Audit log from Solaris

Robert Watson rwatson at FreeBSD.org
Wed Apr 27 16:08:59 GMT 2005


On Wed, 27 Apr 2005, Wayne Salamon wrote:

>> Yeah.  Did you give the OpenBSM version of libbsm and praudit a try to see 
>> if that worked any better?
>
> No, these logs were kernel generated. I'll have to write a program to 
> generate some records/logs and test them. Give me a few days or so.

The au_close_buffer() API I added makes this a bit easier to do.  We 
probably need to work out a better API for the assembly and committing of 
audit records so that it's easier to create audit record processing 
pipelines for reduction, matching, etc.  Code fragment based on that new 
API below.  I'm not sure what the origin of the current au_fetch_tok(), 
au_print_tok(), au_read_tok(), au_open(), au_write(), au_close() APIs is 
-- whether those were in the BSM documentation on Sun's web site, derived 
from SSH's BSM patches, or created specifically for Darwin.

Robert N M Watson

        /* Headers the fragment relies on: libbsm for the record API, err(3) for errors. */
        #include <sys/types.h>
        #include <bsm/audit.h>
        #include <bsm/libbsm.h>

        #include <err.h>
        #include <errno.h>
        #include <fcntl.h>
        #include <stdio.h>
        #include <unistd.h>

        int
        main(void)
        {
                auditinfo_t auditinfo;
                token_t *subject;
                au_tid_t tid;
                au_id_t auid;
                au_asid_t sid;
                uid_t euid, ruid;
                gid_t egid, rgid;
                pid_t pid;
                u_char buffer[MAX_AUDIT_RECORD_SIZE];
                size_t buflen;
                ssize_t ret;
                int aufd, error, fd;

                /* Start a new record; tokens are queued on aufd until it is closed. */
                aufd = au_open();
                if (aufd == -1)
                        err(-1, "au_open");

                /* Audit ID, session ID and terminal ID come from the process audit state. */
                if (getaudit(&auditinfo) < 0) {
                        error = errno;
                        au_close(aufd, 0, AUE_NULL);    /* keep == 0 discards the partial record */
                        errno = error;
                        err(-1, "getaudit");
                }

                euid = geteuid();
                ruid = getuid();

                egid = getegid();
                rgid = getgid();

                pid = getpid();
                auid = auditinfo.ai_auid;
                sid = auditinfo.ai_asid;
                tid = auditinfo.ai_termid;

                /* Build the subject token and append it to the open record. */
                subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, &tid);
                if (subject == NULL) {
                        error = errno;
                        au_close(aufd, 0, AUE_NULL);
                        errno = error;
                        err(-1, "au_to_subject32");
                }

                if (au_write(aufd, subject) < 0) {
                        error = errno;
                        au_free_token(subject);
                        au_close(aufd, 0, AUE_NULL);
                        errno = error;
                        err(-1, "au_write");
                }

                /* Commit the record into a caller-supplied buffer instead of the kernel trail. */
                buflen = MAX_AUDIT_RECORD_SIZE;
                if (au_close_buffer(aufd, AUE_NULL, buffer, &buflen) < 0)
                        err(-1, "au_close_buffer");
                printf("Resulting record was %zu bytes\n", buflen);

                /* Append the raw record to a local trail file that praudit can read back. */
                fd = open("trail", O_WRONLY | O_CREAT | O_APPEND, 0600);
                if (fd == -1)
                        err(-1, "open: trail");
                ret = write(fd, buffer, buflen);
                if (ret == -1)
                        err(-1, "write");
                if ((size_t)ret != buflen)
                        errx(-1, "write: %zd returned from write %zu", ret, buflen);
                close(fd);

                return (0);
        }

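Added example, not part of this message or of OpenBSM: a small Python reader for the record au_close_buffer() fills in, showing the token-walking reduction/matching step the message talks about. It assumes the public BSM token layouts (AUT_HEADER32 0x14, AUT_SUBJECT32 0x24, AUT_TRAILER 0x13, trailer magic 0xB105, big-endian fields) and constructs its own sample record rather than reading a real trail.

```python
import struct

# Public BSM token ids and trailer magic (as in bsm/audit_record.h); layouts are big-endian.
AUT_HEADER32, AUT_TRAILER, AUT_SUBJECT32 = 0x14, 0x13, 0x24
TRAILER_MAGIC = 0xB105
HEADER_FMT, SUBJECT_FMT, TRAILER_FMT = ">IBHHII", ">9I", ">HI"   # token bodies after the id byte
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")
HEADER_FIELDS = ("length", "version", "event", "modifier", "secs", "msec")


def build_record(event, auid, euid, egid, ruid, rgid, pid, sid, secs=0, msec=0):
    """Constructed sample: the header32 + subject32 + trailer record the C fragment produces."""
    subject = struct.pack(">B" + SUBJECT_FMT[1:], AUT_SUBJECT32,
                          auid, euid, egid, ruid, rgid, pid, sid, 0, 0)
    total = 1 + struct.calcsize(HEADER_FMT) + len(subject) + 1 + struct.calcsize(TRAILER_FMT)
    # Header version byte 11 is the OpenBSM value; the byte count covers header and trailer.
    header = struct.pack(">B" + HEADER_FMT[1:], AUT_HEADER32, total, 11, event, 0, secs, msec)
    trailer = struct.pack(">B" + TRAILER_FMT[1:], AUT_TRAILER, TRAILER_MAGIC, total)
    return header + subject + trailer


def fetch_tokens(rec):
    """Walk one record, yielding (name, fields) per token; ValueError on a malformed record."""
    off = 0
    while off < len(rec):
        tok = rec[off]
        fmt = {AUT_HEADER32: HEADER_FMT, AUT_SUBJECT32: SUBJECT_FMT, AUT_TRAILER: TRAILER_FMT}.get(tok)
        if fmt is None:
            raise ValueError("unknown token id 0x%02x at offset %d" % (tok, off))
        if len(rec) - off - 1 < struct.calcsize(fmt):
            raise ValueError("truncated token 0x%02x at offset %d" % (tok, off))
        fields = struct.unpack_from(fmt, rec, off + 1)
        off += 1 + struct.calcsize(fmt)
        if tok == AUT_HEADER32:
            if fields[0] != len(rec):   # header byte count must match what we were handed
                raise ValueError("header byte count %d != record length %d" % (fields[0], len(rec)))
            yield "header", dict(zip(HEADER_FIELDS, fields))
        elif tok == AUT_SUBJECT32:
            yield "subject", dict(zip(SUBJECT_FIELDS, fields))
        else:
            if fields[0] != TRAILER_MAGIC or fields[1] != len(rec):
                raise ValueError("bad trailer at offset %d" % (off - 7))
            yield "trailer", {"magic": fields[0], "length": fields[1]}


def records_for_uid(records, uid):
    """Reduction step: keep the records whose subject ran with uid as effective or real uid."""
    keep = []
    for rec in records:
        for name, f in fetch_tokens(rec):
            if name == "subject" and uid in (f["euid"], f["ruid"]):
                keep.append(rec)
                break
    return keep
```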