Date: Sat, 26 Aug 2006 20:01:19 GMT From: "Christian S.J. Peron" <csjp@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 105138 for review Message-ID: <200608262001.k7QK1Jwr007685@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=105138

Change 105138 by csjp@csjp_xor on 2006/08/26 20:00:46

Write subject and return tokens. This is in preparation for some work around parsing of BSM records in the kernel. At minimum it will expect a header, subject, and return value so it can be properly preselected.

Affected files ...

.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#18 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#18 (text+ko) ====

@@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#17 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#18 $
 */
 #include <sys/types.h>
@@ -366,6 +366,7 @@
 static int
 close_all(void)
 {
+ struct auditinfo ai;
 int err_ret = 0;
 char TS[POSTFIX_LEN];
 int aufd;
@@ -378,6 +379,17 @@
 else {
 if ((tok = au_to_text("auditd::Audit shutdown")) != NULL)
 au_write(aufd, tok);
+ /*
+ * XXX we need to implement extended subject tokens so we can
+ * effectively represent terminal lines with this token type.
+ */
+ bzero(&ai, sizeof(ai));
+ if ((tok = au_to_subject32(getuid(), geteuid(), getegid(),
+ getuid(), getgid(), getpid(), getpid(), &ai.ai_termid))
+ != NULL)
+ au_write(aufd, tok);
+ if ((tok = au_to_return32(0, 0)) != NULL)
+ au_write(aufd, tok);
 if (au_close(aufd, 1, AUE_audit_shutdown) == -1)
 syslog(LOG_ERR, "Could not close audit shutdown event.");
@@ -745,6 +757,7 @@
 static void
 setup(void)
 {
+ struct auditinfo ai;
 auditinfo_t auinfo;
 int aufd;
 token_t *tok;
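Review bot: The shutdown record in the @@ -378 hunk lays out its tokens as text, subject, return, while the startup record in the @@ -781 hunk writes subject, text, return; since the description says a kernel-side parser will expect header, subject and return in a fixed position, the two records should use the same order, i.e. move the subject `au_write(aufd, tok)` in close_all ahead of the `au_to_text("auditd::Audit shutdown")` write. The subject token itself is built with getuid() in the audit-user-id slot and getpid() in the session-id slot, with a zeroed terminal id, so the attribution fields in the trail reflect neither the daemon's actual audit identity nor its session. A comment such as `/* auid/sid approximated from uid/pid; tid is zero until extended subject tokens exist */` would at least make that explicit to whoever consumes these records. close_all's body begins before and continues past this hunk.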
@@ -781,8 +794,20 @@
 if ((aufd = au_open()) == -1)
 syslog(LOG_ERR, "Could not create audit startup event.");
 else {
+ /*
+ * XXXCSJP Perhaps we wan't more robust audit records for
+ * audit start up and shutdown. This might include capturing
+ * failures to initialize the audit subsystem?
+ */
+ bzero(&ai, sizeof(ai));
+ if ((tok = au_to_subject32(getuid(), geteuid(), getegid(),
+ getuid(), getgid(), getpid(), getpid(), &ai.ai_termid))
+ != NULL)
+ au_write(aufd, tok);
 if ((tok = au_to_text("auditd::Audit startup")) != NULL)
 au_write(aufd, tok);
+ if ((tok = au_to_return32(0, 0)) != NULL)
+ au_write(aufd, tok);
 if (au_close(aufd, 1, AUE_audit_startup) == -1)
 syslog(LOG_ERR, "Could not close audit startup event.");
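Review bot: `struct auditinfo ai` is zeroed in this hunk only to supply `&ai.ai_termid`, while setup() already has `auditinfo_t auinfo` in scope (declared in the @@ -745 hunk, and the same type); if auinfo is filled in by getaudit(2) elsewhere in setup(), which this hunk does not show, passing `auinfo.ai_auid`, `auinfo.ai_asid` and `&auinfo.ai_termid` would record the daemon's real audit identity instead of the getuid()/getpid() stand-ins and would remove the duplicate declaration. The new comment also has a typo: `wan't` should read `want`. setup() starts outside this hunk.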