author | rwatson <rwatson@FreeBSD.org> | 2009-03-02 13:29:18 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2009-03-02 13:29:18 +0000 |
commit | ee5318d5431890ccd7baeb15560b4bebe982525b (patch) | |
tree | e1a5bcd2b0eca50f696afbc416858fa574e50e8d /contrib/openbsm/bin | |
parent | 5cacf7357664a8a200d2ba7bd7b8e820b681cd06 (diff) | |
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
Diffstat (limited to 'contrib/openbsm/bin')
-rw-r--r-- | contrib/openbsm/bin/audit/audit.8 | 14 | ||||
-rw-r--r-- | contrib/openbsm/bin/audit/audit.c | 17 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/audit_warn.c | 19 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.c | 41 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.h | 6 |
5 files changed, 76 insertions, 21 deletions
diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8
index b0276d4..ff3c52d 100644
--- a/contrib/openbsm/bin/audit/audit.8
+++ b/contrib/openbsm/bin/audit/audit.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Inc.
+.\" Copyright (c) 2004-2009 Apple Inc.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -25,9 +25,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $
 .\"
-.Dd December 11, 2008
+.Dd January 29, 2009
 .Dt AUDIT 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Nd audit management utility
 .Sh SYNOPSIS
 .Nm
-.Fl i | n | s | t
+.Fl e | i | n | s | t
 .Sh DESCRIPTION
 The
 .Nm
@@ -43,6 +43,10 @@ utility controls the state of the audit system.
 One of the following flags is required as an argument to
 .Nm :
 .Bl -tag -width indent
+.It Fl e Forces the audit system to immediately remove audit log files that meet the expiration criteria specified in the audit control file without doing a log rotation.
 .It Fl i
 Initializes and starts auditing.
 This option is currently for Mac OS X only
@@ -53,6 +57,8 @@ to be configured to run under
 .It Fl n
 Forces the audit system to close the existing audit log file and rotate to a new log file in a location specified in the audit control file.
+Also, audit log files that meet the expiration criteria specified in the
+audit control file will be removed.
 .It Fl s
 Specifies that the audit system should [re]synchronize its configuration from the audit control file.
diff --git a/contrib/openbsm/bin/audit/audit.c b/contrib/openbsm/bin/audit/audit.c
index 3a07aa7..f9148ca 100644
--- a/contrib/openbsm/bin/audit/audit.c
+++ b/contrib/openbsm/bin/audit/audit.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005-2008 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $
  */
 /*
  * Program to trigger the audit daemon with a message that is either:
@@ -68,12 +68,15 @@ static int send_trigger(unsigned int);
 #include "auditd_control.h"
 /*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
  * audit.h header.
  */
 #ifndef AUDIT_TRIGGER_INITIALIZE
 #define AUDIT_TRIGGER_INITIALIZE 7
 #endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
+#endif
 static int
 send_trigger(unsigned int trigger)
@@ -125,7 +128,7 @@ static void
 usage(void)
 {
-	(void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
+	(void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n");
 	exit(-1);
 }
@@ -141,9 +144,13 @@ main(int argc, char **argv)
 	if (argc != 2)
 		usage();
-	while ((ch = getopt(argc, argv, "inst")) != -1) {
+	while ((ch = getopt(argc, argv, "einst")) != -1) {
 		switch(ch) {
+		case 'e':
+			trigger = AUDIT_TRIGGER_EXPIRE_TRAILS;
+			break;
+
 		case 'i':
 			trigger = AUDIT_TRIGGER_INITIALIZE;
 			break;
diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c
index 6dfb3bd..22806e2 100644
--- a/contrib/openbsm/bin/auditd/audit_warn.c
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
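Review bot: AUDIT_TRIGGER_EXPIRE_TRAILS is introduced as a file-private `#ifndef`-guarded `#define … 8` in the -68,12 hunk here and again, verbatim, in the auditd.c hunk at -67,12, so the client that sends the trigger and the daemon that dispatches on it agree on the value only by copy-and-paste. Moving the single definition into a header both files already include (audit.c pulls in "auditd_control.h") would keep the two from drifting, and the guard form means that if the kernel's audit.h later defines the name with a different value, both binaries would silently switch to it with no compile-time notice. If the duplication is kept, a comment on each define, `/* Must match the value used by auditd.c/audit.c until the kernel header provides it. */`, is the minimum.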
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
  */
 #include <sys/types.h>
@@ -236,3 +236,18 @@ audit_warn_tmpfile(void)
 	return (auditwarnlog(args));
 }
+
+/*
+ * Indicates that this trail file has expired and was removed.
+ */
+int
+audit_warn_expired(char *filename)
+{
+	char *args[3];
+
+	args[0] = EXPIRED_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index 20300c1..1fc766b 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $
  */
 #include <sys/types.h>
@@ -67,12 +67,16 @@
 #endif
 /*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
  * audit.h header.
  */
 #ifndef AUDIT_TRIGGER_INITIALIZE
 #define AUDIT_TRIGGER_INITIALIZE 7
 #endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
+#endif
+
 /*
  * LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and
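Review bot: audit_warn_expired stores filename straight into args[1], so a NULL filename terminates the argv list one slot early and the audit_warn script runs as just `expired`, indistinguishable from a deliberately argument-less warning. Whether auditd_expire_trails can ever hand this callback a NULL or empty name is not visible in this diff; either guard it before the assignment (returning whatever failure value auditwarnlog's callers already treat as an error) or document the precondition with a comment such as `/* filename must be a non-NULL path; it is passed as the script's second argument. */` above the definition. The `char *filename` signature mirrors audit_warn_soft, so adding const would be a separate change across both.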
@@ -166,7 +170,7 @@ close_lastfile(char *TS)
 	/* Rename the last file -- append timestamp. */
 	if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
-		strlcpy(ptr, TS, TIMESTAMP_LEN);
+		memcpy(ptr, TS, POSTFIX_LEN);
 		if (rename(oldname, lastfile) != 0)
 			auditd_log_err(
 			    "Could not rename %s to %s: %m", oldname,
@@ -275,6 +279,14 @@ do_trail_file(void)
 		return (-1);
 	}
+	/*
+	 * Finally, see if there are any trail files to expire.
+	 */
+	err = auditd_expire_trails(audit_warn_expired);
+	if (err)
+		auditd_log_err("auditd_expire_trails(): %s",
+		    auditd_strerror(err));
+
 	return (0);
 }
@@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger)
 		audit_setup();
 		break;
+	case AUDIT_TRIGGER_EXPIRE_TRAILS:
+		auditd_log_info("Got audit expire trails trigger");
+		err = auditd_expire_trails(audit_warn_expired);
+		if (err)
+			auditd_log_err("auditd_expire_trails(): %s",
+			    auditd_strerror(err));
+		break;
+
 	default:
 		auditd_log_err("Got unknown trigger %d", trigger);
 		break;
@@ -669,13 +689,18 @@ auditd_config_controls(void)
 	 */
 	err = auditd_set_host();
 	if (err) {
-		auditd_log_err("auditd_set_host() %s: %m",
-		    auditd_strerror(err));
-		ret = -1;
+		if (err == ADE_PARSE) {
+			auditd_log_notice(
+			    "audit_control(5) may be missing 'host:' field");
+		} else {
+			auditd_log_err("auditd_set_host() %s: %m",
+			    auditd_strerror(err));
+			ret = -1;
+		}
 	} else
 		auditd_log_debug(
 		    "Set audit host address information in kernel.");
-
+
 	return (ret);
 }
diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h
index 0351a0e..f952181 100644
--- a/contrib/openbsm/bin/auditd/auditd.h
+++ b/contrib/openbsm/bin/auditd/auditd.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
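Review bot: The replacement `memcpy(ptr, TS, POSTFIX_LEN)` in close_lastfile copies a fixed POSTFIX_LEN bytes over the NOT_TERMINATED marker and writes no terminator, so lastfile remains a well-formed path only if the marker located by strstr is at least POSTFIX_LEN bytes long and TS holds at least that many bytes; neither NOT_TERMINATED, POSTFIX_LEN nor the caller's TS buffer is visible in this diff, and the strlcpy it replaces at least guaranteed a NUL. That invariant belongs at the call site, e.g. `/* TS is exactly POSTFIX_LEN bytes and overwrites the NOT_TERMINATED suffix in place; the NUL already following it is kept. */`, and a guard comparing `strlen(ptr)` against POSTFIX_LEN before the copy, logging through auditd_log_err and skipping the rename on mismatch, would turn a length mismatch into a logged failure rather than a truncated or unterminated file name. close_lastfile's body starts and ends outside the hunk.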
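Review bot: The new `err == ADE_PARSE` branch in auditd_config_controls turns every parse failure from auditd_set_host into a notice and leaves ret at its prior value, while the message only speaks of a missing 'host:' field; if ADE_PARSE also covers a present but malformed value (auditd_set_host is not in this diff), a typo in that field now passes as a notice and the kernel keeps whatever host address it already had, with nothing in the function's return to flag it. Either distinguish missing from malformed in the caller, or make the message state the actual consequence, e.g. `"audit_control(5) 'host:' field missing or unparseable; kernel host address not updated"`. auditd_config_controls starts outside the hunk.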
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
  */
 #ifndef _AUDITD_H_
@@ -57,6 +57,7 @@
 #define POSTSIGTERM_WARN "postsigterm"
 #define SOFTLIM_WARN "soft"
 #define TMPFILE_WARN "tmpfile"
+#define EXPIRED_WARN "expired"
 #define AUDITWARN_SCRIPT "/etc/security/audit_warn"
 #define AUDITD_PIDFILE "/var/run/auditd.pid"
@@ -76,6 +77,7 @@ int audit_warn_nostart(void);
 int audit_warn_postsigterm(void);
 int audit_warn_soft(char *filename);
 int audit_warn_tmpfile(void);
+int audit_warn_expired(char *filename);
 void auditd_openlog(int debug, gid_t gid);
 void auditd_log_err(const char *fmt, ...); |