Diffstat (limited to 'contrib/openbsm/bin')
-rw-r--r-- | contrib/openbsm/bin/Makefile | 10 | ||||
-rw-r--r-- | contrib/openbsm/bin/audit/Makefile | 12 | ||||
-rw-r--r-- | contrib/openbsm/bin/audit/audit.8 | 86 | ||||
-rw-r--r-- | contrib/openbsm/bin/audit/audit.c | 102 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/Makefile | 13 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/audit_warn.c | 230 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.8 | 94 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.c | 760 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditd/auditd.h | 80 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/Makefile | 12 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.1 | 153 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.c | 699 | ||||
-rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.h | 67 | ||||
-rw-r--r-- | contrib/openbsm/bin/praudit/Makefile | 12 | ||||
-rw-r--r-- | contrib/openbsm/bin/praudit/praudit.1 | 97 | ||||
-rw-r--r-- | contrib/openbsm/bin/praudit/praudit.c | 157 |
16 files changed, 2584 insertions, 0 deletions
diff --git a/contrib/openbsm/bin/Makefile b/contrib/openbsm/bin/Makefile
new file mode 100644
index 0000000..3bc4a6c
--- /dev/null
+++ b/contrib/openbsm/bin/Makefile
@@ -0,0 +1,10 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile#4 $
+#
+
+SUBDIR= audit \
+ auditd \
+ auditreduce \
+ praudit
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openbsm/bin/audit/Makefile b/contrib/openbsm/bin/audit/Makefile
new file mode 100644
index 0000000..cec37ea
--- /dev/null
+++ b/contrib/openbsm/bin/audit/Makefile
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile#2 $
+#
+
+CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG= audit
+MAN= audit.8
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8
new file mode 100644
index 0000000..419bcf1
--- /dev/null
+++ b/contrib/openbsm/bin/audit/audit.8
@@ -0,0 +1,86 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" @APPLE_BSD_LICENSE_HEADER_START@ +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY +.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" @APPLE_BSD_LICENSE_HEADER_END@ +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#2 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDIT 8 +.Os +.Sh NAME +.Nm audit +.Nd audit management utility +.Sh SYNOPSIS +.Nm audit +.Op Fl nst +.Op Ar file +.Sh DESCRIPTION +The +.Nm +utility controls the state of auditing system. 
The optional +.Ar file +operand specifies the location of the audit control input file (default +/etc/security/audit_control). +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl n +Forces the audit system to close the existing audit log file and rotate to +a new log file in a location specified in the audit control file. +.It Fl s +Specifies that the audit system should [re]synchronize its +configuration from the audit control file. A new log file will be +created. +.It Fl t +Specifies that the audit system should terminate. Log files are closed +and renamed to indicate the time of the shutdown. +.El +.Sh NOTES +The auditd(8) daemon must already be running. +.Sh FILES +.Bl -tag -width "/etc/security/audit_control" -compact +.It Pa /etc/security/audit_control +Default audit policy file used to configure the auditing system. +.El +.Sh SEE ALSO +.Xr auditd 8 +.Xr audit_control 5 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/bin/audit/audit.c b/contrib/openbsm/bin/audit/audit.c new file mode 100644 index 0000000..7be9c8c --- /dev/null +++ b/contrib/openbsm/bin/audit/audit.c 
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $
+ */
+/*
+ * Program to trigger the audit daemon with a message that is either:
+ * - Open a new audit log file
+ * - Read the audit control file and take action on it
+ * - Close the audit log file and exit
+ *
+ */
+
+#include <sys/queue.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+
+#include <bsm/audit.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void
+usage(void)
+{
+
+ (void)fprintf(stderr, "Usage: audit -n | -s | -t \n");
+ exit(-1);
+}
+
+/*
+ * Main routine to process command line options.
+ */
+int
+main(int argc, char **argv)
+{
+ char ch;
+ unsigned int trigger = 0;
+
+ if (argc != 2)
+ usage();
+
+ while ((ch = getopt(argc, argv, "nst")) != -1) {
+ switch(ch) {
+
+ case 'n':
+ trigger = AUDIT_TRIGGER_OPEN_NEW;
+ break;
+
+ case 's':
+ trigger = AUDIT_TRIGGER_READ_FILE;
+ break;
+
+ case 't':
+ trigger = AUDIT_TRIGGER_CLOSE_AND_DIE;
+ break;
+
+ case '?':
+ default:
+ usage();
+ break;
+ }
+ }
+ if (auditon(A_SENDTRIGGER, &trigger, sizeof(trigger)) < 0) {
+ perror("Error sending trigger");
+ exit(-1);
+ } else {
+ printf("Trigger sent.\n");
+ exit (0);
+ }
+}
diff --git a/contrib/openbsm/bin/auditd/Makefile b/contrib/openbsm/bin/auditd/Makefile
new file mode 100644
index 0000000..fbbdc47
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/Makefile
@@ -0,0 +1,13 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile#2 $
+#
+
+CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG= auditd
+SRCS= audit_warn.c auditd.c
+MAN= auditd.8
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c
new file mode 100644
index 0000000..4a19984
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
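Review bot: In main(), `trigger` is still 0 when the single argument is not one of -n/-s/-t (a bare word passes the `argc != 2` check but never enters a `case`), so `auditon(A_SENDTRIGGER, ...)` is invoked with trigger 0 and whatever the kernel makes of that; add `if (trigger == 0) usage();` after the getopt loop. `ch` should be declared `int`, because getopt(3) returns int and the `!= -1` comparison can never become true on targets where plain char is unsigned. The usage string and the `argc != 2` check also contradict the new audit.8 earlier in this commit, which documents an optional `file` operand that main() never reads; either accept the operand or drop it from the manual. Separately, `exit(-1)` produces exit status 255, where `EXIT_FAILURE` is what callers and rc scripts expect.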
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#5 $
+ */
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+
+#include "auditd.h"
+
+/*
+ * Write an audit-related error to the system log via syslog(3).
+ */
+static int
+auditwarnlog(char *args[])
+{
+ char *loc_args[9];
+ pid_t pid;
+ int i;
+
+ loc_args[0] = AUDITWARN_SCRIPT;
+ for (i = 0; args[i] != NULL && i < 8; i++)
+ loc_args[i+1] = args[i];
+ loc_args[i+1] = NULL;
+
+ pid = fork();
+ if (pid == -1)
+ return (-1);
+ if (pid == 0) {
+ /*
+ * Child.
+ */
+ execv(AUDITWARN_SCRIPT, loc_args);
+ syslog(LOG_ERR, "Could not exec %s (%m)\n",
+ AUDITWARN_SCRIPT);
+ exit(1);
+ }
+ /*
+ * Parent.
+ */
+ return (0);
+}
+
+/*
+ * Indicates that the hard limit for all filesystems has been exceeded count
+ * times.
+ */
+int
+audit_warn_allhard(int count)
+{
+ char intstr[12];
+ char *args[3];
+
+ snprintf(intstr, 12, "%d", count);
+
+ args[0] = HARDLIM_ALL_WARN;
+ args[1] = intstr;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the soft limit for all filesystems has been exceeded.
+ */
+int
+audit_warn_allsoft(void)
+{
+ char *args[2];
+
+ args[0] = SOFTLIM_ALL_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that someone other than the audit daemon turned off auditing.
+ * XXX Its not clear at this point how this function will be invoked.
+ *
+ * XXXRW: This function is not used.
+ */
+int
+audit_warn_auditoff(void)
+{
+ char *args[2];
+
+ args[0] = AUDITOFF_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the audit deammn is already running
+ */
+int
+audit_warn_ebusy(void)
+{
+ char *args[2];
+
+ args[0] = EBUSY_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that there is a problem getting the directory from
+ * audit_control.
+ *
+ * XXX Note that we take the filename instead of a count as the argument here
+ * (different from BSM).
+ */
+int
+audit_warn_getacdir(char *filename)
+{
+ char *args[3];
+
+ args[0] = GETACDIR_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the hard limit for this file has been exceeded.
+ */
+int
+audit_warn_hard(char *filename)
+{
+ char *args[3];
+
+ args[0] = HARDLIM_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that auditing could not be started.
+ */
+int
+audit_warn_nostart(void)
+{
+ char *args[2];
+
+ args[0] = NOSTART_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicaes that an error occrred during the orderly shutdown of the audit
+ * daemon.
+ */
+int
+audit_warn_postsigterm(void)
+{
+ char *args[2];
+
+ args[0] = POSTSIGTERM_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the soft limit for this file has been exceeded.
+ */
+int
+audit_warn_soft(char *filename)
+{
+ char *args[3];
+
+ args[0] = SOFTLIM_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the temporary audit file already exists indicating a fatal
+ * error.
+ */
+int
+audit_warn_tmpfile(void)
+{
+ char *args[2];
+
+ args[0] = TMPFILE_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
diff --git a/contrib/openbsm/bin/auditd/auditd.8 b/contrib/openbsm/bin/auditd/auditd.8
new file mode 100644
index 0000000..18515da
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/auditd.8
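Review bot: In auditwarnlog(), `char *loc_args[9]` is one slot short for the loop that fills it: with eight non-NULL `args` entries the loop exits with `i == 8`, and the following `loc_args[i+1] = NULL` writes `loc_args[9]`, one past the end of the array; declare it `char *loc_args[10];` (or bound the loop at 7). Every caller in this file passes at most two arguments, so the overflow is latent today, but this helper is the single path every warning takes into a privileged exec. In the child branch, `exit(1)` after a failed `execv` runs the parent's atexit handlers and flushes any inherited stdio buffers a second time in the child; `_exit(1)` is the usual form. The header comment says the function writes to syslog(3), whereas it forks and execs `AUDITWARN_SCRIPT` without waiting, so something like `/* Fork and exec AUDITWARN_SCRIPT with args as its argument vector; the parent returns without waiting for the child. */` would describe it. `syslog()`/`LOG_ERR` and `exit()` are used here with only `<sys/types.h>`, `<unistd.h>` and `<stdio.h>` included, so presumably auditd.h supplies `<syslog.h>` and `<stdlib.h>`; worth confirming rather than relying on it.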
@@ -0,0 +1,94 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" @APPLE_BSD_LICENSE_HEADER_START@ +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY +.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" @APPLE_BSD_LICENSE_HEADER_END@ +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDITD 8 +.Os +.Sh NAME +.Nm auditd +.Nd audit log management daemon +.Sh SYNOPSIS +.Nm auditd +.Op Fl dhs +.Sh DESCRIPTION +The +.Nm +daemon responds to requests from the audit(1) utility and notifications +from the kernel. It manages the resulting audit log files and specified +log file locations. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl d +Starts the daemon in debug mode - it will not daemonize. +.It Fl h +Specifies that if auditing cannot be performed as specified, the system should +halt (panic). Normally, the system will attempt to proceed - although individual +processes may be stopped (see the -s option). +.It Fl s +Specifies that individual processes should stop rather than perform operations +that may cause audit records to be lost due to log file full conditions +.El +.Sh NOTE +.Pp +To assure uninterrupted audit support, the +.Nm auditd +daemon should not be started and stopped manually. Instead, the audit(1) command +should be used to inform the daemon to change state/configuration after altering +the audit_control file. +.Pp +.\" Sending a SIGHUP to a running +.\" .Nm auditd +.\" daemon will force it to exit. +Sending a SIGTERM to a running +.Nm auditd +daemon will force it to exit. +.Sh FILES +.Bl -tag -width "/var/audit" -compact +.It Pa /var/audit +Default directory for storing audit log files. +.El +.Sh SEE ALSO +.Xr audit 8 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. 
+.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c new file mode 100644 index 0000000..b25c9ec --- /dev/null +++ b/contrib/openbsm/bin/auditd/auditd.c 
@@ -0,0 +1,760 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $ + */ + +#include <sys/dirent.h> +#include <sys/mman.h> +#include <sys/queue.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/wait.h> + +#include <bsm/audit.h> +#include <bsm/audit_uevents.h> +#include <bsm/libbsm.h> + +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <time.h> +#include <unistd.h> +#include <signal.h> +#include <string.h> +#include <syslog.h> + +#include "auditd.h" + +#define NA_EVENT_STR_SIZE 25 + +static int ret, minval; +static char *lastfile = NULL; +static int allhardcount = 0; +static int triggerfd = 0; +static int sighups, sighups_handled; +static int sigterms, sigterms_handled; +static long global_flags; + +static TAILQ_HEAD(, dir_ent) dir_q; + +static int config_audit_controls(void); + +/* + * Error starting auditd + */ +static void +fail_exit(void) +{ + + audit_warn_nostart(); + exit(1); +} + +/* + * Free our local list of directory names. + */ +static void +free_dir_q() +{ + struct dir_ent *dirent; + + while ((dirent = TAILQ_FIRST(&dir_q))) { + TAILQ_REMOVE(&dir_q, dirent, dirs); + free(dirent->dirname); + free(dirent); + } +} + +/* + * Generate the timestamp string. + */ +static int +getTSstr(char *buf, int len) +{ + struct timeval ts; + struct timezone tzp; + time_t tt; + + if (gettimeofday(&ts, &tzp) != 0) + return (-1); + tt = (time_t)ts.tv_sec; + if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt))) + return (-1); + return (0); +} + +/* + * Concat the directory name to the given file name. 
+ * XXX We should affix the hostname also + */ +static char * +affixdir(char *name, struct dir_ent *dirent) +{ + char *fn; + char *curdir; + const char *sep = "/"; + + curdir = dirent->dirname; + syslog(LOG_INFO, "dir = %s\n", dirent->dirname); + + fn = malloc(strlen(curdir) + strlen(sep) + (2 * POSTFIX_LEN) + 1); + if (fn == NULL) + return (NULL); + strcpy(fn, curdir); + strcat(fn, sep); + strcat(fn, name); + return (fn); +} + +/* + * Close the previous audit trail file. + */ +static int +close_lastfile(char *TS) +{ + char *ptr; + char *oldname; + + if (lastfile != NULL) { + oldname = (char *)malloc(strlen(lastfile) + 1); + if (oldname == NULL) + return (-1); + strcpy(oldname, lastfile); + + /* Rename the last file -- append timestamp. */ + if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) { + *ptr = '.'; + strcpy(ptr+1, TS); + if (rename(oldname, lastfile) != 0) + syslog(LOG_ERR, "Could not rename %s to %s \n", + oldname, lastfile); + else + syslog(LOG_INFO, "renamed %s to %s \n", + oldname, lastfile); + } + free(lastfile); + free(oldname); + lastfile = NULL; + } + return (0); +} + +/* + * Create the new file name, swap with existing audit file. + */ +static int +swap_audit_file(void) +{ + char timestr[2 * POSTFIX_LEN]; + char *fn; + char TS[POSTFIX_LEN]; + struct dir_ent *dirent; + int fd; + + if (getTSstr(TS, POSTFIX_LEN) != 0) + return (-1); + + strcpy(timestr, TS); + strcat(timestr, NOT_TERMINATED); + + /* Try until we succeed. */ + while ((dirent = TAILQ_FIRST(&dir_q))) { + if ((fn = affixdir(timestr, dirent)) == NULL) { + syslog(LOG_INFO, "Failed to swap log at time %s\n", + timestr); + return (-1); + } + + /* + * Create and open the file; then close and pass to the + * kernel if all went well. + */ + syslog(LOG_INFO, "New audit file is %s\n", fn); + fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP); + if (fd < 0) + perror("File open"); + else if (auditctl(fn) != 0) { + syslog(LOG_ERR, + "auditctl failed setting log file! 
: %s\n", + strerror(errno)); + close(fd); + } else { + /* Success. */ + close_lastfile(TS); + lastfile = fn; + close(fd); + return (0); + } + + /* + * Tell the administrator about lack of permissions for dir. + */ + audit_warn_getacdir(dirent->dirname); + + /* Try again with a different directory. */ + TAILQ_REMOVE(&dir_q, dirent, dirs); + free(dirent->dirname); + free(dirent); + } + syslog(LOG_INFO, "Log directories exhausted\n"); + return (-1); +} + +/* + * Read the audit_control file contents. + */ +static int +read_control_file(void) +{ + char cur_dir[MAXNAMLEN]; + struct dir_ent *dirent; + au_qctrl_t qctrl; + + /* + * Clear old values. Force a re-read of the file the next time. + */ + free_dir_q(); + endac(); + + /* + * Read the list of directories into a local linked list. + * + * XXX We should use the reentrant interfaces once they are + * available. + */ + while (getacdir(cur_dir, MAXNAMLEN) >= 0) { + dirent = (struct dir_ent *) malloc(sizeof(struct dir_ent)); + if (dirent == NULL) + return (-1); + dirent->softlim = 0; + dirent->dirname = (char *) malloc(MAXNAMLEN); + if (dirent->dirname == NULL) { + free(dirent); + return (-1); + } + strcpy(dirent->dirname, cur_dir); + TAILQ_INSERT_TAIL(&dir_q, dirent, dirs); + } + + allhardcount = 0; + if (swap_audit_file() == -1) { + syslog(LOG_ERR, "Could not swap audit file\n"); + /* + * XXX Faulty directory listing? - user should be given + * XXX an opportunity to change the audit_control file + * XXX switch to a reduced mode of auditing? + */ + return (-1); + } + + /* + * XXX There are synchronization problems here + * XXX what should we do if a trigger for the earlier limit + * XXX is generated here? 
+ */ + if (0 == (ret = getacmin(&minval))) { + syslog(LOG_INFO, "min free = %d\n", minval); + if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) { + syslog(LOG_ERR, + "could not get audit queue settings\n"); + return (-1); + } + qctrl.aq_minfree = minval; + if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) { + syslog(LOG_ERR, + "could not set audit queue settings\n"); + return (-1); + } + } + + return (0); +} + +/* + * Close all log files, control files, and tell the audit system. + */ +static int +close_all(void) +{ + int err_ret = 0; + char TS[POSTFIX_LEN]; + int aufd; + token_t *tok; + long cond; + + /* Generate an audit record. */ + if ((aufd = au_open()) == -1) + syslog(LOG_ERR, "Could not create audit shutdown event.\n"); + else { + if ((tok = au_to_text("auditd::Audit shutdown")) != NULL) + au_write(aufd, tok); + if (au_close(aufd, 1, AUE_audit_shutdown) == -1) + syslog(LOG_ERR, + "Could not close audit shutdown event.\n"); + } + + /* Flush contents. */ + cond = AUC_DISABLED; + err_ret = auditon(A_SETCOND, &cond, sizeof(cond)); + if (err_ret != 0) { + syslog(LOG_ERR, "Disabling audit failed! : %s\n", + strerror(errno)); + err_ret = 1; + } + if (getTSstr(TS, POSTFIX_LEN) == 0) + close_lastfile(TS); + if (lastfile != NULL) + free(lastfile); + + free_dir_q(); + if ((remove(AUDITD_PIDFILE) == -1) || err_ret) { + syslog(LOG_ERR, "Could not unregister\n"); + audit_warn_postsigterm(); + return (1); + } + endac(); + + if (close(triggerfd) != 0) + syslog(LOG_ERR, "Error closing control file\n"); + syslog(LOG_INFO, "Finished.\n"); + return (0); +} + +/* + * When we get a signal, we are often not at a clean point. So, little can + * be done in the signal handler itself. Instead, we send a message to the + * main servicing loop to do proper handling from a non-signal-handler + * context. + */ +static void +relay_signal(int signal) +{ + + if (signal == SIGHUP) + sighups++; + if (signal == SIGTERM) + sigterms++; +} + +/* + * Registering the daemon. 
+ */ +static int +register_daemon(void) +{ + FILE * pidfile; + int fd; + pid_t pid; + + /* Set up the signal hander. */ + if (signal(SIGTERM, relay_signal) == SIG_ERR) { + syslog(LOG_ERR, + "Could not set signal handler for SIGTERM\n"); + fail_exit(); + } + if (signal(SIGCHLD, relay_signal) == SIG_ERR) { + syslog(LOG_ERR, + "Could not set signal handler for SIGCHLD\n"); + fail_exit(); + } + if (signal(SIGHUP, relay_signal) == SIG_ERR) { + syslog(LOG_ERR, + "Could not set signal handler for SIGHUP\n"); + fail_exit(); + } + + if ((pidfile = fopen(AUDITD_PIDFILE, "a")) == NULL) { + syslog(LOG_ERR, + "Could not open PID file\n"); + audit_warn_tmpfile(); + return (-1); + } + + /* Attempt to lock the pid file; if a lock is present, exit. */ + fd = fileno(pidfile); + if (flock(fd, LOCK_EX | LOCK_NB) < 0) { + syslog(LOG_ERR, + "PID file is locked (is another auditd running?).\n"); + audit_warn_ebusy(); + return (-1); + } + + pid = getpid(); + ftruncate(fd, 0); + if (fprintf(pidfile, "%u\n", pid) < 0) { + /* Should not start the daemon. */ + fail_exit(); + } + + fflush(pidfile); + return (0); +} + +/* + * Suppress duplicate messages within a 30 second interval. This should be + * enough to time to rotate log files without thrashing from soft warnings + * generated before the log is actually rotated. + */ +#define DUPLICATE_INTERVAL 30 +static void +handle_audit_trigger(int trigger) +{ + static int last_trigger; + static time_t last_time; + struct dir_ent *dirent; + int rc; + + /* + * Suppres duplicate messages from the kernel within the specified + * interval. + */ + struct timeval ts; + struct timezone tzp; + time_t tt; + + if (gettimeofday(&ts, &tzp) == 0) { + tt = (time_t)ts.tv_sec; + if ((trigger == last_trigger) && + (tt < (last_time + DUPLICATE_INTERVAL))) + return; + last_trigger = trigger; + last_time = tt; + } + + /* + * Message processing is done here. 
+ */ + dirent = TAILQ_FIRST(&dir_q); + switch(trigger) { + + case AUDIT_TRIGGER_LOW_SPACE: + syslog(LOG_INFO, "Got low space trigger\n"); + if (dirent && (dirent->softlim != 1)) { + TAILQ_REMOVE(&dir_q, dirent, dirs); + /* Add this node to the end of the list. */ + TAILQ_INSERT_TAIL(&dir_q, dirent, dirs); + audit_warn_soft(dirent->dirname); + dirent->softlim = 1; + + if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL && + swap_audit_file() == -1) + syslog(LOG_ERR, "Error swapping audit file\n"); + + /* + * Check if the next dir has already reached its soft + * limit. + */ + dirent = TAILQ_FIRST(&dir_q); + if (dirent->softlim == 1) { + /* All dirs have reached their soft limit. */ + audit_warn_allsoft(); + } + } else { + /* + * Continue auditing to the current file. Also + * generate an allsoft warning. + * XXX do we want to do this ? + */ + audit_warn_allsoft(); + } + break; + + case AUDIT_TRIGGER_NO_SPACE: + syslog(LOG_INFO, "Got no space trigger\n"); + + /* Delete current dir, go on to next. */ + TAILQ_REMOVE(&dir_q, dirent, dirs); + audit_warn_hard(dirent->dirname); + free(dirent->dirname); + free(dirent); + + if (swap_audit_file() == -1) + syslog(LOG_ERR, "Error swapping audit file\n"); + + /* We are out of log directories. 
*/ + audit_warn_allhard(++allhardcount); + break; + + case AUDIT_TRIGGER_OPEN_NEW: + /* + * Create a new file and swap with the one being used in + * kernel + */ + syslog(LOG_INFO, "Got open new trigger\n"); + if (swap_audit_file() == -1) + syslog(LOG_ERR, "Error swapping audit file\n"); + break; + + case AUDIT_TRIGGER_READ_FILE: + syslog(LOG_INFO, "Got read file trigger\n"); + if (read_control_file() == -1) + syslog(LOG_ERR, "Error in audit control file\n"); + if (config_audit_controls() == -1) + syslog(LOG_ERR, "Error setting audit controls\n"); + break; + + default: + syslog(LOG_ERR, "Got unknown trigger %d\n", trigger); + break; + } +} + +static void +handle_sighup(void) +{ + + sighups_handled = sighups; + config_audit_controls(); +} + +/* + * Read the control file for triggers and handle appropriately. + */ +static int +wait_for_triggers(void) +{ + int num; + unsigned int trigger; + + for (;;) { + num = read(triggerfd, &trigger, sizeof(trigger)); + if ((num == -1) && (errno != EINTR)) { + syslog(LOG_ERR, "%s: error %d\n", __FUNCTION__, errno); + return (-1); + } + if (sigterms != sigterms_handled) { + syslog(LOG_INFO, "%s: SIGTERM", __FUNCTION__); + break; + } + if (sighups != sighups_handled) { + syslog(LOG_INFO, "%s: SIGHUP", __FUNCTION__); + handle_sighup(); + } + if ((num == -1) && (errno == EINTR)) + continue; + if (num == 0) { + syslog(LOG_INFO, "%s: read EOF\n", __FUNCTION__); + return (-1); + } + syslog(LOG_INFO, "%s: read %d\n", __FUNCTION__, trigger); + if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE) + break; + else + handle_audit_trigger(trigger); + } + return (close_all()); +} + +/* + * Reap our children. + */ +static void +reap_children(void) +{ + pid_t child; + int wstatus; + + while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) { + if (!wstatus) + continue; + syslog(LOG_INFO, "warn process [pid=%d] %s %d.\n", child, + ((WIFEXITED(wstatus)) ? "exited with non-zero status" : + "exited as a result of signal"), + ((WIFEXITED(wstatus)) ? 
WEXITSTATUS(wstatus) : + WTERMSIG(wstatus))); + } +} + +/* + * Configure the audit controls in the kernel: the event to class mapping, + * kernel preselection mask, etc. + */ +static int +config_audit_controls(void) +{ + au_event_ent_t ev, *evp; + au_evclass_map_t evc_map; + au_mask_t aumask; + int ctr = 0; + char naeventstr[NA_EVENT_STR_SIZE]; + + /* + * Process the audit event file, obtaining a class mapping for each + * event, and send that mapping into the kernel. + * XXX There's a risk here that the BSM library will return NULL + * for an event when it can't properly map it to a class. In that + * case, we will not process any events beyond the one that failed, + * but should. We need a way to get a count of the events. + */ + ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX); + ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX); + if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) { + syslog(LOG_ERR, + "Memory allocation error when configuring audit controls."); + return (-1); + } + evp = &ev; + setauevent(); + while ((evp = getauevent_r(evp)) != NULL) { + evc_map.ec_number = evp->ae_number; + evc_map.ec_class = evp->ae_class; + if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) + != 0) + syslog(LOG_ERR, + "Failed to register class mapping for event %s", + evp->ae_name); + else + ctr++; + } + endauevent(); + free(ev.ae_name); + free(ev.ae_desc); + if (ctr == 0) + syslog(LOG_ERR, "No events to class mappings registered."); + else + syslog(LOG_INFO, "Registered %d event to class mappings.", + ctr); + + /* + * Get the non-attributable event string and set the kernel mask from + * that. 
+ */ + if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0) && + (getauditflagsbin(naeventstr, &aumask) == 0)) { + if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t))) + syslog(LOG_ERR, + "Failed to register non-attributable event mask."); + else + syslog(LOG_INFO, + "Registered non-attributable event mask."); + } else + syslog(LOG_ERR, + "Failed to obtain non-attributable event mask."); + + /* + * Set the audit policy flags based on passed in parameter values. + */ + if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags))) + syslog(LOG_ERR, "Failed to set audit policy."); + + return (0); +} + +static void +setup(void) +{ + int aufd; + token_t *tok; + + if ((triggerfd = open(AUDIT_TRIGGER_FILE, O_RDONLY, 0)) < 0) { + syslog(LOG_ERR, "Error opening trigger file\n"); + fail_exit(); + } + + TAILQ_INIT(&dir_q); + if (read_control_file() == -1) { + syslog(LOG_ERR, "Error reading control file\n"); + fail_exit(); + } + + /* Generate an audit record. */ + if ((aufd = au_open()) == -1) + syslog(LOG_ERR, "Could not create audit startup event.\n"); + else { + if ((tok = au_to_text("auditd::Audit startup")) != NULL) + au_write(aufd, tok); + if (au_close(aufd, 1, AUE_audit_startup) == -1) + syslog(LOG_ERR, + "Could not close audit startup event.\n"); + } + + if (config_audit_controls() == 0) + syslog(LOG_INFO, "Audit controls init successful\n"); + else + syslog(LOG_INFO, "Audit controls init failed\n"); +} + +int +main(int argc, char **argv) +{ + char ch; + int debug = 0; + int rc; + + global_flags |= AUDIT_CNT; + while ((ch = getopt(argc, argv, "dhs")) != -1) { + switch(ch) { + case 'd': + /* Debug option. */ + debug = 1; + break; + + case 's': + /* Fail-stop option. */ + global_flags &= ~(AUDIT_CNT); + break; + + case 'h': + /* Halt-stop option. 
*/ + global_flags |= AUDIT_AHLT; + break; + + case '?': + default: + (void)fprintf(stderr, + "usage: auditd [-h | -s] [-d] \n"); + exit(1); + } + } + + openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY); + syslog(LOG_INFO, "starting...\n"); + + if (debug == 0 && daemon(0, 0) == -1) { + syslog(LOG_ERR, "Failed to daemonize\n"); + exit(1); + } + + if (register_daemon() == -1) { + syslog(LOG_ERR, "Could not register as daemon\n"); + exit(1); + } + + setup(); + + rc = wait_for_triggers(); + syslog(LOG_INFO, "auditd exiting.\n"); + + exit(rc); +} diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h new file mode 100644 index 0000000..e1731d9 --- /dev/null +++ b/contrib/openbsm/bin/auditd/auditd.h 
@@ -0,0 +1,80 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $
+ */
+
+#ifndef _AUDITD_H_
+#define _AUDITD_H_
+
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <syslog.h>
+
+#define MAX_DIR_SIZE 255
+#define AUDITD_NAME "auditd"
+
+#define POSTFIX_LEN 16
+#define NOT_TERMINATED ".not_terminated"
+
+struct dir_ent {
+ char *dirname;
+ char softlim;
+ TAILQ_ENTRY(dir_ent) dirs;
+};
+
+#define HARDLIM_ALL_WARN "allhard"
+#define SOFTLIM_ALL_WARN "allsoft"
+#define AUDITOFF_WARN "aditoff"
+#define EBUSY_WARN "ebusy"
+#define GETACDIR_WARN "getacdir"
+#define HARDLIM_WARN "hard"
+#define NOSTART_WARN "nostart"
+#define POSTSIGTERM_WARN "postsigterm"
+#define SOFTLIM_WARN "soft"
+#define TMPFILE_WARN "tmpfile"
+
+#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
+#define AUDITD_PIDFILE "/var/run/auditd.pid"
+
+int audit_warn_allhard(int count);
+int audit_warn_allsoft(void);
+int audit_warn_auditoff(void);
+int audit_warn_ebusy(void);
+int audit_warn_getacdir(char *filename);
+int audit_warn_hard(char *filename);
+int audit_warn_nostart(void);
+int audit_warn_postsigterm(void);
+int audit_warn_soft(char *filename);
+int audit_warn_tmpfile(void);
+
+#endif /* !_AUDITD_H_ */
diff --git a/contrib/openbsm/bin/auditreduce/Makefile b/contrib/openbsm/bin/auditreduce/Makefile
new file mode 100644
index 0000000..f4c292a
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/Makefile
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/Makefile#4 $
+#
+
+CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG= auditreduce
+MAN= auditreduce.1
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
new file mode 100644
index 0000000..6374e5b
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
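Review bot: `AUDITOFF_WARN` is defined as `"aditoff"` while every other warning keyword in this header spells its event name out in full (`"allhard"`, `"getacdir"`, `"postsigterm"`), which looks like a typo rather than a deliberate token. This string is presumably what `audit_warn_auditoff()` hands to `/etc/security/audit_warn`, so a site script that dispatches on `auditoff` would never be told that auditing was switched off; suggest `#define AUDITOFF_WARN "auditoff"`, confirmed against the keyword the shipped warn script actually matches. Separately, the `audit_warn_getacdir`, `audit_warn_hard` and `audit_warn_soft` prototypes take `char *filename` although they only need to read it; declaring them `const char *filename` would let callers pass directory names from the parsed control file without a cast.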
@@ -0,0 +1,153 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#6 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDITREDUCE 1 +.Os +.Sh NAME +.Nm auditreduce +.Nd "select records from audit trail files" +.Sh SYNOPSIS +.Nm auditreduce +.Op Fl A +.Op Fl a Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl b Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl c Ar flags +.Op Fl d Ar YYYYMMDD +.Op Fl e Ar euid +.Op Fl f Ar egid +.Op Fl g Ar rgid +.Op Fl r Ar ruid +.Op Fl u Ar auid +.Op Fl j Ar id +.Op Fl m Ar event +.Op Fl o Ar object=value +.Op Ar file ... +.Sh DESCRIPTION +The +.Nm +utility selects records from the audit trail files based on the specified +criteria. +Matching audit records are printed to the standard output in +their raw binary form. +If no filename is specified, the standard input is used +by default. +Use the +.Nm praudit +utility to print the selected audit records in human-readable form. +See +.Xr praudit 1 +for more information. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl A +Select all records. +.It Fl a Ar YYYYMMDD[HH[MM[SS]]] +Select records that occurred after or on the given datetime. +.It Fl b Ar YYYYMMDD[HH[MM[SS]]] +Select records that occurred before the given datetime. +.It Fl c Ar flags +Select records matching the given audit classes specified as a comma +separated list of audit flags. +See +.Xr audit_control 5 +for a description of audit flags. +.It Fl d Ar YYYYMMDD +Select records that occurred on a given date. +This option cannot be used with +.Fl a +or +.Fl b +.It Fl e Ar euid +Select records with the given effective user id or name. +.It Fl f Ar egid +Select records with the given effective group id or name. +.It Fl g Ar rgid +Select records with the given real group id or name. +.It Fl r Ar ruid +Select records with the given real user id or name. +.It Fl u Ar auid +Select records with the given audit id. +.It Fl j Ar id +Select records having a subject token with matching ID. +.It Fl m Ar event +Select records with the given event name or number. 
+See +.Xr audit_event 5 +for a description of audit event names and numbers. +.It Fl o Ar object=value +.Bl -tag -width Ds +.It Nm file +Select records containing the given path name. +file="/usr" matches paths +starting with +.Pa usr . +file="~/usr" matches paths not starting with +.Pa usr . +.It Nm msgqid +Select records containing the given message queue id. +.It Nm pid +Select records containing the given process id. +.It Nm semid +Select records containing the given semaphore id. +.It Nm shmid +Select records containing the given shared memory id. +.El +.El +.Sh Examples +.Pp +To select all records associated with effective user ID root from the audit +log /var/audit/20031016184719.20031017122634: +.Pp +.Nm +-e root /var/audit/20031016184719.20031017122634 +.Pp +To select all +.Xr setlogin 2 +events from that log: +.Pp +.Nm +-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Sh SEE ALSO +.Xr audit_control 5 , +.Xr audit_event 5 , +.Xr praudit 1 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c new file mode 100644 index 0000000..8e6f245 --- /dev/null +++ b/contrib/openbsm/bin/auditreduce/auditreduce.c 
@@ -0,0 +1,699 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ * + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $ + */ + +/* + * Tool used to merge and select audit records from audit trail files + */ + +/* + * XXX Currently we do not support merging of records from multiple + * XXX audit trail files + * XXX We assume that records are sorted chronologically - both wrt to + * XXX the records present within the file and between the files themselves + */ + +#include <bsm/libbsm.h> + +#include <stdio.h> +#include <stdlib.h> +#include <sysexits.h> +#include <grp.h> +#include <pwd.h> +#include <string.h> +#include <time.h> +#include <unistd.h> + +#include "auditreduce.h" + +extern char *optarg; +extern int optind, optopt, opterr,optreset; + +static au_mask_t maskp; /* Class. */ +static time_t p_atime; /* Created after this time. */ +static time_t p_btime; /* Created before this time. */ +static uint16_t p_evtype; /* Event that we are searching for. */ +static int p_auid; /* Audit id. */ +static int p_euid; /* Effective user id. */ +static int p_egid; /* Effective group id. */ +static int p_rgid; /* Real group id. */ +static int p_ruid; /* Real user id. */ +static int p_subid; /* Subject id. */ + +/* + * Following are the objects (-o option) that we can select upon. + */ +static char *p_fileobj = NULL; +static char *p_msgqobj = NULL; +static char *p_pidobj = NULL; +static char *p_semobj = NULL; +static char *p_shmobj = NULL; +static char *p_sockobj = NULL; + +static uint32_t opttochk = 0; + +static void +usage(const char *msg) +{ + fprintf(stderr, "%s\n", msg); + fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] 
\n"); + fprintf(stderr, "\tOptions are : \n"); + fprintf(stderr, "\t-A : all records\n"); + fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n"); + fprintf(stderr, "\t-b YYYYMMDD[HH[[MM[SS]]] : before date\n"); + fprintf(stderr, "\t-c <flags> : matching class\n"); + fprintf(stderr, "\t-d YYYYMMDD : on date\n"); + fprintf(stderr, "\t-e <uid|name> : effective user\n"); + fprintf(stderr, "\t-f <gid|group> : effective group\n"); + fprintf(stderr, "\t-g <gid|group> : real group\n"); + fprintf(stderr, "\t-j <pid> : subject id \n"); + fprintf(stderr, "\t-m <evno|evname> : matching event\n"); + fprintf(stderr, "\t-o objecttype=objectvalue\n"); + fprintf(stderr, "\t\t file=<pathname>\n"); + fprintf(stderr, "\t\t msgqid=<ID>\n"); + fprintf(stderr, "\t\t pid=<ID>\n"); + fprintf(stderr, "\t\t semid=<ID>\n"); + fprintf(stderr, "\t\t shmid=<ID>\n"); + fprintf(stderr, "\t-r <uid|name> : real user\n"); + fprintf(stderr, "\t-u <uid|name> : audit user\n"); + exit(EX_USAGE); +} + +/* + * Check if the given auid matches the selection criteria. + */ +static int +select_auid(int au) +{ + + /* Check if we want to select on auid. */ + if (ISOPTSET(opttochk, OPT_u)) { + if (au != p_auid) + return (0); + } + return (1); +} + +/* + * Check if the given euid matches the selection criteria. + */ +static int +select_euid(int euser) +{ + + /* Check if we want to select on euid. */ + if (ISOPTSET(opttochk, OPT_e)) { + if (euser != p_euid) + return (0); + } + return (1); +} + +/* + * Check if the given egid matches the selection criteria. + */ +static int +select_egid(int egrp) +{ + + /* Check if we want to select on egid. */ + if (ISOPTSET(opttochk, OPT_f)) { + if (egrp != p_egid) + return (0); + } + return (1); +} + +/* + * Check if the given rgid matches the selection criteria. + */ +static int +select_rgid(int grp) +{ + + /* Check if we want to select on rgid. 
*/ + if (ISOPTSET(opttochk, OPT_g)) { + if (grp != p_rgid) + return (0); + } + return (1); +} + +/* + * Check if the given ruid matches the selection criteria. + */ +static int +select_ruid(int user) +{ + + /* Check if we want to select on rgid. */ + if (ISOPTSET(opttochk, OPT_r)) { + if (user != p_ruid) + return (0); + } + return (1); +} + +/* + * Check if the given subject id (pid) matches the selection criteria. + */ +static int +select_subid(int subid) +{ + + /* Check if we want to select on subject uid. */ + if (ISOPTSET(opttochk, OPT_j)) { + if (subid != p_subid) + return (0); + } + return (1); +} + + +/* + * Check if object's pid maches the given pid. + */ +static int +select_pidobj(uint32_t pid) +{ + + if (ISOPTSET(opttochk, OPT_op)) { + if (pid != strtol(p_pidobj, (char **)NULL, 10)) + return (0); + } + return (1); +} + +/* + * Check if the given ipc object with the given type matches the selection + * criteria. + */ +static int +select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd) +{ + + if (type == AT_IPC_MSG) { + SETOPT((*optchkd), OPT_om); + if (ISOPTSET(opttochk, OPT_om)) { + if (id != strtol(p_msgqobj, (char **)NULL, 10)) + return (0); + } + return (1); + } else if (type == AT_IPC_SEM) { + SETOPT((*optchkd), OPT_ose); + if (ISOPTSET(opttochk, OPT_ose)) { + if (id != strtol(p_semobj, (char **)NULL, 10)) + return (0); + } + return (1); + } else if (type == AT_IPC_SHM) { + SETOPT((*optchkd), OPT_osh); + if (ISOPTSET(opttochk, OPT_osh)) { + if (id != strtol(p_shmobj, (char **)NULL, 10)) + return (0); + } + return (1); + } + + /* Unknown type -- filter if *any* ipc filtering is required. */ + if (ISOPTSET(opttochk, OPT_om) || ISOPTSET(opttochk, OPT_ose) + || ISOPTSET(opttochk, OPT_osh)) + return (0); + + return (1); +} + + +/* + * Check if the file name matches selection criteria. 
+ */ +static int +select_filepath(char *path, uint32_t *optchkd) +{ + char *loc; + + SETOPT((*optchkd), OPT_of); + if (ISOPTSET(opttochk, OPT_of)) { + if (p_fileobj[0] == '~') { + /* Object should not be in path. */ + loc = strstr(path, p_fileobj + 1); + if ((loc != NULL) && (loc == path)) + return (0); + } else { + /* Object should be in path. */ + loc = strstr(path, p_fileobj); + if ((loc == NULL) || (loc != path)) + return (0); + } + } + return (1); +} + +/* + * Returns 1 if the following pass the selection rules: + * + * before-time, + * after time, + * date, + * class, + * event + */ +static int +select_hdr32(tokenstr_t tok, uint32_t *optchkd) +{ + + SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m)); + + /* The A option overrides a, b and d. */ + if (!ISOPTSET(opttochk, OPT_A)) { + if (ISOPTSET(opttochk, OPT_a)) { + if (difftime((time_t)tok.tt.hdr32.s, p_atime) < 0) { + /* Record was created before p_atime. */ + return (0); + } + } + + if (ISOPTSET(opttochk, OPT_b)) { + if (difftime(p_btime, (time_t)tok.tt.hdr32.s) < 0) { + /* Record was created after p_btime. */ + return (0); + } + } + } + + if (ISOPTSET(opttochk, OPT_c)) { + /* + * Check if the classes represented by the event matches + * given class. + */ + if (au_preselect(tok.tt.hdr32.e_type, &maskp, AU_PRS_BOTH, + AU_PRS_USECACHE) != 1) + return (0); + } + + /* Check if event matches. 
*/ + if (ISOPTSET(opttochk, OPT_m)) { + if (tok.tt.hdr32.e_type != p_evtype) + return (0); + } + + return (1); +} + +/* + * Return 1 if checks for the the following succeed + * auid, + * euid, + * egid, + * rgid, + * ruid, + * process id + */ +static int +select_proc32(tokenstr_t tok, uint32_t *optchkd) +{ + + SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_op)); + + if (!select_auid(tok.tt.proc32.auid)) + return (0); + if (!select_euid(tok.tt.proc32.euid)) + return (0); + if (!select_egid(tok.tt.proc32.egid)) + return (0); + if (!select_rgid(tok.tt.proc32.rgid)) + return (0); + if (!select_ruid(tok.tt.proc32.ruid)) + return (0); + if (!select_pidobj(tok.tt.proc32.pid)) + return (0); + return (1); +} + +/* + * Return 1 if checks for the the following succeed + * auid, + * euid, + * egid, + * rgid, + * ruid, + * subject id + */ +static int +select_subj32(tokenstr_t tok, uint32_t *optchkd) +{ + + SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_j)); + + if (!select_auid(tok.tt.subj32.auid)) + return (0); + if (!select_euid(tok.tt.subj32.euid)) + return (0); + if (!select_egid(tok.tt.subj32.egid)) + return (0); + if (!select_rgid(tok.tt.subj32.rgid)) + return (0); + if (!select_ruid(tok.tt.subj32.ruid)) + return (0); + if (!select_subid(tok.tt.subj32.pid)) + return (0); + return (1); +} + +/* + * Read each record from the audit trail. Check if it is selected after + * passing through each of the options + */ +static int +select_records(FILE *fp) +{ + u_char *buf; + tokenstr_t tok; + int reclen; + int bytesread; + int selected; + uint32_t optchkd; + + int err = 0; + while ((reclen = au_read_rec(fp, &buf)) != -1) { + optchkd = 0; + bytesread = 0; + selected = 1; + while ((selected == 1) && (bytesread < reclen)) { + if (-1 == au_fetch_tok(&tok, buf + bytesread, + reclen - bytesread)) { + /* Is this an incomplete record? */ + err = 1; + break; + } + + /* + * For each token type we have have different + * selection criteria. 
+ */ + switch(tok.id) { + case AU_HEADER_32_TOKEN: + selected = select_hdr32(tok, + &optchkd); + break; + + case AU_PROCESS_32_TOKEN: + selected = select_proc32(tok, + &optchkd); + break; + + case AU_SUBJECT_32_TOKEN: + selected = select_subj32(tok, + &optchkd); + break; + + case AU_IPC_TOKEN: + selected = select_ipcobj( + tok.tt.ipc.type, tok.tt.ipc.id, + &optchkd); + break; + + case AU_FILE_TOKEN: + selected = select_filepath( + tok.tt.file.name, &optchkd); + break; + + case AU_PATH_TOKEN: + selected = select_filepath( + tok.tt.path.path, &optchkd); + break; + + /* + * The following tokens dont have any relevant + * attributes that we can select upon. + */ + case AU_TRAILER_TOKEN: + case AU_ARG32_TOKEN: + case AU_ATTR32_TOKEN: + case AU_EXIT_TOKEN: + case AU_NEWGROUPS_TOKEN: + case AU_IN_ADDR_TOKEN: + case AU_IP_TOKEN: + case AU_IPCPERM_TOKEN: + case AU_IPORT_TOKEN: + case AU_OPAQUE_TOKEN: + case AU_RETURN_32_TOKEN: + case AU_SEQ_TOKEN: + case AU_TEXT_TOKEN: + case AU_ARB_TOKEN: + case AU_SOCK_TOKEN: + default: + break; + } + bytesread += tok.len; + } + if ((selected == 1) && (!err)) { + /* Check if all the options were matched. */ + if (!(opttochk & ~optchkd)) { + /* XXX Write this record to the output file. */ + /* default to stdout */ + fwrite(buf, 1, reclen, stdout); + } + } + free(buf); + } + return (0); +} + +/* + * The -o option has the form object_type=object_value. Identify the object + * components. 
+ */ +void +parse_object_type(char *name, char *val) +{ + if (val == NULL) + return; + + if (!strcmp(name, FILEOBJ)) { + p_fileobj = val; + SETOPT(opttochk, OPT_of); + } else if (!strcmp(name, MSGQIDOBJ)) { + p_msgqobj = val; + SETOPT(opttochk, OPT_om); + } else if (!strcmp(name, PIDOBJ)) { + p_pidobj = val; + SETOPT(opttochk, OPT_op); + } else if (!strcmp(name, SEMIDOBJ)) { + p_semobj = val; + SETOPT(opttochk, OPT_ose); + } else if (!strcmp(name, SHMIDOBJ)) { + p_shmobj = val; + SETOPT(opttochk, OPT_osh); + } else if (!strcmp(name, SOCKOBJ)) { + p_sockobj = val; + SETOPT(opttochk, OPT_oso); + } else + usage("unknown value for -o"); +} + +int +main(int argc, char **argv) +{ + struct group *grp; + struct passwd *pw; + struct tm tm; + au_event_t *n; + FILE *fp; + int i; + char *objval, *converr; + char ch; + char timestr[128]; + char *fname; + + converr = NULL; + + while ((ch = getopt(argc, argv, "Aa:b:c:d:e:f:g:j:m:o:r:u:")) != -1) { + switch(ch) { + case 'A': + SETOPT(opttochk, OPT_A); + break; + + case 'a': + if (ISOPTSET(opttochk, OPT_a)) { + usage("d is exclusive with a and b"); + } + SETOPT(opttochk, OPT_a); + strptime(optarg, "%Y%m%d%H%M%S", &tm); + strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S", + &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ + p_atime = mktime(&tm); + break; + + case 'b': + if (ISOPTSET(opttochk, OPT_b)) { + usage("d is exclusive with a and b"); + } + SETOPT(opttochk, OPT_b); + strptime(optarg, "%Y%m%d%H%M%S", &tm); + strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S", + &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ + p_btime = mktime(&tm); + break; + + case 'c': + if (0 != getauditflagsbin(optarg, &maskp)) { + /* Incorrect class */ + usage("Incorrect class"); + } + SETOPT(opttochk, OPT_c); + break; + + case 'd': + if (ISOPTSET(opttochk, OPT_b) || ISOPTSET(opttochk, + OPT_a)) + usage("'d' is exclusive with 'a' and 'b'"); + SETOPT(opttochk, OPT_d); + strptime(optarg, "%Y%m%d", &tm); + strftime(timestr, 
sizeof(timestr), "%Y%m%d", &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ + p_atime = mktime(&tm); + tm.tm_hour = 23; + tm.tm_min = 59; + tm.tm_sec = 59; + strftime(timestr, sizeof(timestr), "%Y%m%d", &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ + p_btime = mktime(&tm); + break; + + case 'e': + p_euid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + /* Try the actual name */ + if ((pw = getpwnam(optarg)) == NULL) + break; + p_euid = pw->pw_uid; + } + SETOPT(opttochk, OPT_e); + break; + + case 'f': + p_egid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + /* Try actual group name. */ + if ((grp = getgrnam(optarg)) == NULL) + break; + p_egid = grp->gr_gid; + } + SETOPT(opttochk, OPT_f); + break; + + case 'g': + p_rgid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + /* Try actual group name. */ + if ((grp = getgrnam(optarg)) == NULL) + break; + p_rgid = grp->gr_gid; + } + SETOPT(opttochk, OPT_g); + break; + + case 'j': + p_subid = strtol(optarg, (char **)NULL, 10); + SETOPT(opttochk, OPT_j); + break; + + case 'm': + p_evtype = strtol(optarg, (char **)NULL, 10); + if (p_evtype == 0) { + /* Could be the string representation. 
*/ + n = getauevnonam(optarg); + if (n == NULL) + usage("Incorrect event name"); + p_evtype = *n; + free(n); + } + SETOPT(opttochk, OPT_m); + break; + + case 'o': + objval = strchr(optarg, '='); + if (objval != NULL) { + *objval = '\0'; + objval += 1; + parse_object_type(optarg, objval); + } + break; + + case 'r': + p_ruid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + if ((pw = getpwnam(optarg)) == NULL) + break; + p_ruid = pw->pw_uid; + } + SETOPT(opttochk, OPT_r); + break; + + case 'u': + p_auid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + if ((pw = getpwnam(optarg)) == NULL) + break; + p_auid = pw->pw_uid; + } + SETOPT(opttochk, OPT_u); + break; + + case '?': + default: + usage("Unknown option"); + } + } + argv += optind; + argc -= optind; + + if (argc == 0) + usage("Filename needed"); + + /* + * XXX: We should actually be merging records here. + */ + for (i = 0; i < argc; i++) { + fname = argv[i]; + fp = fopen(fname, "r"); + if (fp == NULL) + errx(EXIT_FAILURE, "Couldn't open %s", fname); + if (select_records(fp) == -1) { + errx(EXIT_FAILURE, "Couldn't select records %s", + fname); + } + fclose(fp); + } + exit(EXIT_SUCCESS); +} diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h new file mode 100644 index 0000000..698e276 --- /dev/null +++ b/contrib/openbsm/bin/auditreduce/auditreduce.h 
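Review bot: An unknown user or group name given to `-e`, `-f`, `-g`, `-r` or `-u` is silently dropped rather than rejected: in main's getopt loop each of those branches does `if ((pw = getpwnam(optarg)) == NULL) break;` before `SETOPT(...)`, so the option bit is never set, no filter is applied, and auditreduce emits every record — a typo in an analyst's query widens the selection instead of failing. Each branch should abort instead, e.g. `if ((pw = getpwnam(optarg)) == NULL) usage("Unknown user");` (and the group-name branches likewise with "Unknown group"). The same loop stores getopt's int result in `char ch`, which never compares equal to -1 on targets where char is unsigned, and the `-a`/`-b`/`-d` branches pass `tm` to mktime without checking strptime's return, so a malformed date produces a bound computed from an uninitialized struct. In `select_records`, `err` is set when `au_fetch_tok` fails but never reset per record, so once one damaged record is seen every later record is suppressed rather than just that one.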
@@ -0,0 +1,67 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
+ */
+
+#ifndef _AUDITREDUCE_H_
+#define _AUDITREDUCE_H_
+
+
+#define OPT_a 0x00000001
+#define OPT_b 0x00000002
+#define OPT_c 0x00000004
+#define OPT_d (OPT_a | OPT_b)
+#define OPT_e 0x00000010
+#define OPT_f 0x00000020
+#define OPT_g 0x00000040
+#define OPT_j 0x00000080
+#define OPT_m 0x00000100
+#define OPT_of 0x00000200
+#define OPT_om 0x00000400
+#define OPT_op 0x00000800
+#define OPT_ose 0x00001000
+#define OPT_osh 0x00002000
+#define OPT_oso 0x00004000
+#define OPT_r 0x00008000
+#define OPT_u 0x00010000
+#define OPT_A 0x00020000
+
+#define FILEOBJ "file"
+#define MSGQIDOBJ "msgqid"
+#define PIDOBJ "pid"
+#define SEMIDOBJ "semid"
+#define SHMIDOBJ "shmid"
+#define SOCKOBJ "sock"
+
+
+#define SETOPT(optmask, bit) (optmask |= bit)
+#define ISOPTSET(optmask, bit) (optmask & bit)
+
+
+#endif /* !_AUDITREDUCE_H_ */
diff --git a/contrib/openbsm/bin/praudit/Makefile b/contrib/openbsm/bin/praudit/Makefile
new file mode 100644
index 0000000..34e136b
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/Makefile
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/Makefile#4 $
+#
+
+CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG= praudit
+MAN= praudit.1
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/praudit/praudit.1 b/contrib/openbsm/bin/praudit/praudit.1
new file mode 100644
index 0000000..e994638
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/praudit.1
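Review bot: `SETOPT` and `ISOPTSET` expand their arguments unparenthesized — `#define ISOPTSET(optmask, bit) (optmask & bit)` — so a caller that passes a compound mask such as `OPT_a | OPT_b` without its own parentheses is parsed as `optmask & OPT_a | OPT_b` and always tests true. The callers visible in auditreduce.c happen to wrap their masks in parentheses, but the macros should not rely on that: `#define SETOPT(optmask, bit) ((optmask) |= (bit))` and `#define ISOPTSET(optmask, bit) ((optmask) & (bit))`. `OPT_d` is also an alias for `(OPT_a | OPT_b)` rather than a bit of its own, so the `-a`/`-b` "exclusive with d" checks in main fire only as a side effect of that aliasing; a one-line comment on the `OPT_d` definition saying that `-d` is expressed as both bounds would make that intent explicit for the next reader.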
@@ -0,0 +1,97 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $
+.\"
+.Dd Jan 24, 2004
+.Dt PRAUDIT 1
+.Os
+.Sh NAME
+.Nm praudit
+.Nd "print the contents of audit trail files"
+.Sh SYNOPSIS
+.Nm praudit
+.Op Fl lrs
+.Op Fl d Ar del
+.Op Ar file ...
+.Sh DESCRIPTION
+The
+.Nm
+utility prints the contents of the audit trail files to the standard output in
+human-readable form.
+If no filename is specified, the standard input is used
+by default.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl l
+Prints the entire record on the same line.
+If this option is not specified,
+every token is displayed on a different line.
+.It Fl r
+Prints the records in their raw, numeric form.
+This option is exclusive from
+.Fl s
+.It Fl s
+Prints the tokens in their short form.
+Short text representations for
+record and event type are displayed.
+This option is exclusive from
+.Fl r
+.It Fl d Ar del
+Specifies the delimiter.
+The default delimiter is the comma.
+.El
+.Pp
+If the raw or short forms are not specified, the default is to print the tokens
+in their long form.
+Events are displayed as per their descriptions given in
+.Pa /etc/security/audit_event ;
+uids and gids are expanded to their names;
+dates and times are displayed in human-readable format.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_class
+Descriptions of audit event classes
+.It Pa /etc/security/audit_event
+Descriptions of audit events
+.El
+.Sh SEE ALSO
+.Xr audit_class 5 ,
+.Xr audit_event 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/praudit/praudit.c b/contrib/openbsm/bin/praudit/praudit.c
new file mode 100644
index 0000000..920f6d4
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/praudit.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $
+ */
+
+/*
+ * Tool used to parse audit records conforming to the BSM structure.
+ */
+
+/*
+ * praudit [-lrs] [-ddel] [filenames]
+ */
+
+#include <bsm/libbsm.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+extern char *optarg;
+extern int optind, optopt, opterr,optreset;
+
+static char *del = ","; /* Default delimiter. */
+static int oneline = 0;
+static int raw = 0;
+static int shortfrm = 0;
+static int partial = 0;
+
+static void
+usage()
+{
+
+ fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n");
+ exit(1);
+}
+
+/*
+ * Token printing for each token type .
+ */
+static int
+print_tokens(FILE *fp)
+{
+ u_char *buf;
+ tokenstr_t tok;
+ int reclen;
+ int bytesread;
+
+ /* Allow tail -f | praudit to work. */
+ if (partial) {
+ u_char type = 0;
+ /* Record must begin with a header token. */
+ do {
+ type = fgetc(fp);
+ } while(type != AU_HEADER_32_TOKEN);
+ ungetc(type, fp);
+ }
+
+ while ((reclen = au_read_rec(fp, &buf)) != -1) {
+ bytesread = 0;
+ while (bytesread < reclen) {
+ /* Is this an incomplete record? */
+ if (-1 == au_fetch_tok(&tok, buf + bytesread,
+ reclen - bytesread))
+ break;
+ au_print_tok(stdout, &tok, del, raw, shortfrm);
+ bytesread += tok.len;
+ if (oneline)
+ printf("%s", del);
+ else
+ printf("\n");
+ }
+ free(buf);
+ if (oneline)
+ printf("\n");
+ }
+ return (0);
+}
+
+int
+main(int argc, char **argv)
+{
+ char ch;
+ int i;
+ FILE *fp;
+
+ while ((ch = getopt(argc, argv, "lprsd:")) != -1) {
+ switch(ch) {
+ case 'l':
+ oneline = 1;
+ break;
+
+ case 'r':
+ if (shortfrm)
+ usage(); /* Exclusive from shortfrm. */
+ raw = 1;
+ break;
+
+ case 's':
+ if (raw)
+ usage(); /* Exclusive from raw. */
+ shortfrm = 1;
+ break;
+
+ case 'd':
+ del = optarg;
+ break;
+
+ case 'p':
+ partial = 1;
+ break;
+
+ case '?':
+ default:
+ usage();
+ }
+ }
+
+ /* For each of the files passed as arguments dump the contents. */
+ if (optind == argc) {
+ print_tokens(stdin);
+ return (1);
+ }
+ for (i = optind; i < argc; i++) {
+ fp = fopen(argv[i], "r");
+ if ((fp == NULL) || (print_tokens(fp) == -1))
+ perror(argv[i]);
+ if (fp != NULL)
+ fclose(fp);
+ }
+ return (1);
+} |
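Review bot: `char ch` in main, paired with `while ((ch = getopt(...)) != -1)`, only works where `char` is signed; on targets where it is unsigned the -1 from getopt() is stored as 255 and the option loop never ends, so it should be `int ch;`, the type getopt() actually returns. The partial-mode scan in print_tokens has the same shape of bug: `type` is a `u_char`, so the EOF that fgetc() returns on an empty or truncated trail becomes 0xFF, never equals AU_HEADER_32_TOKEN, and the do/while spins forever instead of returning — reading into an `int` and stopping on EOF fixes it, as sketched below. Since print_tokens always returns 0 and main returns 1 on every path, the `print_tokens(fp) == -1` check is dead and the exit status always reports failure; returning -1 from the EOF case and 0 from main on success would make both meaningful. The `-p` flag accepted by the getopt string is also absent from usage() and from the praudit.1 page in this commit.

```c
static int
print_tokens(FILE *fp)
{
	/* … unchanged: buf, tok, reclen, bytesread declarations … */

	/* Allow tail -f | praudit to work. */
	if (partial) {
		int c;

		/* Skip to a header token; give up on EOF rather than spin. */
		do {
			c = fgetc(fp);
		} while (c != EOF && c != AU_HEADER_32_TOKEN);
		if (c == EOF)
			return (-1);
		ungetc(c, fp);
	}
	/* … unchanged: au_read_rec / au_fetch_tok loop … */
}

int
main(int argc, char **argv)
{
	int ch;		/* getopt() returns int; plain char may be unsigned */
	/* … unchanged: option parsing and per-file loop … */
}
```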