PERFORCE change 106617 for review

Robert Watson rwatson at FreeBSD.org
Sun Sep 24 13:31:26 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=106617

Change 106617 by rwatson at rwatson_zoo on 2006/09/24 20:30:27

	Integrate OpenBSM 1.0 alpha 12 into TrustedBSD audit3 branch.

Affected files ...

.. //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#16 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#11 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#14 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#16 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#8 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#9 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#19 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#14 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#15 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#17 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#11 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#9 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#9 integrate
.. //depot/projects/trustedbsd/audit3/sys/bsm/audit_kevents.h#29 integrate

Differences ...

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#16 (text+ko) ====

@@ -1,3 +1,24 @@
+OpenBSM 1.0 alpha 12
+
+- Correct bug in auditreduce which prevented the -c option from working
+  correctly when the user specifies to process successful or failed events.
+  The problem stemmed from not having access to the return token at the time
+  the initial preselection occurred, but now a second preselection process
+  occurs while processing the return token.
+- getacfilesz(3) API added to read new audit_control(5) filesz setting,
+  which auditd(8) now sets the kernel audit trail rotation size to.
+- auditreduce(1) now uses stdin if no file names are specified on the command
+  line; this was the documented behavior previously, but it was not
+  implemented.  Be more specific in auditreduce(1)'s examples section about
+  what might be done with the output of auditreduce.
+- Add audit_warn(5) closefile event so that administrators can hook
+  termination of an audit trail file.  For example, this might be used to
+  compress the trail file after it is closed.
+- auditreduce(1) now uses regular expressions for pathname matching. Users can
+  now supply one or more (comma delimited) regular expressions for searching
+  the pathnames. If one of the regular expressions is prefixed with a tilde
+  (~), and a path matches, it will be excluded from the search results.
+
 OpenBSM 1.0 alpha 11
 
 - Reclassify certain read/write operations as having no class rather than the
@@ -243,4 +264,4 @@
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#15 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#16 $

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#11 (text+ko) ====

@@ -17,10 +17,7 @@
   just at the beginning of a record.  This will make it easier to use
   praudit in test suites processing single-token files without header and
   trailer context.
-- Teach auditd how to notify a script when it is done with trail files so
-  that the script can archive them, compress them, delete them, whatever.
-  It should walk any trail files found at startup also, assuming it
-  successfully registers.
 - Put hostname in trail file name.
+- Document audit_warn event arguments.
 
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#10 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#11 $

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#14 (text+ko) ====

@@ -1,1 +1,1 @@
-OPENBSM_1_0_ALPHA_11
+OPENBSM_1_0_ALPHA_12

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#5 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#4 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#5 $
  */
 
 #include <sys/types.h>
@@ -125,6 +125,21 @@
 }
 
 /*
+ * Indicate that a trail file has been closed, so can now be post-processed.
+ */
+int
+audit_warn_closefile(char *filename)
+{
+	char *args[3];
+
+	args[0] = CLOSEFILE_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
  * Indicates that the audit deammn is already running
  */
 int
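Review bot: The header comment on `audit_warn_closefile` does not say what the warn script receives or what the return value means, and the TODO in this same change still lists "Document audit_warn event arguments", so the comment is the natural place to start. Suggest `/* Indicate that trail file 'filename' has been closed and may be post-processed; the path is passed as the second argument to the audit_warn script. Returns auditwarnlog()'s result. */`. The parameter could be `const char *` since it is only stored into args, but the sibling prototypes in auditd.h use `char *`, so keeping it is the consistent choice. auditwarnlog's contract is not visible in this hunk.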

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#16 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#15 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#16 $
  */
 
 #include <sys/types.h>
@@ -163,9 +163,11 @@
 				syslog(LOG_ERR,
 				    "Could not rename %s to %s: %m", oldname,
 				    lastfile);
-			else
+			else {
 				syslog(LOG_INFO, "renamed %s to %s",
 				    oldname, lastfile);
+				audit_warn_closefile(lastfile);
+			}
 		}
 		free(lastfile);
 		free(oldname);
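Review bot: The result of `audit_warn_closefile(lastfile)` is discarded, so a failure to run the warn script for the closefile event is never reported, although the same block logs the outcome of the rename at LOG_INFO/LOG_ERR. Suggest `if (audit_warn_closefile(lastfile) != 0)` followed by `syslog(LOG_ERR, "audit_warn closefile failed for %s", lastfile);`. Whether the other audit_warn_* callers in this file check their return values is not visible here; follow whichever convention they use. The enclosing function starts and ends outside the hunk.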
@@ -727,6 +729,8 @@
 	char naeventstr[NA_EVENT_STR_SIZE];
 	char polstr[POL_STR_SIZE];
 	long policy;
+	au_fstat_t au_fstat;
+	size_t filesz;
 
 	/*
 	 * Process the audit event file, obtaining a class mapping for each
@@ -806,6 +810,17 @@
 			    "Failed to set default audit policy: %m");
 	}
 
+	/*
+	 * Set trail rotation size.
+	 */
+	if (getacfilesz(&filesz) == 0) {
+		bzero(&au_fstat, sizeof(au_fstat));
+		au_fstat.af_filesz = filesz;
+		if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0)
+			syslog(LOG_ERR, "Failed to set filesz: %m");
+	} else
+		syslog(LOG_ERR, "Failed to obtain filesz: %m");
+
 	return (0);
 }
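Review bot: Every non-zero result from `getacfilesz` is logged at LOG_ERR as "Failed to obtain filesz", but the getacfilesz added in this same change returns 1 with errno set to EINVAL when the entry apparently is not present in audit_control, so any configuration predating the new `filesz:` line will log an error at every startup and leave the kernel rotation size untouched. Suggest distinguishing that case, e.g. `error = getacfilesz(&filesz);` then `if (error == 0) { ... } else if (error != 1) syslog(LOG_ERR, "Failed to obtain filesz: %m");`, or explicitly setting af_filesz to 0 when the entry is absent so the resulting kernel state is defined. Whether auditon() on an older kernel accepts A_SETFSIZE is not visible here; that failure is already logged. The enclosing function begins outside the hunk.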
 

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#5 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#4 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#5 $
  */
 
 #ifndef _AUDITD_H_
@@ -62,6 +62,7 @@
 #define	HARDLIM_ALL_WARN	"allhard"
 #define	SOFTLIM_ALL_WARN	"allsoft"
 #define	AUDITOFF_WARN		"auditoff"
+#define	CLOSEFILE_WARN		"closefile"
 #define	EBUSY_WARN		"ebusy"
 #define	GETACDIR_WARN		"getacdir"
 #define	HARDLIM_WARN		"hard"
@@ -76,6 +77,7 @@
 int	audit_warn_allhard(int count);
 int	audit_warn_allsoft(void);
 int	audit_warn_auditoff(void);
+int	audit_warn_closefile(char *filename);
 int	audit_warn_ebusy(void);
 int	audit_warn_getacdir(char *filename);
 int	audit_warn_hard(char *filename);

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#8 (text+ko) ====

@@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#7 $
+.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#8 $
 .\"
 .Dd January 24, 2004
 .Dt AUDITREDUCE 1
@@ -105,12 +105,17 @@
 .It Fl o Ar object=value
 .Bl -tag -width Ds
 .It Nm file
-Select records containing the given path name.
-file="/usr" matches paths
-starting with
-.Pa usr .
-file="~/usr" matches paths not starting with
-.Pa usr .
+Select records containing path tokens, where the pathname matches
+one of the comma delimited extended regular expression contained in
+given specification.
+Regular expressions which are prefixed with a tilde (~) are excluded
+from the search results.
+These extended regular expressions are processed from left to right,
+and a path will either be selected or deslected based on the first match.
+.Pp
+Since commas are used to delimit the regular expressions, a backslash (\\)
+character should be used to escape the comma if it's a part of the search
+pattern.
 .It Nm msgqid
 Select records containing the given message queue id.
 .It Nm pid
@@ -136,6 +141,30 @@
 .Pp
 .Nm
 -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Pp
+Output from the above command lines will typically be piped to a new trail
+file, or via standard output to the
+.Xr praudit 1
+command.
+.Pp
+Select all records containing a path token where the pathname contains
+.Pa /etc/master.passwd
+.Pp
+.Nm
+-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+device:
+.Pp
+.Nm
+-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+except for
+.Pa /dev/ttyp2
+.Pp
+.Nm
+-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
 .Sh SEE ALSO
 .Xr praudit 1 ,
 .Xr audit_control 5 ,

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#9 (text+ko) ====

@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#8 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#9 $
  */
 
 /* 
@@ -40,6 +40,13 @@
  * XXX the records present within the file and between the files themselves
  */ 
 
+#include <config/config.h>
+#ifdef HAVE_FULL_QUEUE_H
+#include <sys/queue.h>
+#else
+#include <compat/queue.h>
+#endif
+
 #include <bsm/libbsm.h>
 
 #include <err.h>
@@ -51,9 +58,14 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
+#include <regex.h>
+#include <errno.h>
 
 #include "auditreduce.h"
 
+static TAILQ_HEAD(tailhead, re_entry) re_head =
+    TAILQ_HEAD_INITIALIZER(re_head);
+
 extern char		*optarg;
 extern int		 optind, optopt, opterr,optreset;
 
@@ -81,10 +93,57 @@
 static uint32_t opttochk = 0;
 
 static void
+parse_regexp(char *re_string)
+{
+	char *orig, *copy, re_error[64];
+	struct re_entry *rep;
+	int error, nstrs, i, len;
+
+	copy = strdup(re_string);
+	orig = copy;
+	len = strlen(copy);
+	for (nstrs = 0, i = 0; i < len; i++) {
+		if (copy[i] == ',' && i > 0) {
+			if (copy[i - 1] == '\\')
+				strcpy(&copy[i - 1], &copy[i]);
+			else {
+				nstrs++;
+				copy[i] = '\0';
+			}
+		}
+	}
+	TAILQ_INIT(&re_head);
+	for (i = 0; i < nstrs + 1; i++) {
+		rep = calloc(1, sizeof(*rep));
+		if (rep == NULL) {
+			(void) fprintf(stderr, "calloc: %s\n",
+			    strerror(errno));
+			exit(1);
+		}
+		if (*copy == '~') {
+			copy++;
+			rep->re_negate = 1;
+		}
+		rep->re_pattern = strdup(copy);
+		error = regcomp(&rep->re_regexp, rep->re_pattern,
+		    REG_EXTENDED | REG_NOSUB);
+		if (error != 0) {
+			regerror(error, &rep->re_regexp, re_error, 64);
+			(void) fprintf(stderr, "regcomp: %s\n", re_error);
+			exit(1);
+		}
+		TAILQ_INSERT_TAIL(&re_head, rep, re_glue);
+		len = strlen(copy);
+		copy += len + 1;
+	}
+	free(orig);
+}
+
+static void
 usage(const char *msg)
 {
 	fprintf(stderr, "%s\n", msg);
-	fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
+	fprintf(stderr, "Usage: auditreduce [options] [file ...]\n");
 	fprintf(stderr, "\tOptions are : \n");
 	fprintf(stderr, "\t-A : all records\n");
 	fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
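Review bot: The escaped-comma branch `strcpy(&copy[i - 1], &copy[i])` copies between overlapping regions, which is undefined for strcpy, and because neither `i` nor `len` is adjusted afterwards the character shifted into `copy[i]` is never examined, so a specification such as `a\,,b` yields the single pattern `a,,b` instead of `a,` and `b`. Both `strdup` calls are unchecked (a NULL from the first reaches strlen), and `regerror(..., re_error, 64)` should use `sizeof(re_error)` so the buffer size has one source of truth. A rewrite of the splitting loop using memmove with the index and length adjusted is below; the per-pattern loop is unchanged apart from checking the second strdup the same way.
```c
	copy = strdup(re_string);
	if (copy == NULL) {
		(void) fprintf(stderr, "strdup: %s\n", strerror(errno));
		exit(1);
	}
	orig = copy;
	len = strlen(copy);
	for (nstrs = 0, i = 0; i < len; i++) {
		if (copy[i] == ',' && i > 0) {
			if (copy[i - 1] == '\\') {
				/* Drop the backslash; regions overlap, so memmove. */
				memmove(&copy[i - 1], &copy[i], len - i + 1);
				len--;
				i--;	/* Re-examine the character now at copy[i]. */
			} else {
				nstrs++;
				copy[i] = '\0';
			}
		}
	}
	/* … unchanged: per-pattern calloc/regcomp/TAILQ_INSERT_TAIL loop … */
```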
@@ -258,23 +317,20 @@
 static int
 select_filepath(char *path, uint32_t *optchkd)
 {
-	char *loc;
+	struct re_entry *rep;
+	int match;
 
 	SETOPT((*optchkd), OPT_of);
+	match = 1;
 	if (ISOPTSET(opttochk, OPT_of)) {
-		if (p_fileobj[0] == '~') {
-			/* Object should not be in path. */
-			loc = strstr(path, p_fileobj + 1);
-			if ((loc != NULL) && (loc == path))
-				return (0);
-		} else {
-			/* Object should be in path. */
-			loc = strstr(path, p_fileobj);
-			if ((loc == NULL) || (loc != path))
-				return (0);
+		match = 0;
+		TAILQ_FOREACH(rep, &re_head, re_glue) {
+			if (regexec(&rep->re_regexp, path, 0, NULL,
+			    0) != REG_NOMATCH)
+				return (!rep->re_negate);
 		}
 	}
-	return (1);
+	return (match);
 }
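Review bot: With the new loop a specification consisting only of negated patterns (e.g. `-o file="~/dev/ttyp2"`) selects nothing: `match` is cleared to 0 and the function only returns early on a regexec hit, so a path matching no pattern is dropped, whereas the removed `~` code selected every path not starting with the object. If exclusion-only searches are meant to keep working, `match` should start at 1 when every entry in re_head has re_negate set, or the manual page should state that at least one positive pattern is required. The `match` local only ever holds 0 or 1 and could be replaced by returning the constant directly. The manual page example in this change always pairs `~` with a positive pattern, which hides this case.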
 
 /*
@@ -328,6 +384,24 @@
 	return (1);
 }
 
+static int
+select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd)
+{
+	int sorf;
+
+	SETOPT((*optchkd), (OPT_c));
+	if (tok_ret32.tt.ret32.status == 0)
+		sorf = AU_PRS_SUCCESS;
+	else
+		sorf = AU_PRS_FAILURE;
+	if (ISOPTSET(opttochk, OPT_c)) {
+		if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf,
+		    AU_PRS_USECACHE) != 1)
+			return (0);
+	}
+	return (1);
+}
+
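Review bot: `select_return32` takes both tokenstr_t arguments by value; the caller appears to do the same for `tok` with the other selectors, but copying two of them per return token is avoidable and pointer-to-const parameters would also make clear that neither is modified. The function also lacks the `/* Return 1 if ... */` header comment the neighbouring selectors carry; suggest `/* Return 1 if the record's success/failure status, taken from its return token, passes the -c preselection; else 0. */`. Only the 32-bit return and header tokens are handled here; whether this file deals with the 64-bit variants at all is not visible in the hunk.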
 /*
  * Return 1 if checks for the the following succeed
  * auid, 
@@ -395,6 +469,7 @@
 static int
 select_records(FILE *fp)
 {
+	tokenstr_t tok_hdr32_copy;
 	u_char *buf;
 	tokenstr_t tok;
 	int reclen;
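Review bot: `tok_hdr32_copy` is declared without an initializer and is only filled in when an AU_HEADER_32_TOKEN is seen (the bcopy added in the next hunk), yet the AU_RETURN_32_TOKEN case added two hunks later hands the copy to select_return32, which reads `tok_hdr32_copy.tt.hdr32.e_type`; a record with a non-32-bit header, or a stray return token before any header, would then preselect on indeterminate data. Suggest clearing it at the start of each record, e.g. `bzero(&tok_hdr32_copy, sizeof(tok_hdr32_copy));`, or keeping a `have_hdr32` flag and skipping the OPT_c check while it is unset. The body of the new `case AU_RETURN_32_TOKEN:` is also indented one level less than the sibling cases such as AU_HEADER_32_TOKEN. select_records begins in this hunk and ends outside it.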
@@ -423,6 +498,8 @@
 			case AU_HEADER_32_TOKEN:
 					selected = select_hdr32(tok,
 					    &optchkd);
+					bcopy(&tok, &tok_hdr32_copy,
+					    sizeof(tok));
 					break;
 
 			case AU_PROCESS_32_TOKEN:
@@ -451,6 +528,11 @@
 					    tok.tt.path.path, &optchkd);
 					break;	
 
+			case AU_RETURN_32_TOKEN:
+				selected = select_return32(tok,
+				    tok_hdr32_copy, &optchkd);
+				break;
+
 			/* 
 			 * The following tokens dont have any relevant
 			 * attributes that we can select upon.
@@ -465,7 +547,6 @@
 			case AU_IPCPERM_TOKEN:
 			case AU_IPORT_TOKEN:
 			case AU_OPAQUE_TOKEN:
-			case AU_RETURN_32_TOKEN:
 			case AU_SEQ_TOKEN:
 			case AU_TEXT_TOKEN:
 			case AU_ARB_TOKEN:
@@ -500,6 +581,7 @@
 
 	if (!strcmp(name, FILEOBJ)) {
 		p_fileobj = val;
+		parse_regexp(val);
 		SETOPT(opttochk, OPT_of);
 	} else if (!strcmp(name, MSGQIDOBJ)) {
 		p_msgqobj = val;
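Review bot: parse_regexp runs `TAILQ_INIT(&re_head)` on every call, so a second `-o file=` on the command line silently discards the first list and leaks its entries and compiled regex_t objects; either reject a repeated file object here or have parse_regexp append to the existing list. `p_fileobj = val;` is kept although select_filepath no longer reads it in this change; if nothing else uses it, it can go. The enclosing function starts and ends outside the hunk.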
@@ -679,8 +761,12 @@
 	argv += optind;
 	argc -= optind;
 
-	if (argc == 0)
-		usage("Filename needed");
+	if (argc == 0) {
+		if (select_records(stdin) == -1)
+			errx(EXIT_FAILURE,
+			    "Couldn't select records from stdin");
+		exit(EXIT_SUCCESS);
+	}
 
 	/*
 	 * XXX: We should actually be merging records here.

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#4 (text+ko) ====

@@ -26,13 +26,20 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#3 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#4 $
  */
 
 #ifndef _AUDITREDUCE_H_
 #define _AUDITREDUCE_H_
 
 
+struct re_entry {
+	char		*re_pattern;
+	int		 re_negate;
+	regex_t		 re_regexp;
+	TAILQ_ENTRY(re_entry) re_glue;
+};
+
 #define OPT_a	0x00000001
 #define OPT_b	0x00000002
 #define OPT_c	0x00000004

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#19 (text+ko) ====

@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#18 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#19 $
  */
 
 #ifndef _LIBBSM_H_
@@ -78,6 +78,7 @@
 
 #define	DIR_CONTROL_ENTRY	"dir"
 #define	MINFREE_CONTROL_ENTRY	"minfree"
+#define	FILESZ_CONTROL_ENTRY	"filesz"
 #define	FLAGS_CONTROL_ENTRY	"flags"
 #define	NA_CONTROL_ENTRY	"naflags"
 #define	POLICY_CONTROL_ENTRY	"policy"
@@ -719,6 +720,7 @@
 void			 endac(void);
 int			 getacdir(char *name, int len);
 int			 getacmin(int *min_val);
+int			 getacfilesz(size_t *size_val);
 int			 getacflg(char *auditstr, int len);
 int			 getacna(char *auditstr, int len);
 int			 getacpol(char *auditstr, size_t len);

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#14 (xtext) ====

@@ -1,7 +1,7 @@
 #! /bin/sh
-# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 .
+# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11.
+# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12.
 #
 # Report bugs to <trustedbsd-audit at TrustesdBSD.org>.
 #
@@ -424,8 +424,8 @@
 # Identity of this package.
 PACKAGE_NAME='OpenBSM'
 PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.0a11'
-PACKAGE_STRING='OpenBSM 1.0a11'
+PACKAGE_VERSION='1.0a12'
+PACKAGE_STRING='OpenBSM 1.0a12'
 PACKAGE_BUGREPORT='trustedbsd-audit at TrustesdBSD.org'
 
 ac_unique_file="bin/auditreduce/auditreduce.c"
@@ -955,7 +955,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1021,7 +1021,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenBSM 1.0a11:";;
+     short | recursive ) echo "Configuration of OpenBSM 1.0a12:";;
    esac
   cat <<\_ACEOF
 
@@ -1162,7 +1162,7 @@
 test -n "$ac_init_help" && exit 0
 if $ac_init_version; then
   cat <<\_ACEOF
-OpenBSM configure 1.0a11
+OpenBSM configure 1.0a12
 generated by GNU Autoconf 2.59
 
 Copyright (C) 2003 Free Software Foundation, Inc.
@@ -1176,7 +1176,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by OpenBSM $as_me 1.0a11, which was
+It was created by OpenBSM $as_me 1.0a12, which was
 generated by GNU Autoconf 2.59.  Invocation command line was
 
   $ $0 $@
@@ -19278,7 +19278,7 @@
 
 # Define the identity of the package.
  PACKAGE=OpenBSM
- VERSION=1.0a11
+ VERSION=1.0a12
 
 
 cat >>confdefs.h <<_ACEOF
@@ -23479,7 +23479,7 @@
 } >&5
 cat >&5 <<_CSEOF
 
-This file was extended by OpenBSM $as_me 1.0a11, which was
+This file was extended by OpenBSM $as_me 1.0a12, which was
 generated by GNU Autoconf 2.59.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -23542,7 +23542,7 @@
 
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-OpenBSM config.status 1.0a11
+OpenBSM config.status 1.0a12
 configured by $0, generated by GNU Autoconf 2.59,
   with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
 

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#15 (text+ko) ====

@@ -2,8 +2,8 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit at TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#14 $])
+AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit at TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#15 $])
 AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADER([config/config.h])

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#7 (text+ko) ====

@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#6 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#7 $
 # $FreeBSD: src/contrib/openbsm/etc/audit_control,v 1.2 2006/03/26 01:44:35 rwatson Exp $
 #
 dir:/var/audit
@@ -7,3 +7,4 @@
 minfree:20
 naflags:lo
 policy:cnt
+filesz:0

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#17 (text+ko) ====

@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#16 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#17 $
 # $FreeBSD: src/contrib/openbsm/etc/audit_event,v 1.3 2006/06/27 18:09:54 rwatson Exp $
 #
 0:AUE_NULL:indir system call:no
@@ -419,6 +419,10 @@
 43114:AUE_KENV:kenv(8):ad
 43115:AUE_JAIL_ATTACH:jail_attach(2):ad
 43116:AUE_SYSCTL_WRITE:sysctl(3):ad
+43117:AUE_IOPERM:linux ioperm:ad
+43118:AUE_READDIR:readdir(3):no
+43119:AUE_IOPL:linux iopl:ad
+43120:AUE_VM86:linux vm86:pc
 #
 # User space system events.
 #

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#6 (text+ko) ====

@@ -1,5 +1,5 @@
 .\"-
-.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#5 $
+.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#6 $
 .\"
 .Dd April 19, 2005
 .Dt AU_CONTROL 3
@@ -33,6 +33,7 @@
 .Nm endac ,
 .Nm getacdir ,
 .Nm getacmin ,
+.Nm getacfilesz ,
 .Nm getacflg ,
 .Nm getacna ,
 .Nm getacpol ,
@@ -52,6 +53,8 @@
 .Ft int
 .Fn getacmin "int *min_val"
 .Ft int
+.Fn getacfilesz "size_t *size_val"
+.Ft int
 .Fn getacflg "char *auditstr" "int len"
 .Ft int
 .Fn getacna "char *auditstr" "int len"
@@ -88,6 +91,10 @@
 .Va min_val
 variable.
 .Pp
+.Fn getacfilesz
+returns the audit trail rotation size in the passed size_t buffer
+.Fa size_val .
+.Pp
 .Fn getacflg
 returns the audit system flags via the the passed character buffer
 .Va auditstr

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#11 (text+ko) ====

@@ -27,7 +27,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#10 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#11 $
  */
 
 #include <bsm/libbsm.h>
@@ -396,6 +396,46 @@
 }
 
 /*
+ * Return the desired trail rotation size from the audit control file.
+ */
+int
+getacfilesz(size_t *filesz_val)
+{
+	char *filesz, *dummy;
+	long long ll;
+
+	pthread_mutex_lock(&mutex);
+	setac_locked();
+	if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+	if (filesz == NULL) {
+		pthread_mutex_unlock(&mutex);
+		errno = EINVAL;
+		return (1);
+	}
+	ll = strtoll(filesz, &dummy, 10);
+	if (*dummy != '\0') {
+		pthread_mutex_unlock(&mutex);
+		errno = EINVAL;
+		return (-1);
+	}
+	/*
+	 * The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE.  0
+	 * indicates no rotation size.
+	 */
+	if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
+		pthread_mutex_unlock(&mutex);
+		errno = EINVAL;
+		return (-1);
+	}
+	*filesz_val = ll;
+	pthread_mutex_unlock(&mutex);
+	return (0);
+}
+
+/*
  * Return the system audit value from the audit contol file.
  */
 int
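Review bot: The `strtoll` call accepts an empty value and silently saturates on overflow: for `filesz:` with nothing after the colon, `dummy == filesz` and `*dummy == '\0'`, so ll is 0 and the entry is treated as "no rotation", and for an out-of-range number strtoll returns LLONG_MAX with errno set to ERANGE, which is never checked. Suggest `errno = 0;` before the call and `if (dummy == filesz || *dummy != '\0' || errno == ERANGE) {` as the validity test. `*filesz_val = ll;` also narrows long long to size_t, so on a 32-bit build values above SIZE_MAX wrap; a bound such as `(unsigned long long)ll > SIZE_MAX` belongs with the range test, which currently only establishes a lower bound via MIN_AUDIT_FILE_SIZE. The missing-entry path returns 1 with errno set to EINVAL, which the auditd.c caller in this change logs as an error; if "not configured" is a legitimate state it should not set errno, and the 0/1/-1/-2 return convention deserves a line in the header comment.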

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#9 (text+ko) ====

@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#8 $
+.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#9 $
 .\"
 .Dd April 19, 2005
 .Dt LIBBSM 3
@@ -84,6 +84,7 @@
 .Xr endac 3 ,
 .Xr setac 3 ,
 .Xr getacdir 3 ,
+.Xr getacfilesz 3 ,
 .Xr getacflg 3 ,
 .Xr getacmin 3 ,
 .Xr getacna 3 ,

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#9 (text+ko) ====

@@ -1,4 +1,5 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2006 Robert N. M. Watson
 .\" All rights reserved.
 .\" 
 .\" Redistribution and use in source and binary forms, with or without
@@ -25,7 +26,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#8 $
+.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#9 $
 .\"
 .Dd January 4, 2006
 .Dt AUDIT_CONTROL 5
@@ -66,6 +67,12 @@
 .It Va policy
 A list of global audit policy flags specifying various behaviors, such as
 fail stop, auditing of paths and arguments, etc.
+.It Va filesz
+Maximum trail size in bytes; if set to a non-0 value, the audit daemon will
+rotate the audit trail file at around this size.
+Sizes less than the minimum trail size (default of 512K) will be rejected as
+invalid.
+If 0, trail files will not be automatically rotated based on file size.
 .El
 .Sh AUDIT FLAGS
 Audit flags are a comma-delimited list of audit classes as defined in the
@@ -78,12 +85,14 @@
 The following prefixes may be used for each class:
 .Pp
 .Bl -tag -width Ds -compact -offset indent
+.It (none)
+Record both successful and failed events
 .It +
 Record successful events
 .It -
 Record failed events
 .It ^
-Record both successful and failed events
+Record neither successful nor failed events
 .It ^+
 Do not record successful events
 .It ^-
@@ -146,6 +155,7 @@
 minfree:20
 naflags:lo
 policy:cnt
+filesz:0
 .Ed
 .Pp
 The
@@ -156,7 +166,8 @@
 .Va policy
 parameter specifies that the system should neither fail stop nor suspend
 processes when the audit store fills.
-will be audited.
+The trail file will not be automatically rotated by the audit daemon based on
+file size.
 .Sh FILES
 .Bl -tag -width "/etc/security/audit_control" -compact
 .It Pa /etc/security/audit_control

==== //depot/projects/trustedbsd/audit3/sys/bsm/audit_kevents.h#29 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_kevents.h#28 $
+ * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_kevents.h#29 $
  * $FreeBSD: src/sys/bsm/audit_kevents.h,v 1.7 2006/08/26 08:17:58 rwatson Exp $
  */
 
@@ -471,6 +471,10 @@
 #define	AUE_KENV		43114	/* FreeBSD. */
 #define	AUE_JAIL_ATTACH		43115	/* FreeBSD. */
 #define	AUE_SYSCTL_WRITE	43116	/* FreeBSD. */
+#define	AUE_IOPERM		43117	/* Linux. */
+#define	AUE_READDIR		43118	/* Linux. */
+#define	AUE_IOPL		43119	/* Linux. */
+#define	AUE_VM86		43120	/* Linux. */
 
 /*
  * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
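Review bot: The comment on `AUE_READDIR` says `/* Linux. */` like its neighbours, while the audit_event entry for 43118 in this same change describes it as `readdir(3)` with class `no`; if the event exists for Linux compatibility like AUE_IOPERM, AUE_IOPL and AUE_VM86, the audit_event description should say so, and if it is a generic readdir event the header comment is misleading. Whichever is intended, the two files should agree.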

