author | rwatson <rwatson@FreeBSD.org> | 2006-09-25 11:40:29 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-09-25 11:40:29 +0000 |
commit | 3ea1855f4d5e663b647ad481266289733547a266 (patch) | |
tree | ec3ed648a8c1097bbf1c7c5b4c1e94ccabcdc506 /contrib/openbsm/bin | |
parent | bb20bc75993eaf712477b0dc714a3fb4aca2fab0 (diff) | |
parent | 6b46b736cc84f6697b21608e304026e847ac155d (diff) | |
This commit was generated by cvs2svn to compensate for changes in r162621,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib/openbsm/bin')
-rw-r--r-- | contrib/openbsm/bin/auditd/audit_warn.c | 17 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.c | 19 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.h | 4 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.1 | 43 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.c | 120 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.h | 9 |
6 files changed, 183 insertions, 29 deletions
diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c
index 7fa5eb9..3239b67 100644
--- a/contrib/openbsm/bin/auditd/audit_warn.c
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
@@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#7 $
 */
 #include <sys/types.h>
@@ -125,6 +125,21 @@ audit_warn_auditoff(void)
 }
 /*
+ * Indicate that a trail file has been closed, so can now be post-processed.
+ */
+int
+audit_warn_closefile(char *filename)
+{
+ char *args[3];
+
+ args[0] = CLOSEFILE_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
 * Indicates that the audit deammn is already running
 */
 int
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index 86cf233..7ca2123 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#21 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
 */
 #include <sys/types.h>
@@ -163,9 +163,11 @@ close_lastfile(char *TS)
 syslog(LOG_ERR, "Could not rename %s to %s: %m", oldname, lastfile);
- else
+ else {
 syslog(LOG_INFO, "renamed %s to %s", oldname, lastfile);
+ audit_warn_closefile(lastfile);
+ }
 }
 free(lastfile);
 free(oldname);
@@ -727,6 +729,8 @@ config_audit_controls(void)
 char naeventstr[NA_EVENT_STR_SIZE];
 char polstr[POL_STR_SIZE];
 long policy;
+ au_fstat_t au_fstat;
+ size_t filesz;
 /*
 * Process the audit event file, obtaining a class mapping for each
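Review bot: In close_lastfile() the new `audit_warn_closefile(lastfile);` discards the status that audit_warn_closefile() returns from auditwarnlog(), so a failure to run the closefile hook is never reported, while the rename a few lines above is logged on both outcomes. If that return value signals failure (auditwarnlog()'s contract is not visible here), log it: `if (audit_warn_closefile(lastfile) != 0) syslog(LOG_WARNING, "audit_warn closefile hook failed for %s", lastfile);`. close_lastfile() begins and ends outside the hunk.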
@@ -806,6 +810,17 @@ config_audit_controls(void)
 "Failed to set default audit policy: %m");
 }
+ /*
+ * Set trail rotation size.
+ */
+ if (getacfilesz(&filesz) == 0) {
+ bzero(&au_fstat, sizeof(au_fstat));
+ au_fstat.af_filesz = filesz;
+ if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0)
+ syslog(LOG_ERR, "Failed to set filesz: %m");
+ } else
+ syslog(LOG_ERR, "Failed to obtain filesz: %m");
+
 return (0);
 }
diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h
index 11bf9d4..9c5ae28 100644
--- a/contrib/openbsm/bin/auditd/auditd.h
+++ b/contrib/openbsm/bin/auditd/auditd.h
@@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#7 $
 */
 #ifndef _AUDITD_H_
@@ -62,6 +62,7 @@ struct dir_ent {
 #define HARDLIM_ALL_WARN "allhard"
 #define SOFTLIM_ALL_WARN "allsoft"
 #define AUDITOFF_WARN "auditoff"
+#define CLOSEFILE_WARN "closefile"
 #define EBUSY_WARN "ebusy"
 #define GETACDIR_WARN "getacdir"
 #define HARDLIM_WARN "hard"
@@ -76,6 +77,7 @@ struct dir_ent {
 int audit_warn_allhard(int count);
 int audit_warn_allsoft(void);
 int audit_warn_auditoff(void);
+int audit_warn_closefile(char *filename);
 int audit_warn_ebusy(void);
 int audit_warn_getacdir(char *filename);
 int audit_warn_hard(char *filename);
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
index 9ae9726..f590e35 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
 .\"
 .Dd January 24, 2004
 .Dt AUDITREDUCE 1
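Review bot: `syslog(LOG_ERR, "Failed to obtain filesz: %m");` assumes getacfilesz() leaves a meaningful errno, but if it fails because audit_control simply has no filesz entry or the value does not parse (its contract is not visible here), `%m` prints whatever errno an earlier call left behind, and an unconfigured entry is reported as an error on every reload. Confirm how getacfilesz() reports "not configured"; if it distinguishes that case, handle it separately and reserve LOG_ERR plus `%m` for real failures. Note also that on that path no auditon(A_SETFSIZE) call is made, so a previously configured kernel rotation size stays in effect after the entry is removed; if that is intended, a one-line comment above the `if` should say so. config_audit_controls() begins outside the hunk.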
@@ -105,12 +105,17 @@ for a description of audit event names and numbers.
 .It Fl o Ar object=value
 .Bl -tag -width Ds
 .It Nm file
-Select records containing the given path name.
-file="/usr" matches paths
-starting with
-.Pa usr .
-file="~/usr" matches paths not starting with
-.Pa usr .
+Select records containing path tokens, where the pathname matches
+one of the comma delimited extended regular expression contained in
+given specification.
+Regular expressions which are prefixed with a tilde (~) are excluded
+from the search results.
+These extended regular expressions are processed from left to right,
+and a path will either be selected or deslected based on the first match.
+.Pp
+Since commas are used to delimit the regular expressions, a backslash (\\)
+character should be used to escape the comma if it's a part of the search
+pattern.
 .It Nm msgqid
 Select records containing the given message queue id.
 .It Nm pid
@@ -136,6 +141,30 @@ events from that log:
 .Pp
 .Nm
 -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Pp
+Output from the above command lines will typically be piped to a new trail
+file, or via standard output to the
+.Xr praudit 1
+command.
+.Pp
+Select all records containing a path token where the pathname contains
+.Pa /etc/master.passwd
+.Pp
+.Nm
+-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+device:
+.Pp
+.Nm
+-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+except for
+.Pa /dev/ttyp2
+.Pp
+.Nm
+-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
 .Sh SEE ALSO
 .Xr praudit 1 ,
 .Xr audit_control 5 ,
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c
index 25a14ff..31bd892 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.c
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.c
@@ -26,7 +26,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#14 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#18 $
 */
 /*
@@ -40,6 +40,13 @@
 * XXX the records present within the file and between the files themselves
 */
+#include <config/config.h>
+#ifdef HAVE_FULL_QUEUE_H
+#include <sys/queue.h>
+#else
+#include <compat/queue.h>
+#endif
+
 #include <bsm/libbsm.h>
 #include <err.h>
@@ -51,9 +58,14 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
+#include <regex.h>
+#include <errno.h>
 #include "auditreduce.h"
+static TAILQ_HEAD(tailhead, re_entry) re_head =
+ TAILQ_HEAD_INITIALIZER(re_head);
+
 extern char *optarg;
 extern int optind, optopt, opterr,optreset;
@@ -81,10 +93,57 @@ static char *p_sockobj = NULL;
 static uint32_t opttochk = 0;
 static void
+parse_regexp(char *re_string)
+{
+ char *orig, *copy, re_error[64];
+ struct re_entry *rep;
+ int error, nstrs, i, len;
+
+ copy = strdup(re_string);
+ orig = copy;
+ len = strlen(copy);
+ for (nstrs = 0, i = 0; i < len; i++) {
+ if (copy[i] == ',' && i > 0) {
+ if (copy[i - 1] == '\\')
+ strcpy(©[i - 1], ©[i]);
+ else {
+ nstrs++;
+ copy[i] = '\0';
+ }
+ }
+ }
+ TAILQ_INIT(&re_head);
+ for (i = 0; i < nstrs + 1; i++) {
+ rep = calloc(1, sizeof(*rep));
+ if (rep == NULL) {
+ (void) fprintf(stderr, "calloc: %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (*copy == '~') {
+ copy++;
+ rep->re_negate = 1;
+ }
+ rep->re_pattern = strdup(copy);
+ error = regcomp(&rep->re_regexp, rep->re_pattern,
+ REG_EXTENDED | REG_NOSUB);
+ if (error != 0) {
+ regerror(error, &rep->re_regexp, re_error, 64);
+ (void) fprintf(stderr, "regcomp: %s\n", re_error);
+ exit(1);
+ }
+ TAILQ_INSERT_TAIL(&re_head, rep, re_glue);
+ len = strlen(copy);
+ copy += len + 1;
+ }
+ free(orig);
+}
+
+static void
 usage(const char *msg)
 {
 fprintf(stderr, "%s\n", msg);
-fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
+fprintf(stderr, "Usage: auditreduce [options] [file ...]\n");
 fprintf(stderr, "\tOptions are : \n");
 fprintf(stderr, "\t-A : all records\n");
 fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
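Review bot: The `strcpy(&copy[i - 1], &copy[i])` that collapses an escaped comma in parse_regexp() copies between overlapping regions, which is undefined behaviour for strcpy(); it should be `memmove(&copy[i - 1], &copy[i], len - i + 1)`, and after the shift `len` must shrink and `copy[i]` be re-examined, because a delimiter comma that directly follows an escaped comma is currently skipped and glued into the pattern. Both `copy = strdup(re_string)` and `rep->re_pattern = strdup(copy)` are unchecked, so an allocation failure reaches strlen()/regcomp() with NULL; the file already includes err.h and main() uses errx(), so `err(1, "strdup")` fits, and the fprintf()+exit(1) error paths here could use errx(EXIT_FAILURE, ...) for the same reason. TAILQ_INIT(&re_head) on every call also drops the previous list without freeing it when `-o file=` is given more than once, presumably harmless for a one-shot tool but worth a comment.
```c
	copy = strdup(re_string);
	if (copy == NULL)
		err(1, "strdup");
	orig = copy;
	len = strlen(copy);
	for (nstrs = 0, i = 0; i < len; i++) {
		if (copy[i] != ',' || i == 0)
			continue;
		if (copy[i - 1] == '\\') {
			/* Regions overlap: strcpy() is undefined here. */
			memmove(&copy[i - 1], &copy[i], len - i + 1);
			len--;
			i--;	/* Re-examine the byte just shifted into copy[i]. */
		} else {
			nstrs++;
			copy[i] = '\0';
		}
	}
	/* … unchanged: TAILQ_INIT(), per-pattern calloc() and '~' handling … */
		rep->re_pattern = strdup(copy);
		if (rep->re_pattern == NULL)
			err(1, "strdup");
	/* … unchanged: regcomp(), TAILQ_INSERT_TAIL(), advance copy, free(orig) … */
```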
@@ -258,23 +317,20 @@ select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
 static int
 select_filepath(char *path, uint32_t *optchkd)
 {
- char *loc;
+ struct re_entry *rep;
+ int match;
 SETOPT((*optchkd), OPT_of);
+ match = 1;
 if (ISOPTSET(opttochk, OPT_of)) {
- if (p_fileobj[0] == '~') {
- /* Object should not be in path. */
- loc = strstr(path, p_fileobj + 1);
- if ((loc != NULL) && (loc == path))
- return (0);
- } else {
- /* Object should be in path. */
- loc = strstr(path, p_fileobj);
- if ((loc == NULL) || (loc != path))
- return (0);
+ match = 0;
+ TAILQ_FOREACH(rep, &re_head, re_glue) {
+ if (regexec(&rep->re_regexp, path, 0, NULL,
+ 0) != REG_NOMATCH)
+ return (!rep->re_negate);
 }
 }
- return (1);
+ return (match);
 }
 /*
@@ -328,6 +384,24 @@ select_hdr32(tokenstr_t tok, uint32_t *optchkd)
 return (1);
 }
+static int
+select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd)
+{
+ int sorf;
+
+ SETOPT((*optchkd), (OPT_c));
+ if (tok_ret32.tt.ret32.status == 0)
+ sorf = AU_PRS_SUCCESS;
+ else
+ sorf = AU_PRS_FAILURE;
+ if (ISOPTSET(opttochk, OPT_c)) {
+ if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf,
+ AU_PRS_USECACHE) != 1)
+ return (0);
+ }
+ return (1);
+}
+
 /*
 * Return 1 if checks for the the following succeed
 * auid,
@@ -395,6 +469,7 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd)
 static int
 select_records(FILE *fp)
 {
+ tokenstr_t tok_hdr32_copy;
 u_char *buf;
 tokenstr_t tok;
 int reclen;
@@ -423,6 +498,8 @@ select_records(FILE *fp)
 case AU_HEADER_32_TOKEN:
 selected = select_hdr32(tok, &optchkd);
+ bcopy(&tok, &tok_hdr32_copy,
+ sizeof(tok));
 break;
 case AU_PROCESS_32_TOKEN:
@@ -451,6 +528,11 @@ select_records(FILE *fp)
 tok.tt.path.path, &optchkd);
 break;
+ case AU_RETURN_32_TOKEN:
+ selected = select_return32(tok,
+ tok_hdr32_copy, &optchkd);
+ break;
+
 /*
 * The following tokens dont have any relevant
 * attributes that we can select upon.
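Review bot: `tokenstr_t tok_hdr32_copy;` is declared without an initializer in select_records() and is filled only by the AU_HEADER_32_TOKEN case, yet the new AU_RETURN_32_TOKEN case hands it to select_return32(), which reads `tok_hdr32.tt.hdr32.e_type`; a record whose return token is not preceded by a 32-bit header (a header of another size, or a truncated or corrupt trail — the other header cases are outside these hunks) makes that read indeterminate. Track whether a header was seen for the current record: `int have_hdr32 = 0;` beside the declaration, `have_hdr32 = 1;` after the bcopy(), and in the return case `selected = have_hdr32 ? select_return32(tok, tok_hdr32_copy, &optchkd) : 0;` (resetting the flag where the record loop starts, which is outside the hunk). Separately, bcopy()ing the whole tokenstr_t on every header and passing two tokenstr_t by value to select_return32() copies a large struct to read one field each; `const tokenstr_t *` parameters would avoid that. select_records() begins and ends outside these hunks.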
@@ -465,7 +547,6 @@ select_records(FILE *fp)
 case AU_IPCPERM_TOKEN:
 case AU_IPORT_TOKEN:
 case AU_OPAQUE_TOKEN:
- case AU_RETURN_32_TOKEN:
 case AU_SEQ_TOKEN:
 case AU_TEXT_TOKEN:
 case AU_ARB_TOKEN:
@@ -500,6 +581,7 @@ parse_object_type(char *name, char *val)
 if (!strcmp(name, FILEOBJ)) {
 p_fileobj = val;
+ parse_regexp(val);
 SETOPT(opttochk, OPT_of);
 } else if (!strcmp(name, MSGQIDOBJ)) {
 p_msgqobj = val;
@@ -679,8 +761,12 @@ main(int argc, char **argv)
 argv += optind;
 argc -= optind;
- if (argc == 0)
- usage("Filename needed");
+ if (argc == 0) {
+ if (select_records(stdin) == -1)
+ errx(EXIT_FAILURE,
+ "Couldn't select records from stdin");
+ exit(EXIT_SUCCESS);
+ }
 /*
 * XXX: We should actually be merging records here.
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h
index 698e276..f69dc16 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.h
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.h
@@ -26,13 +26,20 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $
 */
 #ifndef _AUDITREDUCE_H_
 #define _AUDITREDUCE_H_
+struct re_entry {
+ char *re_pattern;
+ int re_negate;
+ regex_t re_regexp;
+ TAILQ_ENTRY(re_entry) re_glue;
+};
+
 #define OPT_a 0x00000001
 #define OPT_b 0x00000002
 #define OPT_c 0x00000004 |
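Review bot: The new `struct re_entry` in auditreduce.h uses `regex_t` and `TAILQ_ENTRY()`, but the header includes neither <regex.h> nor a queue.h, so every includer must reproduce the `config/config.h` / HAVE_FULL_QUEUE_H include block this commit adds to auditreduce.c, in that order, before `#include "auditreduce.h"`. Move that block and `#include <regex.h>` into the header after the `_AUDITREDUCE_H_` guard so it is self-contained, or at minimum add a comment above the struct naming the two headers a user must include first. In the parse_object_type() hunk, `p_fileobj = val;` is kept next to the new `parse_regexp(val);` although select_filepath() no longer reads p_fileobj after this commit; if nothing else does, the assignment and the variable can go.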