aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRobert Watson <rwatson@FreeBSD.org>2009-03-02 10:46:23 +0000
committerRobert Watson <rwatson@FreeBSD.org>2009-03-02 10:46:23 +0000
commit694dcf49ac5cf33f6cbf6e1a4687a1eb9a2dc0ce (patch)
treea5ce36d3531eaaae9f5cf6c822527f47a238e1e9
parenta4bd134433fd2aaa1d814163ac7b29acc444654a (diff)
downloadsrc-694dcf49ac5cf33f6cbf6e1a4687a1eb9a2dc0ce.tar.gz
src-694dcf49ac5cf33f6cbf6e1a4687a1eb9a2dc0ce.zip
Vendor import of OpenBSM 1.1 beta1, which incorporates the followingvendor/openbsm/1.1-BETA-1
changes since the last imported OpenBSM release: OpenBSM 1.1 beta 1 - The filesz parameter in audit_control(5) now accepts suffixes: 'B' for Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes. For legacy support no suffix defaults to bytes. - Audit trail log expiration support added. It is configured in audit_control(5) with the expire-after parameter. If there is no expire-after parameter in audit_control(5), the default, then the audit trail files are not expired and removed. See audit_control(5) for more information. - Change defaults in audit_control: warn at 5% rather than 20% free for audit partitions, rotate automatically at 2mb, and set the default policy to cnt,argv rather than cnt so that execve(2) arguments are captured if AUE_EXECVE events are audited. These may provide more usable defaults for many users. - Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert au_to_socket_ex(3) arguments to BSM format. - Fix error encoding AUT_IPC_PERM tokens. Obtained from: TrustedBSD Project Sponsored by: Apple Inc.
Notes
Notes: svn path=/vendor/openbsm/dist/; revision=189277 svn path=/vendor/openbsm/1.1-BETA-1/; revision=189278; tag=vendor/openbsm/1.1-BETA-1
-rw-r--r--CREDITS1
-rw-r--r--NEWS21
-rw-r--r--README4
-rw-r--r--VERSION2
-rw-r--r--bin/audit/audit.814
-rw-r--r--bin/audit/audit.c17
-rw-r--r--bin/auditd/audit_warn.c19
-rw-r--r--bin/auditd/auditd.c41
-rw-r--r--bin/auditd/auditd.h6
-rw-r--r--bsm/auditd_lib.h4
-rw-r--r--bsm/libbsm.h18
-rwxr-xr-xconfigure20
-rw-r--r--configure.ac4
-rw-r--r--etc/audit_control8
-rw-r--r--etc/audit_event6
-rw-r--r--libauditd/auditd_lib.c369
-rw-r--r--libbsm/au_control.324
-rw-r--r--libbsm/au_domain.33
-rw-r--r--libbsm/au_errno.35
-rw-r--r--libbsm/bsm_control.c420
-rw-r--r--libbsm/bsm_errno.c4
-rw-r--r--libbsm/bsm_io.c4
-rw-r--r--libbsm/bsm_token.c17
-rw-r--r--man/audit_control.578
-rw-r--r--man/auditon.211
-rw-r--r--sys/bsm/audit.h7
-rw-r--r--sys/bsm/audit_kevents.h22
-rw-r--r--tools/audump.c30
28 files changed, 890 insertions, 289 deletions
diff --git a/CREDITS b/CREDITS
index 634a625536cf..53e2481b3268 100644
--- a/CREDITS
+++ b/CREDITS
@@ -27,6 +27,7 @@ the development of OpenBSM:
Eric Hall
Xin LI
Stacey Son
+ Todd Heberlein
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
Software's FlexeLint tool were used to identify a number of bugs in the
diff --git a/NEWS b/NEWS
index aeafc8c036c4..42a11d53755b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,24 @@
OpenBSM Version History
+OpenBSM 1.1 beta 1
+
+- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
+ Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
+ For legacy support no suffix defaults to bytes.
+- Audit trail log expiration support added. It is configured in
+ audit_control(5) with the expire-after parameter. If there is no
+ expire-after parameter in audit_control(5), the default, then the audit
+ trail files are not expired and removed. See audit_control(5) for
+ more information.
+- Change defaults in audit_control: warn at 5% rather than 20% free for audit
+ partitions, rotate automatically at 2mb, and set the default policy to
+ cnt,argv rather than cnt so that execve(2) arguments are captured if
+ AUE_EXECVE events are audited. These may provide more usable defaults for
+ many users.
+- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
+ au_to_socket_ex(3) arguments to BSM format.
+- Fix error encoding AUT_IPC_PERM tokens.
+
OpenBSM 1.1 alpha 5
- Stub libauditd(3) man page added.
@@ -412,4 +431,4 @@ OpenBSM 1.0 alpha 1
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#27 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#32 $
diff --git a/README b/README
index 25e5dca0bd62..d70645195edf 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-OpenBSM 1.1 alpha 4
+OpenBSM 1.1 beta 1
Introduction
@@ -56,4 +56,4 @@ Information on TrustedBSD may be found on the TrustedBSD home page:
http://www.TrustedBSD.org/
-$P4: //depot/projects/trustedbsd/openbsm/README#34 $
+$P4: //depot/projects/trustedbsd/openbsm/README#35 $
diff --git a/VERSION b/VERSION
index eb86d90e8721..9cd5a2a7619d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-OPENBSM_1_1_ALPHA_5
+OPENBSM_1_1_BETA_1
diff --git a/bin/audit/audit.8 b/bin/audit/audit.8
index b0276d40da6a..ff3c52d08dbc 100644
--- a/bin/audit/audit.8
+++ b/bin/audit/audit.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Inc.
+.\" Copyright (c) 2004-2009 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,9 +25,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $
.\"
-.Dd December 11, 2008
+.Dd January 29, 2009
.Dt AUDIT 8
.Os
.Sh NAME
@@ -35,7 +35,7 @@
.Nd audit management utility
.Sh SYNOPSIS
.Nm
-.Fl i | n | s | t
+.Fl e | i | n | s | t
.Sh DESCRIPTION
The
.Nm
@@ -43,6 +43,10 @@ utility controls the state of the audit system.
One of the following flags is required as an argument to
.Nm :
.Bl -tag -width indent
+.It Fl e
+Forces the audit system to immediately remove audit log files that
+meet the expiration criteria specified in the audit control file without
+doing a log rotation.
.It Fl i
Initializes and starts auditing.
This option is currently for Mac OS X only
@@ -53,6 +57,8 @@ to be configured to run under
.It Fl n
Forces the audit system to close the existing audit log file and rotate to
a new log file in a location specified in the audit control file.
+Also, audit log files that meet the expiration criteria specified in the
+audit control file will be removed.
.It Fl s
Specifies that the audit system should [re]synchronize its
configuration from the audit control file.
diff --git a/bin/audit/audit.c b/bin/audit/audit.c
index 3a07aa75966d..f9148ca406c2 100644
--- a/bin/audit/audit.c
+++ b/bin/audit/audit.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005-2008 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
@@ -68,12 +68,15 @@ static int send_trigger(unsigned int);
#include "auditd_control.h"
/*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
* audit.h header.
*/
#ifndef AUDIT_TRIGGER_INITIALIZE
#define AUDIT_TRIGGER_INITIALIZE 7
#endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
+#endif
static int
send_trigger(unsigned int trigger)
@@ -125,7 +128,7 @@ static void
usage(void)
{
- (void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
+ (void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n");
exit(-1);
}
@@ -141,9 +144,13 @@ main(int argc, char **argv)
if (argc != 2)
usage();
- while ((ch = getopt(argc, argv, "inst")) != -1) {
+ while ((ch = getopt(argc, argv, "einst")) != -1) {
switch(ch) {
+ case 'e':
+ trigger = AUDIT_TRIGGER_EXPIRE_TRAILS;
+ break;
+
case 'i':
trigger = AUDIT_TRIGGER_INITIALIZE;
break;
diff --git a/bin/auditd/audit_warn.c b/bin/auditd/audit_warn.c
index 6dfb3bd2f7b0..22806e24b41c 100644
--- a/bin/auditd/audit_warn.c
+++ b/bin/auditd/audit_warn.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
*/
#include <sys/types.h>
@@ -236,3 +236,18 @@ audit_warn_tmpfile(void)
return (auditwarnlog(args));
}
+
+/*
+ * Indicates that this trail file has expired and was removed.
+ */
+int
+audit_warn_expired(char *filename)
+{
+ char *args[3];
+
+ args[0] = EXPIRED_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
diff --git a/bin/auditd/auditd.c b/bin/auditd/auditd.c
index 20300c14a8a0..1fc766b5cdde 100644
--- a/bin/auditd/auditd.c
+++ b/bin/auditd/auditd.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $
*/
#include <sys/types.h>
@@ -67,12 +67,16 @@
#endif
/*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
* audit.h header.
*/
#ifndef AUDIT_TRIGGER_INITIALIZE
#define AUDIT_TRIGGER_INITIALIZE 7
#endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
+#endif
+
/*
* LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and
@@ -166,7 +170,7 @@ close_lastfile(char *TS)
/* Rename the last file -- append timestamp. */
if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
- strlcpy(ptr, TS, TIMESTAMP_LEN);
+ memcpy(ptr, TS, POSTFIX_LEN);
if (rename(oldname, lastfile) != 0)
auditd_log_err(
"Could not rename %s to %s: %m", oldname,
@@ -275,6 +279,14 @@ do_trail_file(void)
return (-1);
}
+ /*
+ * Finally, see if there are any trail files to expire.
+ */
+ err = auditd_expire_trails(audit_warn_expired);
+ if (err)
+ auditd_log_err("auditd_expire_trails(): %s",
+ auditd_strerror(err));
+
return (0);
}
@@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger)
audit_setup();
break;
+ case AUDIT_TRIGGER_EXPIRE_TRAILS:
+ auditd_log_info("Got audit expire trails trigger");
+ err = auditd_expire_trails(audit_warn_expired);
+ if (err)
+ auditd_log_err("auditd_expire_trails(): %s",
+ auditd_strerror(err));
+ break;
+
default:
auditd_log_err("Got unknown trigger %d", trigger);
break;
@@ -669,13 +689,18 @@ auditd_config_controls(void)
*/
err = auditd_set_host();
if (err) {
- auditd_log_err("auditd_set_host() %s: %m",
- auditd_strerror(err));
- ret = -1;
+ if (err == ADE_PARSE) {
+ auditd_log_notice(
+ "audit_control(5) may be missing 'host:' field");
+ } else {
+ auditd_log_err("auditd_set_host() %s: %m",
+ auditd_strerror(err));
+ ret = -1;
+ }
} else
auditd_log_debug(
"Set audit host address information in kernel.");
-
+
return (ret);
}
diff --git a/bin/auditd/auditd.h b/bin/auditd/auditd.h
index 0351a0ec1507..f952181b33e6 100644
--- a/bin/auditd/auditd.h
+++ b/bin/auditd/auditd.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
*/
#ifndef _AUDITD_H_
@@ -57,6 +57,7 @@
#define POSTSIGTERM_WARN "postsigterm"
#define SOFTLIM_WARN "soft"
#define TMPFILE_WARN "tmpfile"
+#define EXPIRED_WARN "expired"
#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
#define AUDITD_PIDFILE "/var/run/auditd.pid"
@@ -76,6 +77,7 @@ int audit_warn_nostart(void);
int audit_warn_postsigterm(void);
int audit_warn_soft(char *filename);
int audit_warn_tmpfile(void);
+int audit_warn_expired(char *filename);
void auditd_openlog(int debug, gid_t gid);
void auditd_log_err(const char *fmt, ...);
diff --git a/bsm/auditd_lib.h b/bsm/auditd_lib.h
index 7c6ab407ea69..087cb0c9b7e8 100644
--- a/bsm/auditd_lib.h
+++ b/bsm/auditd_lib.h
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#3 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $
*/
#ifndef _BSM_AUDITD_LIB_H_
@@ -81,12 +81,14 @@
#define ADE_INVAL -16 /* Invalid argument. */
#define ADE_GETADDR -17 /* Error resolving address from hostname. */
#define ADE_ADDRFAM -18 /* Address family not supported. */
+#define ADE_EXPIRE -19 /* Error expiring audit trail files. */
/*
* auditd_lib functions.
*/
const char *auditd_strerror(int errcode);
int auditd_set_minfree(void);
+int auditd_expire_trails(int (*warn_expired)(char *));
int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
void auditd_close_dirs(void);
int auditd_set_evcmap(void);
diff --git a/bsm/libbsm.h b/bsm/libbsm.h
index 4e74f57d742c..8713b4a813e2 100644
--- a/bsm/libbsm.h
+++ b/bsm/libbsm.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#42 $
*/
#ifndef _LIBBSM_H_
@@ -76,13 +76,14 @@
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
#define AUDIT_USER_FILE "/etc/security/audit_user"
-#define DIR_CONTROL_ENTRY "dir"
-#define MINFREE_CONTROL_ENTRY "minfree"
-#define FILESZ_CONTROL_ENTRY "filesz"
-#define FLAGS_CONTROL_ENTRY "flags"
-#define NA_CONTROL_ENTRY "naflags"
-#define POLICY_CONTROL_ENTRY "policy"
+#define DIR_CONTROL_ENTRY "dir"
+#define MINFREE_CONTROL_ENTRY "minfree"
+#define FILESZ_CONTROL_ENTRY "filesz"
+#define FLAGS_CONTROL_ENTRY "flags"
+#define NA_CONTROL_ENTRY "naflags"
+#define POLICY_CONTROL_ENTRY "policy"
#define AUDIT_HOST_CONTROL_ENTRY "host"
+#define EXPIRE_AFTER_CONTROL_ENTRY "expire-after"
#define AU_CLASS_NAME_MAX 8
#define AU_CLASS_DESC_MAX 72
@@ -766,6 +767,7 @@ int getacflg(char *auditstr, int len);
int getacna(char *auditstr, int len);
int getacpol(char *auditstr, size_t len);
int getachost(char *auditstr, size_t len);
+int getacexpire(int *andflg, time_t *age, size_t *size);
int getauditflagsbin(char *auditstr, au_mask_t *masks);
int getauditflagschar(char *auditstr, au_mask_t *masks,
int verbose);
diff --git a/configure b/configure
index 073b507d597c..9f97395200ed 100755
--- a/configure
+++ b/configure
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for OpenBSM 1.1alpha5.
+# Generated by GNU Autoconf 2.61 for OpenBSM 1.1beta1.
#
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
#
@@ -729,8 +729,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='OpenBSM'
PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.1alpha5'
-PACKAGE_STRING='OpenBSM 1.1alpha5'
+PACKAGE_VERSION='1.1beta1'
+PACKAGE_STRING='OpenBSM 1.1beta1'
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
ac_unique_file="bin/auditreduce/auditreduce.c"
@@ -1404,7 +1404,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenBSM 1.1alpha5 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.1beta1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1474,7 +1474,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenBSM 1.1alpha5:";;
+ short | recursive ) echo "Configuration of OpenBSM 1.1beta1:";;
esac
cat <<\_ACEOF
@@ -1580,7 +1580,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-OpenBSM configure 1.1alpha5
+OpenBSM configure 1.1beta1
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1594,7 +1594,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenBSM $as_me 1.1alpha5, which was
+It was created by OpenBSM $as_me 1.1beta1, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -19076,7 +19076,7 @@ fi
# Define the identity of the package.
PACKAGE=OpenBSM
- VERSION=1.1alpha5
+ VERSION=1.1beta1
cat >>confdefs.h <<_ACEOF
@@ -23584,7 +23584,7 @@ exec 6>&1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by OpenBSM $as_me 1.1alpha5, which was
+This file was extended by OpenBSM $as_me 1.1beta1, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -23637,7 +23637,7 @@ Report bugs to <bug-autoconf@gnu.org>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-OpenBSM config.status 1.1alpha5
+OpenBSM config.status 1.1beta1
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff --git a/configure.ac b/configure.ac
index 8ec65582faa7..2950620169a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,8 +2,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.1alpha5], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#49 $])
+AC_INIT([OpenBSM], [1.1beta1], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#50 $])
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_HEADER([config/config.h])
diff --git a/etc/audit_control b/etc/audit_control
index a350e50cdc7d..381c4f698a7a 100644
--- a/etc/audit_control
+++ b/etc/audit_control
@@ -1,9 +1,9 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $
#
dir:/var/audit
flags:lo
-minfree:20
+minfree:5
naflags:lo
-policy:cnt
-filesz:0
+policy:cnt,argv
+filesz:2097152
diff --git a/etc/audit_event b/etc/audit_event
index 577d92af1784..d12c0b41e61e 100644
--- a/etc/audit_event
+++ b/etc/audit_event
@@ -1,5 +1,5 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#34 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#36 $
#
# The mapping between event identifiers and values is also hard-coded in
# audit_kevents.h and audit_uevents.h, so changes must occur in both places,
@@ -490,7 +490,7 @@
43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
-43131:AUE_MAC_EXECVE:mac_exeve(2):ex,pc
+43131:AUE_MAC_EXECVE:mac_execve(2):ex,pc
43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
43134:AUE_MQ_OPEN:mq_open(2):ip
@@ -551,6 +551,8 @@
43189:AUE_CAP_GETMODE:cap_getmode(2):pc
43190:AUE_POSIX_SPAWN:posix_spawn(2):pc
43191:AUE_FSGETPATH:fsgetpath(2):ot
+43192:AUE_PREAD:pread(2):no
+43193:AUE_PWRITE:pwrite(2):no
#
# Solaris userspace events.
#
diff --git a/libauditd/auditd_lib.c b/libauditd/auditd_lib.c
index d19d17409a95..7a3f3f2982fe 100644
--- a/libauditd/auditd_lib.c
+++ b/libauditd/auditd_lib.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2008 Apple Inc.
+ * Copyright (c) 2008-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#2 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#7 $
*/
#include <sys/param.h>
@@ -52,6 +52,7 @@
#include <bsm/auditd_lib.h>
#include <bsm/libbsm.h>
+#include <dirent.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
@@ -77,6 +78,11 @@
#define AUDIT_HARD_LIMIT_FREE_BLOCKS 4
#endif
+/*
+ * Number of seconds to January 1, 2000
+ */
+#define JAN_01_2000 946598400
+
struct dir_ent {
char *dirname;
uint8_t softlim;
@@ -85,7 +91,19 @@ struct dir_ent {
};
static TAILQ_HEAD(, dir_ent) dir_q;
-static int minval = -1;
+
+struct audit_trail {
+ time_t at_time;
+ char *at_path;
+ off_t at_size;
+
+ TAILQ_ENTRY(audit_trail) at_trls;
+};
+
+static int auditd_minval = -1;
+
+static char auditd_host[MAXHOSTNAMELEN];
+static int auditd_hostlen = -1;
static char *auditd_errmsg[] = {
"no error", /* ADE_NOERR ( 0) */
@@ -107,6 +125,7 @@ static char *auditd_errmsg[] = {
"invalid argument", /* ADE_INVAL (16) */
"could not resolve hostname to address", /* ADE_GETADDR (17) */
"address family not supported", /* ADE_ADDRFAM (18) */
+ "error expiring audit trail files", /* ADE_EXPIRE (19) */
};
#define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
@@ -165,7 +184,13 @@ affixdir(char *name, struct dir_ent *dirent)
return (NULL);
}
- asprintf(&fn, "%s/%s", dirent->dirname, name);
+ /*
+ * If the host is set then also add the hostname to the filename.
+ */
+ if (auditd_hostlen != -1)
+ asprintf(&fn, "%s/%s.%s", dirent->dirname, name, auditd_host);
+ else
+ asprintf(&fn, "%s/%s", dirent->dirname, name);
return (fn);
}
@@ -204,16 +229,14 @@ insert_orderly(struct dir_ent *denew)
int
auditd_set_host(void)
{
- char hoststr[MAXHOSTNAMELEN];
struct sockaddr_in6 *sin6;
struct sockaddr_in *sin;
struct addrinfo *res;
struct auditinfo_addr aia;
int error, ret = ADE_NOERR;
- if (getachost(hoststr, MAXHOSTNAMELEN) != 0) {
-
- ret = ADE_PARSE;
+ if (getachost(auditd_host, sizeof(auditd_host)) != 0) {
+ ret = ADE_PARSE;
/*
* To maintain reverse compatability with older audit_control
@@ -229,7 +252,8 @@ auditd_set_host(void)
ret = ADE_AUDITON;
return (ret);
}
- error = getaddrinfo(hoststr, NULL, NULL, &res);
+ auditd_hostlen = strlen(auditd_host);
+ error = getaddrinfo(auditd_host, NULL, NULL, &res);
if (error)
return (ADE_GETADDR);
switch (res->ai_family) {
@@ -271,14 +295,14 @@ auditd_set_minfree(void)
{
au_qctrl_t qctrl;
- if (getacmin(&minval) != 0)
+ if (getacmin(&auditd_minval) != 0)
return (ADE_PARSE);
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0)
return (ADE_AUDITON);
- if (qctrl.aq_minfree != minval) {
- qctrl.aq_minfree = minval;
+ if (qctrl.aq_minfree != auditd_minval) {
+ qctrl.aq_minfree = auditd_minval;
if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0)
return (ADE_AUDITON);
}
@@ -287,9 +311,259 @@ auditd_set_minfree(void)
}
/*
+ * Convert a trailname into a timestamp (seconds). Return 0 if the conversion
+ * was successful.
+ */
+static int
+trailname_to_tstamp(char *fn, time_t *tstamp)
+{
+ struct tm tm;
+ char ts[TIMESTAMP_LEN];
+ char *p;
+
+ *tstamp = 0;
+
+ /*
+ * Get the ending time stamp.
+ */
+ if ((p = strchr(fn, '.')) == NULL)
+ return (1);
+ strlcpy(ts, ++p, TIMESTAMP_LEN);
+ if (strlen(ts) != POSTFIX_LEN)
+ return (1);
+
+ bzero(&tm, sizeof(tm));
+
+ /* seconds (0-60) */
+ p = ts + POSTFIX_LEN - 2;
+ tm.tm_sec = atol(p);
+ if (tm.tm_sec < 0 || tm.tm_sec > 60)
+ return (1);
+
+ /* minutes (0-59) */
+ *p = '\0'; p -= 2;
+ tm.tm_min = atol(p);
+ if (tm.tm_min < 0 || tm.tm_min > 59)
+ return (1);
+
+ /* hours (0 - 23) */
+ *p = '\0'; p -= 2;
+ tm.tm_hour = atol(p);
+ if (tm.tm_hour < 0 || tm.tm_hour > 23)
+ return (1);
+
+ /* day of month (1-31) */
+ *p = '\0'; p -= 2;
+ tm.tm_mday = atol(p);
+ if (tm.tm_mday < 1 || tm.tm_mday > 31)
+ return (1);
+
+ /* month (0 - 11) */
+ *p = '\0'; p -= 2;
+ tm.tm_mon = atol(p) - 1;
+ if (tm.tm_mon < 0 || tm.tm_mon > 11)
+ return (1);
+
+ /* year (year - 1900) */
+ *p = '\0'; p -= 4;
+ tm.tm_year = atol(p) - 1900;
+ if (tm.tm_year < 0)
+ return (1);
+
+ *tstamp = timegm(&tm);
+
+ return (0);
+}
+
+/*
+ * Remove audit trails files according to the expiration conditions. Returns:
+ * ADE_NOERR on success or there is nothing to do.
+ * ADE_PARSE if error parsing audit_control(5).
+ * ADE_NOMEM if could not allocate memory.
+ * ADE_EXPIRE if there was an unespected error.
+ */
+int
+auditd_expire_trails(int (*warn_expired)(char *))
+{
+ int andflg, ret = ADE_NOERR;
+ size_t expire_size, total_size = 0L;
+ time_t expire_age, oldest_time, current_time = time(NULL);
+ struct dir_ent *traildir;
+ struct audit_trail *at;
+ char *afnp, *pn;
+ TAILQ_HEAD(au_trls_head, audit_trail) head =
+ TAILQ_HEAD_INITIALIZER(head);
+ struct stat stbuf;
+ char activefn[MAXPATHLEN];
+
+ /*
+ * Read the expiration conditions. If no conditions then return no
+ * error.
+ */
+ if (getacexpire(&andflg, &expire_age, &expire_size) < 0)
+ return (ADE_PARSE);
+ if (!expire_age && !expire_size)
+ return (ADE_NOERR);
+
+ /*
+ * Read the 'current' trail file name. Trim off directory path.
+ */
+ activefn[0] = '\0';
+ readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);
+ if ((afnp = strrchr(activefn, '/')) != NULL)
+ afnp++;
+
+
+ /*
+ * Build tail queue of the trail files.
+ */
+ TAILQ_FOREACH(traildir, &dir_q, dirs) {
+ DIR *dirp;
+ struct dirent *dp;
+
+ dirp = opendir(traildir->dirname);
+ while ((dp = readdir(dirp)) != NULL) {
+ time_t tstamp = 0;
+ struct audit_trail *new;
+
+ /*
+ * Quickly filter non-trail files.
+ */
+ if (dp->d_namlen != (FILENAME_LEN - 1) ||
+#ifdef DT_REG
+ dp->d_type != DT_REG ||
+#endif
+ dp->d_name[POSTFIX_LEN] != '.')
+ continue;
+
+ if (asprintf(&pn, "%s/%s", traildir->dirname,
+ dp->d_name) < 0) {
+ ret = ADE_NOMEM;
+ break;
+ }
+
+ if (stat(pn, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
+ free(pn);
+ continue;
+ }
+
+ total_size += stbuf.st_size;
+
+ /*
+ * If this is the 'current' audit trail then
+ * don't add it to the tail queue.
+ */
+ if (NULL != afnp &&
+ strncmp(dp->d_name, afnp, FILENAME_LEN) == 0) {
+ free(pn);
+ continue;
+ }
+
+ /*
+ * Get the ending time stamp encoded in the trail
+ * name. If we can't read it or if it is older
+ * than Jan 1, 2000 then use the mtime.
+ */
+ if (trailname_to_tstamp(dp->d_name, &tstamp) != 0 ||
+ tstamp < JAN_01_2000)
+ tstamp = stbuf.st_mtime;
+
+ /*
+ * If the time stamp is older than Jan 1, 2000 then
+ * update the mtime of the trail file to the current
+ * time. This is so we don't prematurely remove a trail
+ * file that was created while the system clock reset
+ * to the * "beginning of time" but later the system
+ * clock is set to the correct current time.
+ */
+ if (current_time >= JAN_01_2000 &&
+ tstamp < JAN_01_2000) {
+ struct timeval tv[2];
+
+ tstamp = stbuf.st_mtime = current_time;
+ TIMESPEC_TO_TIMEVAL(&tv[0],
+ &stbuf.st_atimespec);
+ TIMESPEC_TO_TIMEVAL(&tv[1],
+ &stbuf.st_mtimespec);
+ utimes(pn, tv);
+ }
+
+ /*
+ * Allocate and populate the new entry.
+ */
+ new = malloc(sizeof(*new));
+ if (NULL == new) {
+ free(pn);
+ ret = ADE_NOMEM;
+ break;
+ }
+ new->at_time = tstamp;
+ new->at_size = stbuf.st_size;
+ new->at_path = pn;
+
+ /*
+ * Check to see if we have a new head. Otherwise,
+ * walk the tailq from the tail first and do a simple
+ * insertion sort.
+ */
+ if (TAILQ_EMPTY(&head) ||
+ (new->at_time <= TAILQ_FIRST(&head)->at_time)) {
+ TAILQ_INSERT_HEAD(&head, new, at_trls);
+ continue;
+ }
+
+ TAILQ_FOREACH_REVERSE(at, &head, au_trls_head, at_trls)
+ if (new->at_time >= at->at_time) {
+ TAILQ_INSERT_AFTER(&head, at, new,
+ at_trls);
+ break;
+ }
+
+ }
+ }
+
+ oldest_time = current_time - expire_age;
+
+ /*
+ * Expire trail files, oldest (mtime) first, if the given
+ * conditions are met.
+ */
+ at = TAILQ_FIRST(&head);
+ while (NULL != at) {
+ struct audit_trail *at_next = TAILQ_NEXT(at, at_trls);
+
+ if (andflg) {
+ if ((expire_size && total_size > expire_size) &&
+ (expire_age && at->at_time < oldest_time)) {
+ if (warn_expired)
+ (*warn_expired)(at->at_path);
+ if (unlink(at->at_path) < 0)
+ ret = ADE_EXPIRE;
+ total_size -= at->at_size;
+ }
+ } else {
+ if ((expire_size && total_size > expire_size) ||
+ (expire_age && at->at_time < oldest_time)) {
+ if (warn_expired)
+ (*warn_expired)(at->at_path);
+ if (unlink(at->at_path) < 0)
+ ret = ADE_EXPIRE;
+ total_size -= at->at_size;
+ }
+ }
+
+ free(at->at_path);
+ free(at);
+ at = at_next;
+ }
+
+ return (ret);
+}
+
+/*
* Parses the "dir" entry in audit_control(5) into an ordered list. Also, will
- * set the minfree value if not already set. Arguments include function
- * pointers to audit_warn functions for soft and hard limits. Returns:
+ * set the minfree and host values if not already set. Arguments include
+ * function pointers to audit_warn functions for soft and hard limits. Returns:
* ADE_NOERR on success,
* ADE_PARSE error parsing audit_control(5),
* ADE_AUDITON error getting/setting auditon(2) value,
@@ -309,9 +583,12 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
int scnt = 0;
int hcnt = 0;
- if (minval == -1 && (err = auditd_set_minfree()) != 0)
+ if (auditd_minval == -1 && (err = auditd_set_minfree()) != 0)
return (err);
+ if (auditd_hostlen == -1)
+ auditd_set_host();
+
/*
* Init directory q. Force a re-read of the file the next time.
*/
@@ -329,7 +606,8 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
if (statfs(cur_dir, &sfs) < 0)
continue; /* XXX should warn */
- soft = (sfs.f_bfree < (sfs.f_blocks / (100 / minval))) ? 1 : 0;
+ soft = (sfs.f_bfree < (sfs.f_blocks / (100 / auditd_minval))) ?
+ 1 : 0;
hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
if (soft) {
if (warn_soft)
@@ -367,7 +645,8 @@ void
auditd_close_dirs(void)
{
free_dir_q();
- minval = -1;
+ auditd_minval = -1;
+ auditd_hostlen = -1;
}
@@ -549,7 +828,7 @@ auditd_swap_trail(char *TS, char **newfile, gid_t gid,
}
/* Try until we succeed. */
- while ((dirent = TAILQ_FIRST(&dir_q))) {
+ TAILQ_FOREACH(dirent, &dir_q, dirs) {
if (dirent->hardlim)
continue;
if ((fn = affixdir(timestr, dirent)) == NULL)
@@ -606,6 +885,28 @@ auditd_swap_trail(char *TS, char **newfile, gid_t gid,
* ADE_NOERR on success,
* ADE_SETAUDIT if setaudit(2) fails.
*/
+#ifdef __APPLE__
+int
+auditd_prevent_audit(void)
+{
+ auditinfo_addr_t aia;
+
+ /*
+ * To prevent event feedback cycles and avoid audit becoming stalled if
+ * auditing is suspended we mask this processes events from being
+ * audited. We allow the uid, tid, and mask fields to be implicitly
+ * set to zero, but do set the audit session ID to the PID.
+ *
+ * XXXRW: Is there more to it than this?
+ */
+ bzero(&aia, sizeof(aia));
+ aia.ai_asid = AU_ASSIGN_ASID;
+ aia.ai_termid.at_type = AU_IPv4;
+ if (setaudit_addr(&aia, sizeof(aia)) != 0)
+ return (ADE_SETAUDIT);
+ return (ADE_NOERR);
+}
+#else
int
auditd_prevent_audit(void)
{
@@ -625,6 +926,7 @@ auditd_prevent_audit(void)
return (ADE_SETAUDIT);
return (ADE_NOERR);
}
+#endif /* __APPLE__ */
/*
* Generate and submit audit record for audit startup or shutdown. The event
@@ -713,7 +1015,7 @@ auditd_new_curlink(char *curfile)
strlcpy(newname, recoveredname, MAXPATHLEN);
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
- strlcpy(ptr, CRASH_RECOVERY, TIMESTAMP_LEN);
+ memcpy(ptr, CRASH_RECOVERY, POSTFIX_LEN);
if (rename(recoveredname, newname) != 0)
return (ADE_RENAME);
} else
@@ -750,9 +1052,10 @@ int
audit_quick_start(void)
{
int err;
- char *newfile;
+ char *newfile = NULL;
time_t tt;
char TS[TIMESTAMP_LEN];
+ int ret = 0;
/*
* Mask auditing of this process.
@@ -773,20 +1076,26 @@ audit_quick_start(void)
if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
return (-1);
err = auditd_swap_trail(TS, &newfile, getgid(), NULL);
- if (err != ADE_NOERR && err != ADE_ACTL)
- return (-1);
+ if (err != ADE_NOERR && err != ADE_ACTL) {
+ ret = -1;
+ goto out;
+ }
/*
* Add the current symlink and recover from crash, if needed.
*/
- if (auditd_new_curlink(newfile) != 0)
- return(-1);
+ if (auditd_new_curlink(newfile) != 0) {
+ ret = -1;
+ goto out;
+ }
/*
* At this point auditing has started so generate audit start-up record.
*/
- if (auditd_gen_record(AUE_audit_startup, NULL) != 0)
- return (-1);
+ if (auditd_gen_record(AUE_audit_startup, NULL) != 0) {
+ ret = -1;
+ goto out;
+ }
/*
* Configure the audit controls.
@@ -798,7 +1107,11 @@ audit_quick_start(void)
(void) auditd_set_minfree();
(void) auditd_set_host();
- return (0);
+out:
+ if (newfile != NULL)
+ free(newfile);
+
+ return (ret);
}
/*
@@ -855,7 +1168,7 @@ audit_quick_stop(void)
strlcpy(newname, oldname, len);
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
- strlcpy(ptr, TS, TIMESTAMP_LEN);
+ memcpy(ptr, TS, POSTFIX_LEN);
if (rename(oldname, newname) != 0)
return (-1);
} else
diff --git a/libbsm/au_control.3 b/libbsm/au_control.3
index e17ae16e12ae..8cad121af213 100644
--- a/libbsm/au_control.3
+++ b/libbsm/au_control.3
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#10 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
@@ -33,6 +33,7 @@
.Nm endac ,
.Nm getacdir ,
.Nm getacmin ,
+.Nm getacexpire ,
.Nm getacfilesz ,
.Nm getacflg ,
.Nm getacna ,
@@ -53,6 +54,8 @@
.Ft int
.Fn getacmin "int *min_val"
.Ft int
+.Fn getacexpire "int *andflg, time_t *age, size_t *size"
+.Ft int
.Fn getacfilesz "size_t *size_val"
.Ft int
.Fn getacflg "char *auditstr" "int len"
@@ -101,6 +104,24 @@ the passed
variable.
.Pp
The
+.Fn getacexpire
+function
+returns the audit trail file expiration parameters in the passed
+.Vt int
+buffer
+.Fa andflg ,
+.Vt time_t
+buffer
+.Fa age
+and
+.Vt size_t
+buffer
+.Fa size .
+If the parameter is not specified in the
+.Xr audit_control 5
+file it is set to zero.
+.Pp
+The
.Fn getacfilesz
function
returns the audit trail rotation size in the passed
@@ -153,6 +174,7 @@ to a numeric audit policy mask returned via
The
.Fn getacdir ,
.Fn getacmin ,
+.Fn getacexpire ,
.Fn getacflg ,
.Fn getacna ,
.Fn getacpol ,
diff --git a/libbsm/au_domain.3 b/libbsm/au_domain.3
index 14ac45a30cd0..6d57d2b53042 100644
--- a/libbsm/au_domain.3
+++ b/libbsm/au_domain.3
@@ -26,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_domain.3#1 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_domain.3#2 $
.\"
.Dd December 28, 2008
.Dt AU_BSM_TO_DOMAIN 3
@@ -59,6 +59,7 @@ This call will fail if the BSM domain cannot be mapped into a local domain,
which may occur if the socket token was generated on another operating
system.
.Pp
+The
.Fn au_domain_to_bsm
function accepts a local domain, and returns the BSM domain for it.
This call cannot fail, and instead returns a BSM domain indicating to a later
diff --git a/libbsm/au_errno.3 b/libbsm/au_errno.3
index f7ff8a0c7a1f..3680a4ee3e0d 100644
--- a/libbsm/au_errno.3
+++ b/libbsm/au_errno.3
@@ -26,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_errno.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_errno.3#4 $
.\"
.Dd December 8, 2008
.Dt AU_BSM_TO_ERRNO 3
@@ -64,6 +64,7 @@ This call will fail if the BSM error cannot be mapped into a local error
number, which may occur if the return token was generated on another
operating system.
.Pp
+The
.Fn au_errno_to_bsm
function accepts a local
.Xr errno 2
@@ -73,7 +74,7 @@ a later decoder that the error could not be encoded.
.Pp
The
.Fn au_strerror
-converts a BSM error value to a string, generally by converting first to a
+function converts a BSM error value to a string, generally by converting first to a
local error number and using the local
.Xr strerror 3
function, but will also work for errors that are not locally defined.
diff --git a/libbsm/bsm_control.c b/libbsm/bsm_control.c
index 4fed3ff1c2d4..4b8a1d100783 100644
--- a/libbsm/bsm_control.c
+++ b/libbsm/bsm_control.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004,2009 Apple Inc.
* Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
@@ -27,13 +27,14 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#24 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#28 $
*/
#include <config/config.h>
#include <bsm/libbsm.h>
+#include <ctype.h>
#include <errno.h>
#include <string.h>
#ifdef HAVE_PTHREAD_MUTEX_LOCK
@@ -65,6 +66,32 @@ static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
#endif
/*
+ * Audit policy string token table for au_poltostr() and au_strtopol().
+ */
+struct audit_polstr {
+ long ap_policy;
+ const char *ap_str;
+};
+
+static struct audit_polstr au_polstr[] = {
+ { AUDIT_CNT, "cnt" },
+ { AUDIT_AHLT, "ahlt" },
+ { AUDIT_ARGV, "argv" },
+ { AUDIT_ARGE, "arge" },
+ { AUDIT_SEQ, "seq" },
+ { AUDIT_WINDATA, "windata" },
+ { AUDIT_USER, "user" },
+ { AUDIT_GROUP, "group" },
+ { AUDIT_TRAIL, "trail" },
+ { AUDIT_PATH, "path" },
+ { AUDIT_SCNT, "scnt" },
+ { AUDIT_PUBLIC, "public" },
+ { AUDIT_ZONENAME, "zonename" },
+ { AUDIT_PERZONE, "perzone" },
+ { -1, NULL }
+};
+
+/*
* Returns the string value corresponding to the given label from the
* configuration file.
*
@@ -112,6 +139,82 @@ getstrfromtype_locked(char *name, char **str)
}
/*
+ * Convert a given time value with a multiplier (seconds, hours, days, years) to
+ * seconds. Return 0 on success.
+ */
+static int
+au_timetosec(time_t *seconds, u_long value, char mult)
+{
+ if (NULL == seconds)
+ return (-1);
+
+ switch(mult) {
+ case 's':
+ /* seconds */
+ *seconds = (time_t)value;
+ break;
+
+ case 'h':
+ /* hours */
+ *seconds = (time_t)value * 60 * 60;
+ break;
+
+ case 'd':
+ /* days */
+ *seconds = (time_t)value * 60 * 60 * 24;
+ break;
+
+ case 'y':
+ /* years. Add a day for each 4th (leap) year. */
+ *seconds = (time_t)value * 60 * 60 * 24 * 364 +
+ ((time_t)value / 4) * 60 * 60 * 24;
+ break;
+
+ default:
+ return (-1);
+ }
+ return (0);
+}
+
+/*
+ * Convert a given disk space value with a multiplier (bytes, kilobytes,
+ * megabytes, gigabytes) to bytes. Return 0 on success.
+ */
+static int
+au_spacetobytes(size_t *bytes, u_long value, char mult)
+{
+ if (NULL == bytes)
+ return (-1);
+
+ switch(mult) {
+ case 'B':
+ case ' ':
+ /* Bytes */
+ *bytes = (size_t)value;
+ break;
+
+ case 'K':
+ /* Kilobytes */
+ *bytes = (size_t)value * 1024;
+ break;
+
+ case 'M':
+ /* Megabytes */
+ *bytes = (size_t)value * 1024 * 1024;
+ break;
+
+ case 'G':
+ /* Gigabytes */
+ *bytes = (size_t)value * 1024 * 1024 * 1024;
+ break;
+
+ default:
+ return (-1);
+ }
+ return (0);
+}
+
+/*
* Convert a policy to a string. Return -1 on failure, or >= 0 representing
* the actual size of the string placed in the buffer (excluding terminating
* nul).
@@ -119,135 +222,24 @@ getstrfromtype_locked(char *name, char **str)
ssize_t
au_poltostr(long policy, size_t maxsize, char *buf)
{
- int first;
+ int first = 1;
+ int i = 0;
if (maxsize < 1)
return (-1);
- first = 1;
buf[0] = '\0';
- if (policy & AUDIT_CNT) {
- if (strlcat(buf, "cnt", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_AHLT) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
+ do {
+ if (policy & au_polstr[i].ap_policy) {
+ if (!first && strlcat(buf, ",", maxsize) >= maxsize)
return (-1);
- }
- if (strlcat(buf, "ahlt", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_ARGV) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "argv", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_ARGE) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "arge", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_SEQ) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
+ if (strlcat(buf, au_polstr[i].ap_str, maxsize) >=
+ maxsize)
return (-1);
+ first = 0;
}
- if (strlcat(buf, "seq", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_WINDATA) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "windata", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_USER) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "user", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_GROUP) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "group", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_TRAIL) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "trail", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_PATH) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "path", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_SCNT) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "scnt", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_PUBLIC) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "public", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_ZONENAME) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "zonename", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
- if (policy & AUDIT_PERZONE) {
- if (!first) {
- if (strlcat(buf, ",", maxsize) >= maxsize)
- return (-1);
- }
- if (strlcat(buf, "perzone", maxsize) >= maxsize)
- return (-1);
- first = 0;
- }
+ } while (NULL != au_polstr[++i].ap_str);
+
return (strlen(buf));
}
@@ -260,6 +252,7 @@ au_strtopol(const char *polstr, long *policy)
{
char *bufp, *string;
char *buffer;
+ int i, matched;
*policy = 0;
buffer = strdup(polstr);
@@ -268,35 +261,17 @@ au_strtopol(const char *polstr, long *policy)
bufp = buffer;
while ((string = strsep(&bufp, ",")) != NULL) {
- if (strcmp(string, "cnt") == 0)
- *policy |= AUDIT_CNT;
- else if (strcmp(string, "ahlt") == 0)
- *policy |= AUDIT_AHLT;
- else if (strcmp(string, "argv") == 0)
- *policy |= AUDIT_ARGV;
- else if (strcmp(string, "arge") == 0)
- *policy |= AUDIT_ARGE;
- else if (strcmp(string, "seq") == 0)
- *policy |= AUDIT_SEQ;
- else if (strcmp(string, "winau_fstat") == 0)
- *policy |= AUDIT_WINDATA;
- else if (strcmp(string, "user") == 0)
- *policy |= AUDIT_USER;
- else if (strcmp(string, "group") == 0)
- *policy |= AUDIT_GROUP;
- else if (strcmp(string, "trail") == 0)
- *policy |= AUDIT_TRAIL;
- else if (strcmp(string, "path") == 0)
- *policy |= AUDIT_PATH;
- else if (strcmp(string, "scnt") == 0)
- *policy |= AUDIT_SCNT;
- else if (strcmp(string, "public") == 0)
- *policy |= AUDIT_PUBLIC;
- else if (strcmp(string, "zonename") == 0)
- *policy |= AUDIT_ZONENAME;
- else if (strcmp(string, "perzone") == 0)
- *policy |= AUDIT_PERZONE;
- else {
+ matched = i = 0;
+
+ do {
+ if (strcmp(string, au_polstr[i].ap_str) == 0) {
+ *policy |= au_polstr[i].ap_policy;
+ matched = 1;
+ break;
+ }
+ } while (NULL != au_polstr[++i].ap_str);
+
+ if (!matched) {
free(buffer);
errno = EINVAL;
return (-1);
@@ -435,46 +410,65 @@ getacmin(int *min_val)
int
getacfilesz(size_t *filesz_val)
{
- char *filesz, *dummy;
- long long ll;
+ char *str;
+ size_t val;
+ char mult;
+ int nparsed;
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_lock(&mutex);
#endif
setac_locked();
- if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
+ if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &str) < 0) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
return (-2);
}
- if (filesz == NULL) {
+ if (str == NULL) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
errno = EINVAL;
return (1);
}
- ll = strtoll(filesz, &dummy, 10);
- if (*dummy != '\0') {
+
+ /* Trim off any leading white space. */
+ while (*str == ' ' || *str == '\t')
+ str++;
+
+ nparsed = sscanf(str, "%ju%c", (uintmax_t *)&val, &mult);
+
+ switch (nparsed) {
+ case 1:
+ /* If no multiplier then assume 'B' (bytes). */
+ mult = 'B';
+ /* fall through */
+ case 2:
+ if (au_spacetobytes(filesz_val, val, mult) == 0)
+ break;
+ /* fall through */
+ default:
+ errno = EINVAL;
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
- errno = EINVAL;
return (-1);
}
+
/*
* The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0
* indicates no rotation size.
*/
- if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
+ if (*filesz_val < 0 || (*filesz_val > 0 &&
+ *filesz_val < MIN_AUDIT_FILE_SIZE)) {
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
+ filesz_val = 0L;
errno = EINVAL;
return (-1);
}
- *filesz_val = ll;
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
@@ -619,7 +613,109 @@ getachost(char *auditstr, size_t len)
#endif
return (-3);
}
- strcpy(auditstr, str);
+ strlcpy(auditstr, str, len);
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+ pthread_mutex_unlock(&mutex);
+#endif
+ return (0);
+}
+
+/*
+ * Set expiration conditions.
+ */
+static int
+setexpirecond(time_t *age, size_t *size, u_long value, char mult)
+{
+
+ if (isupper(mult) || ' ' == mult)
+ return (au_spacetobytes(size, value, mult));
+ else
+ return (au_timetosec(age, value, mult));
+}
+
+/*
+ * Return the expire-after field from the audit control file.
+ */
+int
+getacexpire(int *andflg, time_t *age, size_t *size)
+{
+ char *str;
+ int nparsed;
+ u_long val1, val2;
+ char mult1, mult2;
+ char andor[AU_LINE_MAX];
+
+ *age = 0L;
+ *size = 0LL;
+ *andflg = 0;
+
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+ pthread_mutex_lock(&mutex);
+#endif
+ setac_locked();
+ if (getstrfromtype_locked(EXPIRE_AFTER_CONTROL_ENTRY, &str) < 0) {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+ pthread_mutex_unlock(&mutex);
+#endif
+ return (-2);
+ }
+ if (str == NULL) {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+ pthread_mutex_unlock(&mutex);
+#endif
+ return (1);
+ }
+
+ /* First, trim off any leading white space. */
+ while (*str == ' ' || *str == '\t')
+ str++;
+
+ nparsed = sscanf(str, "%lu%c%[ \tadnorADNOR]%lu%c", &val1, &mult1,
+ andor, &val2, &mult2);
+
+ switch (nparsed) {
+ case 1:
+ /* If no multiplier then assume 'B' (Bytes). */
+ mult1 = 'B';
+ /* fall through */
+ case 2:
+ /* One expiration condition. */
+ if (setexpirecond(age, size, val1, mult1) != 0) {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+ pthread_mutex_unlock(&mutex);
+#endif
+ return (-1);
+ }
+ break;
+
+ case 5:
+ /* Two expiration conditions. */
+ if (setexpirecond(age, size, val1, mult1) != 0 ||
+ setexpirecond(age, size, val2, mult2) != 0) {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+ pthread_mutex_unlock(&mutex);
+#endif
+ return (-1);
+ }
+ if (strcasestr(andor, "and") != NULL)
+ *andflg = 1;
+ else if (strcasestr(andor, "or") != NULL)
+ *andflg = 0;
+ else {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+ pthread_mutex_unlock(&mutex);
+#endif
+ return (-1);
+ }
+ break;
+
+ default:
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+ pthread_mutex_unlock(&mutex);
+#endif
+ return (-1);
+ }
+
#ifdef HAVE_PTHREAD_MUTEX_LOCK
pthread_mutex_unlock(&mutex);
#endif
diff --git a/libbsm/bsm_errno.c b/libbsm/bsm_errno.c
index 78aad9782b6c..b750341e51f0 100644
--- a/libbsm/bsm_errno.c
+++ b/libbsm/bsm_errno.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#16 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#17 $
*/
#include <sys/types.h>
@@ -494,7 +494,7 @@ static const struct bsm_errno bsm_errnos[] = {
#else
ERRNO_NO_LOCAL_MAPPING,
#endif
- ES("Malfored Macho file") },
+ ES("Malformed Macho file") },
{ BSM_ERRNO_EPOLICY,
#ifdef EPOLICY
EPOLICY,
diff --git a/libbsm/bsm_io.c b/libbsm/bsm_io.c
index eb56827e443b..ce07a660ff6e 100644
--- a/libbsm/bsm_io.c
+++ b/libbsm/bsm_io.c
@@ -32,7 +32,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#60 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#61 $
*/
#include <sys/types.h>
@@ -193,7 +193,7 @@ print_mem(FILE *fp, u_char *data, size_t len)
if (len > 0) {
fprintf(fp, "0x");
for (i = 0; i < len; i++)
- fprintf(fp, "%x", data[i]);
+ fprintf(fp, "%02x", data[i]);
}
}
diff --git a/libbsm/bsm_token.c b/libbsm/bsm_token.c
index 430e09b073e6..b33d8d764dcc 100644
--- a/libbsm/bsm_token.c
+++ b/libbsm/bsm_token.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
@@ -30,7 +30,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#86 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#90 $
*/
#include <sys/types.h>
@@ -168,7 +168,7 @@ au_to_attr32(struct vnode_au_info *vni)
token_t *t;
u_char *dptr = NULL;
u_int16_t pad0_16 = 0;
- u_int16_t pad0_32 = 0;
+ u_int32_t pad0_32 = 0;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
@@ -217,7 +217,7 @@ au_to_attr64(struct vnode_au_info *vni)
token_t *t;
u_char *dptr = NULL;
u_int16_t pad0_16 = 0;
- u_int16_t pad0_32 = 0;
+ u_int32_t pad0_32 = 0;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
@@ -487,7 +487,8 @@ au_to_ipc_perm(struct ipc_perm *perm)
u_char *dptr = NULL;
u_int16_t pad0 = 0;
- GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
+ sizeof(u_int32_t));
if (t == NULL)
return (NULL);
@@ -962,15 +963,15 @@ au_to_socket_ex(u_short so_domain, u_short so_type,
5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
else if (so_domain == AF_INET6)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
- 5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t));
+ 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
else {
errno = EINVAL;
return (NULL);
}
ADD_U_CHAR(dptr, AUT_SOCKET_EX);
- ADD_U_INT16(dptr, so_domain); /* XXXRW: explicitly convert? */
- ADD_U_INT16(dptr, so_type); /* XXXRW: explicitly convert? */
+ ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
+ ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
if (so_domain == AF_INET) {
ADD_U_INT16(dptr, AU_IPv4);
sin = (struct sockaddr_in *)sa_local;
diff --git a/man/audit_control.5 b/man/audit_control.5
index be89a12db2fc..bed9cd89b28c 100644
--- a/man/audit_control.5
+++ b/man/audit_control.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Inc.
+.\" Copyright (c) 2004-2009 Apple Inc.
.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
.\"
@@ -26,9 +26,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $
.\"
-.Dd January 4, 2006
+.Dd January 29, 2009
.Dt AUDIT_CONTROL 5
.Os
.Sh NAME
@@ -86,6 +86,18 @@ rotate the audit trail file at around this size.
Sizes less than the minimum trail size (default of 512K) will be rejected as
invalid.
If 0, trail files will not be automatically rotated based on file size.
+For convenience, the trail size may be expressed with suffix letters:
+B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes).
+For example, 2M is the same as 2097152.
+.It Va expire-after
+Specifies when audit log files will expire and be removed.
+This may be after a time period has passed since the file was last
+written to or when the aggregate of all the trail files have reached a
+specified size or a combination of both.
+If no expire-after parameter is given then audit log files with not
+expire and be removed by the audit control system.
+See the information below for the format of the expiration
+specification.
.El
.Sh AUDIT FLAGS
Audit flags are a comma-delimited list of audit classes as defined in the
@@ -170,6 +182,51 @@ flag but not
.Cm ahlt
flag unless it is intended that audit logs exceeding available disk space
halt the system.
+.Sh AUDIT LOG EXPIRATION SPECIFICATION
+The expiration specification can be one value or two values with the
+logical conjunction of AND/OR between them.
+Values for the audit log file age are numbers with the following
+suffixes:
+.Pp
+.Bl -tag -width "(space) or" -compact -offset indent
+.It Li s
+Log file age in seconds.
+.It Li h
+Log file age in hours.
+.It Li d
+Log file age in days.
+.It Li y
+Log file age in years.
+.El
+.Pp
+Values for the disk space used are numbers with the following suffixes:
+.Pp
+.Bl -tag -width "(space) or" -compact -offset indent
+.It (space) or
+.It Li B
+Disk space used in Bytes.
+.It Li K
+Disk space used in Kilobytes.
+.It Li M
+Disk space used in Megabytes.
+.It Li G
+Disk space used in Gigabytes.
+.El
+.Pp
+The suffixes on the values are case sensitive.
+If both an age and disk space value are used they are seperated by
+AND or OR and both values are used to determine when audit
+log files expire.
+In the case of AND, both the age and disk space conditions must be meet
+before the log file is removed.
+In the case of OR, either condition may expire the log file.
+For example:
+.Bd -literal -offset indent
+expire-after: 60d AND 1G
+.Ed
+.Pp
+will expire files that are older than 60 days but only if 1
+gigabyte of disk space total is being used by the audit logs.
.Sh DEFAULT
The following settings appear in the default
.Nm
@@ -177,10 +234,10 @@ file:
.Bd -literal -offset indent
dir:/var/audit
flags:lo
-minfree:20
+minfree:5
naflags:lo
-policy:cnt
-filesz:0
+policy:cnt,argv
+filesz:2097152
.Ed
.Pp
The
@@ -190,9 +247,12 @@ events.
The
.Va policy
parameter specifies that the system should neither fail stop nor suspend
-processes when the audit store fills.
-The trail file will not be automatically rotated by the audit daemon based on
-file size.
+processes when the audit store fills and that command line arguments should
+be audited for
+.Dv AUE_EXECVE
+events.
+The trail file will be automatically rotated by the audit daemon when the
+file size reaches approximately 2MB.
.Sh FILES
.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
diff --git a/man/auditon.2 b/man/auditon.2
index e47bbb8922fe..9a0a9a1dd799 100644
--- a/man/auditon.2
+++ b/man/auditon.2
@@ -1,4 +1,5 @@
.\"-
+.\" Copyright (c) 2008-2009 Apple Inc.
.\" Copyright (c) 2005 Robert N. M. Watson
.\" Copyright (c) 2005 Tom Rhodes
.\" Copyright (c) 2005 Wayne J. Salamon
@@ -25,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#14 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#15 $
.\"
.Dd July 10, 2008
.Dt AUDITON 2
@@ -405,9 +406,15 @@ trigger values:
file),
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
(close the current log file and exit),
-or
.Dv AUDIT_TRIGGER_NO_SPACE
(no disk space left for audit log file).
+.Dv AUDIT_TRIGGER_ROTATE_USER
+(request audit log file rotation).
+.Dv AUDIT_TRIGGER_INITIALIZE
+(initialize audit subsystem for Mac OS X only).
+or
+.Dv AUDIT_TRIGGER_EXPIRE_TRAILS
+(request audit log file expiration).
.El
.Sh RETURN VALUES
.Rv -std
diff --git a/sys/bsm/audit.h b/sys/bsm/audit.h
index 3b22b033635e..b39de0a6a6d4 100644
--- a/sys/bsm/audit.h
+++ b/sys/bsm/audit.h
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#5 $
*/
#ifndef _BSM_AUDIT_H
@@ -65,8 +65,9 @@
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */
-#define AUDIT_TRIGGER_INITIALIZE 7 /* Initialize audit. */
-#define AUDIT_TRIGGER_MAX 7
+#define AUDIT_TRIGGER_INITIALIZE 7 /* User initialize of auditd. */
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8 /* User expiration of trails. */
+#define AUDIT_TRIGGER_MAX 8
/*
* The special device filename (FreeBSD).
diff --git a/sys/bsm/audit_kevents.h b/sys/bsm/audit_kevents.h
index 57351b5ea7b9..a86621cdb8ae 100644
--- a/sys/bsm/audit_kevents.h
+++ b/sys/bsm/audit_kevents.h
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#5 $
*/
#ifndef _BSM_AUDIT_KEVENTS_H_
@@ -586,6 +586,8 @@
#define AUE_CAP_GETMODE 43189 /* TrustedBSD. */
#define AUE_POSIX_SPAWN 43190 /* Darwin. */
#define AUE_FSGETPATH 43191 /* Darwin. */
+#define AUE_PREAD 43192 /* Darwin/FreeBSD. */
+#define AUE_PWRITE 43193 /* Darwin/FreeBSD. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
@@ -657,7 +659,6 @@
/*
* Possible desired future values based on review of BSD/Darwin system calls.
*/
-#define AUE_ACCESSEXTENDED AUE_NULL
#define AUE_ATGETMSG AUE_NULL
#define AUE_ATPUTMSG AUE_NULL
#define AUE_ATSOCKET AUE_NULL
@@ -668,11 +669,9 @@
#define AUE_BSDTHREADCREATE AUE_NULL
#define AUE_BSDTHREADTERMINATE AUE_NULL
#define AUE_BSDTHREADREGISTER AUE_NULL
-#define AUE_CHMODEXTENDED AUE_NULL
#define AUE_CHUD AUE_NULL
#define AUE_CSOPS AUE_NULL
#define AUE_DUP AUE_NULL
-#define AUE_FCHMODEXTENDED AUE_NULL
#define AUE_FDATASYNC AUE_NULL
#define AUE_FFSCTL AUE_NULL
#define AUE_FGETATTRLIST AUE_NULL
@@ -682,11 +681,10 @@
#define AUE_FSCTL AUE_NULL
#define AUE_FSETATTRLIST AUE_NULL
#define AUE_FSETXATTR AUE_NULL
-#define AUE_FSTATEXTENDED AUE_NULL
#define AUE_FSTATFS64 AUE_NULL
#define AUE_FSTATV AUE_NULL
#define AUE_FSTAT64 AUE_NULL
-#define AUE_FSTAT64EXTENDED AUE_NULL
+#define AUE_FSTAT64_EXTENDED AUE_NULL
#define AUE_GCCONTROL AUE_NULL
#define AUE_GETDIRENTRIES64 AUE_NULL
#define AUE_GETDTABLESIZE AUE_NULL
@@ -720,21 +718,15 @@
#define AUE_ISSETUGID AUE_NULL
#define AUE_LIOLISTIO AUE_NULL
#define AUE_LISTXATTR AUE_NULL
-#define AUE_LSTATEXTENDED AUE_NULL
#define AUE_LSTATV AUE_NULL
#define AUE_LSTAT64 AUE_NULL
-#define AUE_LSTAT64EXTENDED AUE_NULL
+#define AUE_LSTAT64_EXTENDED AUE_NULL
#define AUE_MADVISE AUE_NULL
#define AUE_MINCORE AUE_NULL
#define AUE_MKCOMPLEX AUE_NULL
-#define AUE_MKDIREXTENDED AUE_NULL
-#define AUE_MKFIFOEXTENDED AUE_NULL
#define AUE_MODWATCH AUE_NULL
#define AUE_MSGCL AUE_NULL
#define AUE_MSYNC AUE_NULL
-#define AUE_OPENEXTENDED AUE_NULL
-#define AUE_PREAD AUE_NULL
-#define AUE_PWRITE AUE_NULL
#define AUE_PREADV AUE_NULL
#define AUE_PROCINFO AUE_NULL
#define AUE_PTHREADCANCELED AUE_NULL
@@ -778,15 +770,13 @@
#define AUE_SIGWAIT AUE_NULL
#define AUE_SSTK AUE_NULL
#define AUE_STACKSNAPSHOT AUE_NULL
-#define AUE_STATEXTENDED AUE_NULL
#define AUE_STATFS64 AUE_NULL
#define AUE_STATV AUE_NULL
#define AUE_STAT64 AUE_NULL
-#define AUE_STAT64EXTENDED AUE_NULL
+#define AUE_STAT64_EXTENDED AUE_NULL
#define AUE_SYNC AUE_NULL
#define AUE_SYSCALL AUE_NULL
#define AUE_TABLE AUE_NULL
-#define AUE_UMASKEXTENDED AUE_NULL
#define AUE_VMPRESSUREMONITOR AUE_NULL
#define AUE_WAITEVENT AUE_NULL
#define AUE_WAITID AUE_NULL
diff --git a/tools/audump.c b/tools/audump.c
index 65dc87abba06..a5f4b6d0602b 100644
--- a/tools/audump.c
+++ b/tools/audump.c
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#7 $
+ * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#8 $
*/
#include <bsm/libbsm.h>
@@ -80,6 +80,8 @@ audump_control(void)
char string[PATH_MAX], string2[PATH_MAX];
int ret, val;
long policy;
+ time_t age;
+ size_t size;
ret = getacflg(string, PATH_MAX);
if (ret == -2)
@@ -126,6 +128,32 @@ audump_control(void)
if (au_poltostr(policy, PATH_MAX, string2) < 0)
err(-1, "au_poltostr");
printf("policy:%s\n", string2);
+
+ ret = getacfilesz(&size);
+ if (ret == -2)
+ err(-1, "getacfilesz");
+ if (ret != 0)
+ err(-1, "getacfilesz: %d", ret);
+
+ printf("filesz:%ldB\n", size);
+
+
+ ret = getachost(string, PATH_MAX);
+ if (ret == -2)
+ err(-1, "getachost");
+ if (ret == -3)
+ err(-1, "getachost: %d", ret);
+ if (ret == 0 && ret != 1)
+ printf("host:%s\n", string);
+
+ ret = getacexpire(&val, &age, &size);
+ if (ret == -2)
+ err(-1, "getacexpire");
+ if (ret == -1)
+ err(-1, "getacexpire: %d", ret);
+ if (ret == 0 && ret != 1)
+ printf("expire-after:%ldB %s %lds\n", size,
+ val ? "AND" : "OR", age);
}
static void