Diffstat (limited to 'contrib/openbsm')
-rw-r--r--contrib/openbsm/HISTORY23
-rw-r--r--contrib/openbsm/TODO7
-rw-r--r--contrib/openbsm/VERSION2
-rw-r--r--contrib/openbsm/bin/auditd/audit_warn.c17
-rw-r--r--contrib/openbsm/bin/auditd/auditd.c19
-rw-r--r--contrib/openbsm/bin/auditd/auditd.h4
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.143
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.c120
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.h9
-rw-r--r--contrib/openbsm/bsm/audit_kevents.h6
-rw-r--r--contrib/openbsm/bsm/libbsm.h4
-rwxr-xr-xcontrib/openbsm/configure22
-rw-r--r--contrib/openbsm/configure.ac4
-rw-r--r--contrib/openbsm/etc/audit_control3
-rw-r--r--contrib/openbsm/etc/audit_event6
-rw-r--r--contrib/openbsm/libbsm/au_control.311
-rw-r--r--contrib/openbsm/libbsm/bsm_control.c42
-rw-r--r--contrib/openbsm/libbsm/libbsm.33
-rw-r--r--contrib/openbsm/man/audit_control.517
19 files changed, 302 insertions, 60 deletions
diff --git a/contrib/openbsm/HISTORY b/contrib/openbsm/HISTORY
index e9093001a557..0b44df261e08 100644
--- a/contrib/openbsm/HISTORY
+++ b/contrib/openbsm/HISTORY
@@ -1,3 +1,24 @@
+OpenBSM 1.0 alpha 12
+
+- Correct bug in auditreduce which prevented the -c option from working
+ correctly when the user specifies to process successful or failed events.
+ The problem stemmed from not having access to the return token at the time
+ the initial preselection occurred, but now a second preselection process
+ occurs while processing the return token.
+- getacfilesz(3) API added to read new audit_control(5) filesz setting,
+ which auditd(8) now sets the kernel audit trail rotation size to.
+- auditreduce(1) now uses stdin if no file names are specified on the command
+ line; this was the documented behavior previously, but it was not
+ implemented. Be more specific in auditreduce(1)'s examples section about
+ what might be done with the output of auditreduce.
+- Add audit_warn(5) closefile event so that administrators can hook
+ termination of an audit trail file. For example, this might be used to
+ compress the trail file after it is closed.
+- auditreduce(1) now uses regular expressions for pathname matching. Users can
+ now supply one or more (comma delimited) regular expressions for searching
+ the pathnames. If one of the regular expressions is prefixed with a tilde
+ (~), and a path matches, it will be excluded from the search results.
+
OpenBSM 1.0 alpha 11
- Reclassify certain read/write operations as having no class rather than the
@@ -243,4 +264,4 @@ OpenBSM 1.0 alpha 1
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#33 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $
diff --git a/contrib/openbsm/TODO b/contrib/openbsm/TODO
index 5e0b9c3ae318..696974340819 100644
--- a/contrib/openbsm/TODO
+++ b/contrib/openbsm/TODO
@@ -17,10 +17,7 @@
just at the beginning of a record. This will make it easier to use
praudit in test suites processing single-token files without header and
trailer context.
-- Teach auditd how to notify a script when it is done with trail files so
- that the script can archive them, compress them, delete them, whatever.
- It should walk any trail files found at startup also, assuming it
- successfully registers.
- Put hostname in trail file name.
+- Document audit_warn event arguments.
-$P4: //depot/projects/trustedbsd/openbsm/TODO#7 $
+$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $
diff --git a/contrib/openbsm/VERSION b/contrib/openbsm/VERSION
index 12b10e099a6e..b27583b27697 100644
--- a/contrib/openbsm/VERSION
+++ b/contrib/openbsm/VERSION
@@ -1 +1 @@
-OPENBSM_1_0_ALPHA_11
+OPENBSM_1_0_ALPHA_12
diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c
index 7fa5eb927254..3239b67c7e3e 100644
--- a/contrib/openbsm/bin/auditd/audit_warn.c
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#7 $
*/
#include <sys/types.h>
@@ -125,6 +125,21 @@ audit_warn_auditoff(void)
}
/*
+ * Indicate that a trail file has been closed, so can now be post-processed.
+ */
+int
+audit_warn_closefile(char *filename)
+{
+ char *args[3];
+
+ args[0] = CLOSEFILE_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
* Indicates that the audit deammn is already running
*/
int
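Review bot: The new audit_warn_closefile() passes the closed trail's path to the audit_warn script as its second positional argument, but neither the function comment nor, per the TODO entry this change adds, audit_warn(5) says so. A handler that interpolates that argument unquoted would misbehave on any unusual characters in a path, so the contract is worth stating where the event is emitted. I would extend the comment to `/* Emits "closefile <trail path>"; scripts should quote "$2". */` and add the same wording to audit_warn(5).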
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index 86cf2335c28f..7ca2123bdb56 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#21 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
*/
#include <sys/types.h>
@@ -163,9 +163,11 @@ close_lastfile(char *TS)
syslog(LOG_ERR,
"Could not rename %s to %s: %m", oldname,
lastfile);
- else
+ else {
syslog(LOG_INFO, "renamed %s to %s",
oldname, lastfile);
+ audit_warn_closefile(lastfile);
+ }
}
free(lastfile);
free(oldname);
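Review bot: The return value of audit_warn_closefile(lastfile) is discarded, so a failing audit_warn script leaves no trace in the log while the LOG_INFO line just above reports the file as handled. I would check it: `if (audit_warn_closefile(lastfile) != 0) syslog(LOG_WARNING, "audit_warn closefile failed for %s", lastfile);`. Whether the hook should also fire for the un-renamed `oldname` when rename() fails is a design decision that deserves a one-line comment either way. close_lastfile() begins before this hunk.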
@@ -727,6 +729,8 @@ config_audit_controls(void)
char naeventstr[NA_EVENT_STR_SIZE];
char polstr[POL_STR_SIZE];
long policy;
+ au_fstat_t au_fstat;
+ size_t filesz;
/*
* Process the audit event file, obtaining a class mapping for each
@@ -806,6 +810,17 @@ config_audit_controls(void)
"Failed to set default audit policy: %m");
}
+ /*
+ * Set trail rotation size.
+ */
+ if (getacfilesz(&filesz) == 0) {
+ bzero(&au_fstat, sizeof(au_fstat));
+ au_fstat.af_filesz = filesz;
+ if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0)
+ syslog(LOG_ERR, "Failed to set filesz: %m");
+ } else
+ syslog(LOG_ERR, "Failed to obtain filesz: %m");
+
return (0);
}
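Review bot: Any non-zero return from getacfilesz() is logged as an error and leaves the kernel's rotation size untouched, although getacfilesz() in this same change returns 1 specifically when no filesz value is present (presumably the case for any audit_control that predates this setting, if getstrfromtype_locked() reports an absent entry with a NULL string as the NULL check suggests). That means an unconfigured filesz logs "Failed to obtain filesz: Invalid argument" at every start and reload, and removing the line from audit_control no longer resets a previously configured size. I would treat the missing-entry case as 0, which requires an `int ret;` alongside the declarations added in the earlier hunk of config_audit_controls(); the function starts outside this hunk.
```c
	/*
	 * Set trail rotation size.  A missing filesz entry is treated as 0
	 * (no size-based rotation) so that an audit_control predating the
	 * setting still resets the kernel value on reconfiguration.
	 */
	ret = getacfilesz(&filesz);
	if (ret == 1)
		filesz = 0;
	if (ret == 0 || ret == 1) {
		bzero(&au_fstat, sizeof(au_fstat));
		au_fstat.af_filesz = filesz;
		if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0)
			syslog(LOG_ERR, "Failed to set filesz: %m");
	} else
		syslog(LOG_ERR, "Failed to obtain filesz: %m");
```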
diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h
index 11bf9d4ce176..9c5ae287c17b 100644
--- a/contrib/openbsm/bin/auditd/auditd.h
+++ b/contrib/openbsm/bin/auditd/auditd.h
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#7 $
*/
#ifndef _AUDITD_H_
@@ -62,6 +62,7 @@ struct dir_ent {
#define HARDLIM_ALL_WARN "allhard"
#define SOFTLIM_ALL_WARN "allsoft"
#define AUDITOFF_WARN "auditoff"
+#define CLOSEFILE_WARN "closefile"
#define EBUSY_WARN "ebusy"
#define GETACDIR_WARN "getacdir"
#define HARDLIM_WARN "hard"
@@ -76,6 +77,7 @@ struct dir_ent {
int audit_warn_allhard(int count);
int audit_warn_allsoft(void);
int audit_warn_auditoff(void);
+int audit_warn_closefile(char *filename);
int audit_warn_ebusy(void);
int audit_warn_getacdir(char *filename);
int audit_warn_hard(char *filename);
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
index 9ae97263aa64..f590e35f0717 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
@@ -105,12 +105,17 @@ for a description of audit event names and numbers.
.It Fl o Ar object=value
.Bl -tag -width Ds
.It Nm file
-Select records containing the given path name.
-file="/usr" matches paths
-starting with
-.Pa usr .
-file="~/usr" matches paths not starting with
-.Pa usr .
+Select records containing path tokens, where the pathname matches
+one of the comma delimited extended regular expression contained in
+given specification.
+Regular expressions which are prefixed with a tilde (~) are excluded
+from the search results.
+These extended regular expressions are processed from left to right,
+and a path will either be selected or deslected based on the first match.
+.Pp
+Since commas are used to delimit the regular expressions, a backslash (\\)
+character should be used to escape the comma if it's a part of the search
+pattern.
.It Nm msgqid
Select records containing the given message queue id.
.It Nm pid
@@ -136,6 +141,30 @@ events from that log:
.Pp
.Nm
-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Pp
+Output from the above command lines will typically be piped to a new trail
+file, or via standard output to the
+.Xr praudit 1
+command.
+.Pp
+Select all records containing a path token where the pathname contains
+.Pa /etc/master.passwd
+.Pp
+.Nm
+-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+device:
+.Pp
+.Nm
+-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+except for
+.Pa /dev/ttyp2
+.Pp
+.Nm
+-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c
index 25a14ff453a5..31bd8922e41c 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.c
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#14 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#18 $
*/
/*
@@ -40,6 +40,13 @@
* XXX the records present within the file and between the files themselves
*/
+#include <config/config.h>
+#ifdef HAVE_FULL_QUEUE_H
+#include <sys/queue.h>
+#else
+#include <compat/queue.h>
+#endif
+
#include <bsm/libbsm.h>
#include <err.h>
@@ -51,9 +58,14 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <regex.h>
+#include <errno.h>
#include "auditreduce.h"
+static TAILQ_HEAD(tailhead, re_entry) re_head =
+ TAILQ_HEAD_INITIALIZER(re_head);
+
extern char *optarg;
extern int optind, optopt, opterr,optreset;
@@ -81,10 +93,57 @@ static char *p_sockobj = NULL;
static uint32_t opttochk = 0;
static void
+parse_regexp(char *re_string)
+{
+ char *orig, *copy, re_error[64];
+ struct re_entry *rep;
+ int error, nstrs, i, len;
+
+ copy = strdup(re_string);
+ orig = copy;
+ len = strlen(copy);
+ for (nstrs = 0, i = 0; i < len; i++) {
+ if (copy[i] == ',' && i > 0) {
+ if (copy[i - 1] == '\\')
+ strcpy(&copy[i - 1], &copy[i]);
+ else {
+ nstrs++;
+ copy[i] = '\0';
+ }
+ }
+ }
+ TAILQ_INIT(&re_head);
+ for (i = 0; i < nstrs + 1; i++) {
+ rep = calloc(1, sizeof(*rep));
+ if (rep == NULL) {
+ (void) fprintf(stderr, "calloc: %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (*copy == '~') {
+ copy++;
+ rep->re_negate = 1;
+ }
+ rep->re_pattern = strdup(copy);
+ error = regcomp(&rep->re_regexp, rep->re_pattern,
+ REG_EXTENDED | REG_NOSUB);
+ if (error != 0) {
+ regerror(error, &rep->re_regexp, re_error, 64);
+ (void) fprintf(stderr, "regcomp: %s\n", re_error);
+ exit(1);
+ }
+ TAILQ_INSERT_TAIL(&re_head, rep, re_glue);
+ len = strlen(copy);
+ copy += len + 1;
+ }
+ free(orig);
+}
+
+static void
usage(const char *msg)
{
fprintf(stderr, "%s\n", msg);
- fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
+ fprintf(stderr, "Usage: auditreduce [options] [file ...]\n");
fprintf(stderr, "\tOptions are : \n");
fprintf(stderr, "\t-A : all records\n");
fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
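Review bot: In parse_regexp() the escape branch `strcpy(&copy[i - 1], &copy[i])` copies between overlapping regions, which strcpy() does not permit, and after the shift neither `len` nor `i` is adjusted, so the character that slides into position i is never examined: `a\,,b` is parsed as the single pattern `a,,b` rather than `a,` and `b`. The two strdup() calls are also unchecked, and a NULL from the first one is dereferenced by strlen() immediately. I would rewrite the splitting loop as below; the per-pattern calloc/regcomp loop can stay as it is apart from checking the strdup() of re_pattern.
```c
	copy = strdup(re_string);
	if (copy == NULL) {
		(void) fprintf(stderr, "strdup: %s\n", strerror(errno));
		exit(1);
	}
	orig = copy;
	len = strlen(copy);
	for (nstrs = 0, i = 0; i < len; i++) {
		if (copy[i] != ',' || i == 0)
			continue;
		if (copy[i - 1] == '\\') {
			/* Drop the backslash; regions overlap, so memmove. */
			memmove(&copy[i - 1], &copy[i], len - i + 1);
			len--;
			i--;	/* Re-examine the character now at position i. */
		} else {
			nstrs++;
			copy[i] = '\0';
		}
	}
	/* … unchanged: per-pattern calloc/regcomp loop … */
```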
@@ -258,23 +317,20 @@ select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
static int
select_filepath(char *path, uint32_t *optchkd)
{
- char *loc;
+ struct re_entry *rep;
+ int match;
SETOPT((*optchkd), OPT_of);
+ match = 1;
if (ISOPTSET(opttochk, OPT_of)) {
- if (p_fileobj[0] == '~') {
- /* Object should not be in path. */
- loc = strstr(path, p_fileobj + 1);
- if ((loc != NULL) && (loc == path))
- return (0);
- } else {
- /* Object should be in path. */
- loc = strstr(path, p_fileobj);
- if ((loc == NULL) || (loc != path))
- return (0);
+ match = 0;
+ TAILQ_FOREACH(rep, &re_head, re_glue) {
+ if (regexec(&rep->re_regexp, path, 0, NULL,
+ 0) != REG_NOMATCH)
+ return (!rep->re_negate);
}
}
- return (1);
+ return (match);
}
/*
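Review bot: With `match = 0` set before the loop, a specification consisting only of negated patterns selects nothing: `-ofile="~/dev/ttyp2"` returns 0 for ttyp2 via `!rep->re_negate` and 0 for every other path because no positive pattern ever matches. The previous code selected every path not starting with the given prefix in that case, and the new auditreduce(1) text ("excluded from the search results") reads the same way, so this looks like an unintended regression rather than a documented change. I would start from 1 and only clear it when a positive pattern fails to match.
```c
	match = 1;
	if (ISOPTSET(opttochk, OPT_of)) {
		TAILQ_FOREACH(rep, &re_head, re_glue) {
			if (regexec(&rep->re_regexp, path, 0, NULL,
			    0) != REG_NOMATCH)
				return (!rep->re_negate);
			/*
			 * A non-matching positive pattern deselects the path
			 * unless a later pattern matches; a list holding only
			 * ~patterns selects everything it does not exclude.
			 */
			if (!rep->re_negate)
				match = 0;
		}
	}
	return (match);
```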
@@ -328,6 +384,24 @@ select_hdr32(tokenstr_t tok, uint32_t *optchkd)
return (1);
}
+static int
+select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd)
+{
+ int sorf;
+
+ SETOPT((*optchkd), (OPT_c));
+ if (tok_ret32.tt.ret32.status == 0)
+ sorf = AU_PRS_SUCCESS;
+ else
+ sorf = AU_PRS_FAILURE;
+ if (ISOPTSET(opttochk, OPT_c)) {
+ if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf,
+ AU_PRS_USECACHE) != 1)
+ return (0);
+ }
+ return (1);
+}
+
/*
* Return 1 if checks for the the following succeed
* auid,
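Review bot: select_return32() takes both tokenstr_t arguments by value, so two complete token structures are copied for every return token even though the header copy is only read. Passing `const tokenstr_t *` would document that and avoid the copies: `select_return32(const tokenstr_t *tok_ret32, const tokenstr_t *tok_hdr32, uint32_t *optchkd)` with `tok_ret32->tt.ret32.status` and `tok_hdr32->tt.hdr32.e_type` in the body (the caller in the later hunk changes to `&tok, &tok_hdr32_copy`). A one-line comment saying what `maskp`, declared outside this hunk, holds (presumably the class mask built from -c) would also help the reader.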
@@ -395,6 +469,7 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd)
static int
select_records(FILE *fp)
{
+ tokenstr_t tok_hdr32_copy;
u_char *buf;
tokenstr_t tok;
int reclen;
@@ -423,6 +498,8 @@ select_records(FILE *fp)
case AU_HEADER_32_TOKEN:
selected = select_hdr32(tok,
&optchkd);
+ bcopy(&tok, &tok_hdr32_copy,
+ sizeof(tok));
break;
case AU_PROCESS_32_TOKEN:
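Review bot: tok_hdr32_copy is declared without an initializer in the earlier hunk of select_records() and is only filled in here for AU_HEADER_32_TOKEN, so if a record with any other header token type reaches the new AU_RETURN_32_TOKEN case, select_return32() reads either uninitialized stack or the previous record's header. I would zero it once before the record loop, `bzero(&tok_hdr32_copy, sizeof(tok_hdr32_copy));`, and only consult it when a 32-bit header has actually been seen for the current record. select_records() begins and ends outside this hunk, so I cannot tell whether other header token types are accepted there.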
@@ -451,6 +528,11 @@ select_records(FILE *fp)
tok.tt.path.path, &optchkd);
break;
+ case AU_RETURN_32_TOKEN:
+ selected = select_return32(tok,
+ tok_hdr32_copy, &optchkd);
+ break;
+
/*
* The following tokens dont have any relevant
* attributes that we can select upon.
@@ -465,7 +547,6 @@ select_records(FILE *fp)
case AU_IPCPERM_TOKEN:
case AU_IPORT_TOKEN:
case AU_OPAQUE_TOKEN:
- case AU_RETURN_32_TOKEN:
case AU_SEQ_TOKEN:
case AU_TEXT_TOKEN:
case AU_ARB_TOKEN:
@@ -500,6 +581,7 @@ parse_object_type(char *name, char *val)
if (!strcmp(name, FILEOBJ)) {
p_fileobj = val;
+ parse_regexp(val);
SETOPT(opttochk, OPT_of);
} else if (!strcmp(name, MSGQIDOBJ)) {
p_msgqobj = val;
@@ -679,8 +761,12 @@ main(int argc, char **argv)
argv += optind;
argc -= optind;
- if (argc == 0)
- usage("Filename needed");
+ if (argc == 0) {
+ if (select_records(stdin) == -1)
+ errx(EXIT_FAILURE,
+ "Couldn't select records from stdin");
+ exit(EXIT_SUCCESS);
+ }
/*
* XXX: We should actually be merging records here.
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h
index 698e27605b0f..f69dc16f8389 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.h
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.h
@@ -26,13 +26,20 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $
*/
#ifndef _AUDITREDUCE_H_
#define _AUDITREDUCE_H_
+struct re_entry {
+ char *re_pattern;
+ int re_negate;
+ regex_t re_regexp;
+ TAILQ_ENTRY(re_entry) re_glue;
+};
+
#define OPT_a 0x00000001
#define OPT_b 0x00000002
#define OPT_c 0x00000004
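Review bot: struct re_entry uses regex_t and TAILQ_ENTRY, but auditreduce.h includes neither <regex.h> nor a queue.h, so the header compiles only because auditreduce.c happens to pull both in before including it. I would add `#include <regex.h>` plus the same HAVE_FULL_QUEUE_H/compat queue.h selection at the top of the header, or at least a comment stating the include-order requirement. The `re_pattern` string is strdup'd in parse_regexp() and never freed; if that is acceptable for a short-lived tool, a comment on the field should say so.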
diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h
index ef0f47b01485..434452a3091a 100644
--- a/contrib/openbsm/bsm/audit_kevents.h
+++ b/contrib/openbsm/bsm/audit_kevents.h
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#42 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#43 $
*/
#ifndef _BSM_AUDIT_KEVENTS_H_
@@ -470,6 +470,10 @@
#define AUE_KENV 43114 /* FreeBSD. */
#define AUE_JAIL_ATTACH 43115 /* FreeBSD. */
#define AUE_SYSCTL_WRITE 43116 /* FreeBSD. */
+#define AUE_IOPERM 43117 /* Linux. */
+#define AUE_READDIR 43118 /* Linux. */
+#define AUE_IOPL 43119 /* Linux. */
+#define AUE_VM86 43120 /* Linux. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
index 34d9dbc062f0..2d76c3993317 100644
--- a/contrib/openbsm/bsm/libbsm.h
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $
*/
#ifndef _LIBBSM_H_
@@ -78,6 +78,7 @@
#define DIR_CONTROL_ENTRY "dir"
#define MINFREE_CONTROL_ENTRY "minfree"
+#define FILESZ_CONTROL_ENTRY "filesz"
#define FLAGS_CONTROL_ENTRY "flags"
#define NA_CONTROL_ENTRY "naflags"
#define POLICY_CONTROL_ENTRY "policy"
@@ -719,6 +720,7 @@ void setac(void);
void endac(void);
int getacdir(char *name, int len);
int getacmin(int *min_val);
+int getacfilesz(size_t *size_val);
int getacflg(char *auditstr, int len);
int getacna(char *auditstr, int len);
int getacpol(char *auditstr, size_t len);
diff --git a/contrib/openbsm/configure b/contrib/openbsm/configure
index 26af770f4151..d680c434032a 100755
--- a/contrib/openbsm/configure
+++ b/contrib/openbsm/configure
@@ -1,7 +1,7 @@
#! /bin/sh
-# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 .
+# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11.
+# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12.
#
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
#
@@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='OpenBSM'
PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.0a11'
-PACKAGE_STRING='OpenBSM 1.0a11'
+PACKAGE_VERSION='1.0a12'
+PACKAGE_STRING='OpenBSM 1.0a12'
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
ac_unique_file="bin/auditreduce/auditreduce.c"
@@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1021,7 +1021,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenBSM 1.0a11:";;
+ short | recursive ) echo "Configuration of OpenBSM 1.0a12:";;
esac
cat <<\_ACEOF
@@ -1162,7 +1162,7 @@ fi
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
-OpenBSM configure 1.0a11
+OpenBSM configure 1.0a12
generated by GNU Autoconf 2.59
Copyright (C) 2003 Free Software Foundation, Inc.
@@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenBSM $as_me 1.0a11, which was
+It was created by OpenBSM $as_me 1.0a12, which was
generated by GNU Autoconf 2.59. Invocation command line was
$ $0 $@
@@ -19278,7 +19278,7 @@ fi
# Define the identity of the package.
PACKAGE=OpenBSM
- VERSION=1.0a11
+ VERSION=1.0a12
cat >>confdefs.h <<_ACEOF
@@ -23479,7 +23479,7 @@ _ASBOX
} >&5
cat >&5 <<_CSEOF
-This file was extended by OpenBSM $as_me 1.0a11, which was
+This file was extended by OpenBSM $as_me 1.0a12, which was
generated by GNU Autoconf 2.59. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -23542,7 +23542,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-OpenBSM config.status 1.0a11
+OpenBSM config.status 1.0a12
configured by $0, generated by GNU Autoconf 2.59,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
diff --git a/contrib/openbsm/configure.ac b/contrib/openbsm/configure.ac
index 8547245c0e44..a8428f97f282 100644
--- a/contrib/openbsm/configure.ac
+++ b/contrib/openbsm/configure.ac
@@ -2,8 +2,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 $])
+AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 $])
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_HEADER([config/config.h])
diff --git a/contrib/openbsm/etc/audit_control b/contrib/openbsm/etc/audit_control
index 2db3e1fa049e..a350e50cdc7d 100644
--- a/contrib/openbsm/etc/audit_control
+++ b/contrib/openbsm/etc/audit_control
@@ -1,8 +1,9 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
#
dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
+filesz:0
diff --git a/contrib/openbsm/etc/audit_event b/contrib/openbsm/etc/audit_event
index 346dff7a22af..fcc89fca8ec2 100644
--- a/contrib/openbsm/etc/audit_event
+++ b/contrib/openbsm/etc/audit_event
@@ -1,5 +1,5 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#15 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#16 $
#
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
@@ -418,6 +418,10 @@
43114:AUE_KENV:kenv(8):ad
43115:AUE_JAIL_ATTACH:jail_attach(2):ad
43116:AUE_SYSCTL_WRITE:sysctl(3):ad
+43117:AUE_IOPERM:linux ioperm:ad
+43118:AUE_READDIR:readdir(3):no
+43119:AUE_IOPL:linux iopl:ad
+43120:AUE_VM86:linux vm86:pc
#
# User space system events.
#
diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3
index 00a551eed2d9..0985825f4113 100644
--- a/contrib/openbsm/libbsm/au_control.3
+++ b/contrib/openbsm/libbsm/au_control.3
@@ -1,5 +1,5 @@
.\"-
-.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
@@ -33,6 +33,7 @@
.Nm endac ,
.Nm getacdir ,
.Nm getacmin ,
+.Nm getacfilesz ,
.Nm getacflg ,
.Nm getacna ,
.Nm getacpol ,
@@ -52,6 +53,8 @@
.Ft int
.Fn getacmin "int *min_val"
.Ft int
+.Fn getacfilesz "size_t *size_val"
+.Ft int
.Fn getacflg "char *auditstr" "int len"
.Ft int
.Fn getacna "char *auditstr" "int len"
@@ -88,6 +91,10 @@ the passed
.Va min_val
variable.
.Pp
+.Fn getacfilesz
+returns the audit trail rotation size in the passed size_t buffer
+.Fa size_val .
+.Pp
.Fn getacflg
returns the audit system flags via the the passed character buffer
.Va auditstr
diff --git a/contrib/openbsm/libbsm/bsm_control.c b/contrib/openbsm/libbsm/bsm_control.c
index ba643b2b9fde..dd901b76ca36 100644
--- a/contrib/openbsm/libbsm/bsm_control.c
+++ b/contrib/openbsm/libbsm/bsm_control.c
@@ -27,7 +27,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#15 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#16 $
*/
#include <bsm/libbsm.h>
@@ -396,6 +396,46 @@ getacmin(int *min_val)
}
/*
+ * Return the desired trail rotation size from the audit control file.
+ */
+int
+getacfilesz(size_t *filesz_val)
+{
+ char *filesz, *dummy;
+ long long ll;
+
+ pthread_mutex_lock(&mutex);
+ setac_locked();
+ if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
+ pthread_mutex_unlock(&mutex);
+ return (-2);
+ }
+ if (filesz == NULL) {
+ pthread_mutex_unlock(&mutex);
+ errno = EINVAL;
+ return (1);
+ }
+ ll = strtoll(filesz, &dummy, 10);
+ if (*dummy != '\0') {
+ pthread_mutex_unlock(&mutex);
+ errno = EINVAL;
+ return (-1);
+ }
+ /*
+ * The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0
+ * indicates no rotation size.
+ */
+ if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
+ pthread_mutex_unlock(&mutex);
+ errno = EINVAL;
+ return (-1);
+ }
+ *filesz_val = ll;
+ pthread_mutex_unlock(&mutex);
+ return (0);
+}
+
+/*
* Return the system audit value from the audit contol file.
*/
int
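Review bot: getacfilesz() calls strtoll() without clearing errno or checking ERANGE, so an overflowing value saturates to LLONG_MAX, passes the minimum-size check, and is then narrowed into size_t on assignment; an empty value (`filesz:`) also passes, because `dummy == filesz` and `*dummy == '\0'` both hold and 0 is accepted as "no rotation". I would tighten the parse as below (SIZE_MAX needs <stdint.h>) and document the 1/-1/-2 return convention in au_control.3, since the only caller in this change just tests for non-zero.
```c
	errno = 0;
	ll = strtoll(filesz, &dummy, 10);
	/* Reject empty, trailing garbage, out-of-range and oversized values. */
	if (dummy == filesz || *dummy != '\0' || errno == ERANGE ||
	    ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE) ||
	    (unsigned long long)ll > SIZE_MAX) {
		pthread_mutex_unlock(&mutex);
		errno = EINVAL;
		return (-1);
	}
	*filesz_val = (size_t)ll;
```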
diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3
index 3d9aadd393e9..f87cf5574128 100644
--- a/contrib/openbsm/libbsm/libbsm.3
+++ b/contrib/openbsm/libbsm/libbsm.3
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $
.\"
.Dd April 19, 2005
.Dt LIBBSM 3
@@ -84,6 +84,7 @@ database:
.Xr endac 3 ,
.Xr setac 3 ,
.Xr getacdir 3 ,
+.Xr getacfilesz 3 ,
.Xr getacflg 3 ,
.Xr getacmin 3 ,
.Xr getacna 3 ,
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
index edd38bb72043..25cb2266822f 100644
--- a/contrib/openbsm/man/audit_control.5
+++ b/contrib/openbsm/man/audit_control.5
@@ -1,4 +1,5 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $
.\"
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
@@ -66,6 +67,12 @@ Not currently used as the value of 20 percent is chosen by the kernel.
.It Va policy
A list of global audit policy flags specifying various behaviors, such as
fail stop, auditing of paths and arguments, etc.
+.It Va filesz
+Maximum trail size in bytes; if set to a non-0 value, the audit daemon will
+rotate the audit trail file at around this size.
+Sizes less than the minimum trail size (default of 512K) will be rejected as
+invalid.
+If 0, trail files will not be automatically rotated based on file size.
.El
.Sh AUDIT FLAGS
Audit flags are a comma-delimited list of audit classes as defined in the
@@ -78,12 +85,14 @@ Event classes may be preceded by a prefix which changes their interpretation.
The following prefixes may be used for each class:
.Pp
.Bl -tag -width Ds -compact -offset indent
+.It (none)
+Record both successful and failed events
.It +
Record successful events
.It -
Record failed events
.It ^
-Record both successful and failed events
+Record neither successful nor failed events
.It ^+
Do not record successful events
.It ^-
@@ -146,6 +155,7 @@ flags:lo
minfree:20
naflags:lo
policy:cnt
+filesz:0
.Ed
.Pp
The
@@ -156,7 +166,8 @@ The
.Va policy
parameter specifies that the system should neither fail stop nor suspend
processes when the audit store fills.
-will be audited.
+The trail file will not be automatically rotated by the audit daemon based on
+file size.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_control