authorrwatson <rwatson@FreeBSD.org>2009-03-02 13:29:18 +0000
committerrwatson <rwatson@FreeBSD.org>2009-03-02 13:29:18 +0000
commitee5318d5431890ccd7baeb15560b4bebe982525b (patch)
treee1a5bcd2b0eca50f696afbc416858fa574e50e8d /contrib/openbsm/bin
parent5cacf7357664a8a200d2ba7bd7b8e820b681cd06 (diff)
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge). OpenBSM history for imported revision below for reference. MFC after: 1 month Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project OpenBSM 1.1 beta 1 - The filesz parameter in audit_control(5) now accepts suffixes: 'B' for Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes. For legacy support no suffix defaults to bytes. - Audit trail log expiration support added. It is configured in audit_control(5) with the expire-after parameter. If there is no expire-after parameter in audit_control(5), the default, then the audit trail files are not expired and removed. See audit_control(5) for more information. - Change defaults in audit_control: warn at 5% rather than 20% free for audit partitions, rotate automatically at 2mb, and set the default policy to cnt,argv rather than cnt so that execve(2) arguments are captured if AUE_EXECVE events are audited. These may provide more usable defaults for many users. - Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert au_to_socket_ex(3) arguments to BSM format. - Fix error encoding AUT_IPC_PERM tokens.
Diffstat (limited to 'contrib/openbsm/bin')
-rw-r--r--contrib/openbsm/bin/audit/audit.814
-rw-r--r--contrib/openbsm/bin/audit/audit.c17
-rw-r--r--contrib/openbsm/bin/auditd/audit_warn.c19
-rw-r--r--contrib/openbsm/bin/auditd/auditd.c41
-rw-r--r--contrib/openbsm/bin/auditd/auditd.h6
5 files changed, 76 insertions, 21 deletions
diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8
index b0276d4..ff3c52d 100644
--- a/contrib/openbsm/bin/audit/audit.8
+++ b/contrib/openbsm/bin/audit/audit.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Inc.
+.\" Copyright (c) 2004-2009 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,9 +25,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $
.\"
-.Dd December 11, 2008
+.Dd January 29, 2009
.Dt AUDIT 8
.Os
.Sh NAME
@@ -35,7 +35,7 @@
.Nd audit management utility
.Sh SYNOPSIS
.Nm
-.Fl i | n | s | t
+.Fl e | i | n | s | t
.Sh DESCRIPTION
The
.Nm
@@ -43,6 +43,10 @@ utility controls the state of the audit system.
One of the following flags is required as an argument to
.Nm :
.Bl -tag -width indent
+.It Fl e
+Forces the audit system to immediately remove audit log files that
+meet the expiration criteria specified in the audit control file without
+doing a log rotation.
.It Fl i
Initializes and starts auditing.
This option is currently for Mac OS X only
@@ -53,6 +57,8 @@ to be configured to run under
.It Fl n
Forces the audit system to close the existing audit log file and rotate to
a new log file in a location specified in the audit control file.
+Also, audit log files that meet the expiration criteria specified in the
+audit control file will be removed.
.It Fl s
Specifies that the audit system should [re]synchronize its
configuration from the audit control file.
diff --git a/contrib/openbsm/bin/audit/audit.c b/contrib/openbsm/bin/audit/audit.c
index 3a07aa7..f9148ca 100644
--- a/contrib/openbsm/bin/audit/audit.c
+++ b/contrib/openbsm/bin/audit/audit.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005-2008 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
@@ -68,12 +68,15 @@ static int send_trigger(unsigned int);
#include "auditd_control.h"
/*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
* audit.h header.
*/
#ifndef AUDIT_TRIGGER_INITIALIZE
#define AUDIT_TRIGGER_INITIALIZE 7
#endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
+#endif
static int
send_trigger(unsigned int trigger)
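Review bot: The fallback `#define AUDIT_TRIGGER_EXPIRE_TRAILS 8` is now duplicated verbatim in audit.c and auditd.c (the same block reappears in the auditd.c hunk under the `#ifndef AUDIT_TRIGGER_INITIALIZE` guard), and the two copies are kept in sync only by hand until the kernel audit.h provides the value. audit.c already includes auditd_control.h, and auditd.c presumably does too (its include list is not in this diff), so one shared fallback there would ensure the audit(8) client can never send a trigger number the daemon does not recognize after a renumbering. Until that is done the comment should at least name the other copy, e.g. `/* XXX Keep in sync with the identical fallback in auditd/auditd.c. */`.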
@@ -125,7 +128,7 @@ static void
usage(void)
{
- (void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
+ (void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n");
exit(-1);
}
@@ -141,9 +144,13 @@ main(int argc, char **argv)
if (argc != 2)
usage();
- while ((ch = getopt(argc, argv, "inst")) != -1) {
+ while ((ch = getopt(argc, argv, "einst")) != -1) {
switch(ch) {
+ case 'e':
+ trigger = AUDIT_TRIGGER_EXPIRE_TRAILS;
+ break;
+
case 'i':
trigger = AUDIT_TRIGGER_INITIALIZE;
break;
diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c
index 6dfb3bd..22806e2 100644
--- a/contrib/openbsm/bin/auditd/audit_warn.c
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
*/
#include <sys/types.h>
@@ -236,3 +236,18 @@ audit_warn_tmpfile(void)
return (auditwarnlog(args));
}
+
+/*
+ * Indicates that this trail file has expired and was removed.
+ */
+int
+audit_warn_expired(char *filename)
+{
+ char *args[3];
+
+ args[0] = EXPIRED_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
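Review bot: `audit_warn_expired` stores `filename` at `args[1]` with no NULL check, so a NULL argument would terminate the argv vector early and the warn script would presumably see only `expired`, silently dropping the name of the removed trail (auditwarnlog() and its handling of `args` are not in this diff, so I cannot confirm how it is consumed). This matches the existing `audit_warn_soft(char *filename)` pattern, so the precondition at least belongs in the header comment, e.g. `/* Called back from auditd_expire_trails() for each removed trail file; filename must be non-NULL since it is passed through as an argument to the warn script. */`. If the caller cannot guarantee that, a guard such as `if (filename == NULL) return (-1);` (using whatever failure value auditwarnlog() returns) would make the failure visible rather than silent.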
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index 20300c1..1fc766b 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $
*/
#include <sys/types.h>
@@ -67,12 +67,16 @@
#endif
/*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
* audit.h header.
*/
#ifndef AUDIT_TRIGGER_INITIALIZE
#define AUDIT_TRIGGER_INITIALIZE 7
#endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define AUDIT_TRIGGER_EXPIRE_TRAILS 8
+#endif
+
/*
* LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and
@@ -166,7 +170,7 @@ close_lastfile(char *TS)
/* Rename the last file -- append timestamp. */
if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
- strlcpy(ptr, TS, TIMESTAMP_LEN);
+ memcpy(ptr, TS, POSTFIX_LEN);
if (rename(oldname, lastfile) != 0)
auditd_log_err(
"Could not rename %s to %s: %m", oldname,
@@ -275,6 +279,14 @@ do_trail_file(void)
return (-1);
}
+ /*
+ * Finally, see if there are any trail files to expire.
+ */
+ err = auditd_expire_trails(audit_warn_expired);
+ if (err)
+ auditd_log_err("auditd_expire_trails(): %s",
+ auditd_strerror(err));
+
return (0);
}
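Review bot: The expire step added at the end of do_trail_file logs a failure from auditd_expire_trails but still returns 0, so the caller cannot tell that expiration did not run; if that is intended (rotation succeeded, expiry is best-effort), the comment above the call should say so: `/* Expiry is best-effort: a failure is logged but does not fail the rotation. */`. The same four-line call-and-log sequence is repeated in the new AUDIT_TRIGGER_EXPIRE_TRAILS case of auditd_handle_trigger; a small static helper wrapping it would keep both paths identical, so a later change (for example propagating the error, or rate-limiting the log line) cannot diverge between them. do_trail_file begins before this hunk.

```c
/*
 * Expire trail files that meet the audit_control(5) criteria.  Best-effort:
 * a failure is logged and otherwise ignored.
 */
static void
expire_trails(void)
{
	int err;

	err = auditd_expire_trails(audit_warn_expired);
	if (err)
		auditd_log_err("auditd_expire_trails(): %s",
		    auditd_strerror(err));
}

/* … unchanged: do_trail_file body up to the new-file checks … */
	expire_trails();

	return (0);
```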
@@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger)
audit_setup();
break;
+ case AUDIT_TRIGGER_EXPIRE_TRAILS:
+ auditd_log_info("Got audit expire trails trigger");
+ err = auditd_expire_trails(audit_warn_expired);
+ if (err)
+ auditd_log_err("auditd_expire_trails(): %s",
+ auditd_strerror(err));
+ break;
+
default:
auditd_log_err("Got unknown trigger %d", trigger);
break;
@@ -669,13 +689,18 @@ auditd_config_controls(void)
*/
err = auditd_set_host();
if (err) {
- auditd_log_err("auditd_set_host() %s: %m",
- auditd_strerror(err));
- ret = -1;
+ if (err == ADE_PARSE) {
+ auditd_log_notice(
+ "audit_control(5) may be missing 'host:' field");
+ } else {
+ auditd_log_err("auditd_set_host() %s: %m",
+ auditd_strerror(err));
+ ret = -1;
+ }
} else
auditd_log_debug(
"Set audit host address information in kernel.");
-
+
return (ret);
}
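Review bot: Downgrading ADE_PARSE from an error to a notice reading "may be missing 'host:' field" assumes a parse failure only ever means the field is absent; if auditd_set_host also returns ADE_PARSE for a present-but-malformed `host:` line (not determinable from this hunk), a typo now leaves the kernel's audit host information unset or stale with only a notice-level log line, whereas every other configuration failure in this function still sets `ret = -1`. If the library distinguishes the two cases, only the absent case should be tolerated; otherwise the notice should name both outcomes so an operator reading the log does not dismiss it, e.g. `"audit_control(5) 'host:' field missing or unparseable; kernel audit host not updated"`. auditd_config_controls begins before this hunk.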
diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h
index 0351a0e..f952181 100644
--- a/contrib/openbsm/bin/auditd/auditd.h
+++ b/contrib/openbsm/bin/auditd/auditd.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
*/
#ifndef _AUDITD_H_
@@ -57,6 +57,7 @@
#define POSTSIGTERM_WARN "postsigterm"
#define SOFTLIM_WARN "soft"
#define TMPFILE_WARN "tmpfile"
+#define EXPIRED_WARN "expired"
#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
#define AUDITD_PIDFILE "/var/run/auditd.pid"
@@ -76,6 +77,7 @@ int audit_warn_nostart(void);
int audit_warn_postsigterm(void);
int audit_warn_soft(char *filename);
int audit_warn_tmpfile(void);
+int audit_warn_expired(char *filename);
void auditd_openlog(int debug, gid_t gid);
void auditd_log_err(const char *fmt, ...);