From 6b46b736cc84f6697b21608e304026e847ac155d Mon Sep 17 00:00:00 2001
From: rwatson <rwatson@FreeBSD.org>
Date: Mon, 25 Sep 2006 11:40:29 +0000
Subject: Vendor import TrustedBSD OpenBSM 1.0 alpha 12, with the following
 change history notes since the last import:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working
  correctly when the user specifies to process successful or failed events.
  The problem stemmed from not having access to the return token at the time
  the initial preselection occurred, but now a second preselection process
  occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
  which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
  line; this was the documented behavior previously, but it was not
  implemented.  Be more specific in auditreduce(1)'s examples section about
  what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
  termination of an audit trail file.  For example, this might be used to
  compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
  now supply one or more (comma delimited) regular expressions for searching
  the pathnames. If one of the regular expressions is prefixed with a tilde
  (~), and a path matches, it will be excluded from the search results.

MFC after:	3 days
Obtained from:	TrustedBSD Project
---
 contrib/openbsm/bin/auditd/audit_warn.c       |  17 +++-
 contrib/openbsm/bin/auditd/auditd.c           |  19 +++-
 contrib/openbsm/bin/auditd/auditd.h           |   4 +-
 contrib/openbsm/bin/auditreduce/auditreduce.1 |  43 +++++++--
 contrib/openbsm/bin/auditreduce/auditreduce.c | 120 ++++++++++++++++++++++----
 contrib/openbsm/bin/auditreduce/auditreduce.h |   9 +-
 6 files changed, 183 insertions(+), 29 deletions(-)


diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c
index 7fa5eb9..3239b67 100644
--- a/contrib/openbsm/bin/auditd/audit_warn.c
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#7 $
  */
 
 #include <sys/types.h>
@@ -125,6 +125,21 @@ audit_warn_auditoff(void)
 }
 
 /*
+ * Indicate that a trail file has been closed, so can now be post-processed.
+ */
+int
+audit_warn_closefile(char *filename)
+{
+	char *args[3];
+
+	args[0] = CLOSEFILE_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
  * Indicates that the audit deammn is already running
  */
 int
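Review bot: The new header comment reads `Indicate that a trail file has been closed, so can now be post-processed.` and drops the subject; `so it can now be post-processed` reads correctly and also matches the third-person form of the neighbouring comments. The `filename` parameter is only stored into `args[]` and never written through, so `const char *filename` would document that, though the sibling prototypes visible in auditd.h take `char *`, so keeping `char *` for consistency is defensible. Either way the name of the hook (`CLOSEFILE_WARN`) and the argument layout match the other audit_warn_* helpers.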
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index 86cf233..7ca2123 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#21 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
  */
 
 #include <sys/types.h>
@@ -163,9 +163,11 @@ close_lastfile(char *TS)
 				syslog(LOG_ERR,
 				    "Could not rename %s to %s: %m", oldname,
 				    lastfile);
-			else
+			else {
 				syslog(LOG_INFO, "renamed %s to %s",
 				    oldname, lastfile);
+				audit_warn_closefile(lastfile);
+			}
 		}
 		free(lastfile);
 		free(oldname);
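Review bot: The result of `audit_warn_closefile(lastfile)` is discarded, so a failing closefile hook (auditwarnlog returns an int for exactly this purpose) is never reported; administrators relying on the hook to compress or archive the trail would see nothing in the log. Consider `if (audit_warn_closefile(lastfile) != 0)` followed by a `syslog(LOG_ERR, "audit_warn closefile failed for %s", lastfile);`, unless the other audit_warn_* call sites in this file deliberately ignore the return value as well (not visible from this hunk). close_lastfile starts outside the hunk.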
@@ -727,6 +729,8 @@ config_audit_controls(void)
 	char naeventstr[NA_EVENT_STR_SIZE];
 	char polstr[POL_STR_SIZE];
 	long policy;
+	au_fstat_t au_fstat;
+	size_t filesz;
 
 	/*
 	 * Process the audit event file, obtaining a class mapping for each
@@ -806,6 +810,17 @@ config_audit_controls(void)
 			    "Failed to set default audit policy: %m");
 	}
 
+	/*
+	 * Set trail rotation size.
+	 */
+	if (getacfilesz(&filesz) == 0) {
+		bzero(&au_fstat, sizeof(au_fstat));
+		au_fstat.af_filesz = filesz;
+		if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0)
+			syslog(LOG_ERR, "Failed to set filesz: %m");
+	} else
+		syslog(LOG_ERR, "Failed to obtain filesz: %m");
+
 	return (0);
 }
 
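Review bot: `syslog(LOG_ERR, "Failed to obtain filesz: %m")` assumes getacfilesz() leaves a meaningful errno behind, which the other getac*() readers of audit_control(5) are not known to guarantee, so the `%m` text may be stale or misleading. Since filesz is a setting introduced by this import, an audit_control(5) without it is the common case for existing installs, and it will now produce a LOG_ERR on every daemon start even though the kernel's previous rotation size is simply left in place. Suggest logging that case at LOG_WARNING without `%m`, e.g. `syslog(LOG_WARNING, "No filesz setting; trail rotation size unchanged");`, and keeping the `%m` only on the auditon() failure, which does set errno. config_audit_controls starts outside the hunk, and the matching declarations are in the previous hunk.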
diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h
index 11bf9d4..9c5ae28 100644
--- a/contrib/openbsm/bin/auditd/auditd.h
+++ b/contrib/openbsm/bin/auditd/auditd.h
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#7 $
  */
 
 #ifndef _AUDITD_H_
@@ -62,6 +62,7 @@ struct dir_ent {
 #define	HARDLIM_ALL_WARN	"allhard"
 #define	SOFTLIM_ALL_WARN	"allsoft"
 #define	AUDITOFF_WARN		"auditoff"
+#define	CLOSEFILE_WARN		"closefile"
 #define	EBUSY_WARN		"ebusy"
 #define	GETACDIR_WARN		"getacdir"
 #define	HARDLIM_WARN		"hard"
@@ -76,6 +77,7 @@ struct dir_ent {
 int	audit_warn_allhard(int count);
 int	audit_warn_allsoft(void);
 int	audit_warn_auditoff(void);
+int	audit_warn_closefile(char *filename);
 int	audit_warn_ebusy(void);
 int	audit_warn_getacdir(char *filename);
 int	audit_warn_hard(char *filename);
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
index 9ae9726..f590e35 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
 .\"
 .Dd January 24, 2004
 .Dt AUDITREDUCE 1
@@ -105,12 +105,17 @@ for a description of audit event names and numbers.
 .It Fl o Ar object=value
 .Bl -tag -width Ds
 .It Nm file
-Select records containing the given path name.
-file="/usr" matches paths
-starting with
-.Pa usr .
-file="~/usr" matches paths not starting with
-.Pa usr .
+Select records containing path tokens, where the pathname matches
+one of the comma delimited extended regular expression contained in
+given specification.
+Regular expressions which are prefixed with a tilde (~) are excluded
+from the search results.
+These extended regular expressions are processed from left to right,
+and a path will either be selected or deslected based on the first match.
+.Pp
+Since commas are used to delimit the regular expressions, a backslash (\\)
+character should be used to escape the comma if it's a part of the search
+pattern.
 .It Nm msgqid
 Select records containing the given message queue id.
 .It Nm pid
@@ -136,6 +141,30 @@ events from that log:
 .Pp
 .Nm
 -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Pp
+Output from the above command lines will typically be piped to a new trail
+file, or via standard output to the
+.Xr praudit 1
+command.
+.Pp
+Select all records containing a path token where the pathname contains
+.Pa /etc/master.passwd
+.Pp
+.Nm
+-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+device:
+.Pp
+.Nm
+-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+except for
+.Pa /dev/ttyp2
+.Pp
+.Nm
+-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
 .Sh SEE ALSO
 .Xr praudit 1 ,
 .Xr audit_control 5 ,
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c
index 25a14ff..31bd892 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.c
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.c
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#14 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#18 $
  */
 
 /* 
@@ -40,6 +40,13 @@
  * XXX the records present within the file and between the files themselves
  */ 
 
+#include <config/config.h>
+#ifdef HAVE_FULL_QUEUE_H
+#include <sys/queue.h>
+#else
+#include <compat/queue.h>
+#endif
+
 #include <bsm/libbsm.h>
 
 #include <err.h>
@@ -51,9 +58,14 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
+#include <regex.h>
+#include <errno.h>
 
 #include "auditreduce.h"
 
+static TAILQ_HEAD(tailhead, re_entry) re_head =
+    TAILQ_HEAD_INITIALIZER(re_head);
+
 extern char		*optarg;
 extern int		 optind, optopt, opterr,optreset;
 
@@ -81,10 +93,57 @@ static char	*p_sockobj = NULL;
 static uint32_t opttochk = 0;
 
 static void
+parse_regexp(char *re_string)
+{
+	char *orig, *copy, re_error[64];
+	struct re_entry *rep;
+	int error, nstrs, i, len;
+
+	copy = strdup(re_string);
+	orig = copy;
+	len = strlen(copy);
+	for (nstrs = 0, i = 0; i < len; i++) {
+		if (copy[i] == ',' && i > 0) {
+			if (copy[i - 1] == '\\')
+				strcpy(&copy[i - 1], &copy[i]);
+			else {
+				nstrs++;
+				copy[i] = '\0';
+			}
+		}
+	}
+	TAILQ_INIT(&re_head);
+	for (i = 0; i < nstrs + 1; i++) {
+		rep = calloc(1, sizeof(*rep));
+		if (rep == NULL) {
+			(void) fprintf(stderr, "calloc: %s\n",
+			    strerror(errno));
+			exit(1);
+		}
+		if (*copy == '~') {
+			copy++;
+			rep->re_negate = 1;
+		}
+		rep->re_pattern = strdup(copy);
+		error = regcomp(&rep->re_regexp, rep->re_pattern,
+		    REG_EXTENDED | REG_NOSUB);
+		if (error != 0) {
+			regerror(error, &rep->re_regexp, re_error, 64);
+			(void) fprintf(stderr, "regcomp: %s\n", re_error);
+			exit(1);
+		}
+		TAILQ_INSERT_TAIL(&re_head, rep, re_glue);
+		len = strlen(copy);
+		copy += len + 1;
+	}
+	free(orig);
+}
+
+static void
 usage(const char *msg)
 {
 	fprintf(stderr, "%s\n", msg);
-	fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
+	fprintf(stderr, "Usage: auditreduce [options] [file ...]\n");
 	fprintf(stderr, "\tOptions are : \n");
 	fprintf(stderr, "\t-A : all records\n");
 	fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
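Review bot: In parse_regexp the unescape step `strcpy(&copy[i - 1], &copy[i]);` copies between overlapping regions of the same buffer, which is undefined behaviour for strcpy; use `memmove(&copy[i - 1], &copy[i], len - i + 1);` (the remaining bytes including the terminator). Both `strdup()` calls are unchecked, so an allocation failure reaches `strlen(copy)` or `regcomp()` with a NULL pointer; the calloc path already has the right pattern, and `rep->re_pattern` should get the same treatment. The `regerror(..., re_error, 64)` literal should be `sizeof(re_error)` so the buffer size cannot drift from its declaration. Note also that a trailing or doubled comma yields an empty pattern, and `regcomp("")` matches every path, so `-o file="/etc/passwd,"` silently selects all records with a path token; rejecting empty patterns with a usage error would be safer for a tool used to narrow audit evidence.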
@@ -258,23 +317,20 @@ select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
 static int
 select_filepath(char *path, uint32_t *optchkd)
 {
-	char *loc;
+	struct re_entry *rep;
+	int match;
 
 	SETOPT((*optchkd), OPT_of);
+	match = 1;
 	if (ISOPTSET(opttochk, OPT_of)) {
-		if (p_fileobj[0] == '~') {
-			/* Object should not be in path. */
-			loc = strstr(path, p_fileobj + 1);
-			if ((loc != NULL) && (loc == path))
-				return (0);
-		} else {
-			/* Object should be in path. */
-			loc = strstr(path, p_fileobj);
-			if ((loc == NULL) || (loc != path))
-				return (0);
+		match = 0;
+		TAILQ_FOREACH(rep, &re_head, re_glue) {
+			if (regexec(&rep->re_regexp, path, 0, NULL,
+			    0) != REG_NOMATCH)
+				return (!rep->re_negate);
 		}
 	}
-	return (1);
+	return (match);
 }
 
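Review bot: `regexec(&rep->re_regexp, path, 0, NULL, 0)` is an unanchored search, whereas the code this replaces required `loc == path`, i.e. a match at the start of the path; a pattern such as the manual's `/dev/tty[a-zA-Z][0-9]+` therefore now also selects `/var/tmp/dev/ttyp0` and anything else containing that substring. Users reducing audit trails by path will get broader results than before unless they prefix patterns with `^`, which the new auditreduce.1 text does not mention; either document that anchoring is the user's responsibility or anchor internally. Separately, `match` is only ever 1 or 0 and every matching iteration returns directly, so the function reads more simply as `return (0);` after the TAILQ_FOREACH inside the if-block and `return (1);` at the end, dropping the local.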
 /*
@@ -328,6 +384,24 @@ select_hdr32(tokenstr_t tok, uint32_t *optchkd)
 	return (1);
 }
 
+static int
+select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd)
+{
+	int sorf;
+
+	SETOPT((*optchkd), (OPT_c));
+	if (tok_ret32.tt.ret32.status == 0)
+		sorf = AU_PRS_SUCCESS;
+	else
+		sorf = AU_PRS_FAILURE;
+	if (ISOPTSET(opttochk, OPT_c)) {
+		if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf,
+		    AU_PRS_USECACHE) != 1)
+			return (0);
+	}
+	return (1);
+}
+
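Review bot: select_return32 is the only select_* helper in this file without the descriptive block comment that precedes its siblings (the `Return 1 if checks for the ... succeed` form visible just below). A two-line comment such as `/* Return 1 if the record's success/failure status, combined with the event type from its header token, passes the -c preselection mask. */` would make the second-preselection design from the commit message discoverable in the code. Passing two `tokenstr_t` structs by value follows the existing select_hdr32 signature, so that is consistent, if somewhat heavy.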
 /*
  * Return 1 if checks for the the following succeed
  * auid, 
@@ -395,6 +469,7 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd)
 static int
 select_records(FILE *fp)
 {
+	tokenstr_t tok_hdr32_copy;
 	u_char *buf;
 	tokenstr_t tok;
 	int reclen;
@@ -423,6 +498,8 @@ select_records(FILE *fp)
 			case AU_HEADER_32_TOKEN:
 					selected = select_hdr32(tok,
 					    &optchkd);
+					bcopy(&tok, &tok_hdr32_copy,
+					    sizeof(tok));
 					break;
 
 			case AU_PROCESS_32_TOKEN:
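Review bot: `tok_hdr32_copy` (declared without an initializer in the previous hunk) is only written when an AU_HEADER_32_TOKEN is seen, so a record whose return token arrives before any header — a truncated or malformed trail, and auditreduce now reads from stdin as well — makes select_return32 read `e_type` from indeterminate memory; for later records a stale header from the previous record would be used instead. Initialising the copy at the start of each record, `memset(&tok_hdr32_copy, 0, sizeof(tok_hdr32_copy));`, or tracking a "header seen" flag, closes that gap; the per-record loop begins outside the hunk, so I cannot place it exactly. The `bcopy(&tok, &tok_hdr32_copy, sizeof(tok))` is also just `tok_hdr32_copy = tok;` in C.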
@@ -451,6 +528,11 @@ select_records(FILE *fp)
 					    tok.tt.path.path, &optchkd);
 					break;	
 
+			case AU_RETURN_32_TOKEN:
+				selected = select_return32(tok,
+				    tok_hdr32_copy, &optchkd);
+				break;
+
 			/* 
 			 * The following tokens dont have any relevant
 			 * attributes that we can select upon.
@@ -465,7 +547,6 @@ select_records(FILE *fp)
 			case AU_IPCPERM_TOKEN:
 			case AU_IPORT_TOKEN:
 			case AU_OPAQUE_TOKEN:
-			case AU_RETURN_32_TOKEN:
 			case AU_SEQ_TOKEN:
 			case AU_TEXT_TOKEN:
 			case AU_ARB_TOKEN:
@@ -500,6 +581,7 @@ parse_object_type(char *name, char *val)
 
 	if (!strcmp(name, FILEOBJ)) {
 		p_fileobj = val;
+		parse_regexp(val);
 		SETOPT(opttochk, OPT_of);
 	} else if (!strcmp(name, MSGQIDOBJ)) {
 		p_msgqobj = val;
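Review bot: `parse_regexp(val)` re-runs `TAILQ_INIT(&re_head)` on every call, so a command line that repeats `-o file=...` silently drops the earlier patterns and leaks their compiled `regex_t` and `re_pattern` strings; only the last specification takes effect, with no diagnostic. Either reject a second file object with `usage("file object specified more than once")`, or let parse_regexp append to the existing list instead of re-initialising it. `p_fileobj` is still assigned but, with matching now done via re_head, may be unused elsewhere (not visible here).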
@@ -679,8 +761,12 @@ main(int argc, char **argv)
 	argv += optind;
 	argc -= optind;
 
-	if (argc == 0)
-		usage("Filename needed");
+	if (argc == 0) {
+		if (select_records(stdin) == -1)
+			errx(EXIT_FAILURE,
+			    "Couldn't select records from stdin");
+		exit(EXIT_SUCCESS);
+	}
 
 	/*
 	 * XXX: We should actually be merging records here.
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h
index 698e276..f69dc16 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.h
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.h
@@ -26,13 +26,20 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $
  */
 
 #ifndef _AUDITREDUCE_H_
 #define _AUDITREDUCE_H_
 
 
+struct re_entry {
+	char		*re_pattern;
+	int		 re_negate;
+	regex_t		 re_regexp;
+	TAILQ_ENTRY(re_entry) re_glue;
+};
+
 #define OPT_a	0x00000001
 #define OPT_b	0x00000002
 #define OPT_c	0x00000004
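Review bot: `struct re_entry` now uses `regex_t` and `TAILQ_ENTRY`, but auditreduce.h does not include `<regex.h>` or the queue header itself; it only compiles because auditreduce.c happens to include `<regex.h>` and `sys/queue.h`/`compat/queue.h` before `"auditreduce.h"`. Add the same includes (with the `HAVE_FULL_QUEUE_H` selection) to the header so it is self-contained and survives include reordering.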
-- 