diff options
author | Robert Watson <rwatson@FreeBSD.org> | 2006-09-25 11:40:29 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2006-09-25 11:40:29 +0000 |
commit | b3a9bf4df772eb9bf50acac77ca489ddf8d4439e (patch) | |
tree | ec3ed648a8c1097bbf1c7c5b4c1e94ccabcdc506 /contrib | |
parent | 6b31d3f79dd99fc580d8ba0e6faa34f43886ea6f (diff) | |
parent | 4bd0c025f38ae20e2ec54bfbe3f11a0847e87ffb (diff) | |
download | src-b3a9bf4df772eb9bf50acac77ca489ddf8d4439e.tar.gz src-b3a9bf4df772eb9bf50acac77ca489ddf8d4439e.zip |
This commit was generated by cvs2svn to compensate for changes in r162621,
which included commits to RCS files with non-trunk default branches.
Notes
Notes:
svn path=/head/; revision=162622
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/openbsm/HISTORY | 23 | ||||
-rw-r--r-- | contrib/openbsm/TODO | 7 | ||||
-rw-r--r-- | contrib/openbsm/VERSION | 2 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/audit_warn.c | 17 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.c | 19 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.h | 4 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.1 | 43 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.c | 120 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.h | 9 | ||||
-rw-r--r-- | contrib/openbsm/bsm/libbsm.h | 4 | ||||
-rwxr-xr-x | contrib/openbsm/configure | 22 | ||||
-rw-r--r-- | contrib/openbsm/configure.ac | 4 | ||||
-rw-r--r-- | contrib/openbsm/libbsm/au_control.3 | 11 | ||||
-rw-r--r-- | contrib/openbsm/libbsm/bsm_control.c | 42 | ||||
-rw-r--r-- | contrib/openbsm/libbsm/libbsm.3 | 3 | ||||
-rw-r--r-- | contrib/openbsm/man/audit_control.5 | 17 |
16 files changed, 290 insertions, 57 deletions
diff --git a/contrib/openbsm/HISTORY b/contrib/openbsm/HISTORY index e9093001a557..0b44df261e08 100644 --- a/contrib/openbsm/HISTORY +++ b/contrib/openbsm/HISTORY @@ -1,3 +1,24 @@ +OpenBSM 1.0 alpha 12 + +- Correct bug in auditreduce which prevented the -c option from working + correctly when the user specifies to process successful or failed events. + The problem stemmed from not having access to the return token at the time + the initial preselection occurred, but now a second preselection process + occurs while processing the return token. +- getacfilesz(3) API added to read new audit_control(5) filesz setting, + which auditd(8) now sets the kernel audit trail rotation size to. +- auditreduce(1) now uses stdin if no file names are specified on the command + line; this was the documented behavior previously, but it was not + implemented. Be more specific in auditreduce(1)'s examples section about + what might be done with the output of auditreduce. +- Add audit_warn(5) closefile event so that administrators can hook + termination of an audit trail file. For example, this might be used to + compress the trail file after it is closed. +- auditreduce(1) now uses regular expressions for pathname matching. Users can + now supply one or more (comma delimited) regular expressions for searching + the pathnames. If one of the regular expressions is prefixed with a tilde + (~), and a path matches, it will be excluded from the search results. + OpenBSM 1.0 alpha 11 - Reclassify certain read/write operations as having no class rather than the @@ -243,4 +264,4 @@ OpenBSM 1.0 alpha 1 to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/HISTORY#33 $ +$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $ diff --git a/contrib/openbsm/TODO b/contrib/openbsm/TODO index 5e0b9c3ae318..696974340819 100644 --- a/contrib/openbsm/TODO +++ b/contrib/openbsm/TODO @@ -17,10 +17,7 @@ just at the beginning of a record. This will make it easier to use praudit in test suites processing single-token files without header and trailer context. -- Teach auditd how to notify a script when it is done with trail files so - that the script can archive them, compress them, delete them, whatever. - It should walk any trail files found at startup also, assuming it - successfully registers. - Put hostname in trail file name. +- Document audit_warn event arguments. -$P4: //depot/projects/trustedbsd/openbsm/TODO#7 $ +$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $ diff --git a/contrib/openbsm/VERSION b/contrib/openbsm/VERSION index 12b10e099a6e..b27583b27697 100644 --- a/contrib/openbsm/VERSION +++ b/contrib/openbsm/VERSION @@ -1 +1 @@ -OPENBSM_1_0_ALPHA_11 +OPENBSM_1_0_ALPHA_12 diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c index 7fa5eb927254..3239b67c7e3e 100644 --- a/contrib/openbsm/bin/auditd/audit_warn.c +++ b/contrib/openbsm/bin/auditd/audit_warn.c @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#7 $ */ #include <sys/types.h> @@ -125,6 +125,21 @@ audit_warn_auditoff(void) } /* + * Indicate that a trail file has been closed, so can now be post-processed. + */ +int +audit_warn_closefile(char *filename) +{ + char *args[3]; + + args[0] = CLOSEFILE_WARN; + args[1] = filename; + args[2] = NULL; + + return (auditwarnlog(args)); +} + +/* * Indicates that the audit deammn is already running */ int diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c index 86cf2335c28f..7ca2123bdb56 100644 --- a/contrib/openbsm/bin/auditd/auditd.c +++ b/contrib/openbsm/bin/auditd/auditd.c @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#21 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $ */ #include <sys/types.h> @@ -163,9 +163,11 @@ close_lastfile(char *TS) syslog(LOG_ERR, "Could not rename %s to %s: %m", oldname, lastfile); - else + else { syslog(LOG_INFO, "renamed %s to %s", oldname, lastfile); + audit_warn_closefile(lastfile); + } } free(lastfile); free(oldname); @@ -727,6 +729,8 @@ config_audit_controls(void) char naeventstr[NA_EVENT_STR_SIZE]; char polstr[POL_STR_SIZE]; long policy; + au_fstat_t au_fstat; + size_t filesz; /* * Process the audit event file, obtaining a class mapping for each @@ -806,6 +810,17 @@ config_audit_controls(void) "Failed to set default audit policy: %m"); } + /* + * Set trail rotation size. + */ + if (getacfilesz(&filesz) == 0) { + bzero(&au_fstat, sizeof(au_fstat)); + au_fstat.af_filesz = filesz; + if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0) + syslog(LOG_ERR, "Failed to set filesz: %m"); + } else + syslog(LOG_ERR, "Failed to obtain filesz: %m"); + return (0); } diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h index 11bf9d4ce176..9c5ae287c17b 100644 --- a/contrib/openbsm/bin/auditd/auditd.h +++ b/contrib/openbsm/bin/auditd/auditd.h @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#7 $ */ #ifndef _AUDITD_H_ @@ -62,6 +62,7 @@ struct dir_ent { #define HARDLIM_ALL_WARN "allhard" #define SOFTLIM_ALL_WARN "allsoft" #define AUDITOFF_WARN "auditoff" +#define CLOSEFILE_WARN "closefile" #define EBUSY_WARN "ebusy" #define GETACDIR_WARN "getacdir" #define HARDLIM_WARN "hard" @@ -76,6 +77,7 @@ struct dir_ent { int audit_warn_allhard(int count); int audit_warn_allsoft(void); int audit_warn_auditoff(void); +int audit_warn_closefile(char *filename); int audit_warn_ebusy(void); int audit_warn_getacdir(char *filename); int audit_warn_hard(char *filename); diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1 index 9ae97263aa64..f590e35f0717 100644 --- a/contrib/openbsm/bin/auditreduce/auditreduce.1 +++ b/contrib/openbsm/bin/auditreduce/auditreduce.1 @@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $ .\" .Dd January 24, 2004 .Dt AUDITREDUCE 1 @@ -105,12 +105,17 @@ for a description of audit event names and numbers. .It Fl o Ar object=value .Bl -tag -width Ds .It Nm file -Select records containing the given path name. -file="/usr" matches paths -starting with -.Pa usr . -file="~/usr" matches paths not starting with -.Pa usr . +Select records containing path tokens, where the pathname matches +one of the comma delimited extended regular expression contained in +given specification. +Regular expressions which are prefixed with a tilde (~) are excluded +from the search results. +These extended regular expressions are processed from left to right, +and a path will either be selected or deslected based on the first match. +.Pp +Since commas are used to delimit the regular expressions, a backslash (\\) +character should be used to escape the comma if it's a part of the search +pattern. .It Nm msgqid Select records containing the given message queue id. .It Nm pid @@ -136,6 +141,30 @@ events from that log: .Pp .Nm -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Pp +Output from the above command lines will typically be piped to a new trail +file, or via standard output to the +.Xr praudit 1 +command. +.Pp +Select all records containing a path token where the pathname contains +.Pa /etc/master.passwd +.Pp +.Nm +-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634 +.Pp +Select all records containing path tokens, where the pathname is a TTY +device: +.Pp +.Nm +-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 +.Pp +Select all records containing path tokens, where the pathname is a TTY +except for +.Pa /dev/ttyp2 +.Pp +.Nm +-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 .Sh SEE ALSO .Xr praudit 1 , .Xr audit_control 5 , diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c index 25a14ff453a5..31bd8922e41c 100644 --- a/contrib/openbsm/bin/auditreduce/auditreduce.c +++ b/contrib/openbsm/bin/auditreduce/auditreduce.c @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#14 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#18 $ */ /* @@ -40,6 +40,13 @@ * XXX the records present within the file and between the files themselves */ +#include <config/config.h> +#ifdef HAVE_FULL_QUEUE_H +#include <sys/queue.h> +#else +#include <compat/queue.h> +#endif + #include <bsm/libbsm.h> #include <err.h> @@ -51,9 +58,14 @@ #include <string.h> #include <time.h> #include <unistd.h> +#include <regex.h> +#include <errno.h> #include "auditreduce.h" +static TAILQ_HEAD(tailhead, re_entry) re_head = + TAILQ_HEAD_INITIALIZER(re_head); + extern char *optarg; extern int optind, optopt, opterr,optreset; @@ -81,10 +93,57 @@ static char *p_sockobj = NULL; static uint32_t opttochk = 0; static void +parse_regexp(char *re_string) +{ + char *orig, *copy, re_error[64]; + struct re_entry *rep; + int error, nstrs, i, len; + + copy = strdup(re_string); + orig = copy; + len = strlen(copy); + for (nstrs = 0, i = 0; i < len; i++) { + if (copy[i] == ',' && i > 0) { + if (copy[i - 1] == '\\') + strcpy(©[i - 1], ©[i]); + else { + nstrs++; + copy[i] = '\0'; + } + } + } + TAILQ_INIT(&re_head); + for (i = 0; i < nstrs + 1; i++) { + rep = calloc(1, sizeof(*rep)); + if (rep == NULL) { + (void) fprintf(stderr, "calloc: %s\n", + strerror(errno)); + exit(1); + } + if (*copy == '~') { + copy++; + rep->re_negate = 1; + } + rep->re_pattern = strdup(copy); + error = regcomp(&rep->re_regexp, rep->re_pattern, + REG_EXTENDED | REG_NOSUB); + if (error != 0) { + regerror(error, &rep->re_regexp, re_error, 64); + (void) fprintf(stderr, "regcomp: %s\n", re_error); + exit(1); + } + TAILQ_INSERT_TAIL(&re_head, rep, re_glue); + len = strlen(copy); + copy += len + 1; + } + free(orig); +} + +static void usage(const char *msg) { fprintf(stderr, "%s\n", msg); - fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n"); + fprintf(stderr, "Usage: auditreduce [options] [file ...]\n"); fprintf(stderr, "\tOptions are : \n"); fprintf(stderr, "\t-A : all records\n"); fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n"); @@ -258,23 +317,20 @@ select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd) static int select_filepath(char *path, uint32_t *optchkd) { - char *loc; + struct re_entry *rep; + int match; SETOPT((*optchkd), OPT_of); + match = 1; if (ISOPTSET(opttochk, OPT_of)) { - if (p_fileobj[0] == '~') { - /* Object should not be in path. */ - loc = strstr(path, p_fileobj + 1); - if ((loc != NULL) && (loc == path)) - return (0); - } else { - /* Object should be in path. */ - loc = strstr(path, p_fileobj); - if ((loc == NULL) || (loc != path)) - return (0); + match = 0; + TAILQ_FOREACH(rep, &re_head, re_glue) { + if (regexec(&rep->re_regexp, path, 0, NULL, + 0) != REG_NOMATCH) + return (!rep->re_negate); } } - return (1); + return (match); } /* @@ -328,6 +384,24 @@ select_hdr32(tokenstr_t tok, uint32_t *optchkd) return (1); } +static int +select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd) +{ + int sorf; + + SETOPT((*optchkd), (OPT_c)); + if (tok_ret32.tt.ret32.status == 0) + sorf = AU_PRS_SUCCESS; + else + sorf = AU_PRS_FAILURE; + if (ISOPTSET(opttochk, OPT_c)) { + if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf, + AU_PRS_USECACHE) != 1) + return (0); + } + return (1); +} + /* * Return 1 if checks for the the following succeed * auid, @@ -395,6 +469,7 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd) static int select_records(FILE *fp) { + tokenstr_t tok_hdr32_copy; u_char *buf; tokenstr_t tok; int reclen; @@ -423,6 +498,8 @@ select_records(FILE *fp) case AU_HEADER_32_TOKEN: selected = select_hdr32(tok, &optchkd); + bcopy(&tok, &tok_hdr32_copy, + sizeof(tok)); break; case AU_PROCESS_32_TOKEN: @@ -451,6 +528,11 @@ select_records(FILE *fp) tok.tt.path.path, &optchkd); break; + case AU_RETURN_32_TOKEN: + selected = select_return32(tok, + tok_hdr32_copy, &optchkd); + break; + /* * The following tokens dont have any relevant * attributes that we can select upon. @@ -465,7 +547,6 @@ select_records(FILE *fp) case AU_IPCPERM_TOKEN: case AU_IPORT_TOKEN: case AU_OPAQUE_TOKEN: - case AU_RETURN_32_TOKEN: case AU_SEQ_TOKEN: case AU_TEXT_TOKEN: case AU_ARB_TOKEN: @@ -500,6 +581,7 @@ parse_object_type(char *name, char *val) if (!strcmp(name, FILEOBJ)) { p_fileobj = val; + parse_regexp(val); SETOPT(opttochk, OPT_of); } else if (!strcmp(name, MSGQIDOBJ)) { p_msgqobj = val; @@ -679,8 +761,12 @@ main(int argc, char **argv) argv += optind; argc -= optind; - if (argc == 0) - usage("Filename needed"); + if (argc == 0) { + if (select_records(stdin) == -1) + errx(EXIT_FAILURE, + "Couldn't select records from stdin"); + exit(EXIT_SUCCESS); + } /* * XXX: We should actually be merging records here. diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h index 698e27605b0f..f69dc16f8389 100644 --- a/contrib/openbsm/bin/auditreduce/auditreduce.h +++ b/contrib/openbsm/bin/auditreduce/auditreduce.h @@ -26,13 +26,20 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $ */ #ifndef _AUDITREDUCE_H_ #define _AUDITREDUCE_H_ +struct re_entry { + char *re_pattern; + int re_negate; + regex_t re_regexp; + TAILQ_ENTRY(re_entry) re_glue; +}; + #define OPT_a 0x00000001 #define OPT_b 0x00000002 #define OPT_c 0x00000004 diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h index 34d9dbc062f0..2d76c3993317 100644 --- a/contrib/openbsm/bsm/libbsm.h +++ b/contrib/openbsm/bsm/libbsm.h @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $ */ #ifndef _LIBBSM_H_ @@ -78,6 +78,7 @@ #define DIR_CONTROL_ENTRY "dir" #define MINFREE_CONTROL_ENTRY "minfree" +#define FILESZ_CONTROL_ENTRY "filesz" #define FLAGS_CONTROL_ENTRY "flags" #define NA_CONTROL_ENTRY "naflags" #define POLICY_CONTROL_ENTRY "policy" @@ -719,6 +720,7 @@ void setac(void); void endac(void); int getacdir(char *name, int len); int getacmin(int *min_val); +int getacfilesz(size_t *size_val); int getacflg(char *auditstr, int len); int getacna(char *auditstr, int len); int getacpol(char *auditstr, size_t len); diff --git a/contrib/openbsm/configure b/contrib/openbsm/configure index 26af770f4151..d680c434032a 100755 --- a/contrib/openbsm/configure +++ b/contrib/openbsm/configure @@ -1,7 +1,7 @@ #! /bin/sh -# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 . +# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11. +# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12. # # Report bugs to <trustedbsd-audit@TrustesdBSD.org>. # @@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='OpenBSM' PACKAGE_TARNAME='openbsm' -PACKAGE_VERSION='1.0a11' -PACKAGE_STRING='OpenBSM 1.0a11' +PACKAGE_VERSION='1.0a12' +PACKAGE_STRING='OpenBSM 1.0a12' PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org' ac_unique_file="bin/auditreduce/auditreduce.c" @@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems. +\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1021,7 +1021,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenBSM 1.0a11:";; + short | recursive ) echo "Configuration of OpenBSM 1.0a12:";; esac cat <<\_ACEOF @@ -1162,7 +1162,7 @@ fi test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -OpenBSM configure 1.0a11 +OpenBSM configure 1.0a12 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. @@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenBSM $as_me 1.0a11, which was +It was created by OpenBSM $as_me 1.0a12, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ @@ -19278,7 +19278,7 @@ fi # Define the identity of the package. PACKAGE=OpenBSM - VERSION=1.0a11 + VERSION=1.0a12 cat >>confdefs.h <<_ACEOF @@ -23479,7 +23479,7 @@ _ASBOX } >&5 cat >&5 <<_CSEOF -This file was extended by OpenBSM $as_me 1.0a11, which was +This file was extended by OpenBSM $as_me 1.0a12, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23542,7 +23542,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -OpenBSM config.status 1.0a11 +OpenBSM config.status 1.0a12 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" diff --git a/contrib/openbsm/configure.ac b/contrib/openbsm/configure.ac index 8547245c0e44..a8428f97f282 100644 --- a/contrib/openbsm/configure.ac +++ b/contrib/openbsm/configure.ac @@ -2,8 +2,8 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) -AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) -AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 $]) +AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) +AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 $]) AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c]) AC_CONFIG_AUX_DIR(config) AC_CONFIG_HEADER([config/config.h]) diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3 index 00a551eed2d9..0985825f4113 100644 --- a/contrib/openbsm/libbsm/au_control.3 +++ b/contrib/openbsm/libbsm/au_control.3 @@ -1,5 +1,5 @@ .\"- -.\" Copyright (c) 2005 Robert N. M. Watson +.\" Copyright (c) 2005-2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#4 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $ .\" .Dd April 19, 2005 .Dt AU_CONTROL 3 @@ -33,6 +33,7 @@ .Nm endac , .Nm getacdir , .Nm getacmin , +.Nm getacfilesz , .Nm getacflg , .Nm getacna , .Nm getacpol , @@ -52,6 +53,8 @@ .Ft int .Fn getacmin "int *min_val" .Ft int +.Fn getacfilesz "size_t *size_val" +.Ft int .Fn getacflg "char *auditstr" "int len" .Ft int .Fn getacna "char *auditstr" "int len" @@ -88,6 +91,10 @@ the passed .Va min_val variable. .Pp +.Fn getacfilesz +returns the audit trail rotation size in the passed size_t buffer +.Fa size_val . +.Pp .Fn getacflg returns the audit system flags via the the passed character buffer .Va auditstr diff --git a/contrib/openbsm/libbsm/bsm_control.c b/contrib/openbsm/libbsm/bsm_control.c index ba643b2b9fde..dd901b76ca36 100644 --- a/contrib/openbsm/libbsm/bsm_control.c +++ b/contrib/openbsm/libbsm/bsm_control.c @@ -27,7 +27,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#15 $ + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#16 $ */ #include <bsm/libbsm.h> @@ -396,6 +396,46 @@ getacmin(int *min_val) } /* + * Return the desired trail rotation size from the audit control file. + */ +int +getacfilesz(size_t *filesz_val) +{ + char *filesz, *dummy; + long long ll; + + pthread_mutex_lock(&mutex); + setac_locked(); + if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) { + pthread_mutex_unlock(&mutex); + return (-2); + } + if (filesz == NULL) { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (1); + } + ll = strtoll(filesz, &dummy, 10); + if (*dummy != '\0') { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (-1); + } + /* + * The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0 + * indicates no rotation size. + */ + if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (-1); + } + *filesz_val = ll; + pthread_mutex_unlock(&mutex); + return (0); +} + +/* * Return the system audit value from the audit contol file. */ int diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3 index 3d9aadd393e9..f87cf5574128 100644 --- a/contrib/openbsm/libbsm/libbsm.3 +++ b/contrib/openbsm/libbsm/libbsm.3 @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#7 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $ .\" .Dd April 19, 2005 .Dt LIBBSM 3 @@ -84,6 +84,7 @@ database: .Xr endac 3 , .Xr setac 3 , .Xr getacdir 3 , +.Xr getacfilesz 3 , .Xr getacflg 3 , .Xr getacmin 3 , .Xr getacna 3 , diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5 index edd38bb72043..25cb2266822f 100644 --- a/contrib/openbsm/man/audit_control.5 +++ b/contrib/openbsm/man/audit_control.5 @@ -1,4 +1,5 @@ .\" Copyright (c) 2004 Apple Computer, Inc. +.\" Copyright (c) 2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -25,7 +26,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#11 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $ .\" .Dd January 4, 2006 .Dt AUDIT_CONTROL 5 @@ -66,6 +67,12 @@ Not currently used as the value of 20 percent is chosen by the kernel. .It Va policy A list of global audit policy flags specifying various behaviors, such as fail stop, auditing of paths and arguments, etc. +.It Va filesz +Maximum trail size in bytes; if set to a non-0 value, the audit daemon will +rotate the audit trail file at around this size. +Sizes less than the minimum trail size (default of 512K) will be rejected as +invalid. +If 0, trail files will not be automatically rotated based on file size. .El .Sh AUDIT FLAGS Audit flags are a comma-delimited list of audit classes as defined in the @@ -78,12 +85,14 @@ Event classes may be preceded by a prefix which changes their interpretation. The following prefixes may be used for each class: .Pp .Bl -tag -width Ds -compact -offset indent +.It (none) +Record both successful and failed events .It + Record successful events .It - Record failed events .It ^ -Record both successful and failed events +Record neither successful nor failed events .It ^+ Do not record successful events .It ^- @@ -146,6 +155,7 @@ flags:lo minfree:20 naflags:lo policy:cnt +filesz:0 .Ed .Pp The @@ -156,7 +166,8 @@ The .Va policy parameter specifies that the system should neither fail stop nor suspend processes when the audit store fills. -will be audited. +The trail file will not be automatically rotated by the audit daemon based on +file size. .Sh FILES .Bl -tag -width "/etc/security/audit_control" -compact .It Pa /etc/security/audit_control |