author | rwatson <rwatson@FreeBSD.org> | 2006-09-02 09:37:14 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2006-09-02 09:37:14 +0000 |
commit | 24713adf4396d925450ece7ee61082d0bed8b75a (patch) | |
tree | 3da41d520353ce92b4e87e3e00d9beafbe0899be /contrib/openbsm/bin | |
parent | 7dd78d9e529d87caf67146dbac9a4fdd3e2d8aeb (diff) | |
Vendor import of OpenBSM 1.0 alpha 10, with the following changes:
- auditd now generates complete audit records for its events, as required for
application-submitted audit records in the FreeBSD kernel audit
implementation.
This also restores contrib/openbsm/bsm/audit_record to the vendor version
after the build fixes previously committed; however, this file is not used
in the build.
Obtained from: TrustedBSD Project
Diffstat (limited to 'contrib/openbsm/bin')
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index 3996081..838424e 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#17 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#18 $
  */
 
 #include <sys/types.h>
@@ -366,6 +366,7 @@ read_control_file(void)
 static int
 close_all(void)
 {
+	struct auditinfo ai;
 	int err_ret = 0;
 	char TS[POSTFIX_LEN];
 	int aufd;
@@ -378,6 +379,17 @@ close_all(void)
 	else {
 		if ((tok = au_to_text("auditd::Audit shutdown")) != NULL)
 			au_write(aufd, tok);
+		/*
+		 * XXX we need to implement extended subject tokens so we can
+		 * effectively represent terminal lines with this token type.
+		 */
+		bzero(&ai, sizeof(ai));
+		if ((tok = au_to_subject32(getuid(), geteuid(), getegid(),
+		    getuid(), getgid(), getpid(), getpid(), &ai.ai_termid))
+		    != NULL)
+			au_write(aufd, tok);
+		if ((tok = au_to_return32(0, 0)) != NULL)
+			au_write(aufd, tok);
 		if (au_close(aufd, 1, AUE_audit_shutdown) == -1)
 			syslog(LOG_ERR, "Could not close audit shutdown event.");
@@ -745,6 +757,7 @@ config_audit_controls(void)
 static void
 setup(void)
 {
+	struct auditinfo ai;
 	auditinfo_t auinfo;
 	int aufd;
 	token_t *tok;
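Review bot: The subject token in close_all() is written after the text token, whereas the setup() hunk on the following line writes the subject token before the text token; the two records should share one token order, so in close_all() the `bzero(&ai, sizeof(ai));` / `au_to_subject32(...)` sequence should be moved ahead of the `au_to_text("auditd::Audit shutdown")` call. In both hunks the subject token is built from getuid() as the audit id, getpid() as the session id and an all-zero `ai_termid`, so the record does not reflect the process's real audit state; if the daemon's own auditinfo is populated (setup() declares `auditinfo_t auinfo`, but its use lies outside the hunk), `auinfo.ai_auid`, `auinfo.ai_asid` and `&auinfo.ai_termid` would be the more accurate source for analysts correlating these events. The `au_to_return32(0, 0)` in close_all() reports success unconditionally even though the function keeps `err_ret` to track shutdown failures; either emit the return token once the outcome is known or add `/* return token covers the audit record itself, not the overall shutdown result */` above it. The return values of the au_write() calls are also discarded, so a partially written record is not reported. Both close_all() and setup() continue outside the hunk.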
@@ -781,8 +794,20 @@ setup(void)
 	if ((aufd = au_open()) == -1)
 		syslog(LOG_ERR, "Could not create audit startup event.");
 	else {
+		/*
+		 * XXXCSJP Perhaps we wan't more robust audit records for
+		 * audit start up and shutdown. This might include capturing
+		 * failures to initialize the audit subsystem?
+		 */
+		bzero(&ai, sizeof(ai));
+		if ((tok = au_to_subject32(getuid(), geteuid(), getegid(),
+		    getuid(), getgid(), getpid(), getpid(), &ai.ai_termid))
+		    != NULL)
+			au_write(aufd, tok);
 		if ((tok = au_to_text("auditd::Audit startup")) != NULL)
 			au_write(aufd, tok);
+		if ((tok = au_to_return32(0, 0)) != NULL)
+			au_write(aufd, tok);
 		if (au_close(aufd, 1, AUE_audit_startup) == -1)
 			syslog(LOG_ERR, "Could not close audit startup event.");