEN);
 			if (rename(oldname, lastfile) != 0)
-				syslog(LOG_ERR,
+				auditd_log_err(
 				    "Could not rename %s to %s: %m", oldname,
 				    lastfile);
 			else {
-				syslog(LOG_INFO, "renamed %s to %s",
+				/* 
+				 * Remove the 'current' symlink since the link
+				 * is now invalid. 
+				 */
+				(void) unlink(AUDIT_CURRENT_LINK);
+				auditd_log_notice( "renamed %s to %s",
 				    oldname, lastfile);
 				audit_warn_closefile(lastfile);
 			}
 		} else 
-			syslog(LOG_ERR, "Could not rename %s to %s", oldname,
+			auditd_log_err( "Could not rename %s to %s", oldname,
 			    lastfile);
 		free(lastfile);
 		free(oldname);
@@ -211,168 +192,81 @@ close_lastfile(char *TS)
 }
 
 /*
- * Create the new audit file with appropriate permissions and ownership.  Try
- * to clean up if something goes wrong.
- */
-static int
-#ifdef AUDIT_REVIEW_GROUP
-open_trail(const char *fname, uid_t uid, gid_t gid)
-#else
-open_trail(const char *fname)
-#endif
-{
-	int error, fd;
-
-	fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
-	if (fd < 0)
-		return (-1);
-#ifdef AUDIT_REVIEW_GROUP
-	if (fchown(fd, uid, gid) < 0) {
-		error = errno;
-		close(fd);
-		(void)unlink(fname);
-		errno = error;
-		return (-1);
-	}
-#endif
-	return (fd);
-}
-
-/*
  * Create the new file name, swap with existing audit file.
  */
 static int
 swap_audit_file(void)
 {
-	char timestr[FILENAME_LEN];
-	char *fn;
+	int err;
+	char *newfile;
 	char TS[TIMESTAMP_LEN];
-	struct dir_ent *dirent;
-#ifdef AUDIT_REVIEW_GROUP
-	struct group *grp;
-	gid_t gid;
-	uid_t uid;
-#endif
-	int error, fd;
+	time_t tt;
 
-	if (getTSstr(TS, TIMESTAMP_LEN) != 0)
+	if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
 		return (-1);
+	err = auditd_swap_trail(TS, &newfile, audit_review_gid,
+	    audit_warn_getacdir);
+	if (err != ADE_NOERR) {
+		auditd_log_err( "%s: %m", auditd_strerror(err));
+		if (err != ADE_ACTL)
+			return (-1);
+	}
 
-	snprintf(timestr, FILENAME_LEN, "%s.%s", TS, NOT_TERMINATED);
-
-#ifdef AUDIT_REVIEW_GROUP
 	/*
-	 * XXXRW: Currently, this code falls back to the daemon gid, which is
-	 * likely the wheel group.  Is there a better way to deal with this?
+	 * Only close the last file if were in an auditing state before
+	 * calling swap_audit_file().  We may need to recover from a crash.
 	 */
-	grp = getgrnam(AUDIT_REVIEW_GROUP);
-	if (grp == NULL) {
-		syslog(LOG_INFO,
-		    "Audit review group '%s' not available, using daemon gid",
-		    AUDIT_REVIEW_GROUP);
-		gid = -1;
-	} else
-		gid = grp->gr_gid;
-	uid = getuid();
-#endif
+	if (auditd_get_state() == AUD_STATE_ENABLED)
+		close_lastfile(TS);
 
-	/* Try until we succeed. */
-	while ((dirent = TAILQ_FIRST(&dir_q))) {
-		if ((fn = affixdir(timestr, dirent)) == NULL) {
-			syslog(LOG_INFO, "Failed to swap log at time %s",
-				timestr);
-			return (-1);
-		}

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


More information about the svn-src-all mailing list