Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 2 Mar 2009 10:46:23 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject:   svn commit: r189277 - in vendor/openbsm/dist: . bin/audit bin/auditd bsm etc libauditd libbsm man sys/bsm tools
Message-ID:  <200903021046.n22AkNQA072425@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: rwatson
Date: Mon Mar  2 10:46:23 2009
New Revision: 189277
URL: http://svn.freebsd.org/changeset/base/189277

Log:
  Vendor import of OpenBSM 1.1 beta1, which incorporates the following
  changes since the last imported OpenBSM release:
  
  OpenBSM 1.1 beta 1
  
  - The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
    Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
    For legacy support no suffix defaults to bytes.
  - Audit trail log expiration support added.  It is configured in
    audit_control(5) with the expire-after parameter.  If there is no
    expire-after parameter in audit_control(5), the default, then the audit
    trail files are not expired and removed.  See audit_control(5) for
    more information.
  - Change defaults in audit_control: warn at 5% rather than 20% free for audit
    partitions, rotate automatically at 2mb, and set the default policy to
    cnt,argv rather than cnt so that execve(2) arguments are captured if
    AUE_EXECVE events are audited.  These may provide more usable defaults for
    many users.
  - Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
    au_to_socket_ex(3) arguments to BSM format.
  - Fix error encoding AUT_IPC_PERM tokens.
  
  Obtained from:    TrustedBSD Project
  Sponsored by:     Apple Inc.

Modified:
  vendor/openbsm/dist/CREDITS
  vendor/openbsm/dist/NEWS
  vendor/openbsm/dist/README
  vendor/openbsm/dist/VERSION
  vendor/openbsm/dist/bin/audit/audit.8
  vendor/openbsm/dist/bin/audit/audit.c
  vendor/openbsm/dist/bin/auditd/audit_warn.c
  vendor/openbsm/dist/bin/auditd/auditd.c
  vendor/openbsm/dist/bin/auditd/auditd.h
  vendor/openbsm/dist/bsm/auditd_lib.h
  vendor/openbsm/dist/bsm/libbsm.h
  vendor/openbsm/dist/configure
  vendor/openbsm/dist/configure.ac
  vendor/openbsm/dist/etc/audit_control
  vendor/openbsm/dist/etc/audit_event
  vendor/openbsm/dist/libauditd/auditd_lib.c
  vendor/openbsm/dist/libbsm/au_control.3
  vendor/openbsm/dist/libbsm/au_domain.3
  vendor/openbsm/dist/libbsm/au_errno.3
  vendor/openbsm/dist/libbsm/bsm_control.c
  vendor/openbsm/dist/libbsm/bsm_errno.c
  vendor/openbsm/dist/libbsm/bsm_io.c
  vendor/openbsm/dist/libbsm/bsm_token.c
  vendor/openbsm/dist/man/audit_control.5
  vendor/openbsm/dist/man/auditon.2
  vendor/openbsm/dist/sys/bsm/audit.h
  vendor/openbsm/dist/sys/bsm/audit_kevents.h
  vendor/openbsm/dist/tools/audump.c

Modified: vendor/openbsm/dist/CREDITS
==============================================================================
--- vendor/openbsm/dist/CREDITS	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/CREDITS	Mon Mar  2 10:46:23 2009	(r189277)
@@ -27,6 +27,7 @@ the development of OpenBSM:
     Eric Hall
     Xin LI
     Stacey Son
+    Todd Heberlein
 
 In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
 Software's FlexeLint tool were used to identify a number of bugs in the

Modified: vendor/openbsm/dist/NEWS
==============================================================================
--- vendor/openbsm/dist/NEWS	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/NEWS	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,5 +1,24 @@
 OpenBSM Version History
 
+OpenBSM 1.1 beta 1
+
+- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
+  Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
+  For legacy support no suffix defaults to bytes.
+- Audit trail log expiration support added.  It is configured in
+  audit_control(5) with the expire-after parameter.  If there is no 
+  expire-after parameter in audit_control(5), the default, then the audit
+  trail files are not expired and removed.  See audit_control(5) for
+  more information.
+- Change defaults in audit_control: warn at 5% rather than 20% free for audit
+  partitions, rotate automatically at 2mb, and set the default policy to
+  cnt,argv rather than cnt so that execve(2) arguments are captured if
+  AUE_EXECVE events are audited.  These may provide more usable defaults for
+  many users.
+- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
+  au_to_socket_ex(3) arguments to BSM format.
+- Fix error encoding AUT_IPC_PERM tokens.
+
 OpenBSM 1.1 alpha 5
 
 - Stub libauditd(3) man page added.
@@ -412,4 +431,4 @@ OpenBSM 1.0 alpha 1
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#27 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#32 $

Modified: vendor/openbsm/dist/README
==============================================================================
--- vendor/openbsm/dist/README	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/README	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,4 +1,4 @@
-OpenBSM 1.1 alpha 4
+OpenBSM 1.1 beta 1
 
   Introduction
 
@@ -56,4 +56,4 @@ Information on TrustedBSD may be found o
 
     http://www.TrustedBSD.org/
 
-$P4: //depot/projects/trustedbsd/openbsm/README#34 $
+$P4: //depot/projects/trustedbsd/openbsm/README#35 $

Modified: vendor/openbsm/dist/VERSION
==============================================================================
--- vendor/openbsm/dist/VERSION	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/VERSION	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1 +1 @@
-OPENBSM_1_1_ALPHA_5
+OPENBSM_1_1_BETA_1

Modified: vendor/openbsm/dist/bin/audit/audit.8
==============================================================================
--- vendor/openbsm/dist/bin/audit/audit.8	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/bin/audit/audit.8	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Inc.
+.\" Copyright (c) 2004-2009 Apple Inc.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -25,9 +25,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $
 .\"
-.Dd December 11, 2008
+.Dd January 29, 2009
 .Dt AUDIT 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Nd audit management utility
 .Sh SYNOPSIS
 .Nm
-.Fl i | n | s | t
+.Fl e | i | n | s | t
 .Sh DESCRIPTION
 The
 .Nm
@@ -43,6 +43,10 @@ utility controls the state of the audit 
 One of the following flags is required as an argument to
 .Nm :
 .Bl -tag -width indent
+.It Fl e
+Forces the audit system to immediately remove audit log files that
+meet the expiration criteria specified in the audit control file without
+doing a log rotation. 
 .It Fl i
 Initializes and starts auditing.
 This option is currently for Mac OS X only
@@ -53,6 +57,8 @@ to be configured to run under 
 .It Fl n
 Forces the audit system to close the existing audit log file and rotate to
 a new log file in a location specified in the audit control file.
+Also, audit log files that meet the expiration criteria specified in the 
+audit control file will be removed.
 .It Fl s
 Specifies that the audit system should [re]synchronize its
 configuration from the audit control file.

Modified: vendor/openbsm/dist/bin/audit/audit.c
==============================================================================
--- vendor/openbsm/dist/bin/audit/audit.c	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/bin/audit/audit.c	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005-2008 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $
  */
 /*
  * Program to trigger the audit daemon with a message that is either:
@@ -68,12 +68,15 @@ static int send_trigger(unsigned int);
 #include "auditd_control.h"
 
 /* 
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
  * audit.h header. 
  */
 #ifndef AUDIT_TRIGGER_INITIALIZE
 #define	AUDIT_TRIGGER_INITIALIZE	7
 #endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define	AUDIT_TRIGGER_EXPIRE_TRAILS	8
+#endif
 
 static int
 send_trigger(unsigned int trigger)
@@ -125,7 +128,7 @@ static void
 usage(void)
 {
 
-	(void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
+	(void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n");
 	exit(-1);
 }
 
@@ -141,9 +144,13 @@ main(int argc, char **argv)
 	if (argc != 2)
 		usage();
 
-	while ((ch = getopt(argc, argv, "inst")) != -1) {
+	while ((ch = getopt(argc, argv, "einst")) != -1) {
 		switch(ch) {
 
+		case 'e':
+			trigger = AUDIT_TRIGGER_EXPIRE_TRAILS;
+			break;
+
 		case 'i':
 			trigger = AUDIT_TRIGGER_INITIALIZE;
 			break;

Modified: vendor/openbsm/dist/bin/auditd/audit_warn.c
==============================================================================
--- vendor/openbsm/dist/bin/auditd/audit_warn.c	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/bin/auditd/audit_warn.c	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
  */
 
 #include <sys/types.h>
@@ -236,3 +236,18 @@ audit_warn_tmpfile(void)
 
 	return (auditwarnlog(args));
 }
+
+/*
+ * Indicates that this trail file has expired and was removed.
+ */
+int
+audit_warn_expired(char *filename)
+{
+	char *args[3];
+
+	args[0] = EXPIRED_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}

Modified: vendor/openbsm/dist/bin/auditd/auditd.c
==============================================================================
--- vendor/openbsm/dist/bin/auditd/auditd.c	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/bin/auditd/auditd.c	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $
  */
 
 #include <sys/types.h>
@@ -67,12 +67,16 @@
 #endif
 
 /*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
  * audit.h header.
  */
 #ifndef	AUDIT_TRIGGER_INITIALIZE
 #define	AUDIT_TRIGGER_INITIALIZE	7
 #endif
+#ifndef	AUDIT_TRIGGER_EXPIRE_TRAILS
+#define	AUDIT_TRIGGER_EXPIRE_TRAILS	8
+#endif
+
 
 /*
  * LaunchD flag (Mac OS X and, maybe, FreeBSD only.)  See launchd(8) and 
@@ -166,7 +170,7 @@ close_lastfile(char *TS)
 
 		/* Rename the last file -- append timestamp. */
 		if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
-			strlcpy(ptr, TS, TIMESTAMP_LEN);
+			memcpy(ptr, TS, POSTFIX_LEN);
 			if (rename(oldname, lastfile) != 0)
 				auditd_log_err(
 				    "Could not rename %s to %s: %m", oldname,
@@ -275,6 +279,14 @@ do_trail_file(void)
 		return (-1);
 	}
 
+	/*
+	 * Finally, see if there are any trail files to expire.
+	 */
+	err = auditd_expire_trails(audit_warn_expired);
+	if (err)
+		auditd_log_err("auditd_expire_trails(): %s",
+		    auditd_strerror(err));
+
 	return (0);
 }
 
@@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger)
 			audit_setup();
 		break;
 
+	case AUDIT_TRIGGER_EXPIRE_TRAILS:
+		auditd_log_info("Got audit expire trails trigger");
+		err = auditd_expire_trails(audit_warn_expired);
+		if (err)
+			auditd_log_err("auditd_expire_trails(): %s",
+		    	    auditd_strerror(err));
+		break;
+
 	default:
 		auditd_log_err("Got unknown trigger %d", trigger);
 		break;
@@ -669,13 +689,18 @@ auditd_config_controls(void)
 	 */
 	err = auditd_set_host();
 	if (err) {
-		auditd_log_err("auditd_set_host() %s: %m",
-		    auditd_strerror(err));
-		ret = -1;
+		if (err == ADE_PARSE) {
+			auditd_log_notice(
+			    "audit_control(5) may be missing 'host:' field");
+		} else {
+			auditd_log_err("auditd_set_host() %s: %m",
+			    auditd_strerror(err));
+			ret = -1;
+		}
 	} else
 		auditd_log_debug(
 		    "Set audit host address information in kernel.");
-	
+
 	return (ret);
 }
 

Modified: vendor/openbsm/dist/bin/auditd/auditd.h
==============================================================================
--- vendor/openbsm/dist/bin/auditd/auditd.h	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/bin/auditd/auditd.h	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
  */
 
 #ifndef _AUDITD_H_
@@ -57,6 +57,7 @@
 #define	POSTSIGTERM_WARN	"postsigterm"
 #define	SOFTLIM_WARN		"soft"
 #define	TMPFILE_WARN		"tmpfile"
+#define	EXPIRED_WARN		"expired"
 
 #define	AUDITWARN_SCRIPT	"/etc/security/audit_warn"
 #define	AUDITD_PIDFILE		"/var/run/auditd.pid"
@@ -76,6 +77,7 @@ int	audit_warn_nostart(void);
 int	audit_warn_postsigterm(void);
 int	audit_warn_soft(char *filename);
 int	audit_warn_tmpfile(void);
+int	audit_warn_expired(char *filename);
 
 void	auditd_openlog(int debug, gid_t gid);
 void	auditd_log_err(const char *fmt, ...);

Modified: vendor/openbsm/dist/bsm/auditd_lib.h
==============================================================================
--- vendor/openbsm/dist/bsm/auditd_lib.h	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/bsm/auditd_lib.h	Mon Mar  2 10:46:23 2009	(r189277)
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#3 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $
  */
 
 #ifndef _BSM_AUDITD_LIB_H_
@@ -81,12 +81,14 @@
 #define	ADE_INVAL	-16	/* Invalid argument. */
 #define	ADE_GETADDR	-17	/* Error resolving address from hostname. */
 #define	ADE_ADDRFAM	-18	/* Address family not supported. */
+#define	ADE_EXPIRE	-19	/* Error expiring audit trail files. */
 
 /*
  * auditd_lib functions.
  */
 const char *auditd_strerror(int errcode);
 int auditd_set_minfree(void);
+int auditd_expire_trails(int (*warn_expired)(char *));
 int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
 void auditd_close_dirs(void);
 int auditd_set_evcmap(void);

Modified: vendor/openbsm/dist/bsm/libbsm.h
==============================================================================
--- vendor/openbsm/dist/bsm/libbsm.h	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/bsm/libbsm.h	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#42 $
  */
 
 #ifndef _LIBBSM_H_
@@ -76,13 +76,14 @@
 #define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
 #define	AUDIT_USER_FILE		"/etc/security/audit_user"
 
-#define	DIR_CONTROL_ENTRY	"dir"
-#define	MINFREE_CONTROL_ENTRY	"minfree"
-#define	FILESZ_CONTROL_ENTRY	"filesz"
-#define	FLAGS_CONTROL_ENTRY	"flags"
-#define	NA_CONTROL_ENTRY	"naflags"
-#define	POLICY_CONTROL_ENTRY	"policy"
+#define	DIR_CONTROL_ENTRY		"dir"
+#define	MINFREE_CONTROL_ENTRY		"minfree"
+#define	FILESZ_CONTROL_ENTRY		"filesz"
+#define	FLAGS_CONTROL_ENTRY		"flags"
+#define	NA_CONTROL_ENTRY		"naflags"
+#define	POLICY_CONTROL_ENTRY		"policy"
 #define	AUDIT_HOST_CONTROL_ENTRY	"host"
+#define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"
 
 #define	AU_CLASS_NAME_MAX	8
 #define	AU_CLASS_DESC_MAX	72
@@ -766,6 +767,7 @@ int			 getacflg(char *auditstr, int len)
 int			 getacna(char *auditstr, int len);
 int			 getacpol(char *auditstr, size_t len);
 int			 getachost(char *auditstr, size_t len);
+int			 getacexpire(int *andflg, time_t *age, size_t *size);
 int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
 int			 getauditflagschar(char *auditstr, au_mask_t *masks,
 			    int verbose);

Modified: vendor/openbsm/dist/configure
==============================================================================
--- vendor/openbsm/dist/configure	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/configure	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for OpenBSM 1.1alpha5.
+# Generated by GNU Autoconf 2.61 for OpenBSM 1.1beta1.
 #
 # Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
 #
@@ -729,8 +729,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='OpenBSM'
 PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.1alpha5'
-PACKAGE_STRING='OpenBSM 1.1alpha5'
+PACKAGE_VERSION='1.1beta1'
+PACKAGE_STRING='OpenBSM 1.1beta1'
 PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
 
 ac_unique_file="bin/auditreduce/auditreduce.c"
@@ -1404,7 +1404,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures OpenBSM 1.1alpha5 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.1beta1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1474,7 +1474,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenBSM 1.1alpha5:";;
+     short | recursive ) echo "Configuration of OpenBSM 1.1beta1:";;
    esac
   cat <<\_ACEOF
 
@@ -1580,7 +1580,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-OpenBSM configure 1.1alpha5
+OpenBSM configure 1.1beta1
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1594,7 +1594,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by OpenBSM $as_me 1.1alpha5, which was
+It was created by OpenBSM $as_me 1.1beta1, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -19076,7 +19076,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE=OpenBSM
- VERSION=1.1alpha5
+ VERSION=1.1beta1
 
 
 cat >>confdefs.h <<_ACEOF
@@ -23584,7 +23584,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by OpenBSM $as_me 1.1alpha5, which was
+This file was extended by OpenBSM $as_me 1.1beta1, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -23637,7 +23637,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-OpenBSM config.status 1.1alpha5
+OpenBSM config.status 1.1beta1
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 

Modified: vendor/openbsm/dist/configure.ac
==============================================================================
--- vendor/openbsm/dist/configure.ac	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/configure.ac	Mon Mar  2 10:46:23 2009	(r189277)
@@ -2,8 +2,8 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.1alpha5], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 $])
+AC_INIT([OpenBSM], [1.1beta1], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#50 $])
 AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADER([config/config.h])

Modified: vendor/openbsm/dist/etc/audit_control
==============================================================================
--- vendor/openbsm/dist/etc/audit_control	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/etc/audit_control	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,9 +1,9 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $
 #
 dir:/var/audit
 flags:lo
-minfree:20
+minfree:5
 naflags:lo
-policy:cnt
-filesz:0
+policy:cnt,argv
+filesz:2097152

Modified: vendor/openbsm/dist/etc/audit_event
==============================================================================
--- vendor/openbsm/dist/etc/audit_event	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/etc/audit_event	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#34 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#36 $
 #
 # The mapping between event identifiers and values is also hard-coded in
 # audit_kevents.h and audit_uevents.h, so changes must occur in both places,
@@ -490,7 +490,7 @@
 43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
 43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
 43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
-43131:AUE_MAC_EXECVE:mac_exeve(2):ex,pc
+43131:AUE_MAC_EXECVE:mac_execve(2):ex,pc
 43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
 43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
 43134:AUE_MQ_OPEN:mq_open(2):ip
@@ -551,6 +551,8 @@
 43189:AUE_CAP_GETMODE:cap_getmode(2):pc
 43190:AUE_POSIX_SPAWN:posix_spawn(2):pc
 43191:AUE_FSGETPATH:fsgetpath(2):ot
+43192:AUE_PREAD:pread(2):no
+43193:AUE_PWRITE:pwrite(2):no
 #
 # Solaris userspace events.
 #

Modified: vendor/openbsm/dist/libauditd/auditd_lib.c
==============================================================================
--- vendor/openbsm/dist/libauditd/auditd_lib.c	Mon Mar  2 05:46:25 2009	(r189276)
+++ vendor/openbsm/dist/libauditd/auditd_lib.c	Mon Mar  2 10:46:23 2009	(r189277)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2008 Apple Inc.
+ * Copyright (c) 2008-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#2 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#7 $
  */
 
 #include <sys/param.h>
@@ -52,6 +52,7 @@
 #include <bsm/auditd_lib.h>
 #include <bsm/libbsm.h>
 
+#include <dirent.h>
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -77,6 +78,11 @@
 #define	AUDIT_HARD_LIMIT_FREE_BLOCKS	4
 #endif
 
+/*
+ * Number of seconds to January 1, 2000
+ */
+#define	JAN_01_2000	946598400
+
 struct dir_ent {
 	char			*dirname;
 	uint8_t			 softlim;
@@ -85,7 +91,19 @@ struct dir_ent {
 };
 
 static TAILQ_HEAD(, dir_ent)	dir_q;
-static int minval = -1;
+
+struct audit_trail {
+	time_t			 at_time;
+	char			*at_path;
+	off_t			 at_size;
+
+	TAILQ_ENTRY(audit_trail) at_trls;
+};
+
+static int auditd_minval = -1;
+
+static char auditd_host[MAXHOSTNAMELEN];
+static int auditd_hostlen = -1;
 
 static char *auditd_errmsg[] = {
 	"no error",					/* ADE_NOERR 	( 0) */
@@ -107,6 +125,7 @@ static char *auditd_errmsg[] = {
 	"invalid argument",				/* ADE_INVAL	(16) */
 	"could not resolve hostname to address",	/* ADE_GETADDR	(17) */
 	"address family not supported",			/* ADE_ADDRFAM	(18) */
+	"error expiring audit trail files",		/* ADE_EXPIRE	(19) */
 };
 
 #define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
@@ -165,7 +184,13 @@ affixdir(char *name, struct dir_ent *dir
                 return (NULL);
 	}
 
-	asprintf(&fn, "%s/%s", dirent->dirname, name);
+	/*
+	 * If the host is set then also add the hostname to the filename.
+	 */
+	if (auditd_hostlen != -1)
+		asprintf(&fn, "%s/%s.%s", dirent->dirname, name, auditd_host);
+	else
+		asprintf(&fn, "%s/%s", dirent->dirname, name);
 	return (fn);
 }
 
@@ -204,16 +229,14 @@ insert_orderly(struct dir_ent *denew)
 int
 auditd_set_host(void)
 {
-	char hoststr[MAXHOSTNAMELEN];
 	struct sockaddr_in6 *sin6;
 	struct sockaddr_in *sin;
 	struct addrinfo *res;
 	struct auditinfo_addr aia;
 	int error, ret = ADE_NOERR;
 
-	if (getachost(hoststr, MAXHOSTNAMELEN) != 0) {
-
-		ret = ADE_PARSE;
+	if (getachost(auditd_host, sizeof(auditd_host)) != 0) {
+		ret = ADE_PARSE;	
 	
 		/*
 		 * To maintain reverse compatability with older audit_control
@@ -229,7 +252,8 @@ auditd_set_host(void)
 			ret = ADE_AUDITON;
 		return (ret);
 	}
-	error = getaddrinfo(hoststr, NULL, NULL, &res);
+	auditd_hostlen = strlen(auditd_host);
+	error = getaddrinfo(auditd_host, NULL, NULL, &res);
 	if (error)
 		return (ADE_GETADDR);
 	switch (res->ai_family) {
@@ -271,14 +295,14 @@ auditd_set_minfree(void)
 {
 	au_qctrl_t qctrl;
 
-	if (getacmin(&minval) != 0)
+	if (getacmin(&auditd_minval) != 0)
 		return (ADE_PARSE);
 	
 	if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0)
 		return (ADE_AUDITON);
 
-	if (qctrl.aq_minfree != minval) {
-		qctrl.aq_minfree = minval;
+	if (qctrl.aq_minfree != auditd_minval) {
+		qctrl.aq_minfree = auditd_minval;
 		if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0)
 			return (ADE_AUDITON);
 	}
@@ -287,9 +311,259 @@ auditd_set_minfree(void)
 }
 
 /*
+ * Convert a trailname into a timestamp (seconds).  Return 0 if the conversion
+ * was successful.
+ */
+static int
+trailname_to_tstamp(char *fn, time_t *tstamp)
+{
+	struct tm tm;
+	char ts[TIMESTAMP_LEN];
+	char *p;
+
+	*tstamp = 0;
+
+	/*
+	 * Get the ending time stamp.
+	 */
+	if ((p = strchr(fn, '.')) == NULL)
+		return (1);
+	strlcpy(ts, ++p, TIMESTAMP_LEN);
+	if (strlen(ts) != POSTFIX_LEN)
+		return (1);
+
+	bzero(&tm, sizeof(tm));
+
+	/* seconds (0-60) */
+	p = ts + POSTFIX_LEN - 2;
+	tm.tm_sec = atol(p);
+	if (tm.tm_sec < 0 || tm.tm_sec > 60)
+		return (1);
+
+	/* minutes (0-59) */ 
+	*p = '\0'; p -= 2;
+	tm.tm_min = atol(p);
+	if (tm.tm_min < 0 || tm.tm_min > 59)
+		return (1);
+
+	/* hours (0 - 23) */
+	*p = '\0'; p -= 2;
+	tm.tm_hour = atol(p);
+	if (tm.tm_hour < 0 || tm.tm_hour > 23)
+		return (1);
+
+	/* day of month (1-31) */
+	*p = '\0'; p -= 2;
+	tm.tm_mday = atol(p);
+	if (tm.tm_mday < 1 || tm.tm_mday > 31)
+		return (1);
+
+	/* month (0 - 11) */
+	*p = '\0'; p -= 2;
+	tm.tm_mon = atol(p) - 1;
+	if (tm.tm_mon < 0 || tm.tm_mon > 11)
+		return (1);
+
+	/* year (year - 1900) */
+	*p = '\0'; p -= 4;
+	tm.tm_year = atol(p) - 1900;
+	if (tm.tm_year < 0)
+		return (1);
+
+	*tstamp = timegm(&tm);
+
+	return (0);
+}
+
+/*
+ * Remove audit trails files according to the expiration conditions.  Returns:
+ * 	ADE_NOERR	on success or there is nothing to do.
+ * 	ADE_PARSE	if error parsing audit_control(5).
+ * 	ADE_NOMEM	if could not allocate memory.
+ * 	ADE_EXPIRE	if there was an unespected error.
+ */
+int
+auditd_expire_trails(int (*warn_expired)(char *))
+{
+	int andflg, ret = ADE_NOERR;
+	size_t expire_size, total_size = 0L;
+	time_t expire_age, oldest_time, current_time = time(NULL);
+	struct dir_ent *traildir;
+	struct audit_trail *at;
+	char *afnp, *pn;
+	TAILQ_HEAD(au_trls_head, audit_trail) head =
+	    TAILQ_HEAD_INITIALIZER(head);
+	struct stat stbuf;
+	char activefn[MAXPATHLEN];
+
+	/*
+	 * Read the expiration conditions.  If no conditions then return no
+	 * error.
+	 */
+	if (getacexpire(&andflg, &expire_age, &expire_size) < 0)
+		return (ADE_PARSE);
+	if (!expire_age && !expire_size)
+		return (ADE_NOERR);
+
+	/*
+	 * Read the 'current' trail file name.  Trim off directory path.
+	 */
+	activefn[0] = '\0';
+	readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);
+	if ((afnp = strrchr(activefn, '/')) != NULL) 
+		afnp++;
+
+
+	/*
+	 * Build tail queue of the trail files.
+	 */
+	TAILQ_FOREACH(traildir, &dir_q, dirs) {
+		DIR *dirp;
+		struct dirent *dp;
+
+		dirp = opendir(traildir->dirname);
+		while ((dp = readdir(dirp)) != NULL) {
+			time_t tstamp = 0;
+			struct audit_trail *new;
+
+			/*
+			 * Quickly filter non-trail files.
+			 */
+			if (dp->d_namlen != (FILENAME_LEN - 1) ||
+#ifdef DT_REG
+			    dp->d_type != DT_REG || 
+#endif
+			    dp->d_name[POSTFIX_LEN] != '.')
+				continue;
+
+			if (asprintf(&pn, "%s/%s", traildir->dirname,
+				dp->d_name) < 0) {
+				ret = ADE_NOMEM;
+				break;
+			}
+
+			if (stat(pn, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
+				free(pn);
+				continue;
+			}
+
+			total_size += stbuf.st_size;
+
+			/*
+			 * If this is the 'current' audit trail then
+			 * don't add it to the tail queue.
+			 */
+			if (NULL != afnp &&
+			    strncmp(dp->d_name, afnp, FILENAME_LEN) == 0) {
+				free(pn);
+				continue;
+			}
+
+			/*
+			 * Get the ending time stamp encoded in the trail
+			 * name.  If we can't read it or if it is older
+			 * than Jan 1, 2000 then use the mtime.
+			 */
+			if (trailname_to_tstamp(dp->d_name, &tstamp) != 0 ||
+			    tstamp < JAN_01_2000)
+				tstamp = stbuf.st_mtime;
+
+			/*
+			 * If the time stamp is older than Jan 1, 2000 then
+			 * update the mtime of the trail file to the current
+			 * time. This is so we don't prematurely remove a trail
+			 * file that was created while the system clock reset
+			 * to the * "beginning of time" but later the system
+			 * clock is set to the correct current time.
+			 */
+			if (current_time >= JAN_01_2000 &&
+			    tstamp < JAN_01_2000) {
+				struct timeval tv[2];
+
+				tstamp = stbuf.st_mtime = current_time;
+				TIMESPEC_TO_TIMEVAL(&tv[0], 
+				    &stbuf.st_atimespec);
+				TIMESPEC_TO_TIMEVAL(&tv[1], 
+				    &stbuf.st_mtimespec);
+				utimes(pn, tv);
+			}
+
+			/*
+			 * Allocate and populate the new entry.
+			 */
+			new = malloc(sizeof(*new));
+			if (NULL == new) {
+				free(pn);
+				ret = ADE_NOMEM;
+				break;
+			}
+			new->at_time = tstamp;
+			new->at_size = stbuf.st_size;
+			new->at_path = pn;
+
+			/*
+			 * Check to see if we have a new head.  Otherwise,
+			 * walk the tailq from the tail first and do a simple
+			 * insertion sort.
+			 */
+			if (TAILQ_EMPTY(&head) ||
+			    (new->at_time <= TAILQ_FIRST(&head)->at_time)) {
+				TAILQ_INSERT_HEAD(&head, new, at_trls);
+				continue;
+			}
+
+			TAILQ_FOREACH_REVERSE(at, &head, au_trls_head, at_trls)
+				if (new->at_time >= at->at_time) {
+					TAILQ_INSERT_AFTER(&head, at, new,
+					    at_trls);
+					break;
+				}
+
+		}
+	}
+
+	oldest_time = current_time - expire_age;
+
+	/* 
+	 * Expire trail files, oldest (mtime) first, if the given
+	 * conditions are met.
+	 */
+	at = TAILQ_FIRST(&head);
+	while (NULL != at) {
+		struct audit_trail *at_next = TAILQ_NEXT(at, at_trls);
+
+		if (andflg) {
+			if ((expire_size && total_size > expire_size) &&
+			    (expire_age && at->at_time < oldest_time)) {
+				if (warn_expired)
+				    (*warn_expired)(at->at_path);
+				if (unlink(at->at_path) < 0)
+					ret = ADE_EXPIRE;
+				total_size -= at->at_size;
+			}
+		} else {
+			if ((expire_size && total_size > expire_size) ||
+			    (expire_age && at->at_time < oldest_time)) {
+				if (warn_expired)
+				    (*warn_expired)(at->at_path);
+				if (unlink(at->at_path) < 0)
+					ret = ADE_EXPIRE;
+				total_size -= at->at_size;
+			}
+		}
+
+		free(at->at_path);
+		free(at);
+		at = at_next;
+	}
+
+	return (ret);
+}
+
+/*
  * Parses the "dir" entry in audit_control(5) into an ordered list.  Also, will
- * set the minfree value if not already set.  Arguments include function
- * pointers to audit_warn functions for soft and hard limits. Returns:
+ * set the minfree and host values if not already set.  Arguments include
+ * function pointers to audit_warn functions for soft and hard limits. Returns:
  *	ADE_NOERR	on success,
  *	ADE_PARSE	error parsing audit_control(5),
  *	ADE_AUDITON	error getting/setting auditon(2) value,
@@ -309,9 +583,12 @@ auditd_read_dirs(int (*warn_soft)(char *
 	int scnt = 0;
 	int hcnt = 0;
 
-	if (minval == -1 && (err = auditd_set_minfree()) != 0)
+	if (auditd_minval == -1 && (err = auditd_set_minfree()) != 0)
 		return (err);
 
+	if (auditd_hostlen == -1)
+		auditd_set_host();
+
         /*
          * Init directory q.  Force a re-read of the file the next time.
          */
@@ -329,7 +606,8 @@ auditd_read_dirs(int (*warn_soft)(char *
 	while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
 		if (statfs(cur_dir, &sfs) < 0)
 			continue;  /* XXX should warn */
-		soft = (sfs.f_bfree < (sfs.f_blocks / (100 / minval))) ? 1 : 0;
+		soft = (sfs.f_bfree < (sfs.f_blocks / (100 / auditd_minval))) ?
+		    1 : 0;
 		hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
 		if (soft) {
 			if (warn_soft) 
@@ -367,7 +645,8 @@ void
 auditd_close_dirs(void)
 {
 	free_dir_q();
-	minval = -1;
+	auditd_minval = -1;
+	auditd_hostlen = -1;
 }
 
 
@@ -549,7 +828,7 @@ auditd_swap_trail(char *TS, char **newfi
 	}
                 
 	/* Try until we succeed. */
-	while ((dirent = TAILQ_FIRST(&dir_q))) {
+	TAILQ_FOREACH(dirent, &dir_q, dirs) {
 		if (dirent->hardlim) 
 			continue;
 		if ((fn = affixdir(timestr, dirent)) == NULL)
@@ -606,6 +885,28 @@ auditd_swap_trail(char *TS, char **newfi
  *	ADE_NOERR	on success,
  *	ADE_SETAUDIT	if setaudit(2) fails.
  */
+#ifdef __APPLE__
+int
+auditd_prevent_audit(void)
+{
+	auditinfo_addr_t aia;
+
+	/* 
+	 * To prevent event feedback cycles and avoid audit becoming stalled if
+	 * auditing is suspended we mask this processes events from being

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200903021046.n22AkNQA072425>