authorrwatson <rwatson@FreeBSD.org>2006-02-06 00:06:04 +0000
committerrwatson <rwatson@FreeBSD.org>2006-02-06 00:06:04 +0000
commit4fae3f6a4aec0b2ccf88592624f71ae94d961ef8 (patch)
treee76c45374f54ea0b5b6f2c7c99d9fe3f9579f64a /contrib/openbsm/bin
parent1aa0e1022d558bb98a589cb20d6941708ec3cd30 (diff)
Vendor branch import of OpenBSM 1.0 alpha 3:
- Man page formatting, cross reference, mlinks, and accuracy improvements. - auditd and tools now compile and run on FreeBSD/arm. - auditd will now fchown() the trail file to the audit review group, if defined at compile-time. - Added AUE_SYSARCH for FreeBSD. - Definition of AUE_SETFSGID fixed for Linux. Many thanks to: brueffer, cognet Obtained from: TrustedBSD Project
Diffstat (limited to 'contrib/openbsm/bin')
-rw-r--r--contrib/openbsm/bin/audit/audit.812
-rw-r--r--contrib/openbsm/bin/audit/audit.c4
-rw-r--r--contrib/openbsm/bin/auditd/auditd.813
-rw-r--r--contrib/openbsm/bin/auditd/auditd.c89
-rw-r--r--contrib/openbsm/bin/auditd/auditd.h9
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.111
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.c4
-rw-r--r--contrib/openbsm/bin/praudit/praudit.14
-rw-r--r--contrib/openbsm/bin/praudit/praudit.c4
9 files changed, 111 insertions, 39 deletions
diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8
index 4883826..1d490f5 100644
--- a/contrib/openbsm/bin/audit/audit.8
+++ b/contrib/openbsm/bin/audit/audit.8
@@ -29,9 +29,9 @@
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $
.\"
-.Dd Jan 24, 2004
+.Dd January 24, 2004
.Dt AUDIT 8
.Os
.Sh NAME
@@ -48,7 +48,7 @@ utility controls the state of the audit system.
The optional
.Ar file
operand specifies the location of the audit control input file (default
-.Pa /etc/security/audit_control ).
+.Pa /etc/security/audit_control ) .
.Pp
The options are as follows:
.Bl -tag -width Ds
@@ -65,15 +65,17 @@ Log files are closed
and renamed to indicate the time of the shutdown.
.El
.Sh NOTES
-The auditd(8) daemon must already be running.
+The
+.Xr auditd 8
+daemon must already be running.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
Default audit policy file used to configure the auditing system.
.El
.Sh SEE ALSO
+.Xr audit_control 5 ,
.Xr auditd 8
-.Xr audit_control 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
diff --git a/contrib/openbsm/bin/audit/audit.c b/contrib/openbsm/bin/audit/audit.c
index 7be9c8c..faf0a7e 100644
--- a/contrib/openbsm/bin/audit/audit.c
+++ b/contrib/openbsm/bin/audit/audit.c
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#4 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
@@ -65,7 +65,7 @@ usage(void)
int
main(int argc, char **argv)
{
- char ch;
+ int ch;
unsigned int trigger = 0;
if (argc != 2)
diff --git a/contrib/openbsm/bin/auditd/auditd.8 b/contrib/openbsm/bin/auditd/auditd.8
index 18515da..8f054c6 100644
--- a/contrib/openbsm/bin/auditd/auditd.8
+++ b/contrib/openbsm/bin/auditd/auditd.8
@@ -29,9 +29,9 @@
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#8 $
.\"
-.Dd Jan 24, 2004
+.Dd January 24, 2004
.Dt AUDITD 8
.Os
.Sh NAME
@@ -63,9 +63,14 @@ that may cause audit records to be lost due to log file full conditions
.Pp
To assure uninterrupted audit support, the
.Nm auditd
-daemon should not be started and stopped manually. Instead, the audit(1) command
+daemon should not be started and stopped manually.
+Instead, the
+.Xr audit 8
+command
should be used to inform the daemon to change state/configuration after altering
-the audit_control file.
+the
+.Pa audit_control
+file.
.Pp
.\" Sending a SIGHUP to a running
.\" .Nm auditd
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index b25c9ec..893e972 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#11 $
*/
#include <sys/dirent.h>
@@ -46,6 +46,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
@@ -171,6 +172,34 @@ close_lastfile(char *TS)
}
/*
+ * Create the new audit file with appropriate permissions and ownership. Try
+ * to clean up if something goes wrong.
+ */
+static int
+#ifdef AUDIT_REVIEW_GROUP
+open_trail(const char *fname, uid_t uid, gid_t gid)
+#else
+open_trail(const char *fname)
+#endif
+{
+ int error, fd;
+
+ fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+ if (fd < 0)
+ return (-1);
+#ifdef AUDIT_REVIEW_GROUP
+ if (fchown(fd, uid, gid) < 0) {
+ error = errno;
+ close(fd);
+ (void)unlink(fname);
+ errno = error;
+ return (-1);
+ }
+#endif
+ return (fd);
+}
+
+/*
* Create the new file name, swap with existing audit file.
*/
static int
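Review bot: `int error, fd;` in open_trail declares `error` unconditionally but only uses it inside the `#ifdef AUDIT_REVIEW_GROUP` block, so a build without the review group gets an unused-variable warning; declare it inside that block instead. The open at `fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);` has no O_EXCL, so if a file of the same name already exists the mode argument is ignored and that file, with whatever ownership and mode it already carries, is handed back as the new trail; the fchown failure path then unlinks the pre-existing file. If the caller's retry loop can cope with EEXIST, `O_RDONLY | O_CREAT | O_EXCL` would report the collision instead of silently reusing the file. Either way the header comment should say that the 0440 mode is applied only when the file is actually created.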
@@ -180,7 +209,12 @@ swap_audit_file(void)
char *fn;
char TS[POSTFIX_LEN];
struct dir_ent *dirent;
- int fd;
+#ifdef AUDIT_REVIEW_GROUP
+ struct group *grp;
+ gid_t gid;
+ uid_t uid;
+#endif
+ int error, fd;
if (getTSstr(TS, POSTFIX_LEN) != 0)
return (-1);
@@ -188,6 +222,22 @@ swap_audit_file(void)
strcpy(timestr, TS);
strcat(timestr, NOT_TERMINATED);
+#ifdef AUDIT_REVIEW_GROUP
+ /*
+ * XXXRW: Currently, this code falls back to the daemon gid, which is
+ * likely the wheel group. Is there a better way to deal with this?
+ */
+ grp = getgrnam(AUDIT_REVIEW_GROUP);
+ if (grp == NULL) {
+ syslog(LOG_INFO,
+ "Audit review group '%s' not available, using daemon gid",
+ AUDIT_REVIEW_GROUP);
+ gid = -1;
+ } else
+ gid = grp->gr_gid;
+ uid = getuid();
+#endif
+
/* Try until we succeed. */
while ((dirent = TAILQ_FIRST(&dir_q))) {
if ((fn = affixdir(timestr, dirent)) == NULL) {
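Review bot: The message `"Audit review group '%s' not available, using daemon gid"` and the XXXRW comment describe `gid = -1` as a fallback to the daemon's gid, but -1 makes fchown leave the group untouched, and on BSD a newly created file takes the group of its parent directory rather than the process gid, so the wording is likely inaccurate on the platform this import targets. A missing review group also changes who can read the trail, which deserves more than LOG_INFO; suggest `syslog(LOG_WARNING, "Audit review group '%s' not available, leaving trail group unchanged", AUDIT_REVIEW_GROUP);`. `uid = getuid();` is the daemon's real uid, which is normally already the owner of a file it has just created, so passing `(uid_t)-1` to fchown would make clear that only the group is meant to change. swap_audit_file begins and ends outside this hunk.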
@@ -201,20 +251,27 @@ swap_audit_file(void)
* kernel if all went well.
*/
syslog(LOG_INFO, "New audit file is %s\n", fn);
- fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+#ifdef AUDIT_REVIEW_GROUP
+ fd = open_trail(fn, uid, gid);
+#else
+ fd = open_trail(fn);
+#endif
if (fd < 0)
- perror("File open");
- else if (auditctl(fn) != 0) {
- syslog(LOG_ERR,
- "auditctl failed setting log file! : %s\n",
- strerror(errno));
- close(fd);
- } else {
- /* Success. */
- close_lastfile(TS);
- lastfile = fn;
- close(fd);
- return (0);
+ warn("open(%s)", fn);
+ if (fd >= 0) {
+ error = auditctl(fn);
+ if (error) {
+ syslog(LOG_ERR,
+ "auditctl failed setting log file! : %s\n",
+ strerror(errno));
+ close(fd);
+ } else {
+ /* Success. */
+ close_lastfile(TS);
+ lastfile = fn;
+ close(fd);
+ return (0);
+ }
}
/*
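Review bot: The new failure path `warn("open(%s)", fn);` reports to stderr while the adjacent auditctl failure and the success message go to syslog; once auditd has daemonized stderr is usually gone, so a trail that cannot be created or chowned leaves no trace in the log, the same blind spot the replaced perror() had. Suggest `syslog(LOG_ERR, "open(%s): %s", fn, strerror(errno));` there, which also removes the dependency on <err.h>, which this diff does not add to the include list (it may already be included above the hunk). The `if (fd < 0) ... if (fd >= 0) {` pair reads more naturally as an if/else. Note too that open_trail unlinks the trail when fchown fails, but a failed auditctl only closes it and leaves a 0440 file behind; if that asymmetry is intentional it deserves a comment. swap_audit_file continues outside this hunk.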
@@ -708,7 +765,7 @@ setup(void)
int
main(int argc, char **argv)
{
- char ch;
+ int ch;
int debug = 0;
int rc;
diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h
index e1731d9..bca6370 100644
--- a/contrib/openbsm/bin/auditd/auditd.h
+++ b/contrib/openbsm/bin/auditd/auditd.h
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#5 $
*/
#ifndef _AUDITD_H_
@@ -43,6 +43,13 @@
#define MAX_DIR_SIZE 255
#define AUDITD_NAME "auditd"
+/*
+ * If defined, then the audit daemon will attempt to chown newly created logs
+ * to this group. Otherwise, they will be the default for the user running
+ * auditd, likely the audit group.
+ */
+#define AUDIT_REVIEW_GROUP "audit"
+
#define POSTFIX_LEN 16
#define NOT_TERMINATED ".not_terminated"
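Review bot: The comment above `#define AUDIT_REVIEW_GROUP "audit"` says "If defined", but the definition is unconditional, so the chown behaviour the commit message calls a compile-time option cannot be disabled or overridden without editing this header; wrap it as `#ifndef AUDIT_REVIEW_GROUP` / `#define AUDIT_REVIEW_GROUP "audit"` / `#endif`, or reword the comment to say the group is always applied. The comment should also state the consequence for readers: members of this group are granted read access to every new trail (created 0440 in auditd.c), so the name must match the group the reviewers actually belong to.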
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
index 1ac2acd..9ae9726 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
.\"
-.Dd Jan 24, 2004
+.Dd January 24, 2004
.Dt AUDITREDUCE 1
.Os
.Sh NAME
@@ -124,7 +124,8 @@ Select records containing the given shared memory id.
.Sh Examples
.Pp
To select all records associated with effective user ID root from the audit
-log /var/audit/20031016184719.20031017122634:
+log
+.Pa /var/audit/20031016184719.20031017122634 :
.Pp
.Nm
-e root /var/audit/20031016184719.20031017122634
@@ -136,9 +137,9 @@ events from that log:
.Nm
-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
.Sh SEE ALSO
+.Xr praudit 1 ,
.Xr audit_control 5 ,
-.Xr audit_event 5 ,
-.Xr praudit 1
+.Xr audit_event 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c
index 8e6f245..63619b7 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.c
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#13 $
*/
/*
@@ -529,7 +529,7 @@ main(int argc, char **argv)
FILE *fp;
int i;
char *objval, *converr;
- char ch;
+ int ch;
char timestr[128];
char *fname;
diff --git a/contrib/openbsm/bin/praudit/praudit.1 b/contrib/openbsm/bin/praudit/praudit.1
index e994638..00cbfcd 100644
--- a/contrib/openbsm/bin/praudit/praudit.1
+++ b/contrib/openbsm/bin/praudit/praudit.1
@@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $
.\"
-.Dd Jan 24, 2004
+.Dd January 24, 2004
.Dt PRAUDIT 1
.Os
.Sh NAME
diff --git a/contrib/openbsm/bin/praudit/praudit.c b/contrib/openbsm/bin/praudit/praudit.c
index 920f6d4..e812f98 100644
--- a/contrib/openbsm/bin/praudit/praudit.c
+++ b/contrib/openbsm/bin/praudit/praudit.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#9 $
*/
/*
@@ -105,7 +105,7 @@ print_tokens(FILE *fp)
int
main(int argc, char **argv)
{
- char ch;
+ int ch;
int i;
FILE *fp;