Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 6 Feb 2006 01:10:58 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 91206 for review
Message-ID:  <200602060110.k161Aw2J094833@repoman.freebsd.org>

next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=91206

Change 91206 by rwatson@rwatson_peppercorn on 2006/02/06 01:10:14

	Bring final OpenBSM 1.0 alpha 3 changes into TrustedBSD audit3
	branch:
	
	- More man page fixes.
	- Audit review group.
	- OpenBSM 1.0 alpha 3 notes.
	- AUE_SYSARCH.

Affected files ...

.. //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#2 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#19 integrate

Differences ...

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#6 (text+ko) ====

@@ -1,3 +1,12 @@
+OpenBSM 1.0 alpha 3
+
+- Man page formatting, cross reference, mlinks, and accuracy improvements.
+- auditd and tools now compile and run on FreeBSD/arm.
+- auditd will now fchown() the trail file to the audit review group, if
+  defined at compile-time.
+- Added AUE_SYSARCH for FreeBSD.
+- Definition of AUE_SETFSGID fixed for Linux.
+
 OpenBSM 1.0 alpha 2
 
 - Man page formatting improvements.
@@ -71,5 +80,6 @@
 - Annotate BSM events with origin OS and compatibility information.
 - auditd(8), audit(8) added to the OpenBSM distribution.  auditd extended
   to support reloading of kernel event table.
+- Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#5 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#6 $

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#4 (text+ko) ====

@@ -1,1 +1,1 @@
-OPENBSM_1_0_ALPHA_2
+OPENBSM_1_0_ALPHA_3

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#3 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#2 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#3 $
  */
 
 #include <sys/dirent.h>
@@ -46,6 +46,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <grp.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
@@ -171,6 +172,34 @@
 }
 
 /*
+ * Create the new audit file with appropriate permissions and ownership.  Try
+ * to clean up if something goes wrong.
+ */
+static int
+#ifdef AUDIT_REVIEW_GROUP
+open_trail(const char *fname, uid_t uid, gid_t gid)
+#else
+open_trail(const char *fname)
+#endif
+{
+	int error, fd;
+
+	fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+	if (fd < 0)
+		return (-1);
+#ifdef AUDIT_REVIEW_GROUP
+	if (fchown(fd, uid, gid) < 0) {
+		error = errno;
+		close(fd);
+		(void)unlink(fname);
+		errno = error;
+		return (-1);
+	}
+#endif
+	return (fd);
+}
+
+/*
  * Create the new file name, swap with existing audit file.
  */
 static int
@@ -180,7 +209,12 @@
 	char *fn;
 	char TS[POSTFIX_LEN];
 	struct dir_ent *dirent;
-	int fd;
+#ifdef AUDIT_REVIEW_GROUP
+	struct group *grp;
+	gid_t gid;
+	uid_t uid;
+#endif
+	int error, fd;
 
 	if (getTSstr(TS, POSTFIX_LEN) != 0)
 		return (-1);
@@ -188,6 +222,22 @@
 	strcpy(timestr, TS);
 	strcat(timestr, NOT_TERMINATED);
 
+#ifdef AUDIT_REVIEW_GROUP
+	/*
+	 * XXXRW: Currently, this code falls back to the daemon gid, which is
+	 * likely the wheel group.  Is there a better way to deal with this?
+	 */
+	grp = getgrnam(AUDIT_REVIEW_GROUP);
+	if (grp == NULL) {
+		syslog(LOG_INFO,
+		    "Audit review group '%s' not available, using daemon gid",
+		    AUDIT_REVIEW_GROUP);
+		gid = -1;
+	} else
+		gid = grp->gr_gid;
+	uid = getuid();
+#endif
+
 	/* Try until we succeed. */
 	while ((dirent = TAILQ_FIRST(&dir_q))) {
 		if ((fn = affixdir(timestr, dirent)) == NULL) {
@@ -201,20 +251,27 @@
 		 * kernel if all went well.
 		 */
 		syslog(LOG_INFO, "New audit file is %s\n", fn);
-		fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+#ifdef AUDIT_REVIEW_GROUP
+		fd = open_trail(fn, uid, gid);
+#else
+		fd = open_trail(fn);
+#endif
 		if (fd < 0)
-			perror("File open");
-		else if (auditctl(fn) != 0) {
-			syslog(LOG_ERR,
-			    "auditctl failed setting log file! : %s\n",
-			    strerror(errno));
-			close(fd);
-		} else {
-			/* Success. */
-			close_lastfile(TS);
-			lastfile = fn;
-			close(fd);
-			return (0);
+			warn("open(%s)", fn);
+		if (fd >= 0) {
+			error = auditctl(fn);
+			if (error) {
+				syslog(LOG_ERR,
+				    "auditctl failed setting log file! : %s\n",
+				    strerror(errno));
+				close(fd);
+			} else {
+				/* Success. */
+				close_lastfile(TS);
+				lastfile = fn;
+				close(fd);
+				return (0);
+			}
 		}
 
 		/*

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#2 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#1 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#2 $
  */
 
 #ifndef _AUDITD_H_
@@ -43,6 +43,13 @@
 #define	MAX_DIR_SIZE	255
 #define	AUDITD_NAME	"auditd"
 
+/*
+ * If defined, then the audit daemon will attempt to chown newly created logs
+ * to this group.  Otherwise, they will be the default for the user running
+ * auditd, likely the audit group.
+ */
+#define	AUDIT_REVIEW_GROUP	"audit"
+
 #define	POSTFIX_LEN		16
 #define	NOT_TERMINATED	".not_terminated"
 

==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#19 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#18 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#19 $
  */
 
 #ifndef _BSM_AUDIT_KEVENTS_H_
@@ -383,6 +383,7 @@
 #define	AUE_ACL_DELETE_FD		403	/* FreeBSD. */
 #define	AUE_ACL_CHECK_FILE		404	/* FreeBSD. */
 #define	AUE_ACL_CHECK_FD		405	/* FreeBSD. */
+#define	AUE_SYSARCH			406	/* FreeBSD. */
 
 /*
  * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200602060110.k161Aw2J094833>