Date: Thu, 1 Jun 2006 22:12:10 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 98281 for review Message-ID: <200606012212.k51MCA1x093259@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=98281
Change 98281 by rwatson@rwatson_zoo on 2006/06/01 22:11:59
Modify auditfilterd to separately handle pipe files vs. audit trail files, as their buffering semantics are quite different.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#6 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.h#3 edit
.. //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#2 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#6 (text+ko) ====
@@ -25,10 +25,11 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#5 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#6 $
 */
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/time.h>
 #include <config/config.h>
@@ -66,12 +67,14 @@
 usage(void)
 {
- fprintf(stderr, "auditfilterd [-c conffile] [-d] [-t trailfile]\n");
+ fprintf(stderr, "auditfilterd [-c conffile] [-d] [-p pipefile]"
+ " [-t trailfile]\n");
 fprintf(stderr, " -c Specify configuration file (default: %s)\n", AUDITFILTERD_CONFFILE);
 fprintf(stderr, " -d Debugging mode, don't daemonize\n");
- fprintf(stderr, " -t Specify audit trail file (default: %s)",
- AUDITFILTERD_TRAILFILE);
+ fprintf(stderr, " -p Specify pipe file (default: %s)\n",
+ AUDITFILTERD_PIPEFILE);
+ fprintf(stderr, " -t Specify audit trail file (default: none)\n");
 exit(-1);
 }
@@ -147,7 +150,7 @@
 * them to modules for processing.
 */
 static void
-mainloop(const char *conffile, const char *trailfile, FILE *trail_fp)
+mainloop_file(const char *conffile, const char *trailfile, FILE *trail_fp)
 {
 struct timespec ts;
 FILE *conf_fp;
@@ -184,10 +187,8 @@
 * more at the right blocking and signal behavior here.
 */
 reclen = au_read_rec(trail_fp, &buf);
- if (reclen == -1) {
- sleep(1);
+ if (reclen == -1)
 continue;
- }
 if (clock_gettime(CLOCK_REALTIME, &ts) < 0)
 err(-1, "clock_gettime");
 present_bsmrecord(&ts, buf, reclen);
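Review bot: Dropping the `sleep(1)` turns `if (reclen == -1) continue;` into an immediate retry, so if au_read_rec reports a non-fatal condition such as end-of-file with -1 (plausible now that a trail is a regular file rather than the audit pipe), mainloop_file spins at full CPU until a signal arrives. Consider separating end-of-file from a hard error before retrying, e.g. `if (reclen == -1) { if (feof(trail_fp)) break; continue; }`, or keeping a short backoff on the retry path if the intent is to follow a growing trail. The enclosing loop and function begin and end outside this hunk.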
@@ -196,16 +197,68 @@
 }
 }
+/*
+ * The main loop spins pulling records out of the record source and passing
+ * them to modules for processing. This version of the function accepts
+ * discrete record input from a file descriptor, as opposed to buffered input
+ * from a file stream.
+ */
+static void
+mainloop_pipe(const char *conffile, const char *pipefile, int pipe_fd)
+{
+ u_char record[MAX_AUDIT_RECORD_SIZE];
+ struct timespec ts;
+ FILE *conf_fp;
+ int reclen;
+
+ while (1) {
+ /*
+ * On SIGHUP, we reread the configuration file. Unlike with
+ * a trail file, we don't reopen the pipe, as we don't want
+ * to miss records which will be flushed if we do.
+ */
+ if (reread_config) {
+ reread_config = 0;
+ warnx("rereading configuration");
+ conf_fp = fopen(conffile, "r");
+ if (conf_fp == NULL)
+ err(-1, "%s", conffile);
+ auditfilterd_conf(conffile, conf_fp);
+ fclose(conf_fp);
+ }
+ if (quit) {
+ warnx("quitting");
+ break;
+ }
+
+ /*
+ * For now, be relatively unrobust about incomplete records,
+ * but in the future will want to do better. Need to look
+ * more at the right blocking and signal behavior here.
+ */
+ reclen = read(pipe_fd, record, MAX_AUDIT_RECORD_SIZE);
+ if (reclen < 0)
+ continue;
+ if (clock_gettime(CLOCK_REALTIME, &ts) < 0)
+ err(-1, "clock_gettime");
+ present_bsmrecord(&ts, record, reclen);
+ present_tokens(&ts, record, reclen);
+ }
+}
+
 int
 main(int argc, char *argv[])
 {
- const char *trailfile, *conffile;
+ const char *pipefile, *trailfile, *conffile;
 FILE *trail_fp, *conf_fp;
+ struct stat sb;
+ int pipe_fd;
 int ch;
 conffile = AUDITFILTERD_CONFFILE;
- trailfile = AUDITFILTERD_TRAILFILE;
- while ((ch = getopt(argc, argv, "c:dt:")) != -1) {
+ trailfile = NULL;
+ pipefile = NULL;
+ while ((ch = getopt(argc, argv, "c:dp:t:")) != -1) {
 switch (ch) {
 case 'c':
 conffile = optarg;
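Review bot: In mainloop_pipe the read result is only tested with `if (reclen < 0)`, so a zero-length return (descriptor at end-of-file or device closed, if the audit pipe can report that) falls through to `present_bsmrecord`/`present_tokens` with an empty buffer and the loop repeats immediately. Declaring `ssize_t reclen;` matches read's return type, and `if (reclen == 0) break;` (or a logged skip) placed before the clock_gettime call keeps zero-length input away from the filter modules. A record longer than MAX_AUDIT_RECORD_SIZE would also be cut at the buffer size by this single read; whether the device delivers exactly one whole record per read is not visible here, so a comment stating that assumption next to the read would help the next reader.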
@@ -216,9 +269,17 @@
 break;
 case 't':
+ if (trailfile != NULL || pipefile != NULL)
+ usage();
 trailfile = optarg;
 break;
+ case 'p':
+ if (pipefile != NULL || trailfile != NULL)
+ usage();
+ pipefile = optarg;
+ break;
+
 default:
 usage();
 }
@@ -230,9 +291,26 @@
 if (argc != 0)
 usage();
- trail_fp = fopen(trailfile, "r");
- if (trail_fp == NULL)
- err(-1, "%s", trailfile);
+ /*
+ * We allow only one of a pipe or a trail to be used. If none is
+ * specified, we provide a default pipe path.
+ */
+ if (pipefile == NULL && trailfile == NULL)
+ pipefile = AUDITFILTERD_PIPEFILE;
+
+ if (pipefile != NULL) {
+ pipe_fd = open(pipefile, O_RDONLY);
+ if (pipe_fd < 0)
+ err(-1, "open:%s", pipefile);
+ if (fstat(pipe_fd, &sb) < 0)
+ err(-1, "stat: %s", pipefile);
+ if (!S_ISCHR(sb.st_mode))
+ errx(-1, "fstat: %s not device", pipefile);
+ } else {
+ trail_fp = fopen(trailfile, "r");
+ if (trail_fp == NULL)
+ err(-1, "%s", trailfile);
+ }
 conf_fp = fopen(conffile, "r");
 if (conf_fp == NULL)
@@ -253,7 +331,10 @@
 signal(SIGQUIT, signal_handler);
 signal(SIGTERM, signal_handler);
- mainloop(conffile, trailfile, trail_fp);
+ if (pipefile != NULL)
+ mainloop_pipe(conffile, pipefile, pipe_fd);
+ else
+ mainloop_file(conffile, trailfile, trail_fp);
 auditfilterd_conf_shutdown();
 return (0);
==== //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.h#3 (text+ko) ====
@@ -25,11 +25,11 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.h#2 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.h#3 $
 */
 #define AUDITFILTERD_CONFFILE "/etc/security/audit_filter"
-#define AUDITFILTERD_TRAILFILE "/dev/auditpipe"
+#define AUDITFILTERD_PIPEFILE "/dev/auditpipe"
 /*
 * Limit on the number of arguments that can appear in an audit_filterd
==== //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#2 (text+ko) ====
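Review bot: In the @@ -230 hunk the three failure messages on the pipe path are inconsistent: `err(-1, "open:%s", pipefile)` lacks the space the others have, `err(-1, "stat: %s", pipefile)` reports an fstat failure as "stat", and `errx(-1, "fstat: %s not device", pipefile)` labels the type check as "fstat" even though fstat succeeded. Suggest `err(-1, "open: %s", pipefile)`, `err(-1, "fstat: %s", pipefile)` and `errx(-1, "%s: not a character device", pipefile)` so an operator reading the log knows which step rejected the path. Opening first and checking the descriptor with fstat is the right order, since the type check applies to the object actually used rather than to the path name. `O_RDONLY` comes from <fcntl.h>; the @@ -25 hunk adds only <sys/stat.h>, so confirm fcntl.h is already among the includes not shown here.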
@@ -25,7 +25,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#1 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#2 $
 */
 #ifndef _BSM_AUDIT_FILTER_H_
@@ -48,7 +48,7 @@
 typedef int (*audit_filter_attach_t)(void **instance, int argc, char *argv[]);
 typedef int (*audit_filter_reinit_t)(void *instance, int argc, char *argv[]);
 typedef void (*audit_filter_record_t)(void *instance, struct timespec *ts,
- int token_count, const tokenstr_t *tok[]);
+ int token_count, const tokenstr_t tok[]);
 typedef void (*audit_filter_bsmrecord_t)(void *instance, struct timespec *ts,
 void *data, u_int len);
 typedef void (*audit_filter_detach_t)(void *instance);
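Review bot: Changing audit_filter_record_t from `const tokenstr_t *tok[]` to `const tokenstr_t tok[]` alters the calling convention every filter module implements, and nothing in the header tells a module author who owns the array or how long its elements stay valid. A comment on the typedef along the lines of `/* tok[] is owned by the caller and valid only for the duration of the call */`, adjusted to whatever the daemon actually guarantees, would make the contract explicit. Any module built against the previous declaration would read the argument with the wrong indirection, so they need to be rebuilt against this header.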