From: Robert Watson
Date: Mon, 2 Mar 2009 13:29:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: svn commit: r189279 - in head: contrib/openbsm contrib/openbsm/bin/audit contrib/openbsm/bin/auditd contrib/openbsm/bsm contrib/openbsm/etc contrib/openbsm/libauditd contrib/openbsm/libbsm contrib/...
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
X-List-Received-Date: Mon, 02 Mar 2009 13:29:19 -0000

Author: rwatson
Date: Mon Mar 2 13:29:18 2009
New Revision: 189279

URL: http://svn.freebsd.org/changeset/base/189279

Log:
  Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
  contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
  merge). OpenBSM history for imported revision below for reference.

  MFC after:      1 month
  Sponsored by:   Apple, Inc.
  Obtained from:  TrustedBSD Project

  OpenBSM 1.1 beta 1

  - The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
    Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
    For legacy support no suffix defaults to bytes.
  - Audit trail log expiration support added. It is configured in
    audit_control(5) with the expire-after parameter. If there is no
    expire-after parameter in audit_control(5), the default, then the audit
    trail files are not expired and removed. See audit_control(5) for
    more information.
  - Change defaults in audit_control: warn at 5% rather than 20% free for
    audit partitions, rotate automatically at 2mb, and set the default
    policy to cnt,argv rather than cnt so that execve(2) arguments are
    captured if AUE_EXECVE events are audited. These may provide more
    usable defaults for many users.
  - Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
    au_to_socket_ex(3) arguments to BSM format.
  - Fix error encoding AUT_IPC_PERM tokens.

Modified:
  head/contrib/openbsm/   (props changed)
  head/contrib/openbsm/CREDITS
  head/contrib/openbsm/NEWS
  head/contrib/openbsm/README
  head/contrib/openbsm/VERSION
  head/contrib/openbsm/bin/audit/audit.8
  head/contrib/openbsm/bin/audit/audit.c
  head/contrib/openbsm/bin/auditd/audit_warn.c
  head/contrib/openbsm/bin/auditd/auditd.c
  head/contrib/openbsm/bin/auditd/auditd.h
  head/contrib/openbsm/bsm/auditd_lib.h
  head/contrib/openbsm/bsm/libbsm.h
  head/contrib/openbsm/configure
  head/contrib/openbsm/configure.ac
  head/contrib/openbsm/etc/audit_control
  head/contrib/openbsm/etc/audit_event
  head/contrib/openbsm/libauditd/auditd_lib.c
  head/contrib/openbsm/libbsm/au_control.3
  head/contrib/openbsm/libbsm/au_domain.3
  head/contrib/openbsm/libbsm/au_errno.3
  head/contrib/openbsm/libbsm/bsm_control.c
  head/contrib/openbsm/libbsm/bsm_errno.c
  head/contrib/openbsm/libbsm/bsm_io.c
  head/contrib/openbsm/libbsm/bsm_token.c
  head/contrib/openbsm/man/audit_control.5
  head/contrib/openbsm/man/auditon.2
  head/contrib/openbsm/sys/bsm/audit.h
  head/contrib/openbsm/sys/bsm/audit_kevents.h
  head/contrib/openbsm/tools/audump.c
  head/sys/bsm/audit.h
  head/sys/bsm/audit_kevents.h
  head/sys/security/audit/audit_bsm_errno.c
  head/sys/security/audit/audit_bsm_token.c

Modified: head/contrib/openbsm/CREDITS
==============================================================================
--- head/contrib/openbsm/CREDITS Mon Mar 2 10:48:15 2009 (r189278)
+++ head/contrib/openbsm/CREDITS Mon Mar 2 13:29:18 2009 (r189279)
@@ -27,6 +27,7 @@ the development of OpenBSM: Eric Hall Xin LI Stacey Son + Todd Heberlein In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel Software's FlexeLint tool were used to identify a number of bugs in the Modified: head/contrib/openbsm/NEWS ============================================================================== --- head/contrib/openbsm/NEWS Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/NEWS Mon Mar 2 13:29:18 2009 (r189279) @@ -1,5 +1,24 @@ OpenBSM Version History +OpenBSM 1.1 beta 1 + +- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for + Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes. + For legacy support no suffix defaults to bytes. +- Audit trail log expiration support added. It is configured in + audit_control(5) with the expire-after parameter. If there is no + expire-after parameter in audit_control(5), the default, then the audit + trail files are not expired and removed. See audit_control(5) for + more information. +- Change defaults in audit_control: warn at 5% rather than 20% free for audit + partitions, rotate automatically at 2mb, and set the default policy to + cnt,argv rather than cnt so that execve(2) arguments are captured if + AUE_EXECVE events are audited. These may provide more usable defaults for + many users. +- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert + au_to_socket_ex(3) arguments to BSM format. +- Fix error encoding AUT_IPC_PERM tokens. + OpenBSM 1.1 alpha 5 - Stub libauditd(3) man page added. 
@@ -412,4 +431,4 @@ OpenBSM 1.0 alpha 1 to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/NEWS#27 $ +$P4: //depot/projects/trustedbsd/openbsm/NEWS#32 $ Modified: head/contrib/openbsm/README ============================================================================== --- head/contrib/openbsm/README Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/README Mon Mar 2 13:29:18 2009 (r189279) @@ -1,4 +1,4 @@ -OpenBSM 1.1 alpha 4 +OpenBSM 1.1 beta 1 Introduction @@ -56,4 +56,4 @@ Information on TrustedBSD may be found o http://www.TrustedBSD.org/ -$P4: //depot/projects/trustedbsd/openbsm/README#34 $ +$P4: //depot/projects/trustedbsd/openbsm/README#35 $ Modified: head/contrib/openbsm/VERSION ============================================================================== --- head/contrib/openbsm/VERSION Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/VERSION Mon Mar 2 13:29:18 2009 (r189279) @@ -1 +1 @@ -OPENBSM_1_1_ALPHA_5 +OPENBSM_1_1_BETA_1 Modified: head/contrib/openbsm/bin/audit/audit.8 ============================================================================== --- head/contrib/openbsm/bin/audit/audit.8 Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/bin/audit/audit.8 Mon Mar 2 13:29:18 2009 (r189279) @@ -1,4 +1,4 @@ -.\" Copyright (c) 2004 Apple Inc. +.\" Copyright (c) 2004-2009 Apple Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -25,9 +25,9 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $ .\" -.Dd December 11, 2008 +.Dd January 29, 2009 .Dt AUDIT 8 .Os .Sh NAME 
@@ -35,7 +35,7 @@ .Nd audit management utility .Sh SYNOPSIS .Nm -.Fl i | n | s | t +.Fl e | i | n | s | t .Sh DESCRIPTION The .Nm @@ -43,6 +43,10 @@ utility controls the state of the audit One of the following flags is required as an argument to .Nm : .Bl -tag -width indent +.It Fl e +Forces the audit system to immediately remove audit log files that +meet the expiration criteria specified in the audit control file without +doing a log rotation. .It Fl i Initializes and starts auditing. This option is currently for Mac OS X only @@ -53,6 +57,8 @@ to be configured to run under .It Fl n Forces the audit system to close the existing audit log file and rotate to a new log file in a location specified in the audit control file. +Also, audit log files that meet the expiration criteria specified in the +audit control file will be removed. .It Fl s Specifies that the audit system should [re]synchronize its configuration from the audit control file. Modified: head/contrib/openbsm/bin/audit/audit.c ============================================================================== --- head/contrib/openbsm/bin/audit/audit.c Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/bin/audit/audit.c Mon Mar 2 13:29:18 2009 (r189279) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2005-2008 Apple Inc. + * Copyright (c) 2005-2009 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -26,7 +26,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $ */ /* * Program to trigger the audit daemon with a message that is either: 
@@ -68,12 +68,15 @@ static int send_trigger(unsigned int); #include "auditd_control.h" /* - * XXX the following is temporary until this can be added to the kernel + * XXX The following are temporary until these can be added to the kernel * audit.h header. */ #ifndef AUDIT_TRIGGER_INITIALIZE #define AUDIT_TRIGGER_INITIALIZE 7 #endif +#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS +#define AUDIT_TRIGGER_EXPIRE_TRAILS 8 +#endif static int send_trigger(unsigned int trigger) @@ -125,7 +128,7 @@ static void usage(void) { - (void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n"); + (void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n"); exit(-1); } @@ -141,9 +144,13 @@ main(int argc, char **argv) if (argc != 2) usage(); - while ((ch = getopt(argc, argv, "inst")) != -1) { + while ((ch = getopt(argc, argv, "einst")) != -1) { switch(ch) { + case 'e': + trigger = AUDIT_TRIGGER_EXPIRE_TRAILS; + break; + case 'i': trigger = AUDIT_TRIGGER_INITIALIZE; break; Modified: head/contrib/openbsm/bin/auditd/audit_warn.c ============================================================================== --- head/contrib/openbsm/bin/auditd/audit_warn.c Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/bin/auditd/audit_warn.c Mon Mar 2 13:29:18 2009 (r189279) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2005 Apple Inc. + * Copyright (c) 2005-2009 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -26,7 +26,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $ */ #include 
@@ -236,3 +236,18 @@ audit_warn_tmpfile(void) return (auditwarnlog(args)); } + +/* + * Indicates that this trail file has expired and was removed. + */ +int +audit_warn_expired(char *filename) +{ + char *args[3]; + + args[0] = EXPIRED_WARN; + args[1] = filename; + args[2] = NULL; + + return (auditwarnlog(args)); +} Modified: head/contrib/openbsm/bin/auditd/auditd.c ============================================================================== --- head/contrib/openbsm/bin/auditd/auditd.c Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/bin/auditd/auditd.c Mon Mar 2 13:29:18 2009 (r189279) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2004-2008 Apple Inc. + * Copyright (c) 2004-2009 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -26,7 +26,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $ */ #include @@ -67,12 +67,16 @@ #endif /* - * XXX the following is temporary until this can be added to the kernel + * XXX The following are temporary until these can be added to the kernel * audit.h header. */ #ifndef AUDIT_TRIGGER_INITIALIZE #define AUDIT_TRIGGER_INITIALIZE 7 #endif +#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS +#define AUDIT_TRIGGER_EXPIRE_TRAILS 8 +#endif + /* * LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and @@ -166,7 +170,7 @@ close_lastfile(char *TS) /* Rename the last file -- append timestamp. */ if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) { - strlcpy(ptr, TS, TIMESTAMP_LEN); + memcpy(ptr, TS, POSTFIX_LEN); if (rename(oldname, lastfile) != 0) auditd_log_err( "Could not rename %s to %s: %m", oldname, 
@@ -275,6 +279,14 @@ do_trail_file(void) return (-1); } + /* + * Finally, see if there are any trail files to expire. + */ + err = auditd_expire_trails(audit_warn_expired); + if (err) + auditd_log_err("auditd_expire_trails(): %s", + auditd_strerror(err)); + return (0); } @@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger) audit_setup(); break; + case AUDIT_TRIGGER_EXPIRE_TRAILS: + auditd_log_info("Got audit expire trails trigger"); + err = auditd_expire_trails(audit_warn_expired); + if (err) + auditd_log_err("auditd_expire_trails(): %s", + auditd_strerror(err)); + break; + default: auditd_log_err("Got unknown trigger %d", trigger); break; @@ -669,13 +689,18 @@ auditd_config_controls(void) */ err = auditd_set_host(); if (err) { - auditd_log_err("auditd_set_host() %s: %m", - auditd_strerror(err)); - ret = -1; + if (err == ADE_PARSE) { + auditd_log_notice( + "audit_control(5) may be missing 'host:' field"); + } else { + auditd_log_err("auditd_set_host() %s: %m", + auditd_strerror(err)); + ret = -1; + } } else auditd_log_debug( "Set audit host address information in kernel."); - + return (ret); } Modified: head/contrib/openbsm/bin/auditd/auditd.h ============================================================================== --- head/contrib/openbsm/bin/auditd/auditd.h Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/bin/auditd/auditd.h Mon Mar 2 13:29:18 2009 (r189279) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2005 Apple Inc. + * Copyright (c) 2005-2009 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -26,7 +26,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $ */ #ifndef _AUDITD_H_ 
@@ -57,6 +57,7 @@ #define POSTSIGTERM_WARN "postsigterm" #define SOFTLIM_WARN "soft" #define TMPFILE_WARN "tmpfile" +#define EXPIRED_WARN "expired" #define AUDITWARN_SCRIPT "/etc/security/audit_warn" #define AUDITD_PIDFILE "/var/run/auditd.pid" @@ -76,6 +77,7 @@ int audit_warn_nostart(void); int audit_warn_postsigterm(void); int audit_warn_soft(char *filename); int audit_warn_tmpfile(void); +int audit_warn_expired(char *filename); void auditd_openlog(int debug, gid_t gid); void auditd_log_err(const char *fmt, ...); Modified: head/contrib/openbsm/bsm/auditd_lib.h ============================================================================== --- head/contrib/openbsm/bsm/auditd_lib.h Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/bsm/auditd_lib.h Mon Mar 2 13:29:18 2009 (r189279) @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#3 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $ */ #ifndef _BSM_AUDITD_LIB_H_ @@ -81,12 +81,14 @@ #define ADE_INVAL -16 /* Invalid argument. */ #define ADE_GETADDR -17 /* Error resolving address from hostname. */ #define ADE_ADDRFAM -18 /* Address family not supported. */ +#define ADE_EXPIRE -19 /* Error expiring audit trail files. */ /* * auditd_lib functions. */ const char *auditd_strerror(int errcode); int auditd_set_minfree(void); +int auditd_expire_trails(int (*warn_expired)(char *)); int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *)); void auditd_close_dirs(void); int auditd_set_evcmap(void); Modified: head/contrib/openbsm/bsm/libbsm.h ============================================================================== --- head/contrib/openbsm/bsm/libbsm.h Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/bsm/libbsm.h Mon Mar 2 13:29:18 2009 (r189279) 
@@ -1,5 +1,5 @@ /*- - * Copyright (c) 2004-2008 Apple Inc. + * Copyright (c) 2004-2009 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#41 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#42 $ */ #ifndef _LIBBSM_H_ @@ -76,13 +76,14 @@ #define AUDIT_CONTROL_FILE "/etc/security/audit_control" #define AUDIT_USER_FILE "/etc/security/audit_user" -#define DIR_CONTROL_ENTRY "dir" -#define MINFREE_CONTROL_ENTRY "minfree" -#define FILESZ_CONTROL_ENTRY "filesz" -#define FLAGS_CONTROL_ENTRY "flags" -#define NA_CONTROL_ENTRY "naflags" -#define POLICY_CONTROL_ENTRY "policy" +#define DIR_CONTROL_ENTRY "dir" +#define MINFREE_CONTROL_ENTRY "minfree" +#define FILESZ_CONTROL_ENTRY "filesz" +#define FLAGS_CONTROL_ENTRY "flags" +#define NA_CONTROL_ENTRY "naflags" +#define POLICY_CONTROL_ENTRY "policy" #define AUDIT_HOST_CONTROL_ENTRY "host" +#define EXPIRE_AFTER_CONTROL_ENTRY "expire-after" #define AU_CLASS_NAME_MAX 8 #define AU_CLASS_DESC_MAX 72 @@ -766,6 +767,7 @@ int getacflg(char *auditstr, int len) int getacna(char *auditstr, int len); int getacpol(char *auditstr, size_t len); int getachost(char *auditstr, size_t len); +int getacexpire(int *andflg, time_t *age, size_t *size); int getauditflagsbin(char *auditstr, au_mask_t *masks); int getauditflagschar(char *auditstr, au_mask_t *masks, int verbose); Modified: head/contrib/openbsm/configure ============================================================================== --- head/contrib/openbsm/configure Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/configure Mon Mar 2 13:29:18 2009 (r189279) 
@@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.61 for OpenBSM 1.1alpha5. +# Generated by GNU Autoconf 2.61 for OpenBSM 1.1beta1. # # Report bugs to . # @@ -729,8 +729,8 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='OpenBSM' PACKAGE_TARNAME='openbsm' -PACKAGE_VERSION='1.1alpha5' -PACKAGE_STRING='OpenBSM 1.1alpha5' +PACKAGE_VERSION='1.1beta1' +PACKAGE_STRING='OpenBSM 1.1beta1' PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org' ac_unique_file="bin/auditreduce/auditreduce.c" @@ -1404,7 +1404,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenBSM 1.1alpha5 to adapt to many kinds of systems. +\`configure' configures OpenBSM 1.1beta1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1474,7 +1474,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenBSM 1.1alpha5:";; + short | recursive ) echo "Configuration of OpenBSM 1.1beta1:";; esac cat <<\_ACEOF @@ -1580,7 +1580,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenBSM configure 1.1alpha5 +OpenBSM configure 1.1beta1 generated by GNU Autoconf 2.61 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -1594,7 +1594,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenBSM $as_me 1.1alpha5, which was +It was created by OpenBSM $as_me 1.1beta1, which was generated by GNU Autoconf 2.61. Invocation command line was $ $0 $@ 
@@ -19076,7 +19076,7 @@ fi # Define the identity of the package. PACKAGE=OpenBSM - VERSION=1.1alpha5 + VERSION=1.1beta1 cat >>confdefs.h <<_ACEOF @@ -23584,7 +23584,7 @@ exec 6>&1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenBSM $as_me 1.1alpha5, which was +This file was extended by OpenBSM $as_me 1.1beta1, which was generated by GNU Autoconf 2.61. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23637,7 +23637,7 @@ Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -OpenBSM config.status 1.1alpha5 +OpenBSM config.status 1.1beta1 configured by $0, generated by GNU Autoconf 2.61, with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" Modified: head/contrib/openbsm/configure.ac ============================================================================== --- head/contrib/openbsm/configure.ac Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/configure.ac Mon Mar 2 13:29:18 2009 (r189279) @@ -2,8 +2,8 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) -AC_INIT([OpenBSM], [1.1alpha5], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) -AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 $]) +AC_INIT([OpenBSM], [1.1beta1], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) +AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#50 $]) AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c]) AC_CONFIG_AUX_DIR(config) AC_CONFIG_HEADER([config/config.h]) Modified: head/contrib/openbsm/etc/audit_control ============================================================================== --- head/contrib/openbsm/etc/audit_control Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/etc/audit_control Mon Mar 2 13:29:18 2009 (r189279) 
@@ -1,10 +1,10 @@ # -# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $ +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $ # $FreeBSD$ # dir:/var/audit flags:lo -minfree:20 +minfree:5 naflags:lo -policy:cnt -filesz:0 +policy:cnt,argv +filesz:2097152 Modified: head/contrib/openbsm/etc/audit_event ============================================================================== --- head/contrib/openbsm/etc/audit_event Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/etc/audit_event Mon Mar 2 13:29:18 2009 (r189279) @@ -1,5 +1,5 @@ # -# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#34 $ +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#36 $ # $FreeBSD$ # # The mapping between event identifiers and values is also hard-coded in @@ -491,7 +491,7 @@ 43128:AUE_MAC_GET_PID:mac_get_pid(2):pc 43129:AUE_MAC_GET_LINK:mac_get_link(2):fa 43130:AUE_MAC_SET_LINK:mac_set_link(2):fm -43131:AUE_MAC_EXECVE:mac_exeve(2):ex,pc +43131:AUE_MAC_EXECVE:mac_execve(2):ex,pc 43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa 43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa 43134:AUE_MQ_OPEN:mq_open(2):ip @@ -552,6 +552,8 @@ 43189:AUE_CAP_GETMODE:cap_getmode(2):pc 43190:AUE_POSIX_SPAWN:posix_spawn(2):pc 43191:AUE_FSGETPATH:fsgetpath(2):ot +43192:AUE_PREAD:pread(2):no +43193:AUE_PWRITE:pwrite(2):no # # Solaris userspace events. # Modified: head/contrib/openbsm/libauditd/auditd_lib.c ============================================================================== --- head/contrib/openbsm/libauditd/auditd_lib.c Mon Mar 2 10:48:15 2009 (r189278) +++ head/contrib/openbsm/libauditd/auditd_lib.c Mon Mar 2 13:29:18 2009 (r189279) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2008 Apple Inc. + * Copyright (c) 2008-2009 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#2 $ + * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#7 $ */ #include @@ -52,6 +52,7 @@ #include #include +#include #include #include #include @@ -77,6 +78,11 @@ #define AUDIT_HARD_LIMIT_FREE_BLOCKS 4 #endif +/* + * Number of seconds to January 1, 2000 + */ +#define JAN_01_2000 946598400 + struct dir_ent { char *dirname; uint8_t softlim; @@ -85,7 +91,19 @@ struct dir_ent { }; static TAILQ_HEAD(, dir_ent) dir_q; -static int minval = -1; + +struct audit_trail { + time_t at_time; + char *at_path; + off_t at_size; + + TAILQ_ENTRY(audit_trail) at_trls; +}; + +static int auditd_minval = -1; + +static char auditd_host[MAXHOSTNAMELEN]; +static int auditd_hostlen = -1; static char *auditd_errmsg[] = { "no error", /* ADE_NOERR ( 0) */ @@ -107,6 +125,7 @@ static char *auditd_errmsg[] = { "invalid argument", /* ADE_INVAL (16) */ "could not resolve hostname to address", /* ADE_GETADDR (17) */ "address family not supported", /* ADE_ADDRFAM (18) */ + "error expiring audit trail files", /* ADE_EXPIRE (19) */ }; #define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0])) @@ -165,7 +184,13 @@ affixdir(char *name, struct dir_ent *dir return (NULL); } - asprintf(&fn, "%s/%s", dirent->dirname, name); + /* + * If the host is set then also add the hostname to the filename. + */ + if (auditd_hostlen != -1) + asprintf(&fn, "%s/%s.%s", dirent->dirname, name, auditd_host); + else + asprintf(&fn, "%s/%s", dirent->dirname, name); return (fn); } 
@@ -204,16 +229,14 @@ insert_orderly(struct dir_ent *denew) int auditd_set_host(void) { - char hoststr[MAXHOSTNAMELEN]; struct sockaddr_in6 *sin6; struct sockaddr_in *sin; struct addrinfo *res; struct auditinfo_addr aia; int error, ret = ADE_NOERR; - if (getachost(hoststr, MAXHOSTNAMELEN) != 0) { - - ret = ADE_PARSE; + if (getachost(auditd_host, sizeof(auditd_host)) != 0) { + ret = ADE_PARSE; /* * To maintain reverse compatability with older audit_control @@ -229,7 +252,8 @@ auditd_set_host(void) ret = ADE_AUDITON; return (ret); } - error = getaddrinfo(hoststr, NULL, NULL, &res); + auditd_hostlen = strlen(auditd_host); + error = getaddrinfo(auditd_host, NULL, NULL, &res); if (error) return (ADE_GETADDR); switch (res->ai_family) { @@ -271,14 +295,14 @@ auditd_set_minfree(void) { au_qctrl_t qctrl; - if (getacmin(&minval) != 0) + if (getacmin(&auditd_minval) != 0) return (ADE_PARSE); if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) return (ADE_AUDITON); - if (qctrl.aq_minfree != minval) { - qctrl.aq_minfree = minval; + if (qctrl.aq_minfree != auditd_minval) { + qctrl.aq_minfree = auditd_minval; if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) return (ADE_AUDITON); } 
@@ -287,9 +311,259 @@ auditd_set_minfree(void) } /* + * Convert a trailname into a timestamp (seconds). Return 0 if the conversion + * was successful. + */ +static int +trailname_to_tstamp(char *fn, time_t *tstamp) +{ + struct tm tm; + char ts[TIMESTAMP_LEN]; + char *p; + + *tstamp = 0; + + /* + * Get the ending time stamp. + */ + if ((p = strchr(fn, '.')) == NULL) + return (1); + strlcpy(ts, ++p, TIMESTAMP_LEN); + if (strlen(ts) != POSTFIX_LEN) + return (1); + + bzero(&tm, sizeof(tm)); + + /* seconds (0-60) */ + p = ts + POSTFIX_LEN - 2; + tm.tm_sec = atol(p); + if (tm.tm_sec < 0 || tm.tm_sec > 60) + return (1); + + /* minutes (0-59) */ + *p = '\0'; p -= 2; + tm.tm_min = atol(p); + if (tm.tm_min < 0 || tm.tm_min > 59) + return (1); + + /* hours (0 - 23) */ + *p = '\0'; p -= 2; + tm.tm_hour = atol(p); + if (tm.tm_hour < 0 || tm.tm_hour > 23) + return (1); + + /* day of month (1-31) */ + *p = '\0'; p -= 2; + tm.tm_mday = atol(p); + if (tm.tm_mday < 1 || tm.tm_mday > 31) + return (1); + + /* month (0 - 11) */ + *p = '\0'; p -= 2; + tm.tm_mon = atol(p) - 1; + if (tm.tm_mon < 0 || tm.tm_mon > 11) + return (1); + + /* year (year - 1900) */ + *p = '\0'; p -= 4; + tm.tm_year = atol(p) - 1900; + if (tm.tm_year < 0) + return (1); + + *tstamp = timegm(&tm); + + return (0); +} + +/* + * Remove audit trails files according to the expiration conditions. Returns: + * ADE_NOERR on success or there is nothing to do. + * ADE_PARSE if error parsing audit_control(5). + * ADE_NOMEM if could not allocate memory. + * ADE_EXPIRE if there was an unespected error. 
+ */ +int +auditd_expire_trails(int (*warn_expired)(char *)) +{ + int andflg, ret = ADE_NOERR; + size_t expire_size, total_size = 0L; + time_t expire_age, oldest_time, current_time = time(NULL); + struct dir_ent *traildir; + struct audit_trail *at; + char *afnp, *pn; + TAILQ_HEAD(au_trls_head, audit_trail) head = + TAILQ_HEAD_INITIALIZER(head); + struct stat stbuf; + char activefn[MAXPATHLEN]; + + /* + * Read the expiration conditions. If no conditions then return no + * error. + */ + if (getacexpire(&andflg, &expire_age, &expire_size) < 0) + return (ADE_PARSE); + if (!expire_age && !expire_size) + return (ADE_NOERR); + + /* + * Read the 'current' trail file name. Trim off directory path. + */ + activefn[0] = '\0'; + readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1); + if ((afnp = strrchr(activefn, '/')) != NULL) + afnp++; + + + /* + * Build tail queue of the trail files. + */ + TAILQ_FOREACH(traildir, &dir_q, dirs) { + DIR *dirp; + struct dirent *dp; + + dirp = opendir(traildir->dirname); + while ((dp = readdir(dirp)) != NULL) { + time_t tstamp = 0; + struct audit_trail *new; + + /* + * Quickly filter non-trail files. + */ + if (dp->d_namlen != (FILENAME_LEN - 1) || +#ifdef DT_REG + dp->d_type != DT_REG || +#endif + dp->d_name[POSTFIX_LEN] != '.') + continue; + + if (asprintf(&pn, "%s/%s", traildir->dirname, + dp->d_name) < 0) { + ret = ADE_NOMEM; + break; + } + + if (stat(pn, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) { + free(pn); + continue; + } + + total_size += stbuf.st_size; + + /* + * If this is the 'current' audit trail then + * don't add it to the tail queue. + */ + if (NULL != afnp && + strncmp(dp->d_name, afnp, FILENAME_LEN) == 0) { + free(pn); + continue; + } + + /* + * Get the ending time stamp encoded in the trail + * name. If we can't read it or if it is older + * than Jan 1, 2000 then use the mtime. 
+ */ + if (trailname_to_tstamp(dp->d_name, &tstamp) != 0 || + tstamp < JAN_01_2000) + tstamp = stbuf.st_mtime; + + /* + * If the time stamp is older than Jan 1, 2000 then + * update the mtime of the trail file to the current + * time. This is so we don't prematurely remove a trail + * file that was created while the system clock reset + * to the * "beginning of time" but later the system + * clock is set to the correct current time. + */ + if (current_time >= JAN_01_2000 && + tstamp < JAN_01_2000) { + struct timeval tv[2]; + + tstamp = stbuf.st_mtime = current_time; + TIMESPEC_TO_TIMEVAL(&tv[0], + &stbuf.st_atimespec); + TIMESPEC_TO_TIMEVAL(&tv[1], + &stbuf.st_mtimespec); + utimes(pn, tv); + } + + /* + * Allocate and populate the new entry. + */ + new = malloc(sizeof(*new)); + if (NULL == new) { + free(pn); + ret = ADE_NOMEM; + break; + } + new->at_time = tstamp; + new->at_size = stbuf.st_size; + new->at_path = pn; + + /* + * Check to see if we have a new head. Otherwise, + * walk the tailq from the tail first and do a simple + * insertion sort. + */ + if (TAILQ_EMPTY(&head) || + (new->at_time <= TAILQ_FIRST(&head)->at_time)) { + TAILQ_INSERT_HEAD(&head, new, at_trls); + continue; + } + + TAILQ_FOREACH_REVERSE(at, &head, au_trls_head, at_trls) + if (new->at_time >= at->at_time) { + TAILQ_INSERT_AFTER(&head, at, new, + at_trls); + break; + } + + } + } + + oldest_time = current_time - expire_age; + + /* + * Expire trail files, oldest (mtime) first, if the given + * conditions are met. 
+ */ + at = TAILQ_FIRST(&head); + while (NULL != at) { + struct audit_trail *at_next = TAILQ_NEXT(at, at_trls); + + if (andflg) { + if ((expire_size && total_size > expire_size) && + (expire_age && at->at_time < oldest_time)) { + if (warn_expired) + (*warn_expired)(at->at_path); + if (unlink(at->at_path) < 0) + ret = ADE_EXPIRE; + total_size -= at->at_size; + } + } else { + if ((expire_size && total_size > expire_size) || + (expire_age && at->at_time < oldest_time)) { + if (warn_expired) + (*warn_expired)(at->at_path); + if (unlink(at->at_path) < 0) + ret = ADE_EXPIRE; + total_size -= at->at_size; + } + } + + free(at->at_path); + free(at); + at = at_next; + } + + return (ret); +} + +/* * Parses the "dir" entry in audit_control(5) into an ordered list. Also, will - * set the minfree value if not already set. Arguments include function - * pointers to audit_warn functions for soft and hard limits. Returns: + * set the minfree and host values if not already set. Arguments include + * function pointers to audit_warn functions for soft and hard limits. Returns: * ADE_NOERR on success, * ADE_PARSE error parsing audit_control(5), * ADE_AUDITON error getting/setting auditon(2) value, @@ -309,9 +583,12 @@ auditd_read_dirs(int (*warn_soft)(char * int scnt = 0; int hcnt = 0; - if (minval == -1 && (err = auditd_set_minfree()) != 0) + if (auditd_minval == -1 && (err = auditd_set_minfree()) != 0) return (err); + if (auditd_hostlen == -1) + auditd_set_host(); + /* * Init directory q. Force a re-read of the file the next time. */ @@ -329,7 +606,8 @@ auditd_read_dirs(int (*warn_soft)(char * while (getacdir(cur_dir, MAXNAMLEN) >= 0) { if (statfs(cur_dir, &sfs) < 0) continue; /* XXX should warn */ - soft = (sfs.f_bfree < (sfs.f_blocks / (100 / minval))) ? 1 : 0; + soft = (sfs.f_bfree < (sfs.f_blocks / (100 / auditd_minval))) ? + 1 : 0; hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0; if (soft) { if (warn_soft) 
@@ -367,7 +645,8 @@ void auditd_close_dirs(void) { free_dir_q(); - minval = -1; + auditd_minval = -1; + auditd_hostlen = -1; } @@ -549,7 +828,7 @@ auditd_swap_trail(char *TS, char **newfi } /* Try until we succeed. */ - while ((dirent = TAILQ_FIRST(&dir_q))) { + TAILQ_FOREACH(dirent, &dir_q, dirs) { if (dirent->hardlim) continue; if ((fn = affixdir(timestr, dirent)) == NULL) @@ -606,6 +885,28 @@ auditd_swap_trail(char *TS, char **newfi * ADE_NOERR on success, * ADE_SETAUDIT if setaudit(2) fails. */ +#ifdef __APPLE__ +int +auditd_prevent_audit(void) +{ + auditinfo_addr_t aia; + + /* + * To prevent event feedback cycles and avoid audit becoming stalled if *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
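Review bot: the AUDIT_TRIGGER_EXPIRE_TRAILS value 8 is now defined independently in both bin/audit/audit.c and bin/auditd/auditd.c under "XXX ... temporary" comments, alongside the existing local AUDIT_TRIGGER_INITIALIZE fallback. Two private copies of a wire value the kernel has to agree on is how the two sides drift; since this commit already touches contrib/openbsm/sys/bsm/audit.h and head/sys/bsm/audit.h, the definition should live only there and the local #ifndef blocks should be dropped as soon as that header carries it.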
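Review bot: the close_lastfile() hunk in auditd.c replaces `strlcpy(ptr, TS, TIMESTAMP_LEN)` with `memcpy(ptr, TS, POSTFIX_LEN)`, which is correct only because strlen(NOT_TERMINATED) equals POSTFIX_LEN, so the original terminator (and any trailing `.hostname` suffix that the new affixdir() adds) survives the in-place overwrite. That invariant is not stated anywhere in the hunk; a one-line comment at the memcpy, or a compile-time check that `sizeof(NOT_TERMINATED) - 1 == POSTFIX_LEN`, would keep the next editor from "fixing" it back to a bounded copy that truncates the suffix.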
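Review bot: the etc/audit_control hunk switches the shipped default to `policy:cnt,argv`, which makes the trail files record execve(2) argument vectors; command lines routinely carry passwords, tokens and key paths, so the trail directory now holds data more sensitive than before. The audit_control(5) change in this commit is truncated from the visible output, but the default's documentation should say this plainly so administrators review trail file permissions and the new expire-after setting together rather than discovering it after the fact. `filesz:2097152` is fine as a bytes value for older auditd binaries, though the same commit adds the `2M` form this comment could use.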
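Review bot: the `#define JAN_01_2000 946598400` added to auditd_lib.c does not match its own comment: 946598400 is 1999-12-31 00:00:00 UTC, while 2000-01-01 00:00:00 UTC is 946684800. It is only used as a sanity threshold for trails written while the clock was reset, so the one-day error is harmless, but either the value or the comment should be corrected so later readers do not rely on it as an exact boundary.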
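Review bot: auditd_set_host() now assigns `auditd_hostlen = strlen(auditd_host)` before `getaddrinfo()` runs, so when resolution fails (ADE_GETADDR) the host is considered set for naming purposes and affixdir() will start appending `.hostname` to trail files even though the kernel host address was never installed. Set auditd_hostlen only after the auditon() succeeds (or reset it to -1 on every failure path) so file naming and the in-record host information cannot disagree. auditd_read_dirs() also discards the return value of its new auditd_set_host() call; that is reasonable for ADE_PARSE, but the ADE_GETADDR and ADE_AUDITON cases should at least be logged there.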
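Review bot: in auditd_expire_trails() the result of `readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1)` is ignored, and readlink(2) does not NUL-terminate the buffer; only activefn[0] is initialised, so a target that fills the buffer leaves `strrchr(activefn, '/')` reading past the copied bytes. Capture the length and terminate explicitly, e.g. `n = readlink(...); if (n < 0) n = 0; activefn[n] = '\0';`. In the same function `dirp = opendir(traildir->dirname)` is never checked for NULL before readdir(dirp), and there is no closedir() anywhere in the hunk, so every rotation (and every `audit -e`) leaks one DIR stream and its descriptor per audit directory, and a directory that has been removed or made unreadable dereferences NULL. Suggest `if ((dirp = opendir(...)) == NULL) continue;` and a closedir() after the readdir loop, including on the `break` paths that set ADE_NOMEM.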
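Review bot: the candidate filter in auditd_expire_trails() accepts only entries with `d_namlen == (FILENAME_LEN - 1)`, but the same commit changes affixdir() to name trails `%s/%s.%s` with the hostname appended whenever `host:` is configured. Unless FILENAME_LEN already includes that suffix, which nothing in the visible hunks suggests, host-suffixed trails never match and expire-after is silently a no-op on exactly the systems that set `host:`. Either relax the length test to a minimum and keep the `d_name[POSTFIX_LEN] != '.'` check, or match on the timestamp prefix and let trailname_to_tstamp(), which already copies only TIMESTAMP_LEN bytes after the first '.', reject anything malformed.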
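Review bot: in the expiry loop of auditd_expire_trails(), `total_size -= at->at_size` runs even when unlink() fails (the failure only records ADE_EXPIRE), so a file that is still on disk is credited as reclaimed and the size criterion can be declared satisfied without freeing anything; the `warn_expired` callback, whose message says the trail "was removed", also fires before the unlink is attempted. Move both the warning and the subtraction under the successful-unlink case. The two if-blocks for andflg and !andflg are otherwise identical; computing `size_hit` and `age_hit` once and testing `andflg ? (size_hit && age_hit) : (size_hit || age_hit)` halves the code and keeps the branches from drifting apart.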