diff options
72 files changed, 15884 insertions, 0 deletions
diff --git a/contrib/openbsm/CHANGELOG b/contrib/openbsm/CHANGELOG new file mode 100644 index 000000000000..846cbf98c333 --- /dev/null +++ b/contrib/openbsm/CHANGELOG @@ -0,0 +1,69 @@ +OpenBSM 1.0 + +- Import of Darwin74 BSM drop +- Use 'syslog' for audit log warnings, rather than echoing to a file in + audit_warn. +- Compile using BSD make infrastructure. +- Integrate bsm/ include files from Darwin74 XNU drop into OpenBSM. +- Narrow set of symbols and defines that are exposed in user space: don't + compile in code relying on kernel-only types such as 'struct socket'. +- Add README, including basic build documentation. +- Compilation of Apple-specific notify and Machroutines now #ifdef __APPLE__. +- Staticize libbsm global variables to avoid leakage into application. +- Add free_au_user_ent() so that au_user_ent's don't have to be leaked. +- Clean up bogus nul-termination checks in libbsm. +- Add libbsm API man pages: au_class.3 au_control.3 au_event.3 + au_free_token.3 au_io.3 au_mask.3 au_token.3 au_user.3 libbsm.3. +- Add man pages for BSM system calls: audit.2 auditctl.2 auditon.2 getaudit.2 + getauid.2 setaudit.2 setauid.2 +- Modify various libbsm interfaces to more consistently return 'errno' values + on failure. +- Break out au_close() into constituent parts, allowing records to be written + to memory as well as files. +- Prefix various defines with 'BSM_' to reduce name space pollution. +- Added audit_internal.h, which can be used by a kernel audit implementation + wanting to rely on libbsm components. +- Build with warnings, and eliminate warnings. +- Make libbsm endian-independent, storing and reading BSM are big endian + (network byte order) rather than native byte order. More consistently + print IP addresses using the IP address print routine. These changes + make use of sys/endian.h from *BSD; since this isn't present on Darwin, + add it to OpenBSM as compat/endian.h, which is used only on Darwin. +- Import of Darwin80 BSM drop, including 64-bit file IDs, better + documentation of private APIs, and bug fixes. +- White space cleanup. +- Add audit.log.5, a first cut at a man page documenting the BSM file format. +- Teach au_read_rec() to recognize stand-alone file tokens, which are present + at the beginning and end of Solaris audit trails. Technically, these + appear to violate the high level BSM spec, which suggests that all tokens + are present in records, but need to be supported. +- Implement HEADER64, ATTR64, SUBJECT64 token types, which make it possible + to run praudit(1) on basic Solaris BSM streams. +- Switched to Solaris spelling of token names; Darwin spellings are now + deprecated and will be removed in a future version of OpenBSM. +- Adopt Solaris model for representing IPv4 and IPv6 addresses. +- Prefer C99 types. +- Attempt to universally adopt the BSD style(9) coding style for + consistency. +- auditreduce(1) now has a usage message. +- Update support for auditctl(2) system call to support FreeBSD. +- Add support for /dev/audit as the trigger source on FreeBSD. +- Add additional event types for Darwin, FreeBSD, and Solaris. Annotate + conflicts (there are a few, unfortunately). Correct spellings, comment, + sort, etc. These include {get,set}res[ug]id(), sendfile(), lchflags(), + eaccess(), kqueue(), kevent(), poll(), lchmod(). +- Relicensed under a BSD license, many thanks to Apple, Inc! +- Many bug fixes, cleanups, thread safety in the class, control, event, + and user system audit databases. Annotate some persisting atomicity + bugs associated with the API and implementation. +- Add audump test tool. +- Adopt OpenSolaris BSM API memory semantics: caller allocates memory, + or static memory is returned for non-_r() versions of API calls. + _free() calls dropped as a result, and source code compatibility with + OpenSolaris improved significantly. +- Annotate BSM events with origin OS and compatibility information. +- auditd(8), audit(8) added to the OpenBSM distribution. auditd extended + to support reloading of kernel event table. +- Allow comments in /etc/security configuration files. + +$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#6 $ diff --git a/contrib/openbsm/LICENSE b/contrib/openbsm/LICENSE new file mode 100644 index 000000000000..3b5d8b86706a --- /dev/null +++ b/contrib/openbsm/LICENSE @@ -0,0 +1,33 @@ +OpenBSM is covered by a number of copyrights, with licenses being either two +or three clause BSD licenses. Individual file headers should be consulted +for specific copyrights on specific components. The TrustedBSD Project would +appreciate the contribution of fixes and enhancements under identical or +substantially similar licenses: + + * Copyright (c) <year> <copyright holder> + * All rights reserved. + * + * <any additional comments or credits> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + +$P4: //depot/projects/trustedbsd/openbsm/LICENSE#4 $ diff --git a/contrib/openbsm/Makefile b/contrib/openbsm/Makefile new file mode 100644 index 000000000000..b480723c19a8 --- /dev/null +++ b/contrib/openbsm/Makefile @@ -0,0 +1,9 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/Makefile#2 $ +# + +SUBDIR= bsm \ + libbsm \ + bin + +.include <bsd.subdir.mk> diff --git a/contrib/openbsm/README b/contrib/openbsm/README new file mode 100644 index 000000000000..60877a6fc59d --- /dev/null +++ b/contrib/openbsm/README @@ -0,0 +1,86 @@ +OpenBSM 1.0 + + Introduction + +OpenBSM provides an open source implementation of Sun's BSM Audit API. +Originally created under contract to Apple Computer by McAfee Research, +this implementation is now maintained by volunteers and the generous +contribution of several organizations. Coupled with a kernel audit +implementation, OpenBSM can be used to maintain system audit streams, and +is a foundation for an Audit-enabled system. + + Contents + +OpenBSM consists of several directories: + + bin/ Audit-related command line tools + bsm/ System include files for BSM + etc/ Sample /etc/security configuration files + libbsm/ Implementation of BSM library interfaces and man pages + man/ System call and configuration file man pages + +OpenBSM currently builds on FreeBSD and Darwin. With Makefile adjustment +and minor tweaks, it should build without problems on a broad range of +POSIX-like systems. + + Building + +OpenBSM is currently built using a series of BSD make files which should +work on both FreeBSD and Darwin. One known issue is that versions of +Darwin prior to 10.3.8 have a nested include of "sys/audit.h" from +"sys/proc.h", which can result in type definition conflicts. If running +with include files from an earlier version of Darwin, the nested include +must be manually removed in order that libbsm can be built, due to +potentially conflicting types resulting from an include of "sys/sysctl.h" +by that file. On Darwin, the use of BSD make must be specified explicitly +by using "bsdmake" rather than "make", which on Darwin refers to GNU make. +Typical invocations from the OpenBSM tree root: + +FreeBSD + + % make + # make install + +Darwin + + % bsdmake + # bsdmake install + + Credits + +The following organizations and individuals have contributed substantially +to the development of OpenBSM: + + Apple Computer, Inc. + McAfee Research, McAfee, Inc. + SPARTA, Inc. + Robert Watson + Wayne Salamon + Suresh Krishnaswamy + Kevin Van Vechten + Tom Rhodes + Wojciech Koszek + Chunyang Yuan + Poul-Henning Kamp + +In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel +Software's FlexeLint tool were used to identify a number of bugs in the +OpenBSM implementation. + + Contributions + +The TrustedBSD Project would appreciate the contribution of bug fixes, +enhancements, etc, under identically or substantially similar licenses to +those present on the remainder of the OpenBSM source code. + + Location + +Information on OpenBSM may be found on the OpenBSM home page: + + http://www.OpenBSM.org/ + +Information on TrustedBSD may be found on the TrustedBSD home page: + + http://www.TrustedBSD.org/ + +$P4: //depot/projects/trustedbsd/openbsm/README#11 $ diff --git a/contrib/openbsm/TODO b/contrib/openbsm/TODO new file mode 100644 index 000000000000..135a26b4f7c3 --- /dev/null +++ b/contrib/openbsm/TODO @@ -0,0 +1,12 @@ +- Teach praudit how to general XML format BSM streams. +- Teach libbsm about any additional 64-bit token types that are present + in more recent Solaris versions. +- Build a regression test suite for libbsm that generates each token + type and then compares the results with known good data. Make sure to + test that things work properly with respect to endianness of the local + platform. +- Document contents of libbsm "public" data structures in libbsm man pages. +- The audit.log.5 man page is incomplete, as it does not describe all + token types. + +$P4: //depot/projects/trustedbsd/openbsm/TODO#4 $ diff --git a/contrib/openbsm/VERSION b/contrib/openbsm/VERSION new file mode 100644 index 000000000000..d75e15753e1d --- /dev/null +++ b/contrib/openbsm/VERSION @@ -0,0 +1 @@ +OPENBSM_1_0_ALPHA_1 diff --git a/contrib/openbsm/bin/Makefile b/contrib/openbsm/bin/Makefile new file mode 100644 index 000000000000..3bc4a6c11567 --- /dev/null +++ b/contrib/openbsm/bin/Makefile @@ -0,0 +1,10 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile#4 $ +# + +SUBDIR= audit \ + auditd \ + auditreduce \ + praudit + +.include <bsd.subdir.mk> diff --git a/contrib/openbsm/bin/audit/Makefile b/contrib/openbsm/bin/audit/Makefile new file mode 100644 index 000000000000..cec37ead6244 --- /dev/null +++ b/contrib/openbsm/bin/audit/Makefile @@ -0,0 +1,12 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile#2 $ +# + +CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I. +PROG= audit +MAN= audit.8 +DPADD= /usr/lib/libbsm.a +LDADD= -lbsm +BINDIR= /usr/sbin + +.include <bsd.prog.mk> diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8 new file mode 100644 index 000000000000..419bcf12d80d --- /dev/null +++ b/contrib/openbsm/bin/audit/audit.8 @@ -0,0 +1,86 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" @APPLE_BSD_LICENSE_HEADER_START@ +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY +.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" @APPLE_BSD_LICENSE_HEADER_END@ +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#2 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDIT 8 +.Os +.Sh NAME +.Nm audit +.Nd audit management utility +.Sh SYNOPSIS +.Nm audit +.Op Fl nst +.Op Ar file +.Sh DESCRIPTION +The +.Nm +utility controls the state of auditing system. The optional +.Ar file +operand specifies the location of the audit control input file (default +/etc/security/audit_control). +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl n +Forces the audit system to close the existing audit log file and rotate to +a new log file in a location specified in the audit control file. +.It Fl s +Specifies that the audit system should [re]synchronize its +configuration from the audit control file. A new log file will be +created. +.It Fl t +Specifies that the audit system should terminate. Log files are closed +and renamed to indicate the time of the shutdown. +.El +.Sh NOTES +The auditd(8) daemon must already be running. +.Sh FILES +.Bl -tag -width "/etc/security/audit_control" -compact +.It Pa /etc/security/audit_control +Default audit policy file used to configure the auditing system. +.El +.Sh SEE ALSO +.Xr auditd 8 +.Xr audit_control 5 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/bin/audit/audit.c b/contrib/openbsm/bin/audit/audit.c new file mode 100644 index 000000000000..7be9c8c4521b --- /dev/null +++ b/contrib/openbsm/bin/audit/audit.c @@ -0,0 +1,102 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $ + */ +/* + * Program to trigger the audit daemon with a message that is either: + * - Open a new audit log file + * - Read the audit control file and take action on it + * - Close the audit log file and exit + * + */ + +#include <sys/queue.h> +#include <sys/types.h> +#include <sys/uio.h> + +#include <bsm/audit.h> + +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + +static void +usage(void) +{ + + (void)fprintf(stderr, "Usage: audit -n | -s | -t \n"); + exit(-1); +} + +/* + * Main routine to process command line options. + */ +int +main(int argc, char **argv) +{ + char ch; + unsigned int trigger = 0; + + if (argc != 2) + usage(); + + while ((ch = getopt(argc, argv, "nst")) != -1) { + switch(ch) { + + case 'n': + trigger = AUDIT_TRIGGER_OPEN_NEW; + break; + + case 's': + trigger = AUDIT_TRIGGER_READ_FILE; + break; + + case 't': + trigger = AUDIT_TRIGGER_CLOSE_AND_DIE; + break; + + case '?': + default: + usage(); + break; + } + } + if (auditon(A_SENDTRIGGER, &trigger, sizeof(trigger)) < 0) { + perror("Error sending trigger"); + exit(-1); + } else { + printf("Trigger sent.\n"); + exit (0); + } +} diff --git a/contrib/openbsm/bin/auditd/Makefile b/contrib/openbsm/bin/auditd/Makefile new file mode 100644 index 000000000000..fbbdc47985a4 --- /dev/null +++ b/contrib/openbsm/bin/auditd/Makefile @@ -0,0 +1,13 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile#2 $ +# + +CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I. +PROG= auditd +SRCS= audit_warn.c auditd.c +MAN= auditd.8 +DPADD= /usr/lib/libbsm.a +LDADD= -lbsm +BINDIR= /usr/sbin + +.include <bsd.prog.mk> diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c new file mode 100644 index 000000000000..4a1998445703 --- /dev/null +++ b/contrib/openbsm/bin/auditd/audit_warn.c @@ -0,0 +1,230 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#5 $ + */ + +#include <sys/types.h> +#include <unistd.h> +#include <stdio.h> + +#include "auditd.h" + +/* + * Write an audit-related error to the system log via syslog(3). + */ +static int +auditwarnlog(char *args[]) +{ + char *loc_args[9]; + pid_t pid; + int i; + + loc_args[0] = AUDITWARN_SCRIPT; + for (i = 0; args[i] != NULL && i < 8; i++) + loc_args[i+1] = args[i]; + loc_args[i+1] = NULL; + + pid = fork(); + if (pid == -1) + return (-1); + if (pid == 0) { + /* + * Child. + */ + execv(AUDITWARN_SCRIPT, loc_args); + syslog(LOG_ERR, "Could not exec %s (%m)\n", + AUDITWARN_SCRIPT); + exit(1); + } + /* + * Parent. + */ + return (0); +} + +/* + * Indicates that the hard limit for all filesystems has been exceeded count + * times. + */ +int +audit_warn_allhard(int count) +{ + char intstr[12]; + char *args[3]; + + snprintf(intstr, 12, "%d", count); + + args[0] = HARDLIM_ALL_WARN; + args[1] = intstr; + args[2] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicates that the soft limit for all filesystems has been exceeded. + */ +int +audit_warn_allsoft(void) +{ + char *args[2]; + + args[0] = SOFTLIM_ALL_WARN; + args[1] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicates that someone other than the audit daemon turned off auditing. + * XXX Its not clear at this point how this function will be invoked. + * + * XXXRW: This function is not used. + */ +int +audit_warn_auditoff(void) +{ + char *args[2]; + + args[0] = AUDITOFF_WARN; + args[1] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicates that the audit deammn is already running + */ +int +audit_warn_ebusy(void) +{ + char *args[2]; + + args[0] = EBUSY_WARN; + args[1] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicates that there is a problem getting the directory from + * audit_control. + * + * XXX Note that we take the filename instead of a count as the argument here + * (different from BSM). + */ +int +audit_warn_getacdir(char *filename) +{ + char *args[3]; + + args[0] = GETACDIR_WARN; + args[1] = filename; + args[2] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicates that the hard limit for this file has been exceeded. + */ +int +audit_warn_hard(char *filename) +{ + char *args[3]; + + args[0] = HARDLIM_WARN; + args[1] = filename; + args[2] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicates that auditing could not be started. + */ +int +audit_warn_nostart(void) +{ + char *args[2]; + + args[0] = NOSTART_WARN; + args[1] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicaes that an error occrred during the orderly shutdown of the audit + * daemon. + */ +int +audit_warn_postsigterm(void) +{ + char *args[2]; + + args[0] = POSTSIGTERM_WARN; + args[1] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicates that the soft limit for this file has been exceeded. + */ +int +audit_warn_soft(char *filename) +{ + char *args[3]; + + args[0] = SOFTLIM_WARN; + args[1] = filename; + args[2] = NULL; + + return (auditwarnlog(args)); +} + +/* + * Indicates that the temporary audit file already exists indicating a fatal + * error. + */ +int +audit_warn_tmpfile(void) +{ + char *args[2]; + + args[0] = TMPFILE_WARN; + args[1] = NULL; + + return (auditwarnlog(args)); +} diff --git a/contrib/openbsm/bin/auditd/auditd.8 b/contrib/openbsm/bin/auditd/auditd.8 new file mode 100644 index 000000000000..18515da7a07d --- /dev/null +++ b/contrib/openbsm/bin/auditd/auditd.8 @@ -0,0 +1,94 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" @APPLE_BSD_LICENSE_HEADER_START@ +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY +.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" @APPLE_BSD_LICENSE_HEADER_END@ +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDITD 8 +.Os +.Sh NAME +.Nm auditd +.Nd audit log management daemon +.Sh SYNOPSIS +.Nm auditd +.Op Fl dhs +.Sh DESCRIPTION +The +.Nm +daemon responds to requests from the audit(1) utility and notifications +from the kernel. It manages the resulting audit log files and specified +log file locations. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl d +Starts the daemon in debug mode - it will not daemonize. +.It Fl h +Specifies that if auditing cannot be performed as specified, the system should +halt (panic). Normally, the system will attempt to proceed - although individual +processes may be stopped (see the -s option). +.It Fl s +Specifies that individual processes should stop rather than perform operations +that may cause audit records to be lost due to log file full conditions +.El +.Sh NOTE +.Pp +To assure uninterrupted audit support, the +.Nm auditd +daemon should not be started and stopped manually. Instead, the audit(1) command +should be used to inform the daemon to change state/configuration after altering +the audit_control file. +.Pp +.\" Sending a SIGHUP to a running +.\" .Nm auditd +.\" daemon will force it to exit. +Sending a SIGTERM to a running +.Nm auditd +daemon will force it to exit. +.Sh FILES +.Bl -tag -width "/var/audit" -compact +.It Pa /var/audit +Default directory for storing audit log files. +.El +.Sh SEE ALSO +.Xr audit 8 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c new file mode 100644 index 000000000000..b25c9ecc2a44 --- /dev/null +++ b/contrib/openbsm/bin/auditd/auditd.c @@ -0,0 +1,760 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $ + */ + +#include <sys/dirent.h> +#include <sys/mman.h> +#include <sys/queue.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/wait.h> + +#include <bsm/audit.h> +#include <bsm/audit_uevents.h> +#include <bsm/libbsm.h> + +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <time.h> +#include <unistd.h> +#include <signal.h> +#include <string.h> +#include <syslog.h> + +#include "auditd.h" + +#define NA_EVENT_STR_SIZE 25 + +static int ret, minval; +static char *lastfile = NULL; +static int allhardcount = 0; +static int triggerfd = 0; +static int sighups, sighups_handled; +static int sigterms, sigterms_handled; +static long global_flags; + +static TAILQ_HEAD(, dir_ent) dir_q; + +static int config_audit_controls(void); + +/* + * Error starting auditd + */ +static void +fail_exit(void) +{ + + audit_warn_nostart(); + exit(1); +} + +/* + * Free our local list of directory names. + */ +static void +free_dir_q() +{ + struct dir_ent *dirent; + + while ((dirent = TAILQ_FIRST(&dir_q))) { + TAILQ_REMOVE(&dir_q, dirent, dirs); + free(dirent->dirname); + free(dirent); + } +} + +/* + * Generate the timestamp string. + */ +static int +getTSstr(char *buf, int len) +{ + struct timeval ts; + struct timezone tzp; + time_t tt; + + if (gettimeofday(&ts, &tzp) != 0) + return (-1); + tt = (time_t)ts.tv_sec; + if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt))) + return (-1); + return (0); +} + +/* + * Concat the directory name to the given file name. + * XXX We should affix the hostname also + */ +static char * +affixdir(char *name, struct dir_ent *dirent) +{ + char *fn; + char *curdir; + const char *sep = "/"; + + curdir = dirent->dirname; + syslog(LOG_INFO, "dir = %s\n", dirent->dirname); + + fn = malloc(strlen(curdir) + strlen(sep) + (2 * POSTFIX_LEN) + 1); + if (fn == NULL) + return (NULL); + strcpy(fn, curdir); + strcat(fn, sep); + strcat(fn, name); + return (fn); +} + +/* + * Close the previous audit trail file. + */ +static int +close_lastfile(char *TS) +{ + char *ptr; + char *oldname; + + if (lastfile != NULL) { + oldname = (char *)malloc(strlen(lastfile) + 1); + if (oldname == NULL) + return (-1); + strcpy(oldname, lastfile); + + /* Rename the last file -- append timestamp. */ + if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) { + *ptr = '.'; + strcpy(ptr+1, TS); + if (rename(oldname, lastfile) != 0) + syslog(LOG_ERR, "Could not rename %s to %s \n", + oldname, lastfile); + else + syslog(LOG_INFO, "renamed %s to %s \n", + oldname, lastfile); + } + free(lastfile); + free(oldname); + lastfile = NULL; + } + return (0); +} + +/* + * Create the new file name, swap with existing audit file. + */ +static int +swap_audit_file(void) +{ + char timestr[2 * POSTFIX_LEN]; + char *fn; + char TS[POSTFIX_LEN]; + struct dir_ent *dirent; + int fd; + + if (getTSstr(TS, POSTFIX_LEN) != 0) + return (-1); + + strcpy(timestr, TS); + strcat(timestr, NOT_TERMINATED); + + /* Try until we succeed. */ + while ((dirent = TAILQ_FIRST(&dir_q))) { + if ((fn = affixdir(timestr, dirent)) == NULL) { + syslog(LOG_INFO, "Failed to swap log at time %s\n", + timestr); + return (-1); + } + + /* + * Create and open the file; then close and pass to the + * kernel if all went well. + */ + syslog(LOG_INFO, "New audit file is %s\n", fn); + fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP); + if (fd < 0) + perror("File open"); + else if (auditctl(fn) != 0) { + syslog(LOG_ERR, + "auditctl failed setting log file! : %s\n", + strerror(errno)); + close(fd); + } else { + /* Success. */ + close_lastfile(TS); + lastfile = fn; + close(fd); + return (0); + } + + /* + * Tell the administrator about lack of permissions for dir. + */ + audit_warn_getacdir(dirent->dirname); + + /* Try again with a different directory. */ + TAILQ_REMOVE(&dir_q, dirent, dirs); + free(dirent->dirname); + free(dirent); + } + syslog(LOG_INFO, "Log directories exhausted\n"); + return (-1); +} + +/* + * Read the audit_control file contents. + */ +static int +read_control_file(void) +{ + char cur_dir[MAXNAMLEN]; + struct dir_ent *dirent; + au_qctrl_t qctrl; + + /* + * Clear old values. Force a re-read of the file the next time. + */ + free_dir_q(); + endac(); + + /* + * Read the list of directories into a local linked list. + * + * XXX We should use the reentrant interfaces once they are + * available. + */ + while (getacdir(cur_dir, MAXNAMLEN) >= 0) { + dirent = (struct dir_ent *) malloc(sizeof(struct dir_ent)); + if (dirent == NULL) + return (-1); + dirent->softlim = 0; + dirent->dirname = (char *) malloc(MAXNAMLEN); + if (dirent->dirname == NULL) { + free(dirent); + return (-1); + } + strcpy(dirent->dirname, cur_dir); + TAILQ_INSERT_TAIL(&dir_q, dirent, dirs); + } + + allhardcount = 0; + if (swap_audit_file() == -1) { + syslog(LOG_ERR, "Could not swap audit file\n"); + /* + * XXX Faulty directory listing? - user should be given + * XXX an opportunity to change the audit_control file + * XXX switch to a reduced mode of auditing? + */ + return (-1); + } + + /* + * XXX There are synchronization problems here + * XXX what should we do if a trigger for the earlier limit + * XXX is generated here? + */ + if (0 == (ret = getacmin(&minval))) { + syslog(LOG_INFO, "min free = %d\n", minval); + if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) { + syslog(LOG_ERR, + "could not get audit queue settings\n"); + return (-1); + } + qctrl.aq_minfree = minval; + if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) { + syslog(LOG_ERR, + "could not set audit queue settings\n"); + return (-1); + } + } + + return (0); +} + +/* + * Close all log files, control files, and tell the audit system. + */ +static int +close_all(void) +{ + int err_ret = 0; + char TS[POSTFIX_LEN]; + int aufd; + token_t *tok; + long cond; + + /* Generate an audit record. */ + if ((aufd = au_open()) == -1) + syslog(LOG_ERR, "Could not create audit shutdown event.\n"); + else { + if ((tok = au_to_text("auditd::Audit shutdown")) != NULL) + au_write(aufd, tok); + if (au_close(aufd, 1, AUE_audit_shutdown) == -1) + syslog(LOG_ERR, + "Could not close audit shutdown event.\n"); + } + + /* Flush contents. */ + cond = AUC_DISABLED; + err_ret = auditon(A_SETCOND, &cond, sizeof(cond)); + if (err_ret != 0) { + syslog(LOG_ERR, "Disabling audit failed! : %s\n", + strerror(errno)); + err_ret = 1; + } + if (getTSstr(TS, POSTFIX_LEN) == 0) + close_lastfile(TS); + if (lastfile != NULL) + free(lastfile); + + free_dir_q(); + if ((remove(AUDITD_PIDFILE) == -1) || err_ret) { + syslog(LOG_ERR, "Could not unregister\n"); + audit_warn_postsigterm(); + return (1); + } + endac(); + + if (close(triggerfd) != 0) + syslog(LOG_ERR, "Error closing control file\n"); + syslog(LOG_INFO, "Finished.\n"); + return (0); +} + +/* + * When we get a signal, we are often not at a clean point. So, little can + * be done in the signal handler itself. Instead, we send a message to the + * main servicing loop to do proper handling from a non-signal-handler + * context. + */ +static void +relay_signal(int signal) +{ + + if (signal == SIGHUP) + sighups++; + if (signal == SIGTERM) + sigterms++; +} + +/* + * Registering the daemon. + */ +static int +register_daemon(void) +{ + FILE * pidfile; + int fd; + pid_t pid; + + /* Set up the signal hander. */ + if (signal(SIGTERM, relay_signal) == SIG_ERR) { + syslog(LOG_ERR, + "Could not set signal handler for SIGTERM\n"); + fail_exit(); + } + if (signal(SIGCHLD, relay_signal) == SIG_ERR) { + syslog(LOG_ERR, + "Could not set signal handler for SIGCHLD\n"); + fail_exit(); + } + if (signal(SIGHUP, relay_signal) == SIG_ERR) { + syslog(LOG_ERR, + "Could not set signal handler for SIGHUP\n"); + fail_exit(); + } + + if ((pidfile = fopen(AUDITD_PIDFILE, "a")) == NULL) { + syslog(LOG_ERR, + "Could not open PID file\n"); + audit_warn_tmpfile(); + return (-1); + } + + /* Attempt to lock the pid file; if a lock is present, exit. */ + fd = fileno(pidfile); + if (flock(fd, LOCK_EX | LOCK_NB) < 0) { + syslog(LOG_ERR, + "PID file is locked (is another auditd running?).\n"); + audit_warn_ebusy(); + return (-1); + } + + pid = getpid(); + ftruncate(fd, 0); + if (fprintf(pidfile, "%u\n", pid) < 0) { + /* Should not start the daemon. */ + fail_exit(); + } + + fflush(pidfile); + return (0); +} + +/* + * Suppress duplicate messages within a 30 second interval. This should be + * enough to time to rotate log files without thrashing from soft warnings + * generated before the log is actually rotated. + */ +#define DUPLICATE_INTERVAL 30 +static void +handle_audit_trigger(int trigger) +{ + static int last_trigger; + static time_t last_time; + struct dir_ent *dirent; + int rc; + + /* + * Suppres duplicate messages from the kernel within the specified + * interval. + */ + struct timeval ts; + struct timezone tzp; + time_t tt; + + if (gettimeofday(&ts, &tzp) == 0) { + tt = (time_t)ts.tv_sec; + if ((trigger == last_trigger) && + (tt < (last_time + DUPLICATE_INTERVAL))) + return; + last_trigger = trigger; + last_time = tt; + } + + /* + * Message processing is done here. + */ + dirent = TAILQ_FIRST(&dir_q); + switch(trigger) { + + case AUDIT_TRIGGER_LOW_SPACE: + syslog(LOG_INFO, "Got low space trigger\n"); + if (dirent && (dirent->softlim != 1)) { + TAILQ_REMOVE(&dir_q, dirent, dirs); + /* Add this node to the end of the list. */ + TAILQ_INSERT_TAIL(&dir_q, dirent, dirs); + audit_warn_soft(dirent->dirname); + dirent->softlim = 1; + + if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL && + swap_audit_file() == -1) + syslog(LOG_ERR, "Error swapping audit file\n"); + + /* + * Check if the next dir has already reached its soft + * limit. + */ + dirent = TAILQ_FIRST(&dir_q); + if (dirent->softlim == 1) { + /* All dirs have reached their soft limit. */ + audit_warn_allsoft(); + } + } else { + /* + * Continue auditing to the current file. Also + * generate an allsoft warning. + * XXX do we want to do this ? + */ + audit_warn_allsoft(); + } + break; + + case AUDIT_TRIGGER_NO_SPACE: + syslog(LOG_INFO, "Got no space trigger\n"); + + /* Delete current dir, go on to next. */ + TAILQ_REMOVE(&dir_q, dirent, dirs); + audit_warn_hard(dirent->dirname); + free(dirent->dirname); + free(dirent); + + if (swap_audit_file() == -1) + syslog(LOG_ERR, "Error swapping audit file\n"); + + /* We are out of log directories. */ + audit_warn_allhard(++allhardcount); + break; + + case AUDIT_TRIGGER_OPEN_NEW: + /* + * Create a new file and swap with the one being used in + * kernel + */ + syslog(LOG_INFO, "Got open new trigger\n"); + if (swap_audit_file() == -1) + syslog(LOG_ERR, "Error swapping audit file\n"); + break; + + case AUDIT_TRIGGER_READ_FILE: + syslog(LOG_INFO, "Got read file trigger\n"); + if (read_control_file() == -1) + syslog(LOG_ERR, "Error in audit control file\n"); + if (config_audit_controls() == -1) + syslog(LOG_ERR, "Error setting audit controls\n"); + break; + + default: + syslog(LOG_ERR, "Got unknown trigger %d\n", trigger); + break; + } +} + +static void +handle_sighup(void) +{ + + sighups_handled = sighups; + config_audit_controls(); +} + +/* + * Read the control file for triggers and handle appropriately. + */ +static int +wait_for_triggers(void) +{ + int num; + unsigned int trigger; + + for (;;) { + num = read(triggerfd, &trigger, sizeof(trigger)); + if ((num == -1) && (errno != EINTR)) { + syslog(LOG_ERR, "%s: error %d\n", __FUNCTION__, errno); + return (-1); + } + if (sigterms != sigterms_handled) { + syslog(LOG_INFO, "%s: SIGTERM", __FUNCTION__); + break; + } + if (sighups != sighups_handled) { + syslog(LOG_INFO, "%s: SIGHUP", __FUNCTION__); + handle_sighup(); + } + if ((num == -1) && (errno == EINTR)) + continue; + if (num == 0) { + syslog(LOG_INFO, "%s: read EOF\n", __FUNCTION__); + return (-1); + } + syslog(LOG_INFO, "%s: read %d\n", __FUNCTION__, trigger); + if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE) + break; + else + handle_audit_trigger(trigger); + } + return (close_all()); +} + +/* + * Reap our children. + */ +static void +reap_children(void) +{ + pid_t child; + int wstatus; + + while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) { + if (!wstatus) + continue; + syslog(LOG_INFO, "warn process [pid=%d] %s %d.\n", child, + ((WIFEXITED(wstatus)) ? "exited with non-zero status" : + "exited as a result of signal"), + ((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) : + WTERMSIG(wstatus))); + } +} + +/* + * Configure the audit controls in the kernel: the event to class mapping, + * kernel preselection mask, etc. + */ +static int +config_audit_controls(void) +{ + au_event_ent_t ev, *evp; + au_evclass_map_t evc_map; + au_mask_t aumask; + int ctr = 0; + char naeventstr[NA_EVENT_STR_SIZE]; + + /* + * Process the audit event file, obtaining a class mapping for each + * event, and send that mapping into the kernel. + * XXX There's a risk here that the BSM library will return NULL + * for an event when it can't properly map it to a class. In that + * case, we will not process any events beyond the one that failed, + * but should. We need a way to get a count of the events. + */ + ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX); + ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX); + if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) { + syslog(LOG_ERR, + "Memory allocation error when configuring audit controls."); + return (-1); + } + evp = &ev; + setauevent(); + while ((evp = getauevent_r(evp)) != NULL) { + evc_map.ec_number = evp->ae_number; + evc_map.ec_class = evp->ae_class; + if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) + != 0) + syslog(LOG_ERR, + "Failed to register class mapping for event %s", + evp->ae_name); + else + ctr++; + } + endauevent(); + free(ev.ae_name); + free(ev.ae_desc); + if (ctr == 0) + syslog(LOG_ERR, "No events to class mappings registered."); + else + syslog(LOG_INFO, "Registered %d event to class mappings.", + ctr); + + /* + * Get the non-attributable event string and set the kernel mask from + * that. + */ + if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0) && + (getauditflagsbin(naeventstr, &aumask) == 0)) { + if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t))) + syslog(LOG_ERR, + "Failed to register non-attributable event mask."); + else + syslog(LOG_INFO, + "Registered non-attributable event mask."); + } else + syslog(LOG_ERR, + "Failed to obtain non-attributable event mask."); + + /* + * Set the audit policy flags based on passed in parameter values. + */ + if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags))) + syslog(LOG_ERR, "Failed to set audit policy."); + + return (0); +} + +static void +setup(void) +{ + int aufd; + token_t *tok; + + if ((triggerfd = open(AUDIT_TRIGGER_FILE, O_RDONLY, 0)) < 0) { + syslog(LOG_ERR, "Error opening trigger file\n"); + fail_exit(); + } + + TAILQ_INIT(&dir_q); + if (read_control_file() == -1) { + syslog(LOG_ERR, "Error reading control file\n"); + fail_exit(); + } + + /* Generate an audit record. */ + if ((aufd = au_open()) == -1) + syslog(LOG_ERR, "Could not create audit startup event.\n"); + else { + if ((tok = au_to_text("auditd::Audit startup")) != NULL) + au_write(aufd, tok); + if (au_close(aufd, 1, AUE_audit_startup) == -1) + syslog(LOG_ERR, + "Could not close audit startup event.\n"); + } + + if (config_audit_controls() == 0) + syslog(LOG_INFO, "Audit controls init successful\n"); + else + syslog(LOG_INFO, "Audit controls init failed\n"); +} + +int +main(int argc, char **argv) +{ + char ch; + int debug = 0; + int rc; + + global_flags |= AUDIT_CNT; + while ((ch = getopt(argc, argv, "dhs")) != -1) { + switch(ch) { + case 'd': + /* Debug option. */ + debug = 1; + break; + + case 's': + /* Fail-stop option. */ + global_flags &= ~(AUDIT_CNT); + break; + + case 'h': + /* Halt-stop option. */ + global_flags |= AUDIT_AHLT; + break; + + case '?': + default: + (void)fprintf(stderr, + "usage: auditd [-h | -s] [-d] \n"); + exit(1); + } + } + + openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY); + syslog(LOG_INFO, "starting...\n"); + + if (debug == 0 && daemon(0, 0) == -1) { + syslog(LOG_ERR, "Failed to daemonize\n"); + exit(1); + } + + if (register_daemon() == -1) { + syslog(LOG_ERR, "Could not register as daemon\n"); + exit(1); + } + + setup(); + + rc = wait_for_triggers(); + syslog(LOG_INFO, "auditd exiting.\n"); + + exit(rc); +} diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h new file mode 100644 index 000000000000..e1731d96542a --- /dev/null +++ b/contrib/openbsm/bin/auditd/auditd.h @@ -0,0 +1,80 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $ + */ + +#ifndef _AUDITD_H_ +#define _AUDITD_H_ + +#include <sys/types.h> +#include <sys/queue.h> +#include <syslog.h> + +#define MAX_DIR_SIZE 255 +#define AUDITD_NAME "auditd" + +#define POSTFIX_LEN 16 +#define NOT_TERMINATED ".not_terminated" + +struct dir_ent { + char *dirname; + char softlim; + TAILQ_ENTRY(dir_ent) dirs; +}; + +#define HARDLIM_ALL_WARN "allhard" +#define SOFTLIM_ALL_WARN "allsoft" +#define AUDITOFF_WARN "aditoff" +#define EBUSY_WARN "ebusy" +#define GETACDIR_WARN "getacdir" +#define HARDLIM_WARN "hard" +#define NOSTART_WARN "nostart" +#define POSTSIGTERM_WARN "postsigterm" +#define SOFTLIM_WARN "soft" +#define TMPFILE_WARN "tmpfile" + +#define AUDITWARN_SCRIPT "/etc/security/audit_warn" +#define AUDITD_PIDFILE "/var/run/auditd.pid" + +int audit_warn_allhard(int count); +int audit_warn_allsoft(void); +int audit_warn_auditoff(void); +int audit_warn_ebusy(void); +int audit_warn_getacdir(char *filename); +int audit_warn_hard(char *filename); +int audit_warn_nostart(void); +int audit_warn_postsigterm(void); +int audit_warn_soft(char *filename); +int audit_warn_tmpfile(void); + +#endif /* !_AUDITD_H_ */ diff --git a/contrib/openbsm/bin/auditreduce/Makefile b/contrib/openbsm/bin/auditreduce/Makefile new file mode 100644 index 000000000000..f4c292a3c867 --- /dev/null +++ b/contrib/openbsm/bin/auditreduce/Makefile @@ -0,0 +1,12 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/Makefile#4 $ +# + +CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I. +PROG= auditreduce +MAN= auditreduce.1 +DPADD= /usr/lib/libbsm.a +LDADD= -lbsm +BINDIR= /usr/sbin + +.include <bsd.prog.mk> diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1 new file mode 100644 index 000000000000..6374e5b91150 --- /dev/null +++ b/contrib/openbsm/bin/auditreduce/auditreduce.1 @@ -0,0 +1,153 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#6 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDITREDUCE 1 +.Os +.Sh NAME +.Nm auditreduce +.Nd "select records from audit trail files" +.Sh SYNOPSIS +.Nm auditreduce +.Op Fl A +.Op Fl a Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl b Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl c Ar flags +.Op Fl d Ar YYYYMMDD +.Op Fl e Ar euid +.Op Fl f Ar egid +.Op Fl g Ar rgid +.Op Fl r Ar ruid +.Op Fl u Ar auid +.Op Fl j Ar id +.Op Fl m Ar event +.Op Fl o Ar object=value +.Op Ar file ... +.Sh DESCRIPTION +The +.Nm +utility selects records from the audit trail files based on the specified +criteria. +Matching audit records are printed to the standard output in +their raw binary form. +If no filename is specified, the standard input is used +by default. +Use the +.Nm praudit +utility to print the selected audit records in human-readable form. +See +.Xr praudit 1 +for more information. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl A +Select all records. +.It Fl a Ar YYYYMMDD[HH[MM[SS]]] +Select records that occurred after or on the given datetime. +.It Fl b Ar YYYYMMDD[HH[MM[SS]]] +Select records that occurred before the given datetime. +.It Fl c Ar flags +Select records matching the given audit classes specified as a comma +separated list of audit flags. +See +.Xr audit_control 5 +for a description of audit flags. +.It Fl d Ar YYYYMMDD +Select records that occurred on a given date. +This option cannot be used with +.Fl a +or +.Fl b +.It Fl e Ar euid +Select records with the given effective user id or name. +.It Fl f Ar egid +Select records with the given effective group id or name. +.It Fl g Ar rgid +Select records with the given real group id or name. +.It Fl r Ar ruid +Select records with the given real user id or name. +.It Fl u Ar auid +Select records with the given audit id. +.It Fl j Ar id +Select records having a subject token with matching ID. +.It Fl m Ar event +Select records with the given event name or number. +See +.Xr audit_event 5 +for a description of audit event names and numbers. +.It Fl o Ar object=value +.Bl -tag -width Ds +.It Nm file +Select records containing the given path name. +file="/usr" matches paths +starting with +.Pa usr . +file="~/usr" matches paths not starting with +.Pa usr . +.It Nm msgqid +Select records containing the given message queue id. +.It Nm pid +Select records containing the given process id. +.It Nm semid +Select records containing the given semaphore id. +.It Nm shmid +Select records containing the given shared memory id. +.El +.El +.Sh Examples +.Pp +To select all records associated with effective user ID root from the audit +log /var/audit/20031016184719.20031017122634: +.Pp +.Nm +-e root /var/audit/20031016184719.20031017122634 +.Pp +To select all +.Xr setlogin 2 +events from that log: +.Pp +.Nm +-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Sh SEE ALSO +.Xr audit_control 5 , +.Xr audit_event 5 , +.Xr praudit 1 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c new file mode 100644 index 000000000000..8e6f2452bc50 --- /dev/null +++ b/contrib/openbsm/bin/auditreduce/auditreduce.c @@ -0,0 +1,699 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $ + */ + +/* + * Tool used to merge and select audit records from audit trail files + */ + +/* + * XXX Currently we do not support merging of records from multiple + * XXX audit trail files + * XXX We assume that records are sorted chronologically - both wrt to + * XXX the records present within the file and between the files themselves + */ + +#include <bsm/libbsm.h> + +#include <stdio.h> +#include <stdlib.h> +#include <sysexits.h> +#include <grp.h> +#include <pwd.h> +#include <string.h> +#include <time.h> +#include <unistd.h> + +#include "auditreduce.h" + +extern char *optarg; +extern int optind, optopt, opterr,optreset; + +static au_mask_t maskp; /* Class. */ +static time_t p_atime; /* Created after this time. */ +static time_t p_btime; /* Created before this time. */ +static uint16_t p_evtype; /* Event that we are searching for. */ +static int p_auid; /* Audit id. */ +static int p_euid; /* Effective user id. */ +static int p_egid; /* Effective group id. */ +static int p_rgid; /* Real group id. */ +static int p_ruid; /* Real user id. */ +static int p_subid; /* Subject id. */ + +/* + * Following are the objects (-o option) that we can select upon. + */ +static char *p_fileobj = NULL; +static char *p_msgqobj = NULL; +static char *p_pidobj = NULL; +static char *p_semobj = NULL; +static char *p_shmobj = NULL; +static char *p_sockobj = NULL; + +static uint32_t opttochk = 0; + +static void +usage(const char *msg) +{ + fprintf(stderr, "%s\n", msg); + fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n"); + fprintf(stderr, "\tOptions are : \n"); + fprintf(stderr, "\t-A : all records\n"); + fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n"); + fprintf(stderr, "\t-b YYYYMMDD[HH[[MM[SS]]] : before date\n"); + fprintf(stderr, "\t-c <flags> : matching class\n"); + fprintf(stderr, "\t-d YYYYMMDD : on date\n"); + fprintf(stderr, "\t-e <uid|name> : effective user\n"); + fprintf(stderr, "\t-f <gid|group> : effective group\n"); + fprintf(stderr, "\t-g <gid|group> : real group\n"); + fprintf(stderr, "\t-j <pid> : subject id \n"); + fprintf(stderr, "\t-m <evno|evname> : matching event\n"); + fprintf(stderr, "\t-o objecttype=objectvalue\n"); + fprintf(stderr, "\t\t file=<pathname>\n"); + fprintf(stderr, "\t\t msgqid=<ID>\n"); + fprintf(stderr, "\t\t pid=<ID>\n"); + fprintf(stderr, "\t\t semid=<ID>\n"); + fprintf(stderr, "\t\t shmid=<ID>\n"); + fprintf(stderr, "\t-r <uid|name> : real user\n"); + fprintf(stderr, "\t-u <uid|name> : audit user\n"); + exit(EX_USAGE); +} + +/* + * Check if the given auid matches the selection criteria. + */ +static int +select_auid(int au) +{ + + /* Check if we want to select on auid. */ + if (ISOPTSET(opttochk, OPT_u)) { + if (au != p_auid) + return (0); + } + return (1); +} + +/* + * Check if the given euid matches the selection criteria. + */ +static int +select_euid(int euser) +{ + + /* Check if we want to select on euid. */ + if (ISOPTSET(opttochk, OPT_e)) { + if (euser != p_euid) + return (0); + } + return (1); +} + +/* + * Check if the given egid matches the selection criteria. + */ +static int +select_egid(int egrp) +{ + + /* Check if we want to select on egid. */ + if (ISOPTSET(opttochk, OPT_f)) { + if (egrp != p_egid) + return (0); + } + return (1); +} + +/* + * Check if the given rgid matches the selection criteria. + */ +static int +select_rgid(int grp) +{ + + /* Check if we want to select on rgid. */ + if (ISOPTSET(opttochk, OPT_g)) { + if (grp != p_rgid) + return (0); + } + return (1); +} + +/* + * Check if the given ruid matches the selection criteria. + */ +static int +select_ruid(int user) +{ + + /* Check if we want to select on rgid. */ + if (ISOPTSET(opttochk, OPT_r)) { + if (user != p_ruid) + return (0); + } + return (1); +} + +/* + * Check if the given subject id (pid) matches the selection criteria. + */ +static int +select_subid(int subid) +{ + + /* Check if we want to select on subject uid. */ + if (ISOPTSET(opttochk, OPT_j)) { + if (subid != p_subid) + return (0); + } + return (1); +} + + +/* + * Check if object's pid maches the given pid. + */ +static int +select_pidobj(uint32_t pid) +{ + + if (ISOPTSET(opttochk, OPT_op)) { + if (pid != strtol(p_pidobj, (char **)NULL, 10)) + return (0); + } + return (1); +} + +/* + * Check if the given ipc object with the given type matches the selection + * criteria. + */ +static int +select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd) +{ + + if (type == AT_IPC_MSG) { + SETOPT((*optchkd), OPT_om); + if (ISOPTSET(opttochk, OPT_om)) { + if (id != strtol(p_msgqobj, (char **)NULL, 10)) + return (0); + } + return (1); + } else if (type == AT_IPC_SEM) { + SETOPT((*optchkd), OPT_ose); + if (ISOPTSET(opttochk, OPT_ose)) { + if (id != strtol(p_semobj, (char **)NULL, 10)) + return (0); + } + return (1); + } else if (type == AT_IPC_SHM) { + SETOPT((*optchkd), OPT_osh); + if (ISOPTSET(opttochk, OPT_osh)) { + if (id != strtol(p_shmobj, (char **)NULL, 10)) + return (0); + } + return (1); + } + + /* Unknown type -- filter if *any* ipc filtering is required. */ + if (ISOPTSET(opttochk, OPT_om) || ISOPTSET(opttochk, OPT_ose) + || ISOPTSET(opttochk, OPT_osh)) + return (0); + + return (1); +} + + +/* + * Check if the file name matches selection criteria. + */ +static int +select_filepath(char *path, uint32_t *optchkd) +{ + char *loc; + + SETOPT((*optchkd), OPT_of); + if (ISOPTSET(opttochk, OPT_of)) { + if (p_fileobj[0] == '~') { + /* Object should not be in path. */ + loc = strstr(path, p_fileobj + 1); + if ((loc != NULL) && (loc == path)) + return (0); + } else { + /* Object should be in path. */ + loc = strstr(path, p_fileobj); + if ((loc == NULL) || (loc != path)) + return (0); + } + } + return (1); +} + +/* + * Returns 1 if the following pass the selection rules: + * + * before-time, + * after time, + * date, + * class, + * event + */ +static int +select_hdr32(tokenstr_t tok, uint32_t *optchkd) +{ + + SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m)); + + /* The A option overrides a, b and d. */ + if (!ISOPTSET(opttochk, OPT_A)) { + if (ISOPTSET(opttochk, OPT_a)) { + if (difftime((time_t)tok.tt.hdr32.s, p_atime) < 0) { + /* Record was created before p_atime. */ + return (0); + } + } + + if (ISOPTSET(opttochk, OPT_b)) { + if (difftime(p_btime, (time_t)tok.tt.hdr32.s) < 0) { + /* Record was created after p_btime. */ + return (0); + } + } + } + + if (ISOPTSET(opttochk, OPT_c)) { + /* + * Check if the classes represented by the event matches + * given class. + */ + if (au_preselect(tok.tt.hdr32.e_type, &maskp, AU_PRS_BOTH, + AU_PRS_USECACHE) != 1) + return (0); + } + + /* Check if event matches. */ + if (ISOPTSET(opttochk, OPT_m)) { + if (tok.tt.hdr32.e_type != p_evtype) + return (0); + } + + return (1); +} + +/* + * Return 1 if checks for the the following succeed + * auid, + * euid, + * egid, + * rgid, + * ruid, + * process id + */ +static int +select_proc32(tokenstr_t tok, uint32_t *optchkd) +{ + + SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_op)); + + if (!select_auid(tok.tt.proc32.auid)) + return (0); + if (!select_euid(tok.tt.proc32.euid)) + return (0); + if (!select_egid(tok.tt.proc32.egid)) + return (0); + if (!select_rgid(tok.tt.proc32.rgid)) + return (0); + if (!select_ruid(tok.tt.proc32.ruid)) + return (0); + if (!select_pidobj(tok.tt.proc32.pid)) + return (0); + return (1); +} + +/* + * Return 1 if checks for the the following succeed + * auid, + * euid, + * egid, + * rgid, + * ruid, + * subject id + */ +static int +select_subj32(tokenstr_t tok, uint32_t *optchkd) +{ + + SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_j)); + + if (!select_auid(tok.tt.subj32.auid)) + return (0); + if (!select_euid(tok.tt.subj32.euid)) + return (0); + if (!select_egid(tok.tt.subj32.egid)) + return (0); + if (!select_rgid(tok.tt.subj32.rgid)) + return (0); + if (!select_ruid(tok.tt.subj32.ruid)) + return (0); + if (!select_subid(tok.tt.subj32.pid)) + return (0); + return (1); +} + +/* + * Read each record from the audit trail. Check if it is selected after + * passing through each of the options + */ +static int +select_records(FILE *fp) +{ + u_char *buf; + tokenstr_t tok; + int reclen; + int bytesread; + int selected; + uint32_t optchkd; + + int err = 0; + while ((reclen = au_read_rec(fp, &buf)) != -1) { + optchkd = 0; + bytesread = 0; + selected = 1; + while ((selected == 1) && (bytesread < reclen)) { + if (-1 == au_fetch_tok(&tok, buf + bytesread, + reclen - bytesread)) { + /* Is this an incomplete record? */ + err = 1; + break; + } + + /* + * For each token type we have have different + * selection criteria. + */ + switch(tok.id) { + case AU_HEADER_32_TOKEN: + selected = select_hdr32(tok, + &optchkd); + break; + + case AU_PROCESS_32_TOKEN: + selected = select_proc32(tok, + &optchkd); + break; + + case AU_SUBJECT_32_TOKEN: + selected = select_subj32(tok, + &optchkd); + break; + + case AU_IPC_TOKEN: + selected = select_ipcobj( + tok.tt.ipc.type, tok.tt.ipc.id, + &optchkd); + break; + + case AU_FILE_TOKEN: + selected = select_filepath( + tok.tt.file.name, &optchkd); + break; + + case AU_PATH_TOKEN: + selected = select_filepath( + tok.tt.path.path, &optchkd); + break; + + /* + * The following tokens dont have any relevant + * attributes that we can select upon. + */ + case AU_TRAILER_TOKEN: + case AU_ARG32_TOKEN: + case AU_ATTR32_TOKEN: + case AU_EXIT_TOKEN: + case AU_NEWGROUPS_TOKEN: + case AU_IN_ADDR_TOKEN: + case AU_IP_TOKEN: + case AU_IPCPERM_TOKEN: + case AU_IPORT_TOKEN: + case AU_OPAQUE_TOKEN: + case AU_RETURN_32_TOKEN: + case AU_SEQ_TOKEN: + case AU_TEXT_TOKEN: + case AU_ARB_TOKEN: + case AU_SOCK_TOKEN: + default: + break; + } + bytesread += tok.len; + } + if ((selected == 1) && (!err)) { + /* Check if all the options were matched. */ + if (!(opttochk & ~optchkd)) { + /* XXX Write this record to the output file. */ + /* default to stdout */ + fwrite(buf, 1, reclen, stdout); + } + } + free(buf); + } + return (0); +} + +/* + * The -o option has the form object_type=object_value. Identify the object + * components. + */ +void +parse_object_type(char *name, char *val) +{ + if (val == NULL) + return; + + if (!strcmp(name, FILEOBJ)) { + p_fileobj = val; + SETOPT(opttochk, OPT_of); + } else if (!strcmp(name, MSGQIDOBJ)) { + p_msgqobj = val; + SETOPT(opttochk, OPT_om); + } else if (!strcmp(name, PIDOBJ)) { + p_pidobj = val; + SETOPT(opttochk, OPT_op); + } else if (!strcmp(name, SEMIDOBJ)) { + p_semobj = val; + SETOPT(opttochk, OPT_ose); + } else if (!strcmp(name, SHMIDOBJ)) { + p_shmobj = val; + SETOPT(opttochk, OPT_osh); + } else if (!strcmp(name, SOCKOBJ)) { + p_sockobj = val; + SETOPT(opttochk, OPT_oso); + } else + usage("unknown value for -o"); +} + +int +main(int argc, char **argv) +{ + struct group *grp; + struct passwd *pw; + struct tm tm; + au_event_t *n; + FILE *fp; + int i; + char *objval, *converr; + char ch; + char timestr[128]; + char *fname; + + converr = NULL; + + while ((ch = getopt(argc, argv, "Aa:b:c:d:e:f:g:j:m:o:r:u:")) != -1) { + switch(ch) { + case 'A': + SETOPT(opttochk, OPT_A); + break; + + case 'a': + if (ISOPTSET(opttochk, OPT_a)) { + usage("d is exclusive with a and b"); + } + SETOPT(opttochk, OPT_a); + strptime(optarg, "%Y%m%d%H%M%S", &tm); + strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S", + &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ + p_atime = mktime(&tm); + break; + + case 'b': + if (ISOPTSET(opttochk, OPT_b)) { + usage("d is exclusive with a and b"); + } + SETOPT(opttochk, OPT_b); + strptime(optarg, "%Y%m%d%H%M%S", &tm); + strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S", + &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ + p_btime = mktime(&tm); + break; + + case 'c': + if (0 != getauditflagsbin(optarg, &maskp)) { + /* Incorrect class */ + usage("Incorrect class"); + } + SETOPT(opttochk, OPT_c); + break; + + case 'd': + if (ISOPTSET(opttochk, OPT_b) || ISOPTSET(opttochk, + OPT_a)) + usage("'d' is exclusive with 'a' and 'b'"); + SETOPT(opttochk, OPT_d); + strptime(optarg, "%Y%m%d", &tm); + strftime(timestr, sizeof(timestr), "%Y%m%d", &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ + p_atime = mktime(&tm); + tm.tm_hour = 23; + tm.tm_min = 59; + tm.tm_sec = 59; + strftime(timestr, sizeof(timestr), "%Y%m%d", &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ + p_btime = mktime(&tm); + break; + + case 'e': + p_euid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + /* Try the actual name */ + if ((pw = getpwnam(optarg)) == NULL) + break; + p_euid = pw->pw_uid; + } + SETOPT(opttochk, OPT_e); + break; + + case 'f': + p_egid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + /* Try actual group name. */ + if ((grp = getgrnam(optarg)) == NULL) + break; + p_egid = grp->gr_gid; + } + SETOPT(opttochk, OPT_f); + break; + + case 'g': + p_rgid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + /* Try actual group name. */ + if ((grp = getgrnam(optarg)) == NULL) + break; + p_rgid = grp->gr_gid; + } + SETOPT(opttochk, OPT_g); + break; + + case 'j': + p_subid = strtol(optarg, (char **)NULL, 10); + SETOPT(opttochk, OPT_j); + break; + + case 'm': + p_evtype = strtol(optarg, (char **)NULL, 10); + if (p_evtype == 0) { + /* Could be the string representation. */ + n = getauevnonam(optarg); + if (n == NULL) + usage("Incorrect event name"); + p_evtype = *n; + free(n); + } + SETOPT(opttochk, OPT_m); + break; + + case 'o': + objval = strchr(optarg, '='); + if (objval != NULL) { + *objval = '\0'; + objval += 1; + parse_object_type(optarg, objval); + } + break; + + case 'r': + p_ruid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + if ((pw = getpwnam(optarg)) == NULL) + break; + p_ruid = pw->pw_uid; + } + SETOPT(opttochk, OPT_r); + break; + + case 'u': + p_auid = strtol(optarg, &converr, 10); + if (*converr != '\0') { + if ((pw = getpwnam(optarg)) == NULL) + break; + p_auid = pw->pw_uid; + } + SETOPT(opttochk, OPT_u); + break; + + case '?': + default: + usage("Unknown option"); + } + } + argv += optind; + argc -= optind; + + if (argc == 0) + usage("Filename needed"); + + /* + * XXX: We should actually be merging records here. + */ + for (i = 0; i < argc; i++) { + fname = argv[i]; + fp = fopen(fname, "r"); + if (fp == NULL) + errx(EXIT_FAILURE, "Couldn't open %s", fname); + if (select_records(fp) == -1) { + errx(EXIT_FAILURE, "Couldn't select records %s", + fname); + } + fclose(fp); + } + exit(EXIT_SUCCESS); +} diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h new file mode 100644 index 000000000000..698e27605b0f --- /dev/null +++ b/contrib/openbsm/bin/auditreduce/auditreduce.h @@ -0,0 +1,67 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $ + */ + +#ifndef _AUDITREDUCE_H_ +#define _AUDITREDUCE_H_ + + +#define OPT_a 0x00000001 +#define OPT_b 0x00000002 +#define OPT_c 0x00000004 +#define OPT_d (OPT_a | OPT_b) +#define OPT_e 0x00000010 +#define OPT_f 0x00000020 +#define OPT_g 0x00000040 +#define OPT_j 0x00000080 +#define OPT_m 0x00000100 +#define OPT_of 0x00000200 +#define OPT_om 0x00000400 +#define OPT_op 0x00000800 +#define OPT_ose 0x00001000 +#define OPT_osh 0x00002000 +#define OPT_oso 0x00004000 +#define OPT_r 0x00008000 +#define OPT_u 0x00010000 +#define OPT_A 0x00020000 + +#define FILEOBJ "file" +#define MSGQIDOBJ "msgqid" +#define PIDOBJ "pid" +#define SEMIDOBJ "semid" +#define SHMIDOBJ "shmid" +#define SOCKOBJ "sock" + + +#define SETOPT(optmask, bit) (optmask |= bit) +#define ISOPTSET(optmask, bit) (optmask & bit) + + +#endif /* !_AUDITREDUCE_H_ */ diff --git a/contrib/openbsm/bin/praudit/Makefile b/contrib/openbsm/bin/praudit/Makefile new file mode 100644 index 000000000000..34e136bd0ee7 --- /dev/null +++ b/contrib/openbsm/bin/praudit/Makefile @@ -0,0 +1,12 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/Makefile#4 $ +# + +CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I. +PROG= praudit +MAN= praudit.1 +DPADD= /usr/lib/libbsm.a +LDADD= -lbsm +BINDIR= /usr/sbin + +.include <bsd.prog.mk> diff --git a/contrib/openbsm/bin/praudit/praudit.1 b/contrib/openbsm/bin/praudit/praudit.1 new file mode 100644 index 000000000000..e99463860407 --- /dev/null +++ b/contrib/openbsm/bin/praudit/praudit.1 @@ -0,0 +1,97 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $ +.\" +.Dd Jan 24, 2004 +.Dt PRAUDIT 1 +.Os +.Sh NAME +.Nm praudit +.Nd "print the contents of audit trail files" +.Sh SYNOPSIS +.Nm praudit +.Op Fl lrs +.Op Fl d Ar del +.Op Ar file ... +.Sh DESCRIPTION +The +.Nm +utility prints the contents of the audit trail files to the standard output in +human-readable form. +If no filename is specified, the standard input is used +by default. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl l +Prints the entire record on the same line. +If this option is not specified, +every token is displayed on a different line. +.It Fl r +Prints the records in their raw, numeric form. +This option is exclusive from +.Fl s +.It Fl s +Prints the tokens in their short form. +Short text representations for +record and event type are displayed. +This option is exclusive from +.Fl r +.It Fl d Ar del +Specifies the delimiter. +The default delimiter is the comma. +.El +.Pp +If the raw or short forms are not specified, the default is to print the tokens +in their long form. +Events are displayed as per their descriptions given in +.Pa /etc/security/audit_event ; +uids and gids are expanded to their names; +dates and times are displayed in human-readable format. +.Sh FILES +.Bl -tag -width "/etc/security/audit_control" -compact +.It Pa /etc/security/audit_class +Descriptions of audit event classes +.It Pa /etc/security/audit_event +Descriptions of audit events +.El +.Sh SEE ALSO +.Xr audit_class 5 , +.Xr audit_event 5 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/bin/praudit/praudit.c b/contrib/openbsm/bin/praudit/praudit.c new file mode 100644 index 000000000000..920f6d46b589 --- /dev/null +++ b/contrib/openbsm/bin/praudit/praudit.c @@ -0,0 +1,157 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $ + */ + +/* + * Tool used to parse audit records conforming to the BSM structure. + */ + +/* + * praudit [-lrs] [-ddel] [filenames] + */ + +#include <bsm/libbsm.h> + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + +extern char *optarg; +extern int optind, optopt, opterr,optreset; + +static char *del = ","; /* Default delimiter. */ +static int oneline = 0; +static int raw = 0; +static int shortfrm = 0; +static int partial = 0; + +static void +usage() +{ + + fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n"); + exit(1); +} + +/* + * Token printing for each token type . + */ +static int +print_tokens(FILE *fp) +{ + u_char *buf; + tokenstr_t tok; + int reclen; + int bytesread; + + /* Allow tail -f | praudit to work. */ + if (partial) { + u_char type = 0; + /* Record must begin with a header token. */ + do { + type = fgetc(fp); + } while(type != AU_HEADER_32_TOKEN); + ungetc(type, fp); + } + + while ((reclen = au_read_rec(fp, &buf)) != -1) { + bytesread = 0; + while (bytesread < reclen) { + /* Is this an incomplete record? */ + if (-1 == au_fetch_tok(&tok, buf + bytesread, + reclen - bytesread)) + break; + au_print_tok(stdout, &tok, del, raw, shortfrm); + bytesread += tok.len; + if (oneline) + printf("%s", del); + else + printf("\n"); + } + free(buf); + if (oneline) + printf("\n"); + } + return (0); +} + +int +main(int argc, char **argv) +{ + char ch; + int i; + FILE *fp; + + while ((ch = getopt(argc, argv, "lprsd:")) != -1) { + switch(ch) { + case 'l': + oneline = 1; + break; + + case 'r': + if (shortfrm) + usage(); /* Exclusive from shortfrm. */ + raw = 1; + break; + + case 's': + if (raw) + usage(); /* Exclusive from raw. */ + shortfrm = 1; + break; + + case 'd': + del = optarg; + break; + + case 'p': + partial = 1; + break; + + case '?': + default: + usage(); + } + } + + /* For each of the files passed as arguments dump the contents. */ + if (optind == argc) { + print_tokens(stdin); + return (1); + } + for (i = optind; i < argc; i++) { + fp = fopen(argv[i], "r"); + if ((fp == NULL) || (print_tokens(fp) == -1)) + perror(argv[i]); + if (fp != NULL) + fclose(fp); + } + return (1); +} diff --git a/contrib/openbsm/bsm/Makefile b/contrib/openbsm/bsm/Makefile new file mode 100644 index 000000000000..ba6370123110 --- /dev/null +++ b/contrib/openbsm/bsm/Makefile @@ -0,0 +1,22 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile#7 $ +# + +INCS= audit.h \ + audit_internal.h \ + audit_kevents.h \ + audit_record.h \ + audit_uevents.h \ + libbsm.h + +TARGET= ${DESTDIR}/usr/include/bsm + +all: +default: +depend: +clean: + +install: + mkdir -p -m 0755 ${TARGET} + install -o root -g wheel -m 0644 ${INCS} ${TARGET} + diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h new file mode 100644 index 000000000000..1d208c1347eb --- /dev/null +++ b/contrib/openbsm/bsm/audit.h @@ -0,0 +1,327 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#14 $ + */ + +#ifndef _BSM_AUDIT_H +#define _BSM_AUDIT_H + +#define AUDIT_RECORD_MAGIC 0x828a0f1b +#define MAX_AUDIT_RECORDS 20 +#define MAX_AUDIT_RECORD_SIZE 4096 +#define MIN_AUDIT_FILE_SIZE (512 * 1024) + +/* + * Triggers for the audit daemon + */ +#define AUDIT_TRIGGER_MIN 1 +#define AUDIT_TRIGGER_LOW_SPACE 1 +#define AUDIT_TRIGGER_OPEN_NEW 2 +#define AUDIT_TRIGGER_READ_FILE 3 +#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 +#define AUDIT_TRIGGER_NO_SPACE 5 +#define AUDIT_TRIGGER_MAX 5 + +/* + * File that will be read for trigger events from the kernel + */ +#define AUDIT_TRIGGER_FILE "/dev/audit" + +/* + * Pre-defined audit IDs + */ +#define AU_DEFAUDITID -1 + +/* + * Define the masks for the classes of audit events. + */ +#define AU_NULL 0x00000000 +#define AU_FREAD 0x00000001 +#define AU_FWRITE 0x00000002 +#define AU_FACCESS 0x00000004 +#define AU_FMODIFY 0x00000008 +#define AU_FCREATE 0x00000010 +#define AU_FDELETE 0x00000020 +#define AU_CLOSE 0x00000040 +#define AU_PROCESS 0x00000080 +#define AU_NET 0x00000100 +#define AU_IPC 0x00000200 +#define AU_NONAT 0x00000400 +#define AU_ADMIN 0x00000800 +#define AU_LOGIN 0x00001000 +#define AU_TFM 0x00002000 +#define AU_APPL 0x00004000 +#define AU_SETL 0x00008000 +#define AU_IFLOAT 0x00010000 +#define AU_PRIV 0x00020000 +#define AU_MAC_RW 0x00040000 +#define AU_XCONN 0x00080000 +#define AU_XCREATE 0x00100000 +#define AU_XDELETE 0x00200000 +#define AU_XIFLOAT 0x00400000 +#define AU_XPRIVS 0x00800000 +#define AU_XPRIVF 0x01000000 +#define AU_XMOVE 0x02000000 +#define AU_XDACF 0x04000000 +#define AU_XMACF 0x08000000 +#define AU_XSECATTR 0x10000000 +#define AU_IOCTL 0x20000000 +#define AU_EXEC 0x40000000 +#define AU_OTHER 0x80000000 +#define AU_ALL 0xffffffff + +/* + * IPC types + */ +#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */ +#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */ +#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */ + +/* + * Audit conditions. + */ +#define AUC_UNSET 0 +#define AUC_AUDITING 1 +#define AUC_NOAUDIT 2 +#define AUC_DISABLED -1 + +/* + * auditon(2) commands. + */ +#define A_GETPOLICY 2 +#define A_SETPOLICY 3 +#define A_GETKMASK 4 +#define A_SETKMASK 5 +#define A_GETQCTRL 6 +#define A_SETQCTRL 7 +#define A_GETCWD 8 +#define A_GETCAR 9 +#define A_GETSTAT 12 +#define A_SETSTAT 13 +#define A_SETUMASK 14 +#define A_SETSMASK 15 +#define A_GETCOND 20 +#define A_SETCOND 21 +#define A_GETCLASS 22 +#define A_SETCLASS 23 +#define A_GETPINFO 24 +#define A_SETPMASK 25 +#define A_SETFSIZE 26 +#define A_GETFSIZE 27 +#define A_GETPINFO_ADDR 28 +#define A_GETKAUDIT 29 +#define A_SETKAUDIT 30 +#define A_SENDTRIGGER 31 + +/* + * Audit policy controls. + */ +#define AUDIT_CNT 0x0001 +#define AUDIT_AHLT 0x0002 +#define AUDIT_ARGV 0x0004 +#define AUDIT_ARGE 0x0008 +#define AUDIT_PASSWD 0x0010 +#define AUDIT_SEQ 0x0020 +#define AUDIT_WINDATA 0x0040 +#define AUDIT_USER 0x0080 +#define AUDIT_GROUP 0x0100 +#define AUDIT_TRAIL 0x0200 +#define AUDIT_PATH 0x0400 + +/* + * Audit queue control parameters + */ +#define AQ_HIWATER 100 +#define AQ_MAXHIGH 10000 +#define AQ_LOWATER 10 +#define AQ_BUFSZ 1024 +#define AQ_MAXBUFSZ 1048576 + +/* + * Default minimum percentage free space on file system. + */ +#define AU_FS_MINFREE 20 + +/* + * Type definitions used indicating the length of variable length addresses + * in tokens containing addresses, such as header fields. + */ +#define AU_IPv4 4 +#define AU_IPv6 16 + +__BEGIN_DECLS + +typedef uid_t au_id_t; +typedef pid_t au_asid_t; +typedef u_int16_t au_event_t; +typedef u_int16_t au_emod_t; +typedef u_int32_t au_class_t; + +struct au_tid { + dev_t port; + u_int32_t machine; +}; +typedef struct au_tid au_tid_t; + +struct au_tid_addr { + dev_t at_port; + u_int32_t at_type; + u_int32_t at_addr[4]; +}; +typedef struct au_tid_addr au_tid_addr_t; + +struct au_mask { + unsigned int am_success; /* Success bits. */ + unsigned int am_failure; /* Failure bits. */ +}; +typedef struct au_mask au_mask_t; + +struct auditinfo { + au_id_t ai_auid; /* Audit user ID. */ + au_mask_t ai_mask; /* Audit masks. */ + au_tid_t ai_termid; /* Terminal ID. */ + au_asid_t ai_asid; /* Audit session ID. */ +}; +typedef struct auditinfo auditinfo_t; + +struct auditinfo_addr { + au_id_t ai_auid; /* Audit user ID. */ + au_mask_t ai_mask; /* Audit masks. */ + au_tid_addr_t ai_termid; /* Terminal ID. */ + au_asid_t ai_asid; /* Audit session ID. */ +}; +typedef struct auditinfo_addr auditinfo_addr_t; + +struct auditpinfo { + pid_t ap_pid; /* ID of target process. */ + au_id_t ap_auid; /* Audit user ID. */ + au_mask_t ap_mask; /* Audit masks. */ + au_tid_t ap_termid; /* Terminal ID. */ + au_asid_t ap_asid; /* Audit session ID. */ +}; +typedef struct auditpinfo auditpinfo_t; + +struct auditpinfo_addr { + pid_t ap_pid; /* ID of target process. */ + au_id_t ap_auid; /* Audit user ID. */ + au_mask_t ap_mask; /* Audit masks. */ + au_tid_addr_t ap_termid; /* Terminal ID. */ + au_asid_t ap_asid; /* Audit session ID. */ +}; +typedef struct auditpinfo_addr auditpinfo_addr_t; + +/* Token and record structures. */ + +struct au_token { + u_char *t_data; + size_t len; + TAILQ_ENTRY(au_token) tokens; +}; +typedef struct au_token token_t; + +struct au_record { + char used; /* Record currently in use? */ + int desc; /* Descriptor for record. */ + TAILQ_HEAD(, au_token) token_q; /* Queue of BSM tokens. */ + u_char *data; + size_t len; + LIST_ENTRY(au_record) au_rec_q; +}; +typedef struct au_record au_record_t; + +/* + * Kernel audit queue control parameters. + */ +struct au_qctrl { + size_t aq_hiwater; + size_t aq_lowater; + size_t aq_bufsz; + clock_t aq_delay; + int aq_minfree; /* Minimum filesystem percent free space. */ +}; +typedef struct au_qctrl au_qctrl_t; + +/* + * Structure for the audit statistics. + */ +struct audit_stat { + unsigned int as_version; + unsigned int as_numevent; + int as_generated; + int as_nonattring; + int as_kernel; + int as_audit; + int as_auditctl; + int as_enqueu; + int as_written; + int as_wblocked; + int as_rblocked; + int as_dropped; + int as_totalsize; + unsigned int as_memused; +}; +typedef struct audit_stat au_stat_t; + +/* + * Structure for the audit file statistics. + */ +struct audit_fstat { + u_quad_t af_filesz; + u_quad_t af_currsz; +}; +typedef struct audit_fstat au_fstat_t; + +/* + * Audit to event class mapping. + */ +struct au_evclass_map { + au_event_t ec_number; + au_class_t ec_class; +}; +typedef struct au_evclass_map au_evclass_map_t; + +#if !defined(_KERNEL) && !defined(KERNEL) +int audit(const void *, int); +int auditon(int, void *, int); +int auditctl(const char *); +int getauid(au_id_t *); +int setauid(const au_id_t *); +int getaudit(struct auditinfo *); +int setaudit(const struct auditinfo *); +int getaudit_addr(struct auditinfo_addr *, int); +int setaudit_addr(const struct auditinfo_addr *, int); +#endif /* defined(_KERNEL) || defined(KERNEL) */ + +__END_DECLS + +#endif /* !_BSM_AUDIT_H */ diff --git a/contrib/openbsm/bsm/audit_internal.h b/contrib/openbsm/bsm/audit_internal.h new file mode 100644 index 000000000000..2d98aae5c88f --- /dev/null +++ b/contrib/openbsm/bsm/audit_internal.h @@ -0,0 +1,99 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * Copyright (c) 2005 SPARTA, Inc. + * All rights reserved. + * + * This code was developed in part by Robert N. M. Watson, Senior Principal + * Scientist, SPARTA, Inc. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#7 $ + */ + +#ifndef _LIBBSM_INTERNAL_H +#define _LIBBSM_INTERNAL_H + +/* + * audit_internal.h contains private interfaces that are shared by user space + * and the kernel for the purposes of assembling audit records. Applications + * should not include this file or use the APIs found within, or it may be + * broken with future releases of OpenBSM, which may delete, modify, or + * otherwise break these interfaces or the assumptions they rely on. + */ + +/* We could determined the header and trailer sizes by + * defining appropriate structures. We hold off that approach + * till we have a consistant way of using structures for all tokens. + * This is not straightforward since these token structures may + * contain pointers of whose contents we dont know the size + * (e.g text tokens) + */ +#define BSM_HEADER_SIZE 18 +#define BSM_TRAILER_SIZE 7 + +/* + * BSM token streams store fields in big endian byte order, so as to be + * portable; when encoding and decoding, we must convert byte orders for + * typed values. + */ +#define ADD_U_CHAR(loc, val) \ + do { \ + *(loc) = (val); \ + (loc) += sizeof(u_char); \ + } while(0) + + +#define ADD_U_INT16(loc, val) \ + do { \ + be16enc((loc), (val)); \ + (loc) += sizeof(u_int16_t); \ + } while(0) + +#define ADD_U_INT32(loc, val) \ + do { \ + be32enc((loc), (val)); \ + (loc) += sizeof(u_int32_t); \ + } while(0) + +#define ADD_U_INT64(loc, val) \ + do { \ + be64enc((loc), (val)); \ + (loc) += sizeof(u_int64_t); \ + } while(0) + +#define ADD_MEM(loc, data, size) \ + do { \ + memcpy((loc), (data), (size)); \ + (loc) += size; \ + } while(0) + +#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size) + +#endif /* !_LIBBSM_INTERNAL_H_ */ diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h new file mode 100644 index 000000000000..54cc308fc002 --- /dev/null +++ b/contrib/openbsm/bsm/audit_kevents.h @@ -0,0 +1,494 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#29 $ + */ + +#ifndef _BSM_AUDIT_KEVENTS_H_ +#define _BSM_AUDIT_KEVENTS_H_ + +/* + * Values marked as AUE_NULL are not required to be audited as per CAPP. + * + * Some conflicts exist in the assignment of name to event number mappings + * between BSM implementations. In general, we prefer the OpenSolaris + * definition as we consider Solaris BSM to be authoritative. _DARWIN_ has + * been inserted for the Darwin variants. If necessary, other tags will be + * added in the future. + */ + +#define AUE_NULL 0 +#define AUE_EXIT 1 +#define AUE_FORK 2 +#define AUE_OPEN 3 +#define AUE_CREAT 4 +#define AUE_LINK 5 +#define AUE_UNLINK 6 +#define AUE_DELETE AUE_UNLINK +#define AUE_EXEC 7 +#define AUE_CHDIR 8 +#define AUE_MKNOD 9 +#define AUE_CHMOD 10 +#define AUE_CHOWN 11 +#define AUE_UMOUNT 12 +#define AUE_JUNK 13 /* Solaris-specific. */ +#define AUE_ACCESS 14 +#define AUE_CHECKUSERACCESS AUE_ACCESS +#define AUE_KILL 15 +#define AUE_STAT 16 +#define AUE_LSTAT 17 +#define AUE_ACCT 18 +#define AUE_MCTL 19 /* Solaris-specific. */ +#define AUE_REBOOT 20 /* XXX: Darwin conflict. */ +#define AUE_SYMLINK 21 +#define AUE_READLINK 22 +#define AUE_EXECVE 23 +#define AUE_CHROOT 24 +#define AUE_VFORK 25 +#define AUE_SETGROUPS 26 +#define AUE_SETPGRP 27 +#define AUE_SWAPON 28 +#define AUE_SETHOSTNAME 29 /* XXX: Darwin conflict. */ +#define AUE_FCNTL 30 +#define AUE_SETPRIORITY 31 /* XXX: Darwin conflict. */ +#define AUE_CONNECT 32 +#define AUE_ACCEPT 33 +#define AUE_BIND 34 +#define AUE_SETSOCKOPT 35 +#define AUE_VTRACE 36 /* Solaris-specific. */ +#define AUE_SETTIMEOFDAY 37 /* XXX: Darwin conflict. */ +#define AUE_FCHOWN 38 +#define AUE_FCHMOD 39 +#define AUE_SETREUID 40 +#define AUE_SETREGID 41 +#define AUE_RENAME 42 +#define AUE_TRUNCATE 43 /* XXX: Darwin conflict. */ +#define AUE_FTRUNCATE 44 /* XXX: Darwin conflict. */ +#define AUE_FLOCK 45 /* XXX: Darwin conflict. */ +#define AUE_SHUTDOWN 46 +#define AUE_MKDIR 47 +#define AUE_RMDIR 48 +#define AUE_UTIMES 49 +#define AUE_ADJTIME 50 +#define AUE_SETRLIMIT 51 +#define AUE_KILLPG 52 +#define AUE_NFS_SVC 53 /* XXX: Darwin conflict. */ +#define AUE_STATFS 54 +#define AUE_FSTATFS 55 +#define AUE_UNMOUNT 56 /* XXX: Darwin conflict. */ +#define AUE_ASYNC_DAEMON 57 +#define AUE_NFS_GETFH 58 /* XXX: Darwin conflict. */ +#define AUE_SETDOMAINNAME 59 +#define AUE_QUOTACTL 60 /* XXX: Darwin conflict. */ +#define AUE_EXPORTFS 61 +#define AUE_MOUNT 62 +#define AUE_SEMSYS 63 +#define AUE_MSGSYS 64 +#define AUE_SHMSYS 65 +#define AUE_BSMSYS 66 /* Solaris-specific. */ +#define AUE_RFSSYS 67 /* Solaris-specific. */ +#define AUE_FCHDIR 68 +#define AUE_FCHROOT 69 +#define AUE_VPIXSYS 70 /* Solaris-specific. */ +#define AUE_PATHCONF 71 +#define AUE_OPEN_R 72 +#define AUE_OPEN_RC 73 +#define AUE_OPEN_RT 74 +#define AUE_OPEN_RTC 75 +#define AUE_OPEN_W 76 +#define AUE_OPEN_WC 77 +#define AUE_OPEN_WT 78 +#define AUE_OPEN_WTC 79 +#define AUE_OPEN_RW 80 +#define AUE_OPEN_RWC 81 +#define AUE_OPEN_RWT 82 +#define AUE_OPEN_RWTC 83 +#define AUE_MSGCTL 84 +#define AUE_MSGCTL_RMID 85 +#define AUE_MSGCTL_SET 86 +#define AUE_MSGCTL_STAT 87 +#define AUE_MSGGET 88 +#define AUE_MSGRCV 89 +#define AUE_MSGSND 90 +#define AUE_SHMCTL 91 +#define AUE_SHMCTL_RMID 92 +#define AUE_SHMCTL_SET 93 +#define AUE_SHMCTL_STAT 94 +#define AUE_SHMGET 95 +#define AUE_SHMAT 96 +#define AUE_SHMDT 97 +#define AUE_SEMCTL 98 +#define AUE_SEMCTL_RMID 99 +#define AUE_SEMCTL_SET 100 +#define AUE_SEMCTL_STAT 101 +#define AUE_SEMCTL_GETNCNT 102 +#define AUE_SEMCTL_GETPID 103 +#define AUE_SEMCTL_GETVAL 104 +#define AUE_SEMCTL_GETALL 105 +#define AUE_SEMCTL_GETZCNT 106 +#define AUE_SEMCTL_SETVAL 107 +#define AUE_SEMCTL_SETALL 108 +#define AUE_SEMGET 109 +#define AUE_SEMOP 110 +#define AUE_CORE 111 /* Solaris-specific, currently. */ +#define AUE_CLOSE 112 +#define AUE_SYSTEMBOOT 113 +#define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */ +#define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */ +#define AUE_WRITEL 128 /* Solaris-specific. */ +#define AUE_WRITEVL 129 /* Solaris-specific. */ +#define AUE_GETAUID 130 +#define AUE_SETAUID 131 +#define AUE_GETAUDIT 132 +#define AUE_SETAUDIT 133 +#define AUE_GETUSERAUDIT 134 /* Solaris-specific. */ +#define AUE_SETUSERAUDIT 135 /* Solaris-specific. */ +#define AUE_AUDITSVC 136 /* Solaris-specific. */ +#define AUE_AUDITUSER 137 /* Solaris-specific. */ +#define AUE_AUDITON 138 +#define AUE_AUDITON_GTERMID 139 /* Solaris-specific. */ +#define AUE_AUDITON_STERMID 140 /* Solaris-specific. */ +#define AUE_AUDITON_GPOLICY 141 +#define AUE_AUDITON_SPOLICY 142 +#define AUE_AUDITON_GQCTRL 145 +#define AUE_AUDITON_SQCTRL 146 +#define AUE_GETKERNSTATE 147 /* Solaris-specific. */ +#define AUE_SETKERNSTATE 148 /* Solaris-specific. */ +#define AUE_GETPORTAUDIT 149 /* Solaris-specific. */ +#define AUE_AUDISTAT 150 /* Solaris-specific. */ +#define AUE_ENTERPROM 153 /* Solaris-specific. */ +#define AUE_EXITPROM 154 /* Solaris-specific. */ +#define AUE_IOCTL 158 +#define AUE_SOCKET 183 +#define AUE_SENDTO 184 +#define AUE_PIPE 185 +#define AUE_SOCKETPAIR 186 /* XXX: Darwin conflict. */ +#define AUE_SEND 187 +#define AUE_SENDMSG 188 +#define AUE_RECV 189 +#define AUE_RECVMSG 190 +#define AUE_RECVFROM 191 +#define AUE_READ 192 +#define AUE_LSEEK 194 +#define AUE_WRITE 195 +#define AUE_WRITEV 196 +#define AUE_NFS 197 /* Solaris-specific. */ +#define AUE_READV 198 + /* XXXRW: XXX Solaris old stat()? */ +#define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */ +#define AUE_STIME 201 /* XXXRW: Solaris old stime? */ +#define AUE_UTIME 202 /* XXXRW: Solaris old utime? */ +#define AUE_NICE 203 /* XXXRW: Solaris old nice? */ + /* XXXRW: Solaris old setpgrp? */ +#define AUE_SETGID 205 /* XXXRW: Solaris old setgid? */ + /* XXXRW: Solaris readl? */ + /* XXXRW: Solaris readvl()? */ +#define AUE_DUP2 209 +#define AUE_MMAP 210 +#define AUE_AUDIT 211 +#define AUE_PRIOCNTLSYS 212 +#define AUE_MUNMAP 213 +#define AUE_SETEGID 214 +#define AUE_SETEUID 215 +#define AUE_PUTMSG 216 +#define AUE_GETMSG 217 /* Solaris-specific. */ +#define AUE_PUTPMSG 218 /* Solaris-specific. */ +#define AUE_GETPMSG 219 /* Solaris-specific. */ +#define AUE_AUDITSYS 220 /* Solaris-specific. */ +#define AUE_AUDITON_GETKMASK 221 +#define AUE_AUDITON_SETKMASK 222 +#define AUE_AUDITON_GETCWD 223 +#define AUE_AUDITON_GETCAR 224 +#define AUE_AUDITON_GETSTAT 225 +#define AUE_AUDITON_SETSTAT 226 +#define AUE_AUDITON_SETUMASK 227 +#define AUE_AUDITON_SETSMASK 228 +#define AUE_AUDITON_GETCOND 229 +#define AUE_AUDITON_SETCOND 230 +#define AUE_AUDITON_GETCLASS 231 +#define AUE_AUDITON_SETCLASS 232 +#define AUE_UTSSYS 233 /* Solaris-specific. */ +#define AUE_STATVFS 234 +#define AUE_XSTAT 235 +#define AUE_LXSTAT 236 +#define AUE_LCHOWN 237 +#define AUE_MEMCNTL 238 /* Solaris-specific. */ +#define AUE_SYSINFO 239 /* Solaris-specific. */ +#define AUE_XMKNOD 240 /* Solaris-specific. */ +#define AUE_FORK1 241 + /* XXXRW: Solaris modctl()? */ +#define AUE_MODLOAD 243 +#define AUE_MODUNLOAD 244 +#define AUE_MODCONFIG 245 /* Solaris-specific. */ +#define AUE_MODADDMAJ 246 /* Solaris-specific. */ +#define AUE_SOCKACCEPT 247 +#define AUE_SOCKCONNECT 248 +#define AUE_SOCKSEND 249 +#define AUE_SOCKRECEIVE 250 +#define AUE_ACLSET 251 +#define AUE_FACLSET 252 +#define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_REVOKE 257 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_INFO 258 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_CRED 259 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_BIND 260 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_UNBIND 261 /* Solaris-specific. */ +#define AUE_P_ONLINE 262 /* Solaris-specific. */ +#define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */ +#define AUE_INST_SYNC 264 /* Solaris-specific. */ +#define AUE_SOCK_CONFIG 265 /* Solaris-specific. */ +#define AUE_SETAUDIT_ADDR 266 +#define AUE_GETAUDIT_ADDR 267 +#define AUE_CLOCK_SETTIME 287 +#define AUE_NTP_ADJTIME 288 + +/* + * Events not present in OpenSolaris BSM, generally derived from Apple Darwin + * BSM or added in OpenBSM. This start a little too close to the top end of + * the OpenSolaris event list for my comfort. + */ +#define AUE_GETFSSTAT 301 +#define AUE_PTRACE 302 +#define AUE_CHFLAGS 303 +#define AUE_FCHFLAGS 304 +#define AUE_PROFILE 305 +#define AUE_KTRACE 306 +#define AUE_SETLOGIN 307 +#define AUE_DARWIN_REBOOT 308 /* XXX: See AUE_REBOOT. */ +#define AUE_REVOKE 309 +#define AUE_UMASK 310 +#define AUE_MPROTECT 311 +#define AUE_DARWIN_SETPRIORITY 312 /* XXX: See AUE_SETPRIORITY. */ +#define AUE_DARWIN_SETTIMEOFDAY 313 /* XXX: See AUE_SETTIMEOFDAY. */ +#define AUE_DARWIN_FLOCK 314 /* XXX: See AUE_FLOCK. */ +#define AUE_MKFIFO 315 +#define AUE_POLL 316 +#define AUE_DARWIN_SOCKETPAIR 317 /* XXXRW: See AUE_SOCKETPAIR. */ +#define AUE_FUTIMES 318 +#define AUE_SETSID 319 +#define AUE_SETPRIVEXEC 320 /* Darwin-specific. */ +#define AUE_DARWIN_NFSSVC 321 /* XXX: See AUE_NFS_SVC. */ +#define AUE_DARWIN_GETFH 322 /* XXX: See AUE_NFS_GETFH. */ +#define AUE_DARWIN_QUOTACTL 323 /* XXX: See AUE_QUOTACTL. */ +#define AUE_ADDPROFILE 324 /* Darwin-specific. */ +#define AUE_KDEBUGTRACE 325 /* Darwin-specific. */ +#define AUE_KDBUGTRACE AUE_KDEBUGTRACE +#define AUE_FSTAT 326 +#define AUE_FPATHCONF 327 +#define AUE_GETDIRENTRIES 328 +#define AUE_DARWIN_TRUNCATE 329 /* XXX: See AUE_TRUNCATE. */ +#define AUE_DARWIN_FTRUNCATE 330 /* XXX: See AUE_FTRUNCATE. */ +#define AUE_SYSCTL 331 +#define AUE_MLOCK 332 +#define AUE_MUNLOCK 333 +#define AUE_UNDELETE 334 +#define AUE_GETATTRLIST 335 /* Darwin-specific. */ +#define AUE_SETATTRLIST 336 /* Darwin-specific. */ +#define AUE_GETDIRENTRIESATTR 337 /* Darwin-specific. */ +#define AUE_EXCHANGEDATA 338 /* Darwin-specific. */ +#define AUE_SEARCHFS 339 /* Darwin-specific. */ +#define AUE_MINHERIT 340 +#define AUE_SEMCONFIG 341 +#define AUE_SEMOPEN 342 +#define AUE_SEMCLOSE 343 +#define AUE_SEMUNLINK 344 +#define AUE_SHMOPEN 345 +#define AUE_SHMUNLINK 346 +#define AUE_LOADSHFILE 347 /* Darwin-specific. */ +#define AUE_RESETSHFILE 348 /* Darwin-specific. */ +#define AUE_NEWSYSTEMSHREG 349 /* Darwin-specific. */ +#define AUE_PTHREADKILL 350 /* Darwin-specific. */ +#define AUE_PTHREADSIGMASK 351 /* Darwin-specific. */ +#define AUE_AUDITCTL 352 +#define AUE_RFORK 353 +#define AUE_LCHMOD 354 +#define AUE_SWAPOFF 355 +#define AUE_INITPROCESS 356 /* Darwin-specific. */ +#define AUE_MAPFD 357 /* Darwin-specific. */ +#define AUE_TASKFORPID 358 /* Darwin-specific. */ +#define AUE_PIDFORTASK 359 /* Darwin-specific. */ +#define AUE_SYSCTL_NONADMIN 360 +#define AUE_COPYFILE 361 /* Darwin-specific. */ +#define AUE_LUTIMES 362 +#define AUE_LCHFLAGS 363 /* FreeBSD-specific. */ +#define AUE_SENDFILE 364 /* BSD/Linux-specific. */ +#define AUE_USELIB 365 /* Linux-specific. */ +#define AUE_GETRESUID 366 +#define AUE_SETRESUID 367 +#define AUE_GETRESGID 368 +#define AUE_SETRESGID 369 +#define AUE_WAIT4 370 /* FreeBSD-specific. */ +#define AUE_LGETFH 371 /* FreeBSD-specific. */ +#define AUE_FHSTATFS 372 /* FreeBSD-specific. */ +#define AUE_FHOPEN 373 /* FreeBSD-specific. */ +#define AUE_FHSTAT 374 /* FreeBSD-specific. */ +#define AUE_JAIL 375 /* FreeBSD-specific. */ +#define AUE_EACCESS 376 /* FreeBSD-specific. */ +#define AUE_KQUEUE 377 /* FreeBSD-specific. */ +#define AUE_KEVENT 378 /* FreeBSD-specific. */ +#define AUE_FSYNC 379 +#define AUE_NMOUNT 380 /* FreeBSD-specific. */ + +/* + * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the + * normal Solaris BSM identifiers. _O_ refers to it being an old, or compat + * interface. In most cases, Darwin has never implemented these system calls + * but picked up the fields in their system call table from their FreeBSD + * import. Happily, these have different names than the AUE_O* definitions + * in Solaris BSM. + */ +#define AUE_O_CREAT AUE_OPEN_RWTC /* Darwin */ +#define AUE_O_EXECVE AUE_NULL /* Darwin */ +#define AUE_O_SBREAK AUE_NULL /* Darwin */ +#define AUE_O_LSEEK AUE_NULL /* Darwin */ +#define AUE_O_MOUNT AUE_NULL /* Darwin */ +#define AUE_O_UMOUNT AUE_NULL /* Darwin */ +#define AUE_O_STAT AUE_STAT /* Darwin */ +#define AUE_O_LSTAT AUE_LSTAT /* Darwin */ +#define AUE_O_FSTAT AUE_FSTAT /* Darwin */ +#define AUE_O_GETPAGESIZE AUE_NULL /* Darwin */ +#define AUE_O_VREAD AUE_NULL /* Darwin */ +#define AUE_O_VWRITE AUE_NULL /* Darwin */ +#define AUE_O_MMAP AUE_MMAP /* Darwin */ +#define AUE_O_VADVISE AUE_NULL /* Darwin */ +#define AUE_O_VHANGUP AUE_NULL /* Darwin */ +#define AUE_O_VLIMIT AUE_NULL /* Darwin */ +#define AUE_O_WAIT AUE_NULL /* Darwin */ +#define AUE_O_GETHOSTNAME AUE_NULL /* Darwin */ +#define AUE_O_SETHOSTNAME AUE_SYSCTL /* Darwin */ +#define AUE_O_GETDOPT AUE_NULL /* Darwin */ +#define AUE_O_SETDOPT AUE_NULL /* Darwin */ +#define AUE_O_ACCEPT AUE_NULL /* Darwin */ +#define AUE_O_SEND AUE_SENDMSG /* Darwin */ +#define AUE_O_RECV AUE_RECVMSG /* Darwin */ +#define AUE_O_VTIMES AUE_NULL /* Darwin */ +#define AUE_O_SIGVEC AUE_NULL /* Darwin */ +#define AUE_O_SIGBLOCK AUE_NULL /* Darwin */ +#define AUE_O_SIGSETMASK AUE_NULL /* Darwin */ +#define AUE_O_SIGSTACK AUE_NULL /* Darwin */ +#define AUE_O_RECVMSG AUE_RECVMSG /* Darwin */ +#define AUE_O_SENDMSG AUE_SENDMSG /* Darwin */ +#define AUE_O_VTRACE AUE_NULL /* Darwin */ +#define AUE_O_RESUBA AUE_NULL /* Darwin */ +#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */ +#define AUE_O_SETREUID AUE_SETREUID /* Darwin */ +#define AUE_O_SETREGID AUE_SETREGID /* Darwin */ +#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */ +#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */ +#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */ +#define AUE_O_GETHOSTID AUE_NULL /* Darwin */ +#define AUE_O_SETHOSTID AUE_NULL /* Darwin */ +#define AUE_O_GETRLIMIT AUE_NULL /* Darwin */ +#define AUE_O_SETRLIMIT AUE_SETRLIMIT /* Darwin */ +#define AUE_O_KILLPG AUE_KILL /* Darwin */ +#define AUE_O_SETQUOTA AUE_NULL /* Darwin */ +#define AUE_O_QUOTA AUE_NULL /* Darwin */ +#define AUE_O_GETSOCKNAME AUE_NULL /* Darwin */ +#define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */ +#define AUE_O_ASYNCDAEMON AUE_NULL /* Darwin */ +#define AUE_O_GETDOMAINNAME AUE_NULL /* Darwin */ +#define AUE_O_SETDOMAINNAME AUE_SYSCTL /* Darwin */ +#define AUE_O_PCFS_MOUNT AUE_NULL /* Darwin */ +#define AUE_O_EXPORTFS AUE_NULL /* Darwin */ +#define AUE_O_USTATE AUE_NULL /* Darwin */ +#define AUE_O_WAIT3 AUE_NULL /* Darwin */ +#define AUE_O_RPAUSE AUE_NULL /* Darwin */ +#define AUE_O_GETDENTS AUE_NULL /* Darwin */ + +/* + * Possible desired future values based on review of BSD/Darwin system calls. + */ +#define AUE_DUP AUE_NULL +#define AUE_FSCTL AUE_NULL +#define AUE_FSTATV AUE_NULL +#define AUE_GCCONTROL AUE_NULL +#define AUE_GETDTABLESIZE AUE_NULL +#define AUE_GETEGID AUE_NULL +#define AUE_GETEUID AUE_NULL +#define AUE_GETGID AUE_NULL +#define AUE_GETGROUPS AUE_NULL +#define AUE_GETITIMER AUE_NULL +#define AUE_GETLOGIN AUE_NULL +#define AUE_GETPEERNAME AUE_NULL +#define AUE_GETPGID AUE_NULL +#define AUE_GETPGRP AUE_NULL +#define AUE_GETPID AUE_NULL +#define AUE_GETPPID AUE_NULL +#define AUE_GETPRIORITY AUE_NULL +#define AUE_GETRLIMIT AUE_NULL +#define AUE_GETRUSAGE AUE_NULL +#define AUE_GETSID AUE_NULL +#define AUE_GETSOCKNAME AUE_NULL +#define AUE_GETTIMEOFDAY AUE_NULL +#define AUE_GETUID AUE_NULL +#define AUE_GETSOCKOPT AUE_NULL +#define AUE_GTSOCKOPT AUE_GETSOCKOPT /* XXX: Typo in Darwin. */ +#define AUE_ISSETUGID AUE_NULL +#define AUE_LISTEN AUE_NULL +#define AUE_LSTATV AUE_NULL +#define AUE_MADVISE AUE_NULL +#define AUE_MINCORE AUE_NULL +#define AUE_MKCOMPLEX AUE_NULL +#define AUE_MLOCKALL AUE_NULL +#define AUE_MODWATCH AUE_NULL +#define AUE_MSGCL AUE_NULL +#define AUE_MSYNC AUE_NULL +#define AUE_MUNLOCKALL AUE_NULL +#define AUE_PREAD AUE_NULL +#define AUE_PWRITE AUE_NULL +#define AUE_SBRK AUE_NULL +#define AUE_SELECT AUE_NULL +#define AUE_SEMDESTROY AUE_NULL +#define AUE_SEMGETVALUE AUE_NULL +#define AUE_SEMINIT AUE_NULL +#define AUE_SEMPOST AUE_NULL +#define AUE_SEMTRYWAIT AUE_NULL +#define AUE_SEMWAIT AUE_NULL +#define AUE_SETITIMER AUE_NULL +#define AUE_SIGACTION AUE_NULL +#define AUE_SIGALTSTACK AUE_NULL +#define AUE_SIGPENDING AUE_NULL +#define AUE_SIGPROCMASK AUE_NULL +#define AUE_SIGRETURN AUE_NULL +#define AUE_SIGSUSPEND AUE_NULL +#define AUE_SIGWAIT AUE_NULL +#define AUE_SSTK AUE_NULL +#define AUE_STATV AUE_NULL +#define AUE_SYNC AUE_NULL +#define AUE_SYSCALL AUE_NULL +#define AUE_TABLE AUE_NULL +#define AUE_WAITEVENT AUE_NULL +#define AUE_WATCHEVENT AUE_NULL + +#endif /* !_BSM_AUDIT_KEVENTS_H_ */ diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h new file mode 100644 index 000000000000..af9ba4d4e76c --- /dev/null +++ b/contrib/openbsm/bsm/audit_record.h @@ -0,0 +1,325 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#14 $ + */ + +#ifndef _BSM_AUDIT_RECORD_H_ +#define _BSM_AUDIT_RECORD_H_ + +/* Various token id types */ + +/* + * Values inside the comments are not documented in the BSM pages and + * have been picked up from the header files + */ + +/* + * Values marked as XXX do not have a value defined in the BSM header files + */ + +#define AUT_INVALID 0x00 +#define AUT_OTHER_FILE32 0x11 +#define AUT_OHEADER 0x12 +#define AUT_TRAILER 0x13 +#define AUT_HEADER32 0x14 +#define AUT_HEADER32_EX 0x15 +#define AUT_DATA 0x21 +#define AUT_IPC 0x22 +#define AUT_PATH 0x23 +#define AUT_SUBJECT32 0x24 +#define AUT_SERVER32 0x25 +#define AUT_PROCESS32 0x26 +#define AUT_RETURN32 0x27 +#define AUT_TEXT 0x28 +#define AUT_OPAQUE 0x29 +#define AUT_IN_ADDR 0x2a +#define AUT_IP 0x2b +#define AUT_IPORT 0x2c +#define AUT_ARG32 0x2d +#define AUT_SOCKET 0x2e +#define AUT_SEQ 0x2f +#define AUT_ACL 0x30 +#define AUT_ATTR 0x31 +#define AUT_IPC_PERM 0x32 +#define AUT_LABEL 0x33 +#define AUT_GROUPS 0x34 +#define AUT_ILABEL 0x35 +#define AUT_SLABEL 0x36 +#define AUT_CLEAR 0x37 +#define AUT_PRIV 0x38 +#define AUT_UPRIV 0x39 +#define AUT_LIAISON 0x3a +#define AUT_NEWGROUPS 0x3b +#define AUT_EXEC_ARGS 0x3c +#define AUT_EXEC_ENV 0x3d +#define AUT_ATTR32 0x3e +/* #define AUT_???? 0x3f */ +#define AUT_XATOM 0x40 +#define AUT_XOBJ 0x41 +#define AUT_XPROTO 0x42 +#define AUT_XSELECT 0x43 +/* XXXRW: Additional X11 tokens not defined? */ +#define AUT_CMD 0x51 +#define AUT_EXIT 0x52 +/* XXXRW: OpenBSM AUT_HOST 0x70? */ +#define AUT_ARG64 0x71 +#define AUT_RETURN64 0x72 +#define AUT_ATTR64 0x73 +#define AUT_HEADER64 0x74 +#define AUT_SUBJECT64 0x75 +#define AUT_SERVER64 0x76 +#define AUT_PROCESS64 0x77 +#define AUT_OTHER_FILE64 0x78 +#define AUT_HEADER64_EX 0x79 +#define AUT_SUBJECT32_EX 0x7a +#define AUT_PROCESS32_EX 0x7b +#define AUT_SUBJECT64_EX 0x7c +#define AUT_PROCESS64_EX 0x7d +#define AUT_IN_ADDR_EX 0x7e +#define AUT_SOCKET_EX 0x7f + +/* + * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'. We have + * compatibility defines. + */ +#define AUT_HEADER AUT_HEADER32 +#define AUT_ARG AUT_ARG32 +#define AUT_RETURN AUT_RETURN32 +#define AUT_SUBJECT AUT_SUBJECT32 +#define AUT_SERVER AUT_SERVER32 +#define AUT_PROCESS AUT_PROCESS32 +#define AUT_OTHER_FILE AUT_OTHER_FILE32 + +/* + * Darwin's bsm distribution uses the following non-BSM token name defines. + * We provide them for a single OpenBSM release for compatibility reasons. + */ +#define AU_FILE_TOKEN AUT_OTHER_FILE32 +#define AU_TRAILER_TOKEN AUT_TRAILER +#define AU_HEADER_32_TOKEN AUT_HEADER32 +#define AU_DATA_TOKEN AUT_DATA +#define AU_ARB_TOKEN AUT_DATA +#define AU_IPC_TOKEN AUT_IPC +#define AU_PATH_TOKEN AUT_PATH +#define AU_SUBJECT_32_TOKEN AUT_SUBJECT32 +#define AU_PROCESS_32_TOKEN AUT_PROCESS32 +#define AU_RETURN_32_TOKEN AUT_RETURN32 +#define AU_TEXT_TOKEN AUT_TEXT +#define AU_OPAQUE_TOKEN AUT_OPAQUE +#define AU_IN_ADDR_TOKEN AUT_IN_ADDR +#define AU_IP_TOKEN AUT_IP +#define AU_IPORT_TOKEN AUT_IPORT +#define AU_ARG32_TOKEN AUT_ARG32 +#define AU_SOCK_TOKEN AUT_SOCKET +#define AU_SEQ_TOKEN AUT_SEQ +#define AU_ATTR_TOKEN AUT_ATTR +#define AU_IPCPERM_TOKEN AUT_IPC_PERM +#define AU_NEWGROUPS_TOKEN AUT_NEWGROUPS +#define AU_EXEC_ARG_TOKEN AUT_EXEC_ARGS +#define AU_EXEC_ENV_TOKEN AUT_EXEC_ENV +#define AU_ATTR32_TOKEN AUT_ATTR32 +#define AU_CMD_TOKEN AUT_CMD +#define AU_EXIT_TOKEN AUT_EXIT +#define AU_ARG64_TOKEN AUT_ARG64 +#define AU_RETURN_64_TOKEN AUT_RETURN64 +#define AU_ATTR64_TOKEN AUT_ATTR64 +#define AU_HEADER_64_TOKEN AUT_HEADER64 +#define AU_SUBJECT_64_TOKEN AUT_SUBJECT64 +#define AU_PROCESS_64_TOKEN AUT_PROCESS64 +#define AU_HEADER_64_EX_TOKEN AUT_HEADER64_EX +#define AU_SUBJECT_32_EX_TOKEN AUT_SUBJECT32_EX +#define AU_PROCESS_32_EX_TOKEN AUT_PROCESS32_EX +#define AU_SUBJECT_64_EX_TOKEN AUT_SUBJECT64_EX +#define AU_PROCESS_64_EX_TOKEN AUT_PROCESS64_EX +#define AU_IN_ADDR_EX_TOKEN AUT_IN_ADDR_EX +#define AU_SOCK_32_EX_TOKEN AUT_SOCKET_EX + +/* + * The values for the following token ids are not defined by BSM. + * + * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them + * names more consistent with Sun's BSM. These originally came from Apple's + * BSM. + */ +#define AUT_SOCKINET32 0x80 /* XXX */ +#define AUT_SOCKINET128 0x81 /* XXX */ +#define AUT_SOCKUNIX 0x82 /* XXX */ +#define AU_SOCK_INET_32_TOKEN AUT_SOCKINET32 +#define AU_SOCK_INET_128_TOKEN AUT_SOCKINET128 +#define AU_SOCK_UNIX_TOKEN AUT_SOCKUNIX + +/* print values for the arbitrary token */ +#define AUP_BINARY 0 +#define AUP_OCTAL 1 +#define AUP_DECIMAL 2 +#define AUP_HEX 3 +#define AUP_STRING 4 + +/* data-types for the arbitrary token */ +#define AUR_BYTE 0 +#define AUR_SHORT 1 +#define AUR_LONG 2 + +/* ... and their sizes */ +#define AUR_BYTE_SIZE sizeof(u_char) +#define AUR_SHORT_SIZE sizeof(uint16_t) +#define AUR_LONG_SIZE sizeof(uint32_t) + +/* Modifiers for the header token */ +#define PAD_NOTATTR 0x4000 /* nonattributable event */ +#define PAD_FAILURE 0x8000 /* fail audit event */ + + +#define BSM_MAX_GROUPS 16 +#define HEADER_VERSION 1 + +/* + * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we + * split the difference, will remove the Apple define for the next release. + */ +#define AUT_TRAILER_MAGIC 0xb105 +#define TRAILER_PAD_MAGIC AUT_TRAILER_MAGIC + +/* BSM library calls */ + +__BEGIN_DECLS + +struct in_addr; +struct in6_addr; +struct ip; +struct ipc_perm; +struct kevent; +struct sockaddr_in; +struct sockaddr_in6; +struct sockaddr_un; +#if defined(_KERNEL) || defined(KERNEL) +struct vnode_au_info; +#endif + +int au_open(void); +int au_write(int d, token_t *m); +int au_close(int d, int keep, short event); +int au_close_buffer(int d, short event, u_char *buffer, size_t *buflen); + +#if defined(KERNEL) || defined(_KERNEL) +token_t *au_to_file(char *file, struct timeval tm); +#else +token_t *au_to_file(char *file); +#endif + +#if defined(KERNEL) || defined(_KERNEL) +token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod, + struct timeval tm); +token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod, + struct timeval tm); +#else +token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod); +token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod); +#endif + +token_t *au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod); +token_t *au_to_me(void); +token_t *au_to_arg(char n, char *text, uint32_t v); +token_t *au_to_arg32(char n, char *text, uint32_t v); +token_t *au_to_arg64(char n, char *text, uint64_t v); + +#if defined(_KERNEL) || defined(KERNEL) +token_t *au_to_attr(struct vnode_au_info *vni); +token_t *au_to_attr32(struct vnode_au_info *vni); +token_t *au_to_attr64(struct vnode_au_info *vni); +#endif + +token_t *au_to_data(char unit_print, char unit_type, char unit_count, + char *p); +token_t *au_to_exit(int retval, int err); +token_t *au_to_groups(int *groups); +token_t *au_to_newgroups(uint16_t n, gid_t *groups); +token_t *au_to_in_addr(struct in_addr *internet_addr); +token_t *au_to_in_addr_ex(struct in6_addr *internet_addr); +token_t *au_to_ip(struct ip *ip); +token_t *au_to_ipc(char type, int id); +token_t *au_to_ipc_perm(struct ipc_perm *perm); +token_t *au_to_iport(uint16_t iport); +token_t *au_to_opaque(char *data, uint16_t bytes); +token_t *au_to_path(char *path); +token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, + uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, + au_tid_addr_t *tid); +token_t *au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_return(char status, uint32_t ret); +token_t *au_to_return32(char status, uint32_t ret); +token_t *au_to_return64(char status, uint64_t ret); +token_t *au_to_seq(long audit_count); + +#if defined(_KERNEL) || defined(KERNEL) +token_t *au_to_socket(struct socket *so); +token_t *au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la, + struct sockaddr *ta); +token_t *au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la, + struct sockaddr *ta); +#endif + +token_t *au_to_sock_inet(struct sockaddr_in *so); +token_t *au_to_sock_inet32(struct sockaddr_in *so); +token_t *au_to_sock_inet128(struct sockaddr_in6 *so); +token_t *au_to_sock_unix(struct sockaddr_un *so); +token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_exec_args(const char **); +token_t *au_to_exec_env(const char **); +token_t *au_to_text(char *text); +token_t *au_to_kevent(struct kevent *kev); +token_t *au_to_trailer(int rec_size); + +__END_DECLS + +#endif /* ! _BSM_AUDIT_RECORD_H_ */ diff --git a/contrib/openbsm/bsm/audit_uevents.h b/contrib/openbsm/bsm/audit_uevents.h new file mode 100644 index 000000000000..0493e31272b2 --- /dev/null +++ b/contrib/openbsm/bsm/audit_uevents.h @@ -0,0 +1,102 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#7 $ + */ + +#ifndef _BSM_AUDIT_UEVENTS_H_ +#define _BSM_AUDIT_UEVENTS_H_ + +/*- + * User level audit event numbers + * + * Range of audit event numbers: + * 0 Reserved, invalid + * 1 - 2047 Reserved for kernel events + * 2048 - 32767 Defined by BSM for user events + * 32768 - 36864 Reserved for Mac OS-X applications + * 36865 - 65535 Reserved for applications + * + */ +#define AUE_at_create 6144 +#define AUE_at_delete 6145 +#define AUE_at_perm 6146 +#define AUE_cron_invoke 6147 +#define AUE_crontab_create 6148 +#define AUE_crontab_delete 6149 +#define AUE_crontab_perm 6150 +#define AUE_inetd_connect 6151 +#define AUE_login 6152 +#define AUE_logout 6153 +#define AUE_telnet 6154 +#define AUE_rlogin 6155 +#define AUE_mountd_mount 6156 +#define AUE_mountd_umount 6157 +#define AUE_rshd 6158 +#define AUE_su 6159 +#define AUE_halt 6160 +#define AUE_reboot 6161 +#define AUE_rexecd 6162 +#define AUE_passwd 6163 +#define AUE_rexd 6164 +#define AUE_ftpd 6165 +#define AUE_init 6166 +#define AUE_uadmin 6167 +#define AUE_shutdown 6168 +#define AUE_poweroff 6169 +#define AUE_crontab_mod 6170 +#define AUE_audit_startup 6171 +#define AUE_audit_shutdown 6172 +#define AUE_allocate_succ 6200 +#define AUE_allocate_fail 6201 +#define AUE_deallocate_succ 6202 +#define AUE_deallocate_fail 6203 +#define AUE_listdevice_succ 6205 +#define AUE_listdevice_fail 6206 +#define AUE_create_user 6207 +#define AUE_modify_user 6208 +#define AUE_delete_user 6209 +#define AUE_disable_user 6210 +#define AUE_enable_user 6211 +#define AUE_sudo 6300 +#define AUE_modify_password 6501 /* Not assigned by Sun. */ +#define AUE_create_group 6511 /* Not assigned by Sun. */ +#define AUE_delete_group 6512 /* Not assigned by Sun. */ +#define AUE_modify_group 6513 /* Not assigned by Sun. */ +#define AUE_add_to_group 6514 /* Not assigned by Sun. */ +#define AUE_remove_from_group 6515 /* Not assigned by Sun. */ +#define AUE_revoke_obj 6521 /* Not assigned by Sun; not used. */ +#define AUE_lw_login 6600 /* Not assigned by Sun; tentative. */ +#define AUE_lw_logout 6601 /* Not assigned by Sun; tentative. */ +#define AUE_auth_user 7000 /* Not assigned by Sun. */ +#define AUE_ssconn 7001 /* Not assigned by Sun. */ +#define AUE_ssauthorize 7002 /* Not assigned by Sun. */ +#define AUE_ssauthint 7003 /* Not assigned by Sun. */ +#define AUE_openssh 32800 + +#endif /* !_BSM_AUDIT_UEVENTS_H_ */ diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h new file mode 100644 index 000000000000..baf9f1479d07 --- /dev/null +++ b/contrib/openbsm/bsm/libbsm.h @@ -0,0 +1,1175 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#14 $ + */ + +#ifndef _LIBBSM_H_ +#define _LIBBSM_H_ + +/* + * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced + * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. + */ + +#define MAX_ARGS 10 +#define MAX_ENV 10 + +#include <sys/types.h> +#include <sys/cdefs.h> +#include <sys/queue.h> + +#include <bsm/audit.h> +#include <bsm/audit_record.h> + +#include <stdio.h> +#include <stdint.h> + +#ifdef __APPLE__ +#include <mach/mach.h> /* audit_token_t */ +#endif + +#define AU_PRS_SUCCESS 1 +#define AU_PRS_FAILURE 2 +#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) + +#define AU_PRS_USECACHE 0 +#define AU_PRS_REREAD 1 + +#define AUDIT_EVENT_FILE "/etc/security/audit_event" +#define AUDIT_CLASS_FILE "/etc/security/audit_class" +#define AUDIT_CONTROL_FILE "/etc/security/audit_control" +#define AUDIT_USER_FILE "/etc/security/audit_user" + +#define DIR_CONTROL_ENTRY "dir" +#define MINFREE_CONTROL_ENTRY "minfree" +#define FLAGS_CONTROL_ENTRY "flags" +#define NA_CONTROL_ENTRY "naflags" + +#define AU_CLASS_NAME_MAX 8 +#define AU_CLASS_DESC_MAX 72 +#define AU_EVENT_NAME_MAX 30 +#define AU_EVENT_DESC_MAX 50 +#define AU_USER_NAME_MAX 50 +#define AU_LINE_MAX 256 +#define MAX_AUDITSTRING_LEN 256 +#define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ + +/* + * These are referenced in Solaris 9 au_open(3BSM); values are guesses. + * Provided for OpenSSH compatibility. + */ +#define AU_TO_NO_WRITE 0 +#define AU_TO_WRITE 1 + +__BEGIN_DECLS +struct au_event_ent { + au_event_t ae_number; + char *ae_name; + char *ae_desc; + au_class_t ae_class; +}; +typedef struct au_event_ent au_event_ent_t; + +struct au_class_ent { + char *ac_name; + au_class_t ac_class; + char *ac_desc; +}; +typedef struct au_class_ent au_class_ent_t; + +struct au_user_ent { + char *au_name; + au_mask_t au_always; + au_mask_t au_never; +}; +typedef struct au_user_ent au_user_ent_t; +__END_DECLS + +#define ADD_TO_MASK(m, c, sel) do { \ + if (sel & AU_PRS_SUCCESS) \ + (m)->am_success |= c; \ + if (sel & AU_PRS_FAILURE) \ + (m)->am_failure |= c; \ +} while (0) + +#define SUB_FROM_MASK(m, c, sel) do { \ + if (sel & AU_PRS_SUCCESS) \ + (m)->am_success &= ((m)->am_success ^ c); \ + if (sel & AU_PRS_FAILURE) \ + (m)->am_failure &= ((m)->am_failure ^ c); \ +} while (0) + +#define ADDMASK(m, v) do { \ + (m)->am_success |= (v)->am_success; \ + (m)->am_failure |= (v)->am_failure; \ +} while(0) + +#define SUBMASK(m, v) do { \ + (m)->am_success &= ((m)->am_success ^ (v)->am_success); \ + (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \ +} while(0) + +__BEGIN_DECLS + +/* + * Internal representation of audit user in libnsl. + */ +typedef struct au_user_str_s { + char *au_name; + char *au_always; + char *au_never; +} au_user_str_t; + +typedef struct au_tid32 { + u_int32_t port; + u_int32_t addr; +} au_tid32_t; + +typedef struct au_tid64 { + u_int64_t port; + u_int32_t addr; +} au_tid64_t; + +typedef struct au_tidaddr32 { + u_int32_t port; + u_int32_t type; + u_int32_t addr[4]; +} au_tidaddr32_t; + +/* + * argument # 1 byte + * argument value 4 bytes/8 bytes (32-bit/64-bit value) + * text length 2 bytes + * text N bytes + 1 terminating NULL byte + */ +typedef struct { + u_char no; + u_int32_t val; + u_int16_t len; + char *text; +} au_arg32_t; + +typedef struct { + u_char no; + u_int64_t val; + u_int16_t len; + char *text; +} au_arg64_t; + +/* + * how to print 1 byte + * basic unit 1 byte + * unit count 1 byte + * data items (depends on basic unit) + */ +typedef struct { + u_char howtopr; + u_char bu; + u_char uc; + u_char *data; +} au_arb_t; + +/* + * file access mode 4 bytes + * owner user ID 4 bytes + * owner group ID 4 bytes + * file system ID 4 bytes + * node ID 8 bytes + * device 4 bytes/8 bytes (32-bit/64-bit) + */ +typedef struct { + u_int32_t mode; + u_int32_t uid; + u_int32_t gid; + u_int32_t fsid; + u_int64_t nid; + u_int32_t dev; +} au_attr32_t; + +typedef struct { + u_int32_t mode; + u_int32_t uid; + u_int32_t gid; + u_int32_t fsid; + u_int64_t nid; + u_int64_t dev; +} au_attr64_t; + +/* + * count 4 bytes + * text count null-terminated string(s) + */ +typedef struct { + u_int32_t count; + char *text[MAX_ARGS]; +} au_execarg_t; + +/* + * count 4 bytes + * text count null-terminated string(s) + */ +typedef struct { + u_int32_t count; + char *text[MAX_ENV]; +} au_execenv_t; + +/* + * status 4 bytes + * return value 4 bytes + */ +typedef struct { + u_int32_t status; + u_int32_t ret; +} au_exit_t; + +/* + * seconds of time 4 bytes + * milliseconds of time 4 bytes + * file name length 2 bytes + * file pathname N bytes + 1 terminating NULL byte + */ +typedef struct { + u_int32_t s; + u_int32_t ms; + u_int16_t len; + char *name; +} au_file_t; + + +/* + * number groups 2 bytes + * group list N * 4 bytes + */ +typedef struct { + u_int16_t no; + u_int32_t list[BSM_MAX_GROUPS]; +} au_groups_t; + +/* + * record byte count 4 bytes + * version # 1 byte [2] + * event type 2 bytes + * event modifier 2 bytes + * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) + * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) + */ +typedef struct { + u_int32_t size; + u_char version; + u_int16_t e_type; + u_int16_t e_mod; + u_int32_t s; + u_int32_t ms; +} au_header32_t; + +/* + * record byte count 4 bytes + * version # 1 byte [2] + * event type 2 bytes + * event modifier 2 bytes + * address type/length 1 byte (XXX: actually, 4 bytes) + * machine address 4 bytes/16 bytes (IPv4/IPv6 address) + * seconds of time 4 bytes/8 bytes (32/64-bits) + * nanoseconds of time 4 bytes/8 bytes (32/64-bits) + */ +typedef struct { + u_int32_t size; + u_char version; + u_int16_t e_type; + u_int16_t e_mod; + u_int32_t ad_type; + u_int32_t addr[4]; + u_int32_t s; + u_int32_t ms; +} au_header32_ex_t; + +typedef struct { + u_int32_t size; + u_char version; + u_int16_t e_type; + u_int16_t e_mod; + u_int64_t s; + u_int64_t ms; +} au_header64_t; + +typedef struct { + u_int32_t size; + u_char version; + u_int16_t e_type; + u_int16_t e_mod; + u_int32_t ad_type; + u_int32_t addr[4]; + u_int64_t s; + u_int64_t ms; +} au_header64_ex_t; + +/* + * internet address 4 bytes + */ +typedef struct { + u_int32_t addr; +} au_inaddr_t; + +/* + * type 4 bytes + * internet address 16 bytes + */ +typedef struct { + u_int32_t type; + u_int32_t addr[4]; +} au_inaddr_ex_t; + +/* + * version and ihl 1 byte + * type of service 1 byte + * length 2 bytes + * id 2 bytes + * offset 2 bytes + * ttl 1 byte + * protocol 1 byte + * checksum 2 bytes + * source address 4 bytes + * destination address 4 bytes + */ +typedef struct { + u_char version; + u_char tos; + u_int16_t len; + u_int16_t id; + u_int16_t offset; + u_char ttl; + u_char prot; + u_int16_t chksm; + u_int32_t src; + u_int32_t dest; +} au_ip_t; + +/* + * object ID type 1 byte + * object ID 4 bytes + */ +typedef struct { + u_char type; + u_int32_t id; +} au_ipc_t; + +/* + * owner user ID 4 bytes + * owner group ID 4 bytes + * creator user ID 4 bytes + * creator group ID 4 bytes + * access mode 4 bytes + * slot sequence # 4 bytes + * key 4 bytes + */ +typedef struct { + u_int32_t uid; + u_int32_t gid; + u_int32_t puid; + u_int32_t pgid; + u_int32_t mode; + u_int32_t seq; + u_int32_t key; +} au_ipcperm_t; + +/* + * port IP address 2 bytes + */ +typedef struct { + u_int16_t port; +} au_iport_t; + +/* + * length 2 bytes + * data length bytes + */ +typedef struct { + u_int16_t size; + char *data; +} au_opaque_t; + +/* + * path length 2 bytes + * path N bytes + 1 terminating NULL byte + */ +typedef struct { + u_int16_t len; + char *path; +} au_path_t; + +/* + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * machine address 4 bytes + */ +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tid32_t tid; +} au_proc32_t; + +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tid64_t tid; +} au_proc64_t; + +/* + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * type 4 bytes + * machine address 16 bytes + */ +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tidaddr32_t tid; +} au_proc32ex_t; + +/* + * error status 1 byte + * return value 4 bytes/8 bytes (32-bit/64-bit value) + */ +typedef struct { + u_char status; + u_int32_t ret; +} au_ret32_t; + +typedef struct { + u_char err; + u_int64_t val; +} au_ret64_t; + +/* + * sequence number 4 bytes + */ +typedef struct { + u_int32_t seqno; +} au_seq_t; + +/* + * socket type 2 bytes + * local port 2 bytes + * local Internet address 4 bytes + * remote port 2 bytes + * remote Internet address 4 bytes + */ +typedef struct { + u_int16_t type; + u_int16_t l_port; + u_int32_t l_addr; + u_int16_t r_port; + u_int32_t r_addr; +} au_socket_t; + +/* + * socket type 2 bytes + * local port 2 bytes + * address type/length 4 bytes + * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) + * remote port 4 bytes + * address type/length 4 bytes + * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) + */ +typedef struct { + u_int16_t type; + u_int16_t l_port; + u_int32_t l_ad_type; + u_int32_t l_addr; + u_int32_t r_port; + u_int32_t r_ad_type; + u_int32_t r_addr; +} au_socket_ex32_t; + +/* + * socket family 2 bytes + * local port 2 bytes + * socket address 4 bytes/16 bytes (IPv4/IPv6 address) + */ +typedef struct { + u_int16_t family; + u_int16_t port; + u_int32_t addr; +} au_socketinet32_t; + +/* + * socket family 2 bytes + * path 104 bytes + */ +typedef struct { + u_int16_t family; + char path[104]; +} au_socketunix_t; + +/* + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * machine address 4 bytes + */ +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tid32_t tid; +} au_subject32_t; + +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tid64_t tid; +} au_subject64_t; + +/* + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * type 4 bytes + * machine address 16 bytes + */ +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tidaddr32_t tid; +} au_subject32ex_t; + +/* + * text length 2 bytes + * text N bytes + 1 terminating NULL byte + */ +typedef struct { + u_int16_t len; + char *text; +} au_text_t; + +typedef struct { + u_int32_t ident; + u_int16_t filter; + u_int16_t flags; + u_int32_t fflags; + u_int32_t data; +} au_kevent_t; + +typedef struct { + u_int16_t length; + char *data; +} au_invalid_t; + +/* + * trailer magic number 2 bytes + * record byte count 4 bytes + */ +typedef struct { + u_int16_t magic; + u_int32_t count; +} au_trailer_t; + +struct tokenstr { + u_char id; + u_char *data; + size_t len; + union { + au_arg32_t arg32; + au_arg64_t arg64; + au_arb_t arb; + au_attr32_t attr32; + au_attr64_t attr64; + au_execarg_t execarg; + au_execenv_t execenv; + au_exit_t exit; + au_file_t file; + au_groups_t grps; + au_header32_t hdr32; + au_header32_ex_t hdr32_ex; + au_header64_t hdr64; + au_header64_ex_t hdr64_ex; + au_inaddr_t inaddr; + au_inaddr_ex_t inaddr_ex; + au_ip_t ip; + au_ipc_t ipc; + au_ipcperm_t ipcperm; + au_iport_t iport; + au_opaque_t opaque; + au_path_t path; + au_proc32_t proc32; + au_proc64_t proc64; + au_proc32ex_t proc32_ex; + au_ret32_t ret32; + au_ret64_t ret64; + au_seq_t seq; + au_socket_t socket; + au_socket_ex32_t socket_ex32; + au_socketinet32_t sockinet32; + au_socketunix_t sockunix; + au_subject32_t subj32; + au_subject64_t subj64; + au_subject32ex_t subj32_ex; + au_text_t text; + au_kevent_t kevent; + au_invalid_t invalid; + au_trailer_t trail; + } tt; /* The token is one of the above types */ +}; + +typedef struct tokenstr tokenstr_t; + +/* + * Functions relating to querying audit class information. + */ +void setauclass(void); +void endauclass(void); +struct au_class_ent *getauclassent(void); +struct au_class_ent *getauclassent_r(au_class_ent_t *class_int); +struct au_class_ent *getauclassnam(const char *name); +struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, + const char *name); +struct au_class_ent *getauclassnum(au_class_t class_number); +struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, + au_class_t class_number); + +/* + * Functions relating to querying audit control information. + */ +void setac(void); +void endac(void); +int getacdir(char *name, int len); +int getacmin(int *min_val); +int getacflg(char *auditstr, int len); +int getacna(char *auditstr, int len); +int getauditflagsbin(char *auditstr, au_mask_t *masks); +int getauditflagschar(char *auditstr, au_mask_t *masks, + int verbose); +int au_preselect(au_event_t event, au_mask_t *mask_p, + int sorf, int flag); + +/* + * Functions relating to querying audit event information. + * + * XXXRW: getauevnonam() has no _r version? + */ +void setauevent(void); +void endauevent(void); +struct au_event_ent *getauevent(void); +struct au_event_ent *getauevent_r(struct au_event_ent *e); +struct au_event_ent *getauevnam(const char *name); +struct au_event_ent *getauevnam_r(struct au_event_ent *e, + const char *name); +struct au_event_ent *getauevnum(au_event_t event_number); +struct au_event_ent *getauevnum_r(struct au_event_ent *e, + au_event_t event_number); +au_event_t *getauevnonam(const char *event_name); +au_event_t *getauevnonam_r(au_event_t *ev, + const char *event_name); + +/* + * Functions relating to querying audit user information. + */ +void setauuser(void); +void endauuser(void); +struct au_user_ent *getauuserent(void); +struct au_user_ent *getauuserent_r(struct au_user_ent *u); +struct au_user_ent *getauusernam(const char *name); +struct au_user_ent *getauusernam_r(struct au_user_ent *u, + const char *name); +int au_user_mask(char *username, au_mask_t *mask_p); +int getfauditflags(au_mask_t *usremask, + au_mask_t *usrdmask, au_mask_t *lastmask); + +/* + * Functions for reading and printing records and tokens from audit trails. + */ +int au_read_rec(FILE *fp, u_char **buf); +int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len); +//XXX The following interface has different prototype from BSM +void au_print_tok(FILE *outfp, tokenstr_t *tok, + char *del, char raw, char sfrm); +__END_DECLS + +#ifdef __APPLE__ +#include <sys/appleapiopts.h> + +/************************************************************************** + ************************************************************************** + ** The following definitions, functions, etc., are NOT officially + ** supported: they may be changed or removed in the future. Do not use + ** them unless you are prepared to cope with that eventuality. + ************************************************************************** + **************************************************************************/ + +#ifdef __APPLE_API_PRIVATE +#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" +#endif /* __APPLE_API_PRIVATE */ + +/* + * au_get_state() return values + * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and + * AUDIT_ON are deprecated and WILL be removed. + */ +#ifdef __APPLE_API_PRIVATE +#define AUDIT_OFF AUC_NOAUDIT +#define AUDIT_ON AUC_AUDITING +#endif /* __APPLE_API_PRIVATE */ +#endif /* !__APPLE__ */ + +/* + * Error return codes for audit_set_terminal_id(), audit_write() and its + * brethren. We have 255 (not including kAUNoErr) to play with. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +enum { + kAUNoErr = 0, + kAUBadParamErr = -66049, + kAUStatErr, + kAUSysctlErr, + kAUOpenErr, + kAUMakeSubjectTokErr, + kAUWriteSubjectTokErr, + kAUWriteCallerTokErr, + kAUMakeReturnTokErr, + kAUWriteReturnTokErr, + kAUCloseErr, + kAUMakeTextTokErr, + kAULastErr +}; + +#ifdef __APPLE__ +/* + * Error return codes for au_get_state() and/or its private support + * functions. These codes are designed to be compatible with the + * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping. + * Any changes to notify(3) may cause these values to change in future. + * + * AU_UNIMPL should never happen unless you've changed your system software + * without rebooting. Shame on you. + */ +#ifdef __APPLE_API_PRIVATE +#define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */ +#endif /* __APPLE_API_PRIVATE */ +#endif /* !__APPLE__ */ + +__BEGIN_DECLS +/* + * XXX This prototype should be in audit_record.h + * + * au_free_token() + * + * @summary - au_free_token() deallocates a token_t created by any of + * the au_to_*() BSM API functions. + * + * The BSM API generally manages deallocation of token_t objects. However, + * if au_write() is passed a bad audit descriptor, the token_t * parameter + * will be left untouched. In that case, the caller can deallocate the + * token_t using au_free_token() if desired. This is, in fact, what + * audit_write() does, in keeping with the existing memory management model + * of the BSM API. + * + * @param tok - A token_t * generated by one of the au_to_*() BSM API + * calls. For convenience, tok may be NULL, in which case + * au_free_token() returns immediately. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +void au_free_token(token_t *tok); + +/* + * Lightweight check to determine if auditing is enabled. If a client + * wants to use this to govern whether an entire series of audit calls + * should be made--as in the common case of a caller building a set of + * tokens, then writing them--it should cache the audit status in a local + * variable. This call always returns the current state of auditing. + * + * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. + * Otherwise the function can return any of the errno values defined for + * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by + * the system. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int au_get_state(void); +__END_DECLS + +/* OpenSSH compatibility */ +#define cannot_audit(x) (!(au_get_state() == AUC_AUDITING)) + +__BEGIN_DECLS +/* + * audit_set_terminal_id() + * + * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is + * used in audit session initialization by processes like /usr/bin/login. + * + * @param tid - A pointer to an au_tid_t struct. + * + * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr + * or kAUSysctlErr if one of the underlying system calls fails (a message + * is sent to the system log in those cases). + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_set_terminal_id(au_tid_t *tid); + +/* + * BEGIN au_write() WRAPPERS + * + * The following calls all wrap the existing BSM API. They use the + * provided subject information, if any, to construct the subject token + * required for every log message. They use the provided return/error + * value(s), if any, to construct the success/failure indication required + * for every log message. They only permit one "miscellaneous" token, + * which should contain the event-specific logging information mandated by + * CAPP. + * + * All these calls assume the caller has previously determined that + * auditing is enabled by calling au_get_state(). + */ + +/* + * audit_write() + * + * @summary - audit_write() is the basis for the other audit_write_*() + * calls. Performs a basic write of an audit record (subject, additional + * info, success/failure). Note that this call only permits logging one + * caller-specified token; clients needing to log more flexibly must use + * the existing BSM API (au_open(), et al.) directly. + * + * Note on memory management: audit_write() guarantees that the token_t *s + * passed to it will be deallocated whether or not the underlying write to + * the audit log succeeded. This addresses an inconsistency in the + * underlying BSM API in which token_t *s are usually but not always + * deallocated. + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param subject - A token_t * generated by au_to_subject(), + * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is + * required, subject should be NULL. + * + * @param misctok - A token_t * generated by one of the au_to_*() BSM API + * calls. This should correspond to the additional information required by + * CAPP for the event being audited. If no additional information is + * required, misctok should be NULL. + * + * @param retval - The return value to be logged for this event. This + * should be 0 (zero) for success, otherwise the value is event-specific. + * + * @param errcode - Any error code associated with the return value (e.g., + * errno or h_errno). If there was no error, errcode should be 0 (zero). + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write(short event_code, token_t *subject, token_t *misctok, + char retval, int errcode); + +/* + * audit_write_success() + * + * @summary - audit_write_success() records an auditable event that did not + * encounter an error. The interface is designed to require as little + * direct use of the au_to_*() API as possible. It builds a subject token + * from the information passed in and uses that to invoke audit_write(). + * A subject, as defined by CAPP, is a process acting on the user's behalf. + * + * If the subject information is the same as the current process, use + * au_write_success_self(). + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param misctok - A token_t * generated by one of the au_to_*() BSM API + * calls. This should correspond to the additional information required by + * CAPP for the event being audited. If no additional information is + * required, misctok should be NULL. + * + * @param auid - The subject's audit ID. + * + * @param euid - The subject's effective user ID. + * + * @param egid - The subject's effective group ID. + * + * @param ruid - The subject's real user ID. + * + * @param rgid - The subject's real group ID. + * + * @param pid - The subject's process ID. + * + * @param sid - The subject's session ID. + * + * @param tid - The subject's terminal ID. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_success(short event_code, token_t *misctok, au_id_t auid, + uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, + au_asid_t sid, au_tid_t *tid); + +/* + * audit_write_success_self() + * + * @summary - Similar to audit_write_success(), but used when the subject + * (process) is owned and operated by the auditable user him/herself. + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param misctok - A token_t * generated by one of the au_to_*() BSM API + * calls. This should correspond to the additional information required by + * CAPP for the event being audited. If no additional information is + * required, misctok should be NULL. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_success_self(short event_code, token_t *misctok); + +/* + * audit_write_failure() + * + * @summary - audit_write_failure() records an auditable event that + * encountered an error. The interface is designed to require as little + * direct use of the au_to_*() API as possible. It builds a subject token + * from the information passed in and uses that to invoke audit_write(). + * A subject, as defined by CAPP, is a process acting on the user's behalf. + * + * If the subject information is the same as the current process, use + * au_write_failure_self(). + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param errmsg - A text message providing additional information about + * the event being audited. + * + * @param errret - A numerical value providing additional information about + * the error. This is intended to store the value of errno or h_errno if + * it's relevant. This can be 0 (zero) if no additional information is + * available. + * + * @param auid - The subject's audit ID. + * + * @param euid - The subject's effective user ID. + * + * @param egid - The subject's effective group ID. + * + * @param ruid - The subject's real user ID. + * + * @param rgid - The subject's real group ID. + * + * @param pid - The subject's process ID. + * + * @param sid - The subject's session ID. + * + * @param tid - The subject's terminal ID. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_failure(short event_code, char *errmsg, int errret, + au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, + pid_t pid, au_asid_t sid, au_tid_t *tid); + +/* + * audit_write_failure_self() + * + * @summary - Similar to audit_write_failure(), but used when the subject + * (process) is owned and operated by the auditable user him/herself. + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param errmsg - A text message providing additional information about + * the event being audited. + * + * @param errret - A numerical value providing additional information about + * the error. This is intended to store the value of errno or h_errno if + * it's relevant. This can be 0 (zero) if no additional information is + * available. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_failure_self(short event_code, char *errmsg, int errret); + +/* + * audit_write_failure_na() + * + * @summary - audit_write_failure_na() records errors during login. Such + * errors are implicitly non-attributable (i.e., not ascribable to any user). + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param errmsg - A text message providing additional information about + * the event being audited. + * + * @param errret - A numerical value providing additional information about + * the error. This is intended to store the value of errno or h_errno if + * it's relevant. This can be 0 (zero) if no additional information is + * available. + * + * @param euid - The subject's effective user ID. + * + * @param egid - The subject's effective group ID. + * + * @param pid - The subject's process ID. + * + * @param tid - The subject's terminal ID. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_failure_na(short event_code, char *errmsg, int errret, + uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); + +/* END au_write() WRAPPERS */ + +#ifdef __APPLE__ +/* + * audit_token_to_au32() + * + * @summary - Extract information from an audit_token_t, used to identify + * Mach tasks and senders of Mach messages as subjects to the audit system. + * audit_tokent_to_au32() is the only method that should be used to parse + * an audit_token_t, since its internal representation may change over + * time. A pointer parameter may be NULL if that information is not + * needed. + * + * @param atoken - the audit token containing the desired information + * + * @param auidp - Pointer to a uid_t; on return will be set to the task or + * sender's audit user ID + * + * @param euidp - Pointer to a uid_t; on return will be set to the task or + * sender's effective user ID + * + * @param egidp - Pointer to a gid_t; on return will be set to the task or + * sender's effective group ID + * + * @param ruidp - Pointer to a uid_t; on return will be set to the task or + * sender's real user ID + * + * @param rgidp - Pointer to a gid_t; on return will be set to the task or + * sender's real group ID + * + * @param pidp - Pointer to a pid_t; on return will be set to the task or + * sender's process ID + * + * @param asidp - Pointer to an au_asid_t; on return will be set to the + * task or sender's audit session ID + * + * @param tidp - Pointer to an au_tid_t; on return will be set to the task + * or sender's terminal ID + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +void audit_token_to_au32( + audit_token_t atoken, + uid_t *auidp, + uid_t *euidp, + gid_t *egidp, + uid_t *ruidp, + gid_t *rgidp, + pid_t *pidp, + au_asid_t *asidp, + au_tid_t *tidp); +#endif /* !__APPLE__ */ + +__END_DECLS + +#endif /* !_LIBBSM_H_ */ diff --git a/contrib/openbsm/compat/endian.h b/contrib/openbsm/compat/endian.h new file mode 100644 index 000000000000..2517a41adc63 --- /dev/null +++ b/contrib/openbsm/compat/endian.h @@ -0,0 +1,264 @@ +/*- + * Copyright (c) 2002 Thomas Moestl <tmm@FreeBSD.org> + * Copyright (c) 2005 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * Derived from FreeBSD src/sys/sys/endian.h:1.6. + * $P4: //depot/projects/trustedbsd/openbsm/compat/endian.h#5 $ + */ + +#ifndef _COMPAT_ENDIAN_H_ +#define _COMPAT_ENDIAN_H_ + +/* + * Pick up value of BYTE_ORDER/_BYTE_ORDER if not yet included. + */ +#include <machine/endian.h> + +/* + * Some systems will have the uint/int types defined here already, others + * will need stdint.h. + */ +#include <stdint.h> + +/* + * Some operating systems do not yet have the more recent endian APIs that + * permit encoding to and decoding from byte streams. For those systems, we + * implement local non-optimized versions. + */ + +static __inline uint16_t +bswap16(uint16_t int16) +{ + const unsigned char *from; + unsigned char *to; + uint16_t t; + + from = (const unsigned char *) &int16; + to = (unsigned char *) &t; + + to[0] = from[1]; + to[1] = from[0]; + + return (t); +} + +static __inline uint32_t +bswap32(uint32_t int32) +{ + const unsigned char *from; + unsigned char *to; + uint32_t t; + + from = (const unsigned char *) &int32; + to = (unsigned char *) &t; + + to[0] = from[3]; + to[1] = from[2]; + to[2] = from[1]; + to[3] = from[0]; + + return (t); +} + +static __inline uint64_t +bswap64(uint64_t int64) +{ + const unsigned char *from; + unsigned char *to; + uint64_t t; + + from = (const unsigned char *) &int64; + to = (unsigned char *) &t; + + to[0] = from[7]; + to[1] = from[6]; + to[2] = from[5]; + to[3] = from[4]; + to[4] = from[3]; + to[5] = from[2]; + to[6] = from[1]; + to[7] = from[0]; + + return (t); +} + +#if defined(BYTE_ORDER) && !defined(_BYTE_ORDER) +#define _BYTE_ORDER BYTE_ORDER +#endif +#if !defined(_BYTE_ORDER) +#error "Neither BYTE_ORDER nor _BYTE_ORDER defined" +#endif + +#if defined(BIG_ENDIAN) && !defined(_BIG_ENDIAN) +#define _BIG_ENDIAN BIG_ENDIAN +#endif + +#if defined(LITTLE_ENDIAN) && !defined(_LITTLE_ENDIAN) +#define _LITTLE_ENDIAN LITTLE_ENDIAN +#endif + +/* + * Host to big endian, host to little endian, big endian to host, and little + * endian to host byte order functions as detailed in byteorder(9). + */ +#if _BYTE_ORDER == _LITTLE_ENDIAN +#define htobe16(x) bswap16((x)) +#define htobe32(x) bswap32((x)) +#define htobe64(x) bswap64((x)) +#define htole16(x) ((uint16_t)(x)) +#define htole32(x) ((uint32_t)(x)) +#define htole64(x) ((uint64_t)(x)) + +#define be16toh(x) bswap16((x)) +#define be32toh(x) bswap32((x)) +#define be64toh(x) bswap64((x)) +#define le16toh(x) ((uint16_t)(x)) +#define le32toh(x) ((uint32_t)(x)) +#define le64toh(x) ((uint64_t)(x)) +#else /* _BYTE_ORDER != _LITTLE_ENDIAN */ +#define htobe16(x) ((uint16_t)(x)) +#define htobe32(x) ((uint32_t)(x)) +#define htobe64(x) ((uint64_t)(x)) +#define htole16(x) bswap16((x)) +#define htole32(x) bswap32((x)) +#define htole64(x) bswap64((x)) + +#define be16toh(x) ((uint16_t)(x)) +#define be32toh(x) ((uint32_t)(x)) +#define be64toh(x) ((uint64_t)(x)) +#define le16toh(x) bswap16((x)) +#define le32toh(x) bswap32((x)) +#define le64toh(x) bswap64((x)) +#endif /* _BYTE_ORDER == _LITTLE_ENDIAN */ + +/* Alignment-agnostic encode/decode bytestream to/from little/big endian. */ + +static __inline uint16_t +be16dec(const void *pp) +{ + unsigned char const *p = (unsigned char const *)pp; + + return ((p[0] << 8) | p[1]); +} + +static __inline uint32_t +be32dec(const void *pp) +{ + unsigned char const *p = (unsigned char const *)pp; + + return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); +} + +static __inline uint64_t +be64dec(const void *pp) +{ + unsigned char const *p = (unsigned char const *)pp; + + return (((uint64_t)be32dec(p) << 32) | be32dec(p + 4)); +} + +static __inline uint16_t +le16dec(const void *pp) +{ + unsigned char const *p = (unsigned char const *)pp; + + return ((p[1] << 8) | p[0]); +} + +static __inline uint32_t +le32dec(const void *pp) +{ + unsigned char const *p = (unsigned char const *)pp; + + return ((p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0]); +} + +static __inline uint64_t +le64dec(const void *pp) +{ + unsigned char const *p = (unsigned char const *)pp; + + return (((uint64_t)le32dec(p + 4) << 32) | le32dec(p)); +} + +static __inline void +be16enc(void *pp, uint16_t u) +{ + unsigned char *p = (unsigned char *)pp; + + p[0] = (u >> 8) & 0xff; + p[1] = u & 0xff; +} + +static __inline void +be32enc(void *pp, uint32_t u) +{ + unsigned char *p = (unsigned char *)pp; + + p[0] = (u >> 24) & 0xff; + p[1] = (u >> 16) & 0xff; + p[2] = (u >> 8) & 0xff; + p[3] = u & 0xff; +} + +static __inline void +be64enc(void *pp, uint64_t u) +{ + unsigned char *p = (unsigned char *)pp; + + be32enc(p, u >> 32); + be32enc(p + 4, u & 0xffffffff); +} + +static __inline void +le16enc(void *pp, uint16_t u) +{ + unsigned char *p = (unsigned char *)pp; + + p[0] = u & 0xff; + p[1] = (u >> 8) & 0xff; +} + +static __inline void +le32enc(void *pp, uint32_t u) +{ + unsigned char *p = (unsigned char *)pp; + + p[0] = u & 0xff; + p[1] = (u >> 8) & 0xff; + p[2] = (u >> 16) & 0xff; + p[3] = (u >> 24) & 0xff; +} + +static __inline void +le64enc(void *pp, uint64_t u) +{ + unsigned char *p = (unsigned char *)pp; + + le32enc(p, u & 0xffffffff); + le32enc(p + 4, u >> 32); +} + +#endif /* _COMPAT_ENDIAN_H_ */ diff --git a/contrib/openbsm/etc/audit_class b/contrib/openbsm/etc/audit_class new file mode 100644 index 000000000000..9f596a276b9d --- /dev/null +++ b/contrib/openbsm/etc/audit_class @@ -0,0 +1,25 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_class#3 $ +# +# This file must match audit.h +# +0x00000000:no:invalid class +0x00000001:fr:file read +0x00000002:fw:file write +0x00000004:fa:file attribute access +0x00000008:fm:file attribute modify +0x00000010:fc:file create +0x00000020:fd:file delete +0x00000040:cl:file close +0x00000080:pc:process +0x00000100:nt:network +0x00000200:ip:ipc +0x00000400:na:non attributable +0x00000800:ad:administrative +0x00001000:lo:login_logout +0x00002000:tf:tfm +0x00004000:ap:application +0x20000000:io:ioctl +0x40000000:ex:exec +0x80000000:ot:miscellaneous +0xffffffff:all:all flags set diff --git a/contrib/openbsm/etc/audit_control b/contrib/openbsm/etc/audit_control new file mode 100644 index 000000000000..f6ca774e6cbd --- /dev/null +++ b/contrib/openbsm/etc/audit_control @@ -0,0 +1,7 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#2 $ +# +dir:/var/audit +flags:lo,ad,-all,^-fa,^-fc,^-cl +minfree:20 +naflags:lo diff --git a/contrib/openbsm/etc/audit_event b/contrib/openbsm/etc/audit_event new file mode 100644 index 000000000000..01a3a5b6cbd2 --- /dev/null +++ b/contrib/openbsm/etc/audit_event @@ -0,0 +1,343 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#10 $ +# +0:AUE_NULL:indir system call:no +1:AUE_EXIT:exit(2):pc +2:AUE_FORK:fork(2):pc +3:AUE_OPEN:open(2) - attr only:fa +4:AUE_CREAT:creat(2):fc +5:AUE_LINK:link(2):fc +6:AUE_UNLINK:unlink(2):fd +7:AUE_EXEC:exec(2):pc,ex +8:AUE_CHDIR:chdir(2):pc +9:AUE_MKNOD:mknod(2):fc +10:AUE_CHMOD:chmod(2):fm +11:AUE_CHOWN:chown(2):fm +12:AUE_UMOUNT:umount(2) - old version:ad +13:AUE_JUNK:junk:no +14:AUE_ACCESS:access(2):fa +15:AUE_KILL:kill(2):pc +16:AUE_STAT:stat(2):fa +17:AUE_LSTAT:lstat(2):fa +18:AUE_ACCT:acct(2):ad +19:AUE_MCTL:mctl(2):no +20:AUE_REBOOT:reboot(2):ad +21:AUE_SYMLINK:symlink(2):fc +22:AUE_READLINK:readlink(2):fr +23:AUE_EXECVE:execve(2):pc,ex +24:AUE_CHROOT:chroot(2):pc +25:AUE_VFORK:vfork(2):pc +26:AUE_SETGROUPS:setgroups(2):pc +27:AUE_SETPGRP:setpgrp(2):pc +28:AUE_SWAPON:swapon(2):ad +29:AUE_SETHOSTNAME:sethostname(2):ad +30:AUE_FCNTL:fcntl(2):fm +31:AUE_SETPRIORITY:setpriority(2):pc +32:AUE_CONNECT:connect(2):nt +33:AUE_ACCEPT:accept(2):nt +34:AUE_BIND:bind(2):nt +35:AUE_SETSOCKOPT:setsockopt(2):nt +36:AUE_VTRACE:vtrace(2):pc +37:AUE_SETTIMEOFDAY:settimeofday(2):ad +38:AUE_FCHOWN:fchown(2):fm +39:AUE_FCHMOD:fchmod(2):fm +40:AUE_SETREUID:setreuid(2):pc +41:AUE_SETREGID:setregid(2):pc +42:AUE_RENAME:rename(2):fc,fd +43:AUE_TRUNCATE:truncate(2):fw +44:AUE_FTRUNCATE:ftruncate(2):fw +45:AUE_FLOCK:flock(2):fm +46:AUE_SHUTDOWN:shutdown(2):nt +47:AUE_MKDIR:mkdir(2):fc +48:AUE_RMDIR:rmdir(2):fd +49:AUE_UTIMES:utimes(2):fm +50:AUE_ADJTIME:adjtime(2):ad +51:AUE_SETRLIMIT:setrlimit(2):pc +52:AUE_KILLPG:killpg(2):pc +53:AUE_NFS_SVC:nfs_svc(2):ad +54:AUE_STATFS:statfs(2):fa +55:AUE_FSTATFS:fstatfs(2):fa +56:AUE_UNMOUNT:unmount(2):ad +57:AUE_ASYNC_DAEMON:async_daemon(2):ad +58:AUE_NFS_GETFH:nfs_getfh(2):ad +59:AUE_SETDOMAINNAME:setdomainname(2):ad +60:AUE_QUOTACTL:quotactl(2):ad +61:AUE_EXPORTFS:exportfs(2):ad +62:AUE_MOUNT:mount(2):ad +63:AUE_SEMSYS:semsys(2):ip +64:AUE_MSGSYS:msgsys(2):ip +65:AUE_SHMSYS:shmsys(2):ip +66:AUE_BSMSYS:bsmsys(2):ad +67:AUE_RFSSYS:rfssys(2):ad +68:AUE_FCHDIR:fchdir(2):pc +69:AUE_FCHROOT:fchroot(2):pc +70:AUE_VPIXSYS:vpixsys(2):no +71:AUE_PATHCONF:pathconf(2):fa +72:AUE_OPEN_R:open(2) - read:fr +73:AUE_OPEN_RC:open(2) - read,creat:fc,fr,fa,fm +74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr,fa,fm +75:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr,fa,fm +76:AUE_OPEN_W:open(2) - write:fw +77:AUE_OPEN_WC:open(2) - write,creat:fc,fw,fa,fm +78:AUE_OPEN_WT:open(2) - write,trunc:fd,fw,fa,fm +79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw,fa,fm +80:AUE_OPEN_RW:open(2) - read,write:fr,fw +81:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr,fa,fm +82:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw,fa,fm +83:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm +84:AUE_MSGCTL:msgctl(2) - illegal command:ip +85:AUE_MSGCTL_RMID:msgctl(2) - IPC_RMID command:ip +86:AUE_MSGCTL_SET:msgctl(2) - IPC_SET command:ip +87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip +88:AUE_MSGGET:msgget(2):ip +89:AUE_MSGRCV:msgrcv(2):ip +90:AUE_MSGSND:msgsnd(2):ip +91:AUE_SHMCTL:shmctl(2) - illegal command:ip +92:AUE_SHMCTL_RMID:shmctl(2) - IPC_RMID command:ip +93:AUE_SHMCTL_SET:shmctl(2) - IPC_SET command:ip +94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip +95:AUE_SHMGET:shmget(2):ip +96:AUE_SHMAT:shmat(2):ip +97:AUE_SHMDT:shmdt(2):ip +98:AUE_SEMCTL:semctl(2) - illegal command:ip +99:AUE_SEMCTL_RMID:semctl(2) - IPC_RMID command:ip +100:AUE_SEMCTL_SET:semctl(2) - IPC_SET command:ip +101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip +102:AUE_SEMCTL_GETNCNT:semctl(2) - GETNCNT command:ip +103:AUE_SEMCTL_GETPID:semctl(2) - GETPID command:ip +104:AUE_SEMCTL_GETVAL:semctl(2) - GETVAL command:ip +105:AUE_SEMCTL_GETALL:semctl(2) - GETALL command:ip +106:AUE_SEMCTL_GETZCNT:semctl(2) - GETZCNT command:ip +107:AUE_SEMCTL_SETVAL:semctl(2) - SETVAL command:ip +108:AUE_SEMCTL_SETALL:semctl(2) - SETALL command:ip +109:AUE_SEMGET:semget(2):ip +110:AUE_SEMOP:semop(2):ip +111:AUE_CORE:process dumped core:fc +112:AUE_CLOSE:close(2):cl +113:AUE_SYSTEMBOOT:system booted:na +114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad +115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad +128:AUE_WRITEL:writel(2):fw +129:AUE_WRITEVL:writevl(2):fw +130:AUE_GETAUID:getauid(2):ad +131:AUE_SETAUID:setauid(2):ad +132:AUE_GETAUDIT:getaudit(2):ad +133:AUE_SETAUDIT:setaudit(2):ad +134:AUE_GETUSERAUDIT:getuseraudit(2):ad +135:AUE_SETUSERAUDIT:setuseraudit(2):ad +136:AUE_AUDITSVC:auditsvc(2):ad +137:AUE_AUDITUSER:audituser(2):ad +138:AUE_AUDITON:auditon(2):ad +139:AUE_AUDITON_GTERMID:auditon(2) - GETTERMID command:ad +140:AUE_AUDITON_STERMID:auditon(2) - SETTERMID command:ad +141:AUE_AUDITON_GPOLICY:auditon(2) - GPOLICY command:ad +142:AUE_AUDITON_SPOLICY:auditon(2) - SPOLICY command:ad +143:AUE_AUDITON_GESTATE:auditon(2) - GESTATE command:ad +144:AUE_AUDITON_SESTATE:auditon(2) - SESTATE command:ad +145:AUE_AUDITON_GQCTRL:auditon(2) - GQCTRL command:ad +146:AUE_AUDITON_SQCTRL:auditon(2) - SQCTRL command:ad +147:AUE_GETKERNSTATE:getkernstate(2):ad +148:AUE_SETKERNSTATE:setkernstate(2):ad +149:AUE_GETPORTAUDIT:getportaudit(2):ad +150:AUE_AUDITSTAT:auditstat(2):ad +153:AUE_ENTERPROM:enter prom:ad +154:AUE_EXITPROM:exit prom:ad +158:AUE_IOCTL:ioctl(2):io +173:AUE_ONESIDE:one-sided session record:nt +174:AUE_MSGGETL:msggetl(2):ip +175:AUE_MSGRCVL:msgrcvl(2):ip +176:AUE_MSGSNDL:msgsndl(2):ip +177:AUE_SEMGETL:semgetl(2):ip +178:AUE_SHMGETL:shmgetl(2):ip +183:AUE_SOCKET:socket(2):nt +184:AUE_SENDTO:sendto(2):nt +185:AUE_PIPE:pipe(2):ip +186:AUE_SOCKETPAIR:socketpair(2):nt +187:AUE_SEND:send(2):nt +188:AUE_SENDMSG:sendmsg(2):nt +189:AUE_RECV:recv(2):nt +190:AUE_RECVMSG:recvmsg(2):nt +191:AUE_RECVFROM:recvfrom(2):nt +192:AUE_READ:read(2):no +193:AUE_GETDENTS:getdents(2):no +194:AUE_LSEEK:lseek(2):no +195:AUE_WRITE:write(2):no +196:AUE_WRITEV:writev(2):no +197:AUE_NFS:nfs server:ad +198:AUE_READV:readv(2):no +199:AUE_OSTAT:old stat(2):fa +200:AUE_SETUID:setuid(2):pc +201:AUE_STIME:old stime(2):ad +202:AUE_UTIME:old utime(2):fm +203:AUE_NICE:old nice(2):pc +204:AUE_OSETPGRP:old setpgrp(2):pc +205:AUE_SETGID:setgid(2):pc +206:AUE_READL:readl(2):no +207:AUE_READVL:readvl(2):no +209:AUE_DUP2:dup2(2):no +210:AUE_MMAP:mmap(2):no +211:AUE_AUDIT:audit(2):ot +212:AUE_PRIOCNTLSYS:priocntlsys(2):pc +213:AUE_MUNMAP:munmap(2):cl +214:AUE_SETEGID:setegid(2):pc +215:AUE_SETEUID:seteuid(2):pc +216:AUE_PUTMSG:putmsg(2):nt +217:AUE_GETMSG:getmsg(2):nt +218:AUE_PUTPMSG:putpmsg(2):nt +219:AUE_GETPMSG:getpmsg(2):nt +220:AUE_AUDITSYS:audit system calls place holder:no +221:AUE_AUDITON_GETKMASK:auditon(2) - get kernel mask:ad +222:AUE_AUDITON_SETKMASK:auditon(2) - set kernel mask:ad +223:AUE_AUDITON_GETCWD:auditon(2) - get cwd:ad +224:AUE_AUDITON_GETCAR:auditon(2) - get car:ad +225:AUE_AUDITON_GETSTAT:auditon(2) - get audit statistics:ad +226:AUE_AUDITON_SETSTAT:auditon(2) - reset audit statistics:ad +227:AUE_AUDITON_SETUMASK:auditon(2) - set mask per uid:ad +228:AUE_AUDITON_SETSMASK:auditon(2) - set mask per session ID:ad +229:AUE_AUDITON_GETCOND:auditon(2) - get audit state:ad +230:AUE_AUDITON_SETCOND:auditon(2) - set audit state:ad +231:AUE_AUDITON_GETCLASS:auditon(2) - get event class:ad +232:AUE_AUDITON_SETCLASS:auditon(2) - set event class:ad +233:AUE_UTSSYS:utssys(2) - fusers:ad +234:AUE_STATVFS:statvfs(2):fa +235:AUE_XSTAT:xstat(2):fa +236:AUE_LXSTAT:lx6stat(2):fa +237:AUE_LCHOWN:lchown(2):fm +238:AUE_MEMCNTL:memcntl(2):ot +239:AUE_SYSINFO:sysinfo(2):ad +240:AUE_XMKNOD:xmknod(2):fc +241:AUE_FORK1:fork1(2):pc +242:AUE_MODCTL:modctl(2) system call place holder:no +243:AUE_MODLOAD:modctl(2) - load module:ad +244:AUE_MODUNLOAD:modctl(2) - unload module:ad +245:AUE_MODCONFIG:modctl(2) - configure module:ad +246:AUE_MODADDMAJ:modctl(2) - bind module:ad +247:AUE_SOCKACCEPT:getmsg-accept:nt +248:AUE_SOCKCONNECT:putmsg-connect:nt +249:AUE_SOCKSEND:putmsg-send:nt +250:AUE_SOCKRECEIVE:getmsg-receive:nt +251:AUE_ACLSET:acl(2) - SETACL comand:fm +252:AUE_FACLSET:facl(2) - SETACL command:fm +253:AUE_DOORFS:doorfs(2) - system call place holder:no +254:AUE_DOORFS_DOOR_CALL:doorfs(2) - DOOR_CALL:ip +255:AUE_DOORFS_DOOR_RETURN:doorfs(2) - DOOR_RETURN:ip +256:AUE_DOORFS_DOOR_CREATE:doorfs(2) - DOOR_CREATE:ip +257:AUE_DOORFS_DOOR_REVOKE:doorfs(2) - DOOR_REVOKE:ip +258:AUE_DOORFS_DOOR_INFO:doorfs(2) - DOOR_INFO:ip +259:AUE_DOORFS_DOOR_CRED:doorfs(2) - DOOR_CRED:ip +260:AUE_DOORFS_DOOR_BIND:doorfs(2) - DOOR_BIND:ip +261:AUE_DOORFS_DOOR_UNBIND:doorfs(2) - DOOR_UNBIND:ip +262:AUE_P_ONLINE:p_online(2):ad +263:AUE_PROCESSOR_BIND:processor_bind(2):ad +264:AUE_INST_SYNC:inst_sync(2):ad +266:AUE_SETAUDIT_ADDR:setaudit_addr(2):ad +267:AUE_GETAUDIT_ADDR:getaudit_addr(2):ad +268:AUE_CLOCK_SETTIME:clock_settime(2):ad +269:AUE_NTP_ADJTIME:ntp_adjtime(2):ad +301:AUE_GETFSSTAT:getfsstat(2):fa +302:AUE_PTRACE:ptrace(2):pc +303:AUE_CHFLAGS:chflags(2):fm +304:AUE_FCHFLAGS:fchflags(2):fm +305:AUE_PROFILE:profil(2):pc +306:AUE_KTRACE:ktrace(2):pc +307:AUE_SETLOGIN:setlogin(2):pc +308:AUE_DARWIN_REBOOT:reboot(2):ad +309:AUE_REVOKE:revoke(2):cl +310:AUE_UMASK:umask(2):pc +311:AUE_MPROTECT:mprotect(2):fm +312:AUE_DARWIN_SETPRIORITY:setpriority(2):pc,ot +313:AUE_DARWIN_SETTIMEOFDAY:settimeofday(2):ad +314:AUE_DARWIN_FLOCK:flock(2):fm +315:AUE_MKFIFO:mkfifo(2):fc +316:AUE_POLL:poll(2):no +317:AUE_DARWIN_SOCKETPAIR:socketpair(2):nt +318:AUE_FUTIMES:futimes(2):fm +319:AUE_SETSID:setsid(2):pc +320:AUE_SETPRIVEXEC:setprivexec(2):pc +321:AUE_DARWIN_NFSSVC:nfssvc(2):ad +322:AUE_DARWIN_GETFH:getfh(2):fa +323:AUE_DARWIN_QUOTACTL:quotactl(2):ad +324:AUE_ADDPROFILE:system call:pc +325:AUE_KDEBUGTRACE:system call:pc +326:AUE_FSTAT:fstat(2):fa +327:AUE_FPATHCONF:fpathconf(2):fa +328:AUE_GETDIRENTRIES:getdirentries(2):fr +329:AUE_DARWIN_TRUNCATE:truncate(2):fw +330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw +331:AUE_SYSCTL:sysctl(3):ad +332:AUE_MLOCK:mlock(2):pc +333:AUE_MUNLOCK:munlock(2):pc +334:AUE_UNDELETE:undelete(2):fm +335:AUE_GETATTRLIST:getattrlist():fa +336:AUE_SETATTRLIST:setattrlist():fm +337:AUE_GETDIRENTRIESATTR:getdirentriesattr():fa +338:AUE_EXCHANGEDATA:exchangedata():fw +339:AUE_SEARCHFS:searchfs():fa +340:AUE_MINHERIT:minherit(2):pc +341:AUE_SEMCONFIG:semconfig():ip +342:AUE_SEMOPEN:sem_open(2):ip +343:AUE_SEMCLOSE:sem_close(2):ip +344:AUE_SEMUNLINK:sem_unlink(2):ip +345:AUE_SHMOPEN:shm_open(2):ip +346:AUE_SHMUNLINK:shm_unlink(2):ip +347:AUE_LOADSHFILE:load_shared_file():fr +348:AUE_RESETSHFILE:reset_shared_file():ot +349:AUE_NEWSYSTEMSHREG:new_system_share_regions():ot +350:AUE_PTHREADKILL:pthread_kill(2):pc +351:AUE_PTHREADSIGMASK:pthread_sigmask(2):pc +352:AUE_AUDITCTL:auditctl(2):ad +353:AUE_RFORK:rfork(2):pc +354:AUE_LCHMOD:lchmod(2):fm +355:AUE_SWAPOFF:swapoff():ad +356:AUE_INITPROCESS:init_process():pc +357:AUE_MAPFD:map_fd():fa +358:AUE_TASKFORPID:task_for_pid():pc +359:AUE_PIDFORTASK:pid_for_task():pc +360:AUE_SYSCTL_NONADMIN:sysctl() - non-admin:ot +361:AUE_COPYFILE:copyfile():fr,fw +362:AUE_LUTIMES:lutimes(2):fm +363:AUE_LCHFLAGS:lchflags(2):fm +364:AUE_SENDFILE:sendfile(2):nt +365:AUE_USELIB:uselib(2):fa +366:AUE_GETRESUID:getresuid(2):pc +367:AUE_SETRESUID:setresuid(2):pc +368:AUE_GETRESGID:getresgid(2):pc +369:AUE_SETRESGID:setresgid(2):pc +370:AUE_WAIT4:wait4(2):pc +371:AUE_LGETFH:lgetfh(2):fa +372:AUE_FHSTATFS:fhstatfs(2):fa +373:AUE_FHOPEN:fhopen(2):fa +374:AUE_FHSTAT:fhstat(2):fa +375:AUE_JAIL:jail(2):pc +376:AUE_EACCESS:eaccess(2):fa +377:AUE_KQUEUE:kqueue(2):no +378:AUE_KEVENT:kevent(2):no +379:AUE_FSYNC:fsync(2):fm +380:AUE_NMOUNT:nmount(2):ad +6152:AUE_login:login - local:lo +6153:AUE_logout:logout - local:lo +6159:AUE_su:su(1):lo +6160:AUE_halt:system halt:ad +6168:AUE_shutdown:system shutdown:ad +6171:AUE_audit_startup:audit startup:ad +6172:AUE_audit_shutdown:audit shutdown:ad +6207:AUE_create_user:create user:ad +6208:AUE_modify_user:modify user:ad +6209:AUE_delete_user:delete user:ad +6210:AUE_disable_user:disable user:ad +6211:AUE_enable_user::ad +6300:AUE_sudo:sudo(1):ad +6501:AUE_modify_password:modify password:ad +6511:AUE_create_group:create group:ad +6512:AUE_delete_group:delete group:ad +6513:AUE_modify_group:modify group:ad +6514:AUE_add_to_group:add to group:ad +6515:AUE_remove_from_group:remove from group:ad +6521:AUE_revoke_obj:revoke object priv:fm +6600:AUE_lw_login:loginwindow login:lo +6601:AUE_lw_logout:loginwindow logout:lo +7000:AUE_auth_user:user authentication:ad +7001:AUE_ssconn:SecSrvr connection setup:ad +7002:AUE_ssauthorize:SecSrvr AuthEngine:ad +7003:AUE_ssauthint:SecSrvr authinternal mech:ad +32800:AUE_openssh:OpenSSH login:lo diff --git a/contrib/openbsm/etc/audit_user b/contrib/openbsm/etc/audit_user new file mode 100644 index 000000000000..925729c12c66 --- /dev/null +++ b/contrib/openbsm/etc/audit_user @@ -0,0 +1,5 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#2 $ +# +root:lo:no +audit:fc:no diff --git a/contrib/openbsm/etc/audit_warn b/contrib/openbsm/etc/audit_warn new file mode 100644 index 000000000000..3612fc9227e2 --- /dev/null +++ b/contrib/openbsm/etc/audit_warn @@ -0,0 +1,5 @@ +#!/bin/sh +# +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_warn#3 $ +# +logger -p security.warning "audit warning: $@" diff --git a/contrib/openbsm/libbsm/Makefile b/contrib/openbsm/libbsm/Makefile new file mode 100644 index 000000000000..4137f4a3da6b --- /dev/null +++ b/contrib/openbsm/libbsm/Makefile @@ -0,0 +1,119 @@ +# +# OpenBSM libbsm +# +# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#11 $ +# + +LIB= bsm +SHLIB_MAJOR= 1 + +CFLAGS+=-I- \ + -I .. \ + -Wall + +SRCS= bsm_audit.c \ + bsm_class.c \ + bsm_control.c \ + bsm_event.c \ + bsm_flags.c \ + bsm_io.c \ + bsm_mask.c \ + bsm_notify.c \ + bsm_token.c \ + bsm_user.c \ + bsm_wrappers.c + +MAN= libbsm.3 \ + au_class.3 \ + au_control.3 \ + au_event.3 \ + au_free_token.3 \ + au_io.3 \ + au_mask.3 \ + au_token.3 \ + au_user.3 + +MLINKS= libbsm.3 bsm.3 \ + au_class.3 getauclassent.3 \ + au_class.3 getauclassnam.3 \ + au_class.3 setauclass.3 \ + au_class.3 endauclass.3 \ + au_control.3 setac.3 \ + au_control.3 endac.3 \ + au_control.3 getacdir.3 \ + au_control.3 getacmin.3 \ + au_control.3 getacflg.3 \ + au_control.3 getacna.3 \ + au_event.3 setauevent.3 \ + au_event.3 endauevent.3 \ + au_event.3 getauevent.3 \ + au_event.3 getauevnam.3 \ + au_event.3 getauevnum.3 \ + au_event.3 getauevnonam.3 \ + au_io.3 au_fetch_tok.3 \ + au_io.3 au_print_tok.3 \ + au_io.3 au_read_rec.3 \ + au_mask.3 au_preselect.3 \ + au_mask.3 getauditflagsbin.3 \ + au_mask.3 getauditflagschar.3 \ + au_user.3 setauuser.3 \ + au_user.3 endauuser.3 \ + au_user.3 getauuserent.3 \ + au_user.3 getauusernam.3 \ + au_user.3 au_user_mask.3 \ + au_user.3 getfauditflags.3 \ + au_token.3 au_to_arg32.3 \ + au_token.3 au_to_arg64.3 \ + au_token.3 au_to_arg.3 \ + au_token.3 au_to_attr64.3 \ + au_token.3 au_to_data.3 \ + au_token.3 au_to_exit.3 \ + au_token.3 au_to_groups.3 \ + au_token.3 au_to_newgroups.3 \ + au_token.3 au_to_in_addr.3 \ + au_token.3 au_to_in_addr_ex.3 \ + au_token.3 au_to_ip.3 \ + au_token.3 au_to_ipc.3 \ + au_token.3 au_to_ipc_perm.3 \ + au_token.3 au_to_iport.3 \ + au_token.3 au_to_opaque.3 \ + au_token.3 au_to_file.3 \ + au_token.3 au_to_text.3 \ + au_token.3 au_to_path.3 \ + au_token.3 au_to_process32.3 \ + au_token.3 au_to_process64.3 \ + au_token.3 au_to_process.3 \ + au_token.3 au_to_process32_ex.3 \ + au_token.3 au_to_process64_ex.3 \ + au_token.3 au_to_process_ex.3 \ + au_token.3 au_to_return32.3 \ + au_token.3 au_to_return64.3 \ + au_token.3 au_to_return.3 \ + au_token.3 au_to_seq.3 \ + au_token.3 au_to_socket.3 \ + au_token.3 au_to_socket_ex_32.3 \ + au_token.3 au_to_socket_ex_128.3 \ + au_token.3 au_to_sock_inet32.3 \ + au_token.3 au_to_sock_inet128.3 \ + au_token.3 au_to_sock_inet.3 \ + au_token.3 au_to_subject32.3 \ + au_token.3 au_to_subject64.3 \ + au_token.3 au_to_subject.3 \ + au_token.3 au_to_subject32_ex.3 \ + au_token.3 au_to_subject64_ex.3 \ + au_token.3 au_to_subject_ex.3 \ + au_token.3 au_to_me.3 \ + au_token.3 au_to_exec_args.3 \ + au_token.3 au_to_exec_env.3 \ + au_token.3 au_to_header.3 \ + au_token.3 au_to_header32.3 \ + au_token.3 au_to_header64.3 \ + au_token.3 au_to_trailer.3 + +beforeinstall: + if test -d ${INCSDIR}; then \ + else \ + mkdir ${INCSDIR}; \ + fi; + +.include <bsd.lib.mk> diff --git a/contrib/openbsm/libbsm/au_class.3 b/contrib/openbsm/libbsm/au_class.3 new file mode 100644 index 000000000000..f1cd9e9637f3 --- /dev/null +++ b/contrib/openbsm/libbsm/au_class.3 @@ -0,0 +1,108 @@ +.\"- +.\" Copyright (c) 2005-2006 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#3 $ +.\" +.Dd April 19, 2005 +.Dt AU_CLASS 3 +.Os +.Sh NAME +.Nm getauclassent , +.Nm getauclassent_r , +.Nm getauclassnam , +.Nm getauclassnam_r , +.Nm setauclass , +.Nm endauclass +.Nd "Look up information from the audit_class database" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Ft struct au_class_ent * +.Fn getauclassent "void" +.Ft struct au_class_ent * +.Fn getauclassent_r "struct au_class_ent *e" +.Ft struct au_class_ent * +.Fn getauclassnam "const char *name" +.Ft struct au_class_ent * +.Fn getauclassnam_r "struct au_class_ent *e" "const char *name" +.Ft void +.Fn setauclass "void" +.Ft void +.Fn endauclass "void" +.Sh DESCRIPTION +These interfaces may be used to look up information from the +.Xr audit_class 5 +database, which describes audit event classes. +Audit event classes are described by +.Vt struct au_class_ent . +.Pp +.Pp +.Fn getauclassent +will return the next class found in the +.Xr audit_class 5 +database, or the first if the function has not yet been called. +.Dv NULL +will be returned if no further records are available. +.Pp +.Fn getauclassnam +looks up a class by name. +.Dv NULL +will be returned if no matching class can be found. +.Pp +.Fn setauclass +resets the iterator through the +.Xr audit_class 5 +database, causing the next call to +.Fn getauclassent +to start again from the beginning of the file. +.Pp +.Fn endauclass +closes the +.Xr audit_class 5 +database, if open. +.Sh SEE ALSO +.Xr libbsm 3 , +.Xr audit_class 5 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +These routines cannot currently distinguish between an entry not being found +and an error accessing the database. +The implementation should be changed to return an error via +.Va errno +when +.Dv NULL +is returned. diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3 new file mode 100644 index 000000000000..915c5211f2d1 --- /dev/null +++ b/contrib/openbsm/libbsm/au_control.3 @@ -0,0 +1,136 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#2 $ +.\" +.Dd April 19, 2005 +.Dt AU_CONTROL 3 +.Os +.Sh NAME +.Nm setac , +.Nm endac , +.Nm getacdir , +.Nm getacmin , +.Nm getacflg , +.Nm getacna +.Nd "Look up information from the audit_control database" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Ft void +.Fn setac "void" +.Ft void +.Fn endac "void" +.Ft int +.Fn getacdir "char *name" "int len" +.Ft int +.Fn getacmin "int *min_val" +.Ft int +.Fn getacflg "char *auditstr" "int len" +.Ft int +.Fn getacna "char *auditstr" "int len" +.Sh DESCRIPTION +These interfaces may be used to look up information from the +.Xr audit_control 5 +database, which contains various audit-related administrative parameters. +.Pp +.Fn setac +resets the database iterator to the beginning of the database; see the +BUGS section for more information. +.Pp +.Fn sendac +closes the +.Xr audit_control 5 +database. +.Pp +.Fn getacdir +Return the name of the directory where log data is stored via the passed +character buffer +.Va name +of length +.Va len . +.Pp +.Fn getacmin +returns the minimum free disk space for the audit log target file system via +the passed +.Va min_val +variable. +.Pp +.Fn getacflg +returns the audit system flags via the the passed character buffer +.Va auditstr +of length +.Va len . +.Pp +.Fn getacna +returns the non-attributable flags via the passed character buffer +.Va auditstr +of length +.Va len . +.Sh RETURN VALULES +.Fn getacdir , +.Fn getacmin , +.Fn getacflg , +and +.Fn getacna +return 0 on success, or a negative value on failure, along with error +information in +.Va errno . +Functions that return a string value will return a failure if there is +insufficient room in the passed character buffer for the full string. +.Sh SEE ALSO +.Xr libbsm 3 , +.Xr audit_control 5 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +These routines cannot currently distinguish between an entry not being found +and an error accessing the database. +The implementation should be changed to return an error via +.Va errno +when +.Dv NULL +is returned. +.Sh BUGS +There is no reason for the +.Fn setac +interface to be exposed as part of the public API, as it is called implicitly +by other access functions and iteration is not supported. +.Pp +These interfaces inconsistently return various negative values depending on +the failure mode, and do not always set +.Va errno +on failure. diff --git a/contrib/openbsm/libbsm/au_event.3 b/contrib/openbsm/libbsm/au_event.3 new file mode 100644 index 000000000000..bd021decc2eb --- /dev/null +++ b/contrib/openbsm/libbsm/au_event.3 @@ -0,0 +1,153 @@ +.\"- +.\" Copyright (c) 2005-2006 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#3 $ +.\" +.Dd April 19, 2005 +.Dt AU_EVENT 3 +.Os +.Sh NAME +.Nm free_au_event_ent , +.Nm setauevent , +.Nm endauevent , +.Nm getauevent , +.Nm getauevent_r , +.Nm getauevnam , +.Nm getauevnam_r , +.Nm getauevnum , +.Nm getauevnum_r , +.Nm getauevnonam , +.Nm getauevnonam_r , +.Nd "Look up information from the audit_event database" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Ft void +.Fn setauevent "void" +.Ft void +.Fn endauevent "void" +.Ft "struct au_event_ent *" +.Fn getauevent "void" +.Ft "struct au_event_ent *" +.Fn getauevent_r "struct au_event_ent *e" +.Ft "struct au_event_ent *" +.Fn getauevnam "char *name" +.Ft "struct au_event_ent *" +.Fn getauevnam_r "struct au_event_ent *e" "char *name" +.Ft "struct au_event_ent *" +.Fn getauevnum "au_event_t event_number" +.Ft "struct au_event_ent *" +.Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number" +.Ft "au_event_t *" +.Fn getauevnonam "char *event_name" +.Ft "au_event_t *" +.Fn getauevnonam_r "au_event_t *ev" "char *event_name" +.Sh DESCRIPTION +These interfaces may be used to look up information from the +.Xr audit_event 5 +database, which describes audit events. +Entries in the database are described by +.Vt struct au_event_ent +entries, which are returned by calls to +.Fn getauevent , +.Fn getauevnam , +or +.Fn getauevnum . +It is also possible look up an event number via a call to +.Nm getauevnonam . +.Pp +.Fn setauevent +resets the database access session for +.Xr audit_event 5 , +so that the next call to +.Fn getauevent +will start with the first entry in the database. +.Pp +.Fn endauevent +closes the +.Xr audit_event 5 +database session. +.Pp +.Fn getauevent +returns a reference to the next entry in the +.Xr audit_event 5 +database. +.Pp +.Fn getauevnam +returns a reference to the entry in the +.Xr audit_event 5 +database with a name of +.Va name . +.Pp +.Fn getauevnum +returns a reference to the entry in the +.Xr audit_event 5 +database with an event number of +.Va event_number . +.Pp +.Fn getauevnonam +returns a reference to an audit event number using the +.Xr audit_event 5 +database. +.Sh RETURN VALUES +Functions +.Fn getauevent , +.Fn getauevent_r , +.Fn getauevnam , +.Fn getauevnam_r , +.Fn getauevnum , +.Fn getauevnum_r , +and +.Fn getauevnuam +will return a reference to a +.Dt struct au_event_ent +or +.Dt au_event_t +on success, or +.Dv NULL on failure, with +.Va errno +set to provide further error information. +.Sh SEE ALSO +.Xr libbsm 3 , +.Xr audit_event 5 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +.Va errno +is not always properly set following a failure. +.Pp +These routines are thread-safe, but not re-entrant, so simultaneous or +interleaved use of these functions will affect the iterator. diff --git a/contrib/openbsm/libbsm/au_free_token.3 b/contrib/openbsm/libbsm/au_free_token.3 new file mode 100644 index 000000000000..fc4ab0bde6c4 --- /dev/null +++ b/contrib/openbsm/libbsm/au_free_token.3 @@ -0,0 +1,91 @@ +.\"- +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRING LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#2 $ +.\" +.Dd April 19, 2005 +.Dt AU_FREE_TOKEN 3 +.Os +.Sh NAME +.Nm au_free_token +.Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Ft void +.Fn au_free_tokenen "token_t *tok" +.Sh DESCRIPTION +The BSM API generally manages deallocation of +.Vt token_t +objects. +However, if +.Xr au_write 3 +is passed a bad audit descriptor, the +.Vt token_t * +parameter will be left untouched. +In that case, the caller can deallocate the +.Vt token_t +using +.Nm +if desired. +.Pp +The +.Va tok +argument is a +.Vt token_t * +generated by one of the au_to_*() BSM API calls. +For convenience, +.Va tok +may be +.Dv NULL , +in which case +.Nm +returns immediately. +.Sh IMPLEMENTATION NOTES +This is, in fact, what +.Xr audit_write 3 +does, in keeping with the existing memory management model of the BSM API. +.Sh SEE ALSO +.Xr au_write 3 , +.Xr audit_write 3 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. + diff --git a/contrib/openbsm/libbsm/au_io.3 b/contrib/openbsm/libbsm/au_io.3 new file mode 100644 index 000000000000..0c520a1f6eff --- /dev/null +++ b/contrib/openbsm/libbsm/au_io.3 @@ -0,0 +1,119 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#2 $ +.\" +.Dd April 19, 2005 +.Dt AU_IO 3 +.Os +.Sh NAME +.Nm au_fetch_tok , +.Nm au_print_tok , +.Nm au_read_rec +.Nd "Perform I/O involving an audit record" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Ft int +.Fn au_fetch_tok "tokenstr_t *tok" "u_char *buf" "int len" +.Ft void +.Fn au_print_tok "FILE outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm" +.Ft int +.Fn au_read_rec "FILE *fp" "u_char **buf" +.Sh DESCRIPTION +These interfaces support input and output (I/O) involving audit records, +internalizing an audit record from a byte stream, converting a token to +either a raw or default string, and reading a single record from a file. +.Pp +.Fn au_fetch_tok +reads a token from the passed buffer +.Va buf +of length +.Va len +bytes, and returns a pointer to the token via +.Va tok . +.Pp +.Fn au_print_tok +prints a string form of the token +.Va tok +to the file output stream +.Va outfp, +either in default mode, or raw mode if +.Va raw +is set non-zero. +The delimiter +.Va del +is used when printing. +.Pp +.Fn au_read_rec +reads an audit record from the file stream +.Va fp , +and returns an allocated memory buffer containing the record via +.Va *buf , +which must be freed by the caller using +.Xr free 3 . +.Pp +A typical use of these routines might open a file with +.Xr fopen 3 , +then read records from the file sequentially by calling +.Fn au_read_rec . +Each record would be broken down into components tokens through sequential +calls to +.Fn au_fetch_tok +on the buffer, and then invoking +.Fn au_print_tok +to print each token to an output stream such as +.Dv stdout . +On completion of the processing of each record, a call to +.Xr free 3 +would be used to free the record buffer. +Finally, the source stream would be closed by a call to +.Xr fclose 3 . +.Sh RETURN VALUES +.Fn au_fetch_tok +and +.Fn au_read_rec +return 0 on success, or -1 on failure along with additional error information +returned via +.Va errno . +.Sh SEE ALSO +.Xr free 3 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +.Va errno +may not always be properly set in the event of an error. diff --git a/contrib/openbsm/libbsm/au_mask.3 b/contrib/openbsm/libbsm/au_mask.3 new file mode 100644 index 000000000000..67bb187a8fae --- /dev/null +++ b/contrib/openbsm/libbsm/au_mask.3 @@ -0,0 +1,140 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#2 $ +.\" +.Dd April 19, 2005 +.Dt AU_MASK 3 +.Os +.Sh NAME +.Nm au_preselect , +.Nm getauditflagsbin , +.Nm getauditflagschar +.Nd "Convert between string and numeric values of audit masks" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Ft int +.Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag" +.Ft int +.Fn getauditflagsbin "char *auditstr" "au_mask_t *masks" +.Ft int +.Fn getauditflagschar "char *auditstr" "au_mask_t *masks" "int verbose" +.Sh DESCRIPTION +These interfaces support processing of an audit mask represented by type +.Vt au_mask_t , +including conversion between numeric and text formats, and computing whether +or not an event is matched by a mask. +.Pp +.Fn au_preselect +calculates whether or not the audit event passed via +.Va event +is matched by the audit mask passed via +.Va au_mask_t . +The +.Va sorf +argument indicates whether or not to consider the event as a success, +if the +.Dv AU_PRS_SUCCESS +flag is set, or failure, if the +.Dv AU_PRS_FAILURE +flag is set. +The +.Va flag +argument accepts additional arguments influencing the behavior of +.Fn au_preselect , +including +.Dv AU_PRS_REREAD , +which causes the event to be re-looked up rather than read from the cache, +or +.Dv AU_PRS_USECACHE +which forces use of the cache. +.Pp +.Fn getauditflagsbin +converts a string representation of an audit mask passed via a character +string pointed to by +.Va auditstr , +returning the resulting mask, if valid, via +.Va *masks . +.Pp +.Fn getauditflagschar +converts the audit event mask passed via +.Va *masks +and converts it to a character string in a buffer pointed to by +.Va auditstr . +See the BUGS section for more information on how to provide a buffer of +sufficient size. +If the +.Va verbose +flag is set, the class description string retrieved from +.Xr audit_class 5 +will be used; otherwise, the two-character class name. +.Sh RETURN VALUES +.Fn au_preselect +returns 0 on success, or returns -1 if there is a failure looking up the +event type or other database access, in which case +.Va errno +will be set to indicate the error. +It returns 1 if the event is matched; 0 if not. +.Pp +.Fn getauditflagsbin +and +.Fn getauditflagschar +returns 0 on success, or -1 if there is a failure, in which case +.Va errno +will be set to indicate the error. +.Sh IMPLEMENTATION NOTES +.Fn au_preselect +makes implicit use of various audit database routines, and may influence +the behavior of simultaenous or interleaved processing of those databases by +other code. +.Sh SEE ALSO +.Xr libbsm 3 , +.Xr audit_class 5 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +.Va errno +may not always be properly set in the event of an error. +.Pp +.Fn getauditflagschar +does not provide a way to indicate how long the character buffer is, in order +to detect overflow. +As a result, the caller must always provide a buffer of sufficient length for +any possible mask, which may be calculated as three times the number of +non-zero bits in the mask argument in the event non-verbose class names are +used, and is not trivially predictable for verbose class names. +This API should be replaced with a more robust one. diff --git a/contrib/openbsm/libbsm/au_token.3 b/contrib/openbsm/libbsm/au_token.3 new file mode 100644 index 000000000000..dd0ce2762238 --- /dev/null +++ b/contrib/openbsm/libbsm/au_token.3 @@ -0,0 +1,209 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#4 $ +.\" +.Dd April 19, 2005 +.Dt AU_TOKEN 3 +.Os +.Sh NAME +.Nm au_to_arg32 , +.Nm au_to_arg64 , +.Nm au_to_arg , +.Nm au_to_attr64 , +.Nm au_to_data , +.Nm au_to_exit , +.Nm au_to_groups , +.Nm au_to_newgroups , +.Nm au_to_in_addr , +.Nm au_to_in_addr_ex , +.Nm au_to_ip , +.Nm au_to_ipc , +.Nm au_to_ipc_perm , +.Nm au_to_iport , +.Nm au_to_opaque , +.Nm au_to_file , +.Nm au_to_text , +.Nm au_to_path , +.Nm au_to_process32 , +.Nm au_to_process64 , +.Nm au_to_process , +.Nm au_to_process32_ex , +.Nm au_to_process64_ex , +.Nm au_to_process_ex , +.Nm au_to_return32 , +.Nm au_to_return64 , +.Nm au_to_return , +.Nm au_to_seq , +.Nm au_to_socket , +.Nm au_to_socket_ex_32 , +.Nm au_to_socket_ex_128 , +.Nm au_to_sock_inet32 , +.Nm au_to_sock_inet128 , +.Nm au_to_sock_inet , +.Nm au_to_subject32 , +.Nm au_to_subject64 , +.Nm au_to_subject , +.Nm au_to_subject32_ex , +.Nm au_to_subject64_ex , +.Nm au_to_subject_ex , +.Nm au_to_me , +.Nm au_to_exec_args , +.Nm au_to_exec_env , +.Nm au_to_header , +.Nm au_to_header32 , +.Nm au_to_header64 , +.Nm au_to_trailer . +.Nd "Routines for generating BSM audit tokens" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Ft token_t * +.Fn au_to_arg32 "char n" "char *text" "u_int32_t v" +.Ft token_t * +.Fn au_to_arg64 "char n" "char *text" "u_int64_t v" +.Ft token_t * +.Fn au_to_arg "char n" "char *text" "u_int32_t v" +.Ft token_t * +.Fn au_to_attr32 "struct vattr *attr" +.Ft token_t * +.Fn au_to_attr64 "struct vattr *attr" +.Ft token_t * +.Fn au_to_attr "struct vattr *attr" +.Ft token_t * +.Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p" +.Ft token_t * +.Fn au_to_exit "int retval" "int err" +.Ft token_t * +.Fn au_to_groups "int *groups" +.Ft token_t * +.Fn au_to_newgroups "u_int16_t n" "gid_t *groups" +.Ft token_t * +.Fn au_to_in_addr "struct in_addr *internet_addr" +.Ft token_t * +.Fn au_to_in_addr_ex "struct in6_addr *internet_addr" +.Ft token_t * +.Fn au_to_ip "struct ip *ip" +.Ft token_t * +.Fn au_to_ipc "char type" "int id" +.Ft token_t * +.Fn au_to_ipc_perm "struct ipc_perm *perm" +.Ft token_t * +.Fn au_to_iport "u_int16_t iport" +.Ft token_t * +.Fn au_to_opaque "char *data" "u_int64_t bytes" +.Ft token_t * +.Fn au_to_file "char *file" +.Ft token_t * +.Fn au_to_file "char *file" +.Ft token_t * +.Fn au_to_text "char *text" +.Ft token_t * +.Fn au_to_path "char *text" +.Ft token_t * +.Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" +.Ft token_t * +.Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" +.Ft token_t * +.Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid" +.Ft token_t * +.Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid" +.Ft token_t * +.Fn au_to_return32 "char status" "u_int32_t ret" +.Ft token_t * +.Fn au_to_return64 "char status" "u_int64_t ret" +.Ft token_t * +.Fn au_to_return "char status" "u_int32_t ret" +.Ft token_t * +.Fn au_to_seq "long audit_count" +.Ft token_t * +.Fn au_to_socket "struct socket *so" +.Ft token_t * +.Fn au_to_socket_ex_32 "struct socket *so" +.Ft token_t * +.Fn au_to_socket_ex_128 "struct socket *so" +.Ft token_t * +.Fn au_to_sock_inet32 "struct sockaddr_in *so" +.Ft token_t * +.Fn au_to_sock_inet128 "struct sockaddr_in6 *so" +.Ft token_t * +.Fn au_to_sock_int "struct sockaddr_in *so" +.Ft token_t * +.Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" +.Ft token_t * +.Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" +.Ft token_t * +.Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" +.Ft token_t * +.Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" +.Ft token_t * +.Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid" +.Ft token_t * +.Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid" +.Ft token_t * +.Fn au_to_me "void" +.Ft token_t * +.Fn au_to_exec_args "const char **args" +.Ft token_t * +.Fn au_to_exec_env "const char **env" +.Ft token_t * +.Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod" +.Ft token_t * +.Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod" +.Ft token_t * +.Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod" +.Ft token_t * +.Fn au_to_trailer "int rec_size" +.Sh DESCRIPTION +These interfaces support the allocation of BSM audit tokens, represented by +.Dt token_t , +for various data types. +.Sh RETURN VALUES +On sucess, a pointer to a +.Vt token_t +will be returned; the allocated +.Vt token_t +can be freed via a call to +.Xr au_free_token 3 . +On failure, +.Dv NULL +will be returned, and an error condition returned via +.Va errno . +.Sh SEE ALSO +.Xr libbsm 3 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS diff --git a/contrib/openbsm/libbsm/au_user.3 b/contrib/openbsm/libbsm/au_user.3 new file mode 100644 index 000000000000..e71deae6c7e2 --- /dev/null +++ b/contrib/openbsm/libbsm/au_user.3 @@ -0,0 +1,136 @@ +.\"- +.\" Copyright (c) 2005-2006 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#3 $ +.\" +.Dd April 19, 2005 +.Dt AU_USER 3 +.Os +.Sh NAME +.Nm setauuser , +.Nm endauuser , +.Nm getauuserent , +.Nm getauuserent_r , +.Nm getauusernam , +.Nm getauusernam_r , +.Nm au_user_mask , +.Nm getfauditflags +.Nd "Look up information from the audit_user database" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Ft void +.Fn setauuser "void" +.Ft void +.Fn endauuser "void" +.Ft struct au_user_ent * +.Fn getauuserent "void" +.Ft struct au_user_ent * +.Fn getauuserent_r "struct au_user_ent *u" "void" +.Ft struct au_user_ent * +.Fn getauusernam "const char *name" +.Ft struct au_user_ent * +.Fn getauusernam_r "struct au_user_ent *u" "const char *name" +.Ft int +.Fn au_user_mask "char *username" "au_mask_t *mask_p" +.Ft int +.Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask" +.Sh DESCRIPTION +These interfaces may be used to look up information from the +.Xr audit_user 5 +database, which describes per-user audit configuration. +Audit user entries are described by a +.Vt au_user_ent , +which stores the user's name in +.Dv au_name , +events to always audit in +.Dv au_always , +and events never to audit +.Dv au_never . +.Pp +.Fn getauuserent +return the next user found in the +.Xr audit_user 5 +database, or the first if the function has not yet been called. +.Dv NULL +will be returned if no further records are available. +.Pp +.Fn getauusernam +looks up a user by name. +.Dv NULL +will be returned if no matching class can be found. +.Pp +.Fn setauuser +resets the iterator through the +.Xr audit_user 5 +database, causing the next call to +.Fn getauuserent +to start again from the beginning of the file. +.Pp +.Fn endauuser +closes the +.Xr audit_user 5 +database, if open. +.Pp +.Nm au_user_mask +calculate a new session audit mask to be returned via +.Dv mask_p +for the user identified by +.Dv username . +If the user audit configuration is not found, the default system audit +properties returned by +.Xr getacflg 3 . +The resulting mask may be set via a call to +.Xr setaudit 3 +or related variants. +.Pp +.Nm getfauditflags +XXXXXXXXXXXXXXXXX +.Sh SEE ALSO +.Xr libbsm 3 , +.Xr getacflg 3 , +.Xr setaudit 3 , +.Xr audit_user 5 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +These routines cannot currently distinguish between an entry not being found +and an error accessing the database. +The implementation should be changed to return an error via +.Va errno +when +.Dv NULL +is returned. diff --git a/contrib/openbsm/libbsm/bsm_audit.c b/contrib/openbsm/libbsm/bsm_audit.c new file mode 100644 index 000000000000..c4374cd64eb0 --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_audit.c @@ -0,0 +1,354 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2005 SPARTA, Inc. + * All rights reserved. + * + * This code was developed in part by Robert N. M. Watson, Senior Principal + * Scientist, SPARTA, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#18 $ + */ + +#include <sys/types.h> +#include <sys/queue.h> + +#include <bsm/audit_internal.h> +#include <bsm/libbsm.h> + +#include <errno.h> +#include <pthread.h> +#include <stdlib.h> +#include <string.h> + +/* array of used descriptors */ +static au_record_t *open_desc_table[MAX_AUDIT_RECORDS]; + +/* The current number of active record descriptors */ +static int bsm_rec_count = 0; + +/* + * Records that can be recycled are maintained in the list given below. The + * maximum number of elements that can be present in this list is bounded by + * MAX_AUDIT_RECORDS. Memory allocated for these records are never freed. + */ +static LIST_HEAD(, au_record) bsm_free_q; + +static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + +/* + * This call frees a token_t and its internal data. + */ +void +au_free_token(token_t *tok) +{ + + if (tok != NULL) { + if (tok->t_data) + free(tok->t_data); + free(tok); + } +} + +/* + * This call reserves memory for the audit record. Memory must be guaranteed + * before any auditable event can be generated. The au_record_t structure + * maintains a reference to the memory allocated above and also the list of + * tokens associated with this record. Descriptors are recyled once the + * records are added to the audit trail following au_close(). + */ +int +au_open(void) +{ + au_record_t *rec = NULL; + + pthread_mutex_lock(&mutex); + + if (bsm_rec_count == 0) + LIST_INIT(&bsm_free_q); + + /* + * Find an unused descriptor, remove it from the free list, mark as + * used. + */ + if (!LIST_EMPTY(&bsm_free_q)) { + rec = LIST_FIRST(&bsm_free_q); + rec->used = 1; + LIST_REMOVE(rec, au_rec_q); + } + + pthread_mutex_unlock(&mutex); + + if (rec == NULL) { + /* + * Create a new au_record_t if no descriptors are available. + */ + rec = malloc (sizeof(au_record_t)); + if (rec == NULL) + return (-1); + + rec->data = malloc (MAX_AUDIT_RECORD_SIZE * sizeof(u_char)); + if (rec->data == NULL) { + free(rec); + errno = ENOMEM; + return (-1); + } + + pthread_mutex_lock(&mutex); + + if (bsm_rec_count == MAX_AUDIT_RECORDS) { + pthread_mutex_unlock(&mutex); + free(rec->data); + free(rec); + + /* XXX We need to increase size of MAX_AUDIT_RECORDS */ + errno = ENOMEM; + return (-1); + } + rec->desc = bsm_rec_count; + open_desc_table[bsm_rec_count] = rec; + bsm_rec_count++; + + pthread_mutex_unlock(&mutex); + + } + + memset(rec->data, 0, MAX_AUDIT_RECORD_SIZE); + + TAILQ_INIT(&rec->token_q); + rec->len = 0; + rec->used = 1; + + return (rec->desc); +} + +/* + * Store the token with the record descriptor. + * + * Don't permit writing more to the buffer than would let the trailer be + * appended later. + */ +int +au_write(int d, token_t *tok) +{ + au_record_t *rec; + + if (tok == NULL) { + errno = EINVAL; + return (-1); /* Invalid Token */ + } + + /* Write the token to the record descriptor */ + rec = open_desc_table[d]; + if ((rec == NULL) || (rec->used == 0)) { + errno = EINVAL; + return (-1); /* Invalid descriptor */ + } + + if (rec->len + tok->len + BSM_TRAILER_SIZE > MAX_AUDIT_RECORD_SIZE) { + errno = ENOMEM; + return (-1); + } + + /* Add the token to the tail */ + /* + * XXX Not locking here -- we should not be writing to + * XXX the same descriptor from different threads + */ + TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); + + rec->len += tok->len; /* grow record length by token size bytes */ + + /* Token should not be available after this call */ + tok = NULL; + return (0); /* Success */ +} + +/* + * Assemble an audit record out of its tokens, including allocating header and + * trailer tokens. Does not free the token chain, which must be done by the + * caller if desirable. + * + * XXX: Assumes there is sufficient space for the header and trailer. + */ +static int +au_assemble(au_record_t *rec, short event) +{ + token_t *header, *tok, *trailer; + size_t tot_rec_size; + u_char *dptr; + int error; + + tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; + header = au_to_header32(tot_rec_size, event, 0); + if (header == NULL) + return (-1); + + trailer = au_to_trailer(tot_rec_size); + if (trailer == NULL) { + error = errno; + au_free_token(header); + errno = error; + return (-1); + } + + TAILQ_INSERT_HEAD(&rec->token_q, header, tokens); + TAILQ_INSERT_TAIL(&rec->token_q, trailer, tokens); + + rec->len = tot_rec_size; + dptr = rec->data; + + TAILQ_FOREACH(tok, &rec->token_q, tokens) { + memcpy(dptr, tok->t_data, tok->len); + dptr += tok->len; + } + + return (0); +} + +/* + * Given a record that is no longer of interest, tear it down and convert to a + * free record. + */ +static void +au_teardown(au_record_t *rec) +{ + token_t *tok; + + /* Free the token list */ + while ((tok = TAILQ_FIRST(&rec->token_q)) != NULL) { + TAILQ_REMOVE(&rec->token_q, tok, tokens); + free(tok->t_data); + free(tok); + } + + rec->used = 0; + rec->len = 0; + + pthread_mutex_lock(&mutex); + + /* Add the record to the freelist tail */ + LIST_INSERT_HEAD(&bsm_free_q, rec, au_rec_q); + + pthread_mutex_unlock(&mutex); +} + +/* + * Add the header token, identify any missing tokens. Write out the tokens to + * the record memory and finally, call audit. + */ +int au_close(int d, int keep, short event) +{ + au_record_t *rec; + size_t tot_rec_size; + int retval = 0; + + rec = open_desc_table[d]; + if ((rec == NULL) || (rec->used == 0)) { + errno = EINVAL; + return (-1); /* Invalid descriptor */ + } + + if (!keep) { + retval = 0; + goto cleanup; + } + + + tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; + + if (tot_rec_size > MAX_AUDIT_RECORD_SIZE) { + /* + * XXXRW: Since au_write() is supposed to prevent this, spew + * an error here. + */ + fprintf(stderr, "au_close failed"); + errno = ENOMEM; + retval = -1; + goto cleanup; + } + + if (au_assemble(rec, event) < 0) { + /* + * XXXRW: This is also not supposed to happen, but might if we + * are unable to allocate header and trailer memory. + */ + retval = -1; + goto cleanup; + } + + /* Call the kernel interface to audit */ + retval = audit(rec->data, rec->len); + +cleanup: + /* CLEANUP */ + au_teardown(rec); + return (retval); +} + +/* + * au_close(), except onto an in-memory buffer. Buffer size as an argument, + * record size returned via same argument on success. + */ +int +au_close_buffer(int d, short event, u_char *buffer, size_t *buflen) +{ + size_t tot_rec_size; + au_record_t *rec; + int retval; + + rec = open_desc_table[d]; + if ((rec == NULL) || (rec->used == 0)) { + errno = EINVAL; + return (-1); + } + + retval = 0; + tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; + if ((tot_rec_size > MAX_AUDIT_RECORD_SIZE) || + (tot_rec_size > *buflen)) { + /* + * XXXRW: See au_close() comment. + */ + fprintf(stderr, "au_close_buffer failed %zd", tot_rec_size); + errno = ENOMEM; + retval = -1; + goto cleanup; + } + + if (au_assemble(rec, event) < 0) { + /* XXXRW: See au_close() comment. */ + retval = -1; + goto cleanup; + } + + memcpy(buffer, rec->data, rec->len); + *buflen = rec->len; + +cleanup: + au_teardown(rec); + return (retval); +} diff --git a/contrib/openbsm/libbsm/bsm_class.c b/contrib/openbsm/libbsm/bsm_class.c new file mode 100644 index 000000000000..5982d7e7c177 --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_class.c @@ -0,0 +1,267 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2006 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_class.c#11 $ + */ + +#include <bsm/libbsm.h> + +#include <string.h> +#include <pthread.h> +#include <stdio.h> +#include <stdlib.h> + +/* + * Parse the contents of the audit_class file to return struct au_class_ent + * entries. + */ +static FILE *fp = NULL; +static char linestr[AU_LINE_MAX]; +static const char *classdelim = ":"; + +static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + +/* + * Parse a single line from the audit_class file passed in str to the struct + * au_class_ent elements; store the result in c. + */ +static struct au_class_ent * +classfromstr(char *str, struct au_class_ent *c) +{ + char *classname, *classdesc, *classflag; + char *last; + + /* Each line contains flag:name:desc. */ + classflag = strtok_r(str, classdelim, &last); + classname = strtok_r(NULL, classdelim, &last); + classdesc = strtok_r(NULL, classdelim, &last); + + if ((classflag == NULL) || (classname == NULL) || (classdesc == NULL)) + return (NULL); + + /* + * Check for very large classnames. + */ + if (strlen(classname) >= AU_CLASS_NAME_MAX) + return (NULL); + + strcpy(c->ac_name, classname); + + /* + * Check for very large class description. + */ + if (strlen(classdesc) >= AU_CLASS_DESC_MAX) + return (NULL); + strcpy(c->ac_desc, classdesc); + c->ac_class = strtoul(classflag, (char **) NULL, 0); + + return (c); +} + +/* + * Return the next au_class_ent structure from the file setauclass should be + * called before invoking this function for the first time. + * + * Must be called with mutex held. + */ +static struct au_class_ent * +getauclassent_r_locked(struct au_class_ent *c) +{ + char *tokptr, *nl; + + if ((fp == NULL) && ((fp = fopen(AUDIT_CLASS_FILE, "r")) == NULL)) + return (NULL); + + /* + * Read until next non-comment line is found, or EOF. + */ + while (1) { + if (fgets(linestr, AU_LINE_MAX, fp) == NULL) + return (NULL); + + /* Skip comments. */ + if (linestr[0] == '#') + continue; + + /* Remove trailing new line character. */ + if ((nl = strrchr(linestr, '\n')) != NULL) + *nl = '\0'; + + /* Parse tokptr to au_class_ent components. */ + tokptr = linestr; + if (classfromstr(tokptr, c) == NULL) + return (NULL); + break; + } + + return (c); +} + +struct au_class_ent * +getauclassent_r(struct au_class_ent *c) +{ + struct au_class_ent *cp; + + pthread_mutex_lock(&mutex); + cp = getauclassent_r_locked(c); + pthread_mutex_unlock(&mutex); + return (cp); +} + +struct au_class_ent * +getauclassent(void) +{ + static char class_ent_name[AU_CLASS_NAME_MAX]; + static char class_ent_desc[AU_CLASS_DESC_MAX]; + static struct au_class_ent c, *cp; + + bzero(&c, sizeof(c)); + bzero(class_ent_name, sizeof(class_ent_name)); + bzero(class_ent_desc, sizeof(class_ent_desc)); + c.ac_name = class_ent_name; + c.ac_desc = class_ent_desc; + + pthread_mutex_lock(&mutex); + cp = getauclassent_r_locked(&c); + pthread_mutex_unlock(&mutex); + return (cp); +} + +/* + * Rewind to the beginning of the enumeration. + * + * Must be called with mutex held. + */ +static void +setauclass_locked(void) +{ + + if (fp != NULL) + fseek(fp, 0, SEEK_SET); +} + +void +setauclass(void) +{ + + pthread_mutex_lock(&mutex); + setauclass_locked(); + pthread_mutex_unlock(&mutex); +} + +/* + * Return the next au_class_entry having the given class name. + */ +struct au_class_ent * +getauclassnam_r(struct au_class_ent *c, const char *name) +{ + struct au_class_ent *cp; + + if (name == NULL) + return (NULL); + + pthread_mutex_lock(&mutex); + setauclass_locked(); + while ((cp = getauclassent_r_locked(c)) != NULL) { + if (strcmp(name, cp->ac_name) == 0) { + pthread_mutex_unlock(&mutex); + return (cp); + } + } + pthread_mutex_unlock(&mutex); + return (NULL); +} + +struct au_class_ent * +getauclassnam(const char *name) +{ + static char class_ent_name[AU_CLASS_NAME_MAX]; + static char class_ent_desc[AU_CLASS_DESC_MAX]; + static struct au_class_ent c; + + bzero(&c, sizeof(c)); + bzero(class_ent_name, sizeof(class_ent_name)); + bzero(class_ent_desc, sizeof(class_ent_desc)); + c.ac_name = class_ent_name; + c.ac_desc = class_ent_desc; + + return (getauclassnam_r(&c, name)); +} + + +/* + * Return the next au_class_entry having the given class number. + * + * OpenBSM extension. + */ +struct au_class_ent * +getauclassnum_r(struct au_class_ent *c, au_class_t class_number) +{ + struct au_class_ent *cp; + + pthread_mutex_lock(&mutex); + setauclass_locked(); + while ((cp = getauclassent_r_locked(c)) != NULL) { + if (class_number == cp->ac_class) + return (cp); + } + pthread_mutex_unlock(&mutex); + return (NULL); +} + +struct au_class_ent * +getauclassnum(au_class_t class_number) +{ + static char class_ent_name[AU_CLASS_NAME_MAX]; + static char class_ent_desc[AU_CLASS_DESC_MAX]; + static struct au_class_ent c; + + bzero(&c, sizeof(c)); + bzero(class_ent_name, sizeof(class_ent_name)); + bzero(class_ent_desc, sizeof(class_ent_desc)); + c.ac_name = class_ent_name; + c.ac_desc = class_ent_desc; + + return (getauclassnum_r(&c, class_number)); +} + +/* + * audit_class processing is complete; close any open files. + */ +void +endauclass(void) +{ + + pthread_mutex_lock(&mutex); + if (fp != NULL) { + fclose(fp); + fp = NULL; + } + pthread_mutex_unlock(&mutex); +} diff --git a/contrib/openbsm/libbsm/bsm_control.c b/contrib/openbsm/libbsm/bsm_control.c new file mode 100644 index 000000000000..438082bca892 --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_control.c @@ -0,0 +1,275 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#13 $ + */ + +#include <bsm/libbsm.h> + +#include <errno.h> +#include <string.h> +#include <pthread.h> +#include <stdio.h> +#include <stdlib.h> + +/* + * Parse the contents of the audit_control file to return the audit control + * parameters. + */ +static FILE *fp = NULL; +static char linestr[AU_LINE_MAX]; +static char *delim = ":"; + +static char inacdir = 0; +static char ptrmoved = 0; + +static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + +/* + * Returns the string value corresponding to the given label from the + * configuration file. + * + * Must be called with mutex held. + */ +static int +getstrfromtype_locked(char *name, char **str) +{ + char *type, *nl; + char *tokptr; + char *last; + + *str = NULL; + + if ((fp == NULL) && ((fp = fopen(AUDIT_CONTROL_FILE, "r")) == NULL)) + return (-1); /* Error */ + + while (1) { + if (fgets(linestr, AU_LINE_MAX, fp) == NULL) { + if (ferror(fp)) + return (-1); + return (0); /* EOF */ + } + + if (linestr[0] == '#') + continue; + + /* Remove trailing new line character. */ + if ((nl = strrchr(linestr, '\n')) != NULL) + *nl = '\0'; + + tokptr = linestr; + if ((type = strtok_r(tokptr, delim, &last)) != NULL) { + if (strcmp(name, type) == 0) { + /* Found matching name. */ + *str = strtok_r(NULL, delim, &last); + if (*str == NULL) { + errno = EINVAL; + return (-1); /* Parse error in file */ + } + return (0); /* Success */ + } + } + } +} + +/* + * Rewind the file pointer to beginning. + */ +void +setac(void) +{ + + pthread_mutex_lock(&mutex); + ptrmoved = 1; + if (fp != NULL) + fseek(fp, 0, SEEK_SET); + pthread_mutex_unlock(&mutex); +} + +/* + * Close the audit_control file + */ +void +endac(void) +{ + + pthread_mutex_lock(&mutex); + ptrmoved = 1; + if (fp != NULL) { + fclose(fp); + fp = NULL; + } + pthread_mutex_unlock(&mutex); +} + +/* + * Return audit directory information from the audit control file. + */ +int +getacdir(char *name, int len) +{ + char *dir; + int ret = 0; + + if (name == NULL) { + errno = EINVAL; + return (-2); + } + + pthread_mutex_lock(&mutex); + + /* + * Check if another function was called between + * successive calls to getacdir + */ + if (inacdir && ptrmoved) { + ptrmoved = 0; + if (fp != NULL) + fseek(fp, 0, SEEK_SET); + ret = 2; + } + + + if (getstrfromtype_locked(DIR_CONTROL_ENTRY, &dir) < 0) { + pthread_mutex_unlock(&mutex); + return (-2); + } + + pthread_mutex_unlock(&mutex); + + if (dir == NULL) + return (-1); + + if (strlen(dir) >= len) + return (-3); + + strcpy(name, dir); + + return (ret); +} + +/* + * Return the minimum free diskspace value from the audit control file + */ +int +getacmin(int *min_val) +{ + char *min; + + setac(); + + if (min_val == NULL) { + errno = EINVAL; + return (-2); + } + + pthread_mutex_lock(&mutex); + + if (getstrfromtype_locked(MINFREE_CONTROL_ENTRY, &min) < 0) { + pthread_mutex_unlock(&mutex); + return (-2); + } + + pthread_mutex_unlock(&mutex); + + if (min == NULL) + return (1); + + *min_val = atoi(min); + + return (0); +} + +/* + * Return the system audit value from the audit contol file. + */ +int +getacflg(char *auditstr, int len) +{ + char *str; + + setac(); + + if (auditstr == NULL) { + errno = EINVAL; + return (-2); + } + + pthread_mutex_lock(&mutex); + + if (getstrfromtype_locked(FLAGS_CONTROL_ENTRY, &str) < 0) { + pthread_mutex_unlock(&mutex); + return (-2); + } + + pthread_mutex_unlock(&mutex); + + if (str == NULL) + return (1); + + if (strlen(str) >= len) + return (-3); + + strcpy(auditstr, str); + + return (0); +} + +/* + * Return the non attributable flags from the audit contol file. + */ +int +getacna(char *auditstr, int len) +{ + char *str; + + setac(); + + if (auditstr == NULL) { + errno = EINVAL; + return (-2); + } + + pthread_mutex_lock(&mutex); + + if (getstrfromtype_locked(NA_CONTROL_ENTRY, &str) < 0) { + pthread_mutex_unlock(&mutex); + return (-2); + } + pthread_mutex_unlock(&mutex); + + if (str == NULL) + return (1); + + if (strlen(str) >= len) + return (-3); + + strcpy(auditstr, str); + + return (0); +} diff --git a/contrib/openbsm/libbsm/bsm_event.c b/contrib/openbsm/libbsm/bsm_event.c new file mode 100644 index 000000000000..6e22e4c15b73 --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_event.c @@ -0,0 +1,327 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2006 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#11 $ + */ + +#include <bsm/libbsm.h> + +#include <string.h> +#include <pthread.h> +#include <stdio.h> +#include <stdlib.h> + +/* + * Parse the contents of the audit_event file to return + * au_event_ent entries + */ +static FILE *fp = NULL; +static char linestr[AU_LINE_MAX]; +static const char *eventdelim = ":"; + +static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + +/* + * Parse one line from the audit_event file into the au_event_ent structure. + */ +static struct au_event_ent * +eventfromstr(char *str, struct au_event_ent *e) +{ + char *evno, *evname, *evdesc, *evclass; + struct au_mask evmask; + char *last; + + evno = strtok_r(str, eventdelim, &last); + evname = strtok_r(NULL, eventdelim, &last); + evdesc = strtok_r(NULL, eventdelim, &last); + evclass = strtok_r(NULL, eventdelim, &last); + + if ((evno == NULL) || (evname == NULL) || (evdesc == NULL) || + (evclass == NULL)) + return (NULL); + + if (strlen(evname) >= AU_EVENT_NAME_MAX) + return (NULL); + + strcpy(e->ae_name, evname); + if (strlen(evdesc) >= AU_EVENT_DESC_MAX) + return (NULL); + strcpy(e->ae_desc, evdesc); + + e->ae_number = atoi(evno); + + /* + * Find out the mask that corresponds to the given list of classes. + */ + if (getauditflagsbin(evclass, &evmask) != 0) + e->ae_class = AU_NULL; + else + e->ae_class = evmask.am_success; + + return (e); +} + +/* + * Rewind the audit_event file. + */ +static void +setauevent_locked(void) +{ + + if (fp != NULL) + fseek(fp, 0, SEEK_SET); +} + +void +setauevent(void) +{ + + pthread_mutex_lock(&mutex); + setauevent_locked(); + pthread_mutex_unlock(&mutex); +} + +/* + * Close the open file pointers. + */ +void +endauevent(void) +{ + + pthread_mutex_lock(&mutex); + if (fp != NULL) { + fclose(fp); + fp = NULL; + } + pthread_mutex_unlock(&mutex); +} + +/* + * Enumerate the au_event_ent entries. + */ +static struct au_event_ent * +getauevent_r_locked(struct au_event_ent *e) +{ + char *nl; + + if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL)) + return (NULL); + + while (1) { + if (fgets(linestr, AU_LINE_MAX, fp) == NULL) + return (NULL); + + /* Remove new lines. */ + if ((nl = strrchr(linestr, '\n')) != NULL) + *nl = '\0'; + + /* Skip comments. */ + if (linestr[0] == '#') + continue; + + /* Get the next event structure. */ + if (eventfromstr(linestr, e) == NULL) + return (NULL); + break; + } + + return (e); +} + +struct au_event_ent * +getauevent_r(struct au_event_ent *e) +{ + struct au_event_ent *ep; + + pthread_mutex_lock(&mutex); + ep = getauevent_r_locked(e); + pthread_mutex_unlock(&mutex); + return (ep); +} + +struct au_event_ent * +getauevent(void) +{ + static char event_ent_name[AU_EVENT_NAME_MAX]; + static char event_ent_desc[AU_EVENT_DESC_MAX]; + static struct au_event_ent e; + + bzero(&e, sizeof(e)); + bzero(event_ent_name, sizeof(event_ent_name)); + bzero(event_ent_desc, sizeof(event_ent_desc)); + e.ae_name = event_ent_name; + e.ae_desc = event_ent_desc; + return (getauevent_r(&e)); +} + +/* + * Search for an audit event structure having the given event name. + * + * XXXRW: Why accept NULL name? + */ +static struct au_event_ent * +getauevnam_r_locked(struct au_event_ent *e, const char *name) +{ + char *nl; + + if (name == NULL) + return (NULL); + + /* Rewind to beginning of the file. */ + setauevent_locked(); + + if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL)) + return (NULL); + + while (fgets(linestr, AU_LINE_MAX, fp) != NULL) { + /* Remove new lines. */ + if ((nl = strrchr(linestr, '\n')) != NULL) + *nl = '\0'; + + if (eventfromstr(linestr, e) != NULL) { + if (strcmp(name, e->ae_name) == 0) + return (e); + } + } + + return (NULL); +} + +struct au_event_ent * +getauevnam_r(struct au_event_ent *e, const char *name) +{ + struct au_event_ent *ep; + + pthread_mutex_lock(&mutex); + ep = getauevnam_r_locked(e, name); + pthread_mutex_unlock(&mutex); + return (ep); +} + +struct au_event_ent * +getauevnam(const char *name) +{ + static char event_ent_name[AU_EVENT_NAME_MAX]; + static char event_ent_desc[AU_EVENT_DESC_MAX]; + static struct au_event_ent e; + + bzero(&e, sizeof(e)); + bzero(event_ent_name, sizeof(event_ent_name)); + bzero(event_ent_desc, sizeof(event_ent_desc)); + e.ae_name = event_ent_name; + e.ae_desc = event_ent_desc; + return (getauevnam_r(&e, name)); +} + +/* + * Search for an audit event structure having the given event number. + */ +static struct au_event_ent * +getauevnum_r_locked(struct au_event_ent *e, au_event_t event_number) +{ + char *nl; + + /* Rewind to beginning of the file. */ + setauevent_locked(); + + if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL)) + return (NULL); + + while (fgets(linestr, AU_LINE_MAX, fp) != NULL) { + /* Remove new lines. */ + if ((nl = strrchr(linestr, '\n')) != NULL) + *nl = '\0'; + + if (eventfromstr(linestr, e) != NULL) { + if (event_number == e->ae_number) + return (e); + } + } + + return (NULL); +} + +struct au_event_ent * +getauevnum_r(struct au_event_ent *e, au_event_t event_number) +{ + struct au_event_ent *ep; + + pthread_mutex_lock(&mutex); + ep = getauevnum_r_locked(e, event_number); + pthread_mutex_unlock(&mutex); + return (ep); +} + +struct au_event_ent * +getauevnum(au_event_t event_number) +{ + static char event_ent_name[AU_EVENT_NAME_MAX]; + static char event_ent_desc[AU_EVENT_DESC_MAX]; + static struct au_event_ent e; + + bzero(&e, sizeof(e)); + bzero(event_ent_name, sizeof(event_ent_name)); + bzero(event_ent_desc, sizeof(event_ent_desc)); + e.ae_name = event_ent_name; + e.ae_desc = event_ent_desc; + return (getauevnum_r(&e, event_number)); +} + +/* + * Search for an audit_event entry with a given event_name and returns the + * corresponding event number. + */ +au_event_t * +getauevnonam_r(au_event_t *ev, const char *event_name) +{ + static char event_ent_name[AU_EVENT_NAME_MAX]; + static char event_ent_desc[AU_EVENT_DESC_MAX]; + static struct au_event_ent e, *ep; + + bzero(event_ent_name, sizeof(event_ent_name)); + bzero(event_ent_desc, sizeof(event_ent_desc)); + bzero(&e, sizeof(e)); + e.ae_name = event_ent_name; + e.ae_desc = event_ent_desc; + + ep = getauevnam_r(&e, event_name); + if (ep == NULL) + return (NULL); + + *ev = e.ae_number; + return (ev); +} + +au_event_t * +getauevnonam(const char *event_name) +{ + static au_event_t event; + + return (getauevnonam_r(&event, event_name)); +} diff --git a/contrib/openbsm/libbsm/bsm_flags.c b/contrib/openbsm/libbsm/bsm_flags.c new file mode 100644 index 000000000000..e514c86080f4 --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_flags.c @@ -0,0 +1,176 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2006 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_flags.c#13 $ + */ + +#include <bsm/libbsm.h> + +#include <errno.h> +#include <stdio.h> +#include <string.h> + +static const char *flagdelim = ","; + +/* + * Convert the character representation of audit values into the au_mask_t + * field. + */ +int +getauditflagsbin(char *auditstr, au_mask_t *masks) +{ + char class_ent_name[AU_CLASS_NAME_MAX]; + char class_ent_desc[AU_CLASS_DESC_MAX]; + struct au_class_ent c; + char *tok; + char sel, sub; + char *last; + + bzero(&c, sizeof(c)); + bzero(class_ent_name, sizeof(class_ent_name)); + bzero(class_ent_desc, sizeof(class_ent_desc)); + c.ac_name = class_ent_name; + c.ac_desc = class_ent_desc; + + masks->am_success = 0; + masks->am_failure = 0; + + tok = strtok_r(auditstr, flagdelim, &last); + while (tok != NULL) { + /* Check for the events that should not be audited. */ + if (tok[0] == '^') { + sub = 1; + tok++; + } else + sub = 0; + + /* Check for the events to be audited for success. */ + if (tok[0] == '+') { + sel = AU_PRS_SUCCESS; + tok++; + } else if (tok[0] == '-') { + sel = AU_PRS_FAILURE; + tok++; + } else + sel = AU_PRS_BOTH; + + if ((getauclassnam_r(&c, tok)) != NULL) { + if (sub) + SUB_FROM_MASK(masks, c.ac_class, sel); + else + ADD_TO_MASK(masks, c.ac_class, sel); + } else { + errno = EINVAL; + return (-1); + } + + /* Get the next class. */ + tok = strtok_r(NULL, flagdelim, &last); + } + return (0); +} + +/* + * Convert the au_mask_t fields into a string value. If verbose is non-zero + * the long flag names are used else the short (2-character)flag names are + * used. + * + * XXXRW: If bits are specified that are not matched by any class, they are + * omitted rather than rejected with EINVAL. + * + * XXXRW: This is not thread-safe as it relies on atomicity between + * setauclass() and sequential calls to getauclassent(). This could be + * fixed by iterating through the bitmask fields rather than iterating + * through the classes. + */ +int +getauditflagschar(char *auditstr, au_mask_t *masks, int verbose) +{ + char class_ent_name[AU_CLASS_NAME_MAX]; + char class_ent_desc[AU_CLASS_DESC_MAX]; + struct au_class_ent c; + char *strptr = auditstr; + u_char sel; + + bzero(&c, sizeof(c)); + bzero(class_ent_name, sizeof(class_ent_name)); + bzero(class_ent_desc, sizeof(class_ent_desc)); + c.ac_name = class_ent_name; + c.ac_desc = class_ent_desc; + + /* + * Enumerate the class entries, check if each is selected in either + * the success or failure masks. + */ + setauclass(); + while ((getauclassent_r(&c)) != NULL) { + sel = 0; + + /* Dont do anything for class = no. */ + if (c.ac_class == 0) + continue; + + sel |= ((c.ac_class & masks->am_success) == c.ac_class) ? + AU_PRS_SUCCESS : 0; + sel |= ((c.ac_class & masks->am_failure) == c.ac_class) ? + AU_PRS_FAILURE : 0; + + /* + * No prefix should be attached if both success and failure + * are selected. + */ + if ((sel & AU_PRS_BOTH) == 0) { + if ((sel & AU_PRS_SUCCESS) != 0) { + *strptr = '+'; + strptr = strptr + 1; + } else if ((sel & AU_PRS_FAILURE) != 0) { + *strptr = '-'; + strptr = strptr + 1; + } + } + + if (sel != 0) { + if (verbose) { + strcpy(strptr, c.ac_desc); + strptr += strlen(c.ac_desc); + } else { + strcpy(strptr, c.ac_name); + strptr += strlen(c.ac_name); + } + *strptr = ','; /* delimiter */ + strptr = strptr + 1; + } + } + + /* Overwrite the last delimiter with the string terminator. */ + if (strptr != auditstr) + *(strptr-1) = '\0'; + + return (0); +} diff --git a/contrib/openbsm/libbsm/bsm_io.c b/contrib/openbsm/libbsm/bsm_io.c new file mode 100644 index 000000000000..bfdd366a994c --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_io.c @@ -0,0 +1,2831 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2005 SPARTA, Inc. + * Copyright (c) 2006 Robert N. M. Watson + * All rights reserved. + * + * This code was developed in part by Robert N. M. Watson, Senior Principal + * Scientist, SPARTA, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#29 $ + */ + +#include <sys/types.h> +#ifdef __APPLE__ +#include <compat/endian.h> +#else /* !__APPLE__ */ +#include <sys/endian.h> +#endif /* __APPLE__*/ +#include <sys/stat.h> +#include <sys/socket.h> + +#include <bsm/libbsm.h> + +#include <unistd.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <errno.h> +#include <time.h> +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <pwd.h> +#include <grp.h> + +#include <bsm/audit_internal.h> + +#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ + if (bytesread + size > len) { \ + err = 1; \ + } else { \ + memcpy(dest, buf + bytesread, size); \ + bytesread += size; \ + } \ +} while (0) + +#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ + if (bytesread + sizeof(u_char) <= len) { \ + dest = buf[bytesread]; \ + bytesread += sizeof(u_char); \ + } else \ + err = 1; \ +} while (0) + +#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ + if (bytesread + sizeof(u_int16_t) <= len) { \ + dest = be16dec(buf + bytesread); \ + bytesread += sizeof(u_int16_t); \ + } else \ + err = 1; \ +} while (0) + +#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ + if (bytesread + sizeof(u_int32_t) <= len) { \ + dest = be32dec(buf + bytesread); \ + bytesread += sizeof(u_int32_t); \ + } else \ + err = 1; \ +} while (0) + +#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ + if (bytesread + sizeof(u_int64_t) <= len) { \ + dest = be64dec(buf + bytesread); \ + bytesread += sizeof(u_int64_t); \ + } else \ + err = 1; \ +} while (0) + +#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ + if ((bytesread) + (size) > (len)) \ + (err) = 1; \ + else { \ + (ptr) = (buf) + (bytesread); \ + (bytesread) += (size); \ + } \ +} while (0) + +/* + * Prints the delimiter string. + */ +static void +print_delim(FILE *fp, const char *del) +{ + + fprintf(fp, "%s", del); +} + +/* + * Prints a single byte in the given format. + */ +static void +print_1_byte(FILE *fp, u_char val, const char *format) +{ + + fprintf(fp, format, val); +} + +/* + * Print 2 bytes in the given format. + */ +static void +print_2_bytes(FILE *fp, u_int16_t val, const char *format) +{ + + fprintf(fp, format, val); +} + +/* + * Prints 4 bytes in the given format. + */ +static void +print_4_bytes(FILE *fp, u_int32_t val, const char *format) +{ + + fprintf(fp, format, val); +} + +/* + * Prints 8 bytes in the given format. + */ +static void +print_8_bytes(FILE *fp, u_int64_t val, const char *format) +{ + + fprintf(fp, format, val); +} + +/* + * Prints the given size of data bytes in hex. + */ +static void +print_mem(FILE *fp, u_char *data, size_t len) +{ + int i; + + if (len > 0) { + fprintf(fp, "0x"); + for (i = 0; i < len; i++) + fprintf(fp, "%x", data[i]); + } +} + +/* + * Prints the given data bytes as a string. + */ +static void +print_string(FILE *fp, u_char *str, size_t len) +{ + int i; + + if (len > 0) { + for (i = 0; i < len; i++) { + if (str[i] != '\0') + fprintf(fp, "%c", str[i]); + } + } +} + +/* + * Prints the token type in either the raw or the default form. + */ +static void +print_tok_type(FILE *fp, u_char type, const char *tokname, char raw) +{ + + if (raw) + fprintf(fp, "%u", type); + else + fprintf(fp, "%s", tokname); +} + +/* + * Prints a user value. + */ +static void +print_user(FILE *fp, u_int32_t usr, char raw) +{ + struct passwd *pwent; + + if (raw) + fprintf(fp, "%d", usr); + else { + pwent = getpwuid(usr); + if (pwent != NULL) + fprintf(fp, "%s", pwent->pw_name); + else + fprintf(fp, "%d", usr); + } +} + +/* + * Prints a group value. + */ +static void +print_group(FILE *fp, u_int32_t grp, char raw) +{ + struct group *grpent; + + if (raw) + fprintf(fp, "%d", grp); + else { + grpent = getgrgid(grp); + if (grpent != NULL) + fprintf(fp, "%s", grpent->gr_name); + else + fprintf(fp, "%d", grp); + } +} + +/* + * Prints the event from the header token in either the short, default or raw + * form. + */ +static void +print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) +{ + char event_ent_name[AU_EVENT_NAME_MAX]; + char event_ent_desc[AU_EVENT_DESC_MAX]; + struct au_event_ent e, *ep; + + bzero(&e, sizeof(e)); + bzero(event_ent_name, sizeof(event_ent_name)); + bzero(event_ent_desc, sizeof(event_ent_desc)); + e.ae_name = event_ent_name; + e.ae_desc = event_ent_desc; + + ep = getauevnum_r(&e, ev); + if (ep == NULL) { + fprintf(fp, "%u", ev); + return; + } + + if (raw) + fprintf(fp, "%u", ev); + else if (sfrm) + fprintf(fp, "%s", e.ae_name); + else + fprintf(fp, "%s", e.ae_desc); +} + + +/* + * Prints the event modifier from the header token in either the default or + * raw form. + */ +static void +print_evmod(FILE *fp, u_int16_t evmod, char raw) +{ + if (raw) + fprintf(fp, "%u", evmod); + else + fprintf(fp, "%u", evmod); +} + +/* + * Prints seconds in the ctime format. + */ +static void +print_sec32(FILE *fp, u_int32_t sec, char raw) +{ + time_t timestamp; + char timestr[26]; + + if (raw) + fprintf(fp, "%u", sec); + else { + timestamp = (time_t)sec; + ctime_r(×tamp, timestr); + timestr[24] = '\0'; /* No new line */ + fprintf(fp, "%s", timestr); + } +} + +/* + * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we + * assume a 32-bit time_t, we simply truncate for now. + */ +static void +print_sec64(FILE *fp, u_int64_t sec, char raw) +{ + time_t timestamp; + char timestr[26]; + + if (raw) + fprintf(fp, "%u", (u_int32_t)sec); + else { + timestamp = (time_t)sec; + ctime_r(×tamp, timestr); + timestr[24] = '\0'; /* No new line */ + fprintf(fp, "%s", timestr); + } +} + +/* + * Prints the excess milliseconds. + */ +static void +print_msec32(FILE *fp, u_int32_t msec, char raw) +{ + if (raw) + fprintf(fp, "%u", msec); + else + fprintf(fp, " + %u msec", msec); +} + +/* + * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume + * a 32-bit msec, we simply truncate for now. + */ +static void +print_msec64(FILE *fp, u_int64_t msec, char raw) +{ + + msec &= 0xffffffff; + if (raw) + fprintf(fp, "%u", (u_int32_t)msec); + else + fprintf(fp, " + %u msec", (u_int32_t)msec); +} + +/* + * Prints a dotted form for the IP address. + */ +static void +print_ip_address(FILE *fp, u_int32_t ip) +{ + struct in_addr ipaddr; + + ipaddr.s_addr = ip; + fprintf(fp, "%s", inet_ntoa(ipaddr)); +} + +/* + * Prints a string value for the given ip address. + */ +static void +print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) +{ + struct in_addr ipv4; + struct in6_addr ipv6; + char dst[INET6_ADDRSTRLEN]; + + switch (type) { + case AU_IPv4: + ipv4.s_addr = (in_addr_t)(ipaddr[0]); + fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, + INET6_ADDRSTRLEN)); + break; + + case AU_IPv6: + ipv6.__u6_addr.__u6_addr32[0] = ipaddr[0]; + ipv6.__u6_addr.__u6_addr32[1] = ipaddr[1]; + ipv6.__u6_addr.__u6_addr32[2] = ipaddr[2]; + ipv6.__u6_addr.__u6_addr32[3] = ipaddr[3]; + fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, + INET6_ADDRSTRLEN)); + break; + + default: + fprintf(fp, "invalid"); + } +} + +/* + * Prints return value as success or failure. + */ +static void +print_retval(FILE *fp, u_char status, char raw) +{ + if (raw) + fprintf(fp, "%u", status); + else { + if (status == 0) + fprintf(fp, "success"); + else + fprintf(fp, "failure : %s", strerror(status)); + } +} + +/* + * Prints the exit value. + */ +static void +print_errval(FILE *fp, u_int32_t val) +{ + + fprintf(fp, "Error %u", val); +} + +/* + * Prints IPC type. + */ +static void +print_ipctype(FILE *fp, u_char type, char raw) +{ + if (raw) + fprintf(fp, "%u", type); + else { + if (type == AT_IPC_MSG) + fprintf(fp, "Message IPC"); + else if (type == AT_IPC_SEM) + fprintf(fp, "Semaphore IPC"); + else if (type == AT_IPC_SHM) + fprintf(fp, "Shared Memory IPC"); + else + fprintf(fp, "%u", type); + } +} + +/* + * record byte count 4 bytes + * version # 1 byte [2] + * event type 2 bytes + * event modifier 2 bytes + * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) + * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) + */ +static int +fetch_header32_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) +{ + + print_tok_type(fp, tok->id, "header", raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.hdr32.size, "%u"); + print_delim(fp, del); + print_1_byte(fp, tok->tt.hdr32.version, "%u"); + print_delim(fp, del); + print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); + print_delim(fp, del); + print_evmod(fp, tok->tt.hdr32.e_mod, raw); + print_delim(fp, del); + print_sec32(fp, tok->tt.hdr32.s, raw); + print_delim(fp, del); + print_msec32(fp, tok->tt.hdr32.ms, raw); +} + +/* + * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit + * depending on the bit of the specifications found. The OpenSolaris source + * code uses a 4-byte address length, followed by some number of bytes of + * address data. This contrasts with the Solaris audit.log.5 man page, which + * specifies a 1-byte length field. We use the Solaris 10 definition so that + * we can parse audit trails from that system. + * + * record byte count 4 bytes + * version # 1 byte [2] + * event type 2 bytes + * event modifier 2 bytes + * address type/length 4 bytes + * [ Solaris man page: address type/length 1 byte] + * machine address 4 bytes/16 bytes (IPv4/IPv6 address) + * seconds of time 4 bytes/8 bytes (32/64-bits) + * nanoseconds of time 4 bytes/8 bytes (32/64-bits) + */ +static int +fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); + if (err) + return (-1); + + bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); + switch (tok->tt.hdr32_ex.ad_type) { + case AU_IPv4: + READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], + sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); + if (err) + return (-1); + break; + + case AU_IPv6: + READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, + sizeof(tok->tt.hdr32_ex.addr), tok->len, err); + break; + } + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + char sfrm) +{ + + print_tok_type(fp, tok->id, "header_ex", raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); + print_delim(fp, del); + print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); + print_delim(fp, del); + print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); + print_delim(fp, del); + print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); + print_delim(fp, del); + print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, + tok->tt.hdr32_ex.addr); + print_delim(fp, del); + print_sec32(fp, tok->tt.hdr32_ex.s, raw); + print_delim(fp, del); + print_msec32(fp, tok->tt.hdr32_ex.ms, raw); +} + +/* + * record byte count 4 bytes + * event type 2 bytes + * event modifier 2 bytes + * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) + * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) + * version # + */ +static int +fetch_header64_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) +{ + + print_tok_type(fp, tok->id, "header", raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.hdr64.size, "%u"); + print_delim(fp, del); + print_1_byte(fp, tok->tt.hdr64.version, "%u"); + print_delim(fp, del); + print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); + print_delim(fp, del); + print_evmod(fp, tok->tt.hdr64.e_mod, raw); + print_delim(fp, del); + print_sec64(fp, tok->tt.hdr64.s, raw); + print_delim(fp, del); + print_msec64(fp, tok->tt.hdr64.ms, raw); +} +/* + * record byte count 4 bytes + * version # 1 byte [2] + * event type 2 bytes + * event modifier 2 bytes + * address type/length 4 bytes + * [ Solaris man page: address type/length 1 byte] + * machine address 4 bytes/16 bytes (IPv4/IPv6 address) + * seconds of time 4 bytes/8 bytes (32/64-bits) + * nanoseconds of time 4 bytes/8 bytes (32/64-bits) + * + * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the + * accuracy of the BSM spec. + */ +static int +fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); + if (err) + return (-1); + + bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); + switch (tok->tt.hdr64_ex.ad_type) { + case AU_IPv4: + READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], + sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); + if (err) + return (-1); + break; + + case AU_IPv6: + READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, + sizeof(tok->tt.hdr64_ex.addr), tok->len, err); + break; + } + + READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) +{ + + print_tok_type(fp, tok->id, "header_ex", raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); + print_delim(fp, del); + print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); + print_delim(fp, del); + print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); + print_delim(fp, del); + print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); + print_delim(fp, del); + print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, + tok->tt.hdr64_ex.addr); + print_delim(fp, del); + print_sec64(fp, tok->tt.hdr64_ex.s, raw); + print_delim(fp, del); + print_msec64(fp, tok->tt.hdr64_ex.ms, raw); +} + +/* + * trailer magic 2 bytes + * record size 4 bytes + */ +static int +fetch_trailer_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "trailer", raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.trail.count, "%u"); +} + +/* + * argument # 1 byte + * argument value 4 bytes/8 bytes (32-bit/64-bit value) + * text length 2 bytes + * text N bytes + 1 terminating NULL byte + */ +static int +fetch_arg32_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); + if (err) + return (-1); + + SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len, + err); + if (err) + return (-1); + + return (0); +} + +static void +print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "argument", raw); + print_delim(fp, del); + print_1_byte(fp, tok->tt.arg32.no, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.arg32.val, "%#x"); + print_delim(fp, del); + print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); +} + +static int +fetch_arg64_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); + if (err) + return (-1); + + SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len, + err); + if (err) + return (-1); + + return (0); +} + +static void +print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "argument", raw); + print_delim(fp, del); + print_1_byte(fp, tok->tt.arg64.no, "%u"); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.arg64.val, "%#llx"); + print_delim(fp, del); + print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); +} + +/* + * how to print 1 byte + * basic unit 1 byte + * unit count 1 byte + * data items (depends on basic unit) + */ +static int +fetch_arb_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + int datasize; + + READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); + if (err) + return (-1); + + /* + * Determine the size of the basic unit. + */ + switch(tok->tt.arb.bu) { + case AUR_BYTE: + datasize = AUR_BYTE_SIZE; + break; + + case AUR_SHORT: + datasize = AUR_SHORT_SIZE; + break; + + case AUR_LONG: + datasize = AUR_LONG_SIZE; + break; + + default: + return (-1); + } + + SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, + tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + char *str; + char *format; + size_t size; + int i; + + print_tok_type(fp, tok->id, "arbitrary", raw); + print_delim(fp, del); + + switch(tok->tt.arb.howtopr) { + case AUP_BINARY: + str = "binary"; + format = " %c"; + break; + + case AUP_OCTAL: + str = "octal"; + format = " %o"; + break; + + case AUP_DECIMAL: + str = "decimal"; + format = " %d"; + break; + + case AUP_HEX: + str = "hex"; + format = " %x"; + break; + + case AUP_STRING: + str = "string"; + format = "%c"; + break; + + default: + return; + } + + print_string(fp, str, strlen(str)); + print_delim(fp, del); + switch(tok->tt.arb.bu) { + case AUR_BYTE: + str = "byte"; + size = AUR_BYTE_SIZE; + print_string(fp, str, strlen(str)); + print_delim(fp, del); + print_1_byte(fp, tok->tt.arb.uc, "%u"); + print_delim(fp, del); + for (i = 0; i<tok->tt.arb.uc; i++) + fprintf(fp, format, *(tok->tt.arb.data + (size * i))); + break; + + case AUR_SHORT: + str = "short"; + size = AUR_SHORT_SIZE; + print_string(fp, str, strlen(str)); + print_delim(fp, del); + print_1_byte(fp, tok->tt.arb.uc, "%u"); + print_delim(fp, del); + for (i = 0; i<tok->tt.arb.uc; i++) + fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data + + (size * i)))); + break; + + case AUR_LONG: + str = "int"; + size = AUR_LONG_SIZE; + print_string(fp, str, strlen(str)); + print_delim(fp, del); + print_1_byte(fp, tok->tt.arb.uc, "%u"); + print_delim(fp, del); + for (i = 0; i<tok->tt.arb.uc; i++) + fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data + + (size * i)))); + break; + + default: + return; + } +} + +/* + * file access mode 4 bytes + * owner user ID 4 bytes + * owner group ID 4 bytes + * file system ID 4 bytes + * node ID 8 bytes + * device 4 bytes/8 bytes (32-bit/64-bit) + */ +static int +fetch_attr32_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "attribute", raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.attr32.mode, "%o"); + print_delim(fp, del); + print_user(fp, tok->tt.attr32.uid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.attr32.gid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.attr32.dev, "%u"); +} + +/* + * file access mode 4 bytes + * owner user ID 4 bytes + * owner group ID 4 bytes + * file system ID 4 bytes + * node ID 8 bytes + * device 4 bytes/8 bytes (32-bit/64-bit) + */ +static int +fetch_attr64_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "attribute", raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.attr64.mode, "%o"); + print_delim(fp, del); + print_user(fp, tok->tt.attr64.uid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.attr64.gid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); +} + +/* + * status 4 bytes + * return value 4 bytes + */ +static int +fetch_exit_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "exit", raw); + print_delim(fp, del); + print_errval(fp, tok->tt.exit.status); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.exit.ret, "%u"); +} + +/* + * count 4 bytes + * text count null-terminated string(s) + */ +static int +fetch_execarg_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + int i; + char *bptr; + + READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); + if (err) + return (-1); + + for (i = 0; i < tok->tt.execarg.count; i++) { + bptr = buf + tok->len; + tok->tt.execarg.text[i] = bptr; + + /* Look for a null terminated string. */ + while (bptr && (*bptr != '\0')) { + if (++tok->len >=len) + return (-1); + bptr = buf + tok->len; + } + if (!bptr) + return (-1); + tok->len++; /* \0 character */ + } + + return (0); +} + +static void +print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + int i; + + print_tok_type(fp, tok->id, "exec arg", raw); + for (i = 0; i < tok->tt.execarg.count; i++) { + print_delim(fp, del); + print_string(fp, tok->tt.execarg.text[i], + strlen(tok->tt.execarg.text[i])); + } +} + +/* + * count 4 bytes + * text count null-terminated string(s) + */ +static int +fetch_execenv_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + int i; + char *bptr; + + READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); + if (err) + return (-1); + + for (i = 0; i< tok->tt.execenv.count; i++) { + bptr = buf + tok->len; + tok->tt.execenv.text[i] = bptr; + + /* Look for a null terminated string. */ + while (bptr && (*bptr != '\0')) { + if (++tok->len >=len) + return (-1); + bptr = buf + tok->len; + } + if (!bptr) + return (-1); + tok->len++; /* \0 character */ + } + + return (0); +} + +static void +print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + int i; + + print_tok_type(fp, tok->id, "exec arg", raw); + for (i = 0; i< tok->tt.execenv.count; i++) { + print_delim(fp, del); + print_string(fp, tok->tt.execenv.text[i], + strlen(tok->tt.execenv.text[i])); + } +} + +/* + * seconds of time 4 bytes + * milliseconds of time 4 bytes + * file name len 2 bytes + * file pathname N bytes + 1 terminating NULL byte + */ +static int +fetch_file_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); + if (err) + return (-1); + + SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "file", raw); + print_delim(fp, del); + print_sec32(fp, tok->tt.file.s, raw); + print_delim(fp, del); + print_msec32(fp, tok->tt.file.ms, raw); + print_delim(fp, del); + print_string(fp, tok->tt.file.name, tok->tt.file.len); +} + +/* + * number groups 2 bytes + * group list count * 4 bytes + */ +static int +fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len) +{ + int i; + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); + if (err) + return (-1); + + for (i = 0; i<tok->tt.grps.no; i++) { + READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, + err); + if (err) + return (-1); + } + + return (0); +} + +static void +print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + int i; + + print_tok_type(fp, tok->id, "group", raw); + for (i = 0; i < tok->tt.grps.no; i++) { + print_delim(fp, del); + print_group(fp, tok->tt.grps.list[i], raw); + } +} + +/* + * Internet addr 4 bytes + */ +static int +fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr.addr, tok->len, err); + if (err) + return (-1); + + return (0); + +} + +static void +print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "ip addr", raw); + print_delim(fp, del); + print_ip_address(fp, tok->tt.inaddr.addr); +} + +/* + * type 4 bytes + * address 16 bytes + */ +static int +fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); + if (err) + return (-1); + + if (tok->tt.inaddr_ex.type == AU_IPv4) { + READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], + sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); + if (err) + return (-1); + } else if (tok->tt.inaddr_ex.type == AU_IPv6) { + READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, + sizeof(tok->tt.inaddr_ex.addr), tok->len, err); + if (err) + return (-1); + } else + return (-1); + + return (0); +} + +static void +print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "ip addr ex", raw); + print_delim(fp, del); + print_ip_ex_address(fp, tok->tt.inaddr_ex.type, + tok->tt.inaddr_ex.addr); +} + +/* + * ip header 20 bytes + */ +static int +fetch_ip_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.ip.len, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.ip.id, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.ip.offset, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.ip.chksm, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), + tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), + tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "ip", raw); + print_delim(fp, del); + print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char)); + print_delim(fp, del); + print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.ip.len, "%u"); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.ip.id, "%u"); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.ip.offset, "%u"); + print_delim(fp, del); + print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); + print_delim(fp, del); + print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.ip.chksm, "%u"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.ip.src); + print_delim(fp, del); + print_ip_address(fp, tok->tt.ip.dest); +} + +/* + * object ID type 1 byte + * Object ID 4 bytes + */ +static int +fetch_ipc_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "IPC", raw); + print_delim(fp, del); + print_ipctype(fp, tok->tt.ipc.type, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.ipc.id, "%u"); +} + +/* + * owner user id 4 bytes + * owner group id 4 bytes + * creator user id 4 bytes + * creator group id 4 bytes + * access mode 4 bytes + * slot seq 4 bytes + * key 4 bytes + */ +static int +fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "IPC perm", raw); + print_delim(fp, del); + print_user(fp, tok->tt.ipcperm.uid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.ipcperm.gid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.ipcperm.puid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.ipcperm.pgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); +} + +/* + * port Ip address 2 bytes + */ +static int +fetch_iport_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.iport.port, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "ip port", raw); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.iport.port, "%#x"); +} + +/* + * size 2 bytes + * data size bytes + */ +static int +fetch_opaque_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); + if (err) + return (-1); + + SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len, + err); + if (err) + return (-1); + + return (0); +} + +static void +print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "opaque", raw); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.opaque.size, "%u"); + print_delim(fp, del); + print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size); +} + +/* + * size 2 bytes + * data size bytes + */ +static int +fetch_path_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); + if (err) + return (-1); + + SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "path", raw); + print_delim(fp, del); + print_string(fp, tok->tt.path.path, tok->tt.path.len); +} + +/* + * token ID 1 byte + * audit ID 4 bytes + * euid 4 bytes + * egid 4 bytes + * ruid 4 bytes + * rgid 4 bytes + * pid 4 bytes + * sessid 4 bytes + * terminal ID + * portid 4 bytes + * machine id 4 bytes + */ +static int +fetch_process32_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.addr, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "process", raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc32.auid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc32.euid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.proc32.egid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc32.ruid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.proc32.rgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc32.pid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc32.sid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.proc32.tid.addr); +} + +static int +fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, + err); + if (err) + return (-1); + + if (tok->tt.proc32_ex.tid.type == AU_IPv4) { + READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], + sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); + if (err) + return (-1); + } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { + READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, + sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); + if (err) + return (-1); + } else + return (-1); + + return (0); +} + +static void +print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "process_ex", raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc32_ex.auid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc32_ex.euid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.proc32_ex.egid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc32_ex.ruid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.proc32_ex.rgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); + print_delim(fp, del); + print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, + tok->tt.proc32_ex.tid.addr); +} + +/* + * errno 1 byte + * return value 4 bytes + */ +static int +fetch_return32_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "return", raw); + print_delim(fp, del); + print_retval(fp, tok->tt.ret32.status, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.ret32.ret, "%u"); +} + +static int +fetch_return64_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "return", raw); + print_delim(fp, del); + print_retval(fp, tok->tt.ret64.err, raw); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.ret64.val, "%lld"); +} + +/* + * seq 4 bytes + */ +static int +fetch_seq_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "sequence", raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.seq.seqno, "%u"); +} + +/* + * socket family 2 bytes + * local port 2 bytes + * socket address 4 bytes + */ +static int +fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.port, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, + sizeof(tok->tt.sockinet32.addr), tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "socket-inet", raw); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.sockinet32.port, "%u"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.sockinet32.addr); +} + +/* + * socket family 2 bytes + * path 104 bytes + */ +static int fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, + err); + if (err) + return (-1); + + return (0); +} + +static void +print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "socket-unix", raw); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.sockunix.family, "%u"); + print_delim(fp, del); + print_string(fp, tok->tt.sockunix.path, + strlen(tok->tt.sockunix.path)); +} + +/* + * socket type 2 bytes + * local port 2 bytes + * local address 4 bytes + * remote port 2 bytes + * remote address 4 bytes + */ +static int fetch_socket_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.socket.l_port, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, + sizeof(tok->tt.socket.l_addr), tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.socket.r_port, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, + sizeof(tok->tt.socket.r_addr), tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "socket", raw); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.socket.type, "%u"); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.socket.l_port, "%u"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.socket.l_addr); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.socket.r_port, "%u"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.socket.r_addr); +} + +/* + * audit ID 4 bytes + * euid 4 bytes + * egid 4 bytes + * ruid 4 bytes + * rgid 4 bytes + * pid 4 bytes + * sessid 4 bytes + * terminal ID + * portid 4 bytes/8 bytes (32-bit/64-bit value) + * machine id 4 bytes + */ +static int +fetch_subject32_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, + sizeof(tok->tt.subj32.tid.addr), tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "subject", raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj32.auid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj32.euid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.subj32.egid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj32.ruid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.subj32.rgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj32.pid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj32.sid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.subj32.tid.addr); +} + +/* + * audit ID 4 bytes + * euid 4 bytes + * egid 4 bytes + * ruid 4 bytes + * rgid 4 bytes + * pid 4 bytes + * sessid 4 bytes + * terminal ID + * portid 4 bytes/8 bytes (32-bit/64-bit value) + * machine id 4 bytes + */ +static int +fetch_subject64_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, + sizeof(tok->tt.subj64.tid.addr), tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "subject", raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj64.auid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj64.euid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.subj64.egid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj64.ruid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.subj64.rgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj64.pid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj64.sid, "%u"); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.subj64.tid.addr); +} + +/* + * audit ID 4 bytes + * euid 4 bytes + * egid 4 bytes + * ruid 4 bytes + * rgid 4 bytes + * pid 4 bytes + * sessid 4 bytes + * terminal ID + * portid 4 bytes + * type 4 bytes + * machine id 16 bytes + */ +static int +fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, + err); + if (err) + return (-1); + + if (tok->tt.subj32_ex.tid.type == AU_IPv4) { + READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], + sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); + if (err) + return (-1); + } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { + READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, + sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); + if (err) + return (-1); + } else + return (-1); + + return (0); +} + +static void +print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "subject_ex", raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj32_ex.auid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj32_ex.euid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.subj32_ex.egid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj32_ex.ruid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.subj32_ex.rgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); + print_delim(fp, del); + print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, + tok->tt.subj32_ex.tid.addr); +} + +/* + * size 2 bytes + * data size bytes + */ +static int +fetch_text_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); + if (err) + return (-1); + + SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, + err); + if (err) + return (-1); + + return (0); +} + +static void +print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "text", raw); + print_delim(fp, del); + print_string(fp, tok->tt.text.text, tok->tt.text.len); +} + +/* + * socket type 2 bytes + * local port 2 bytes + * address type/length 4 bytes + * local Internet address 4 bytes + * remote port 4 bytes + * address type/length 4 bytes + * remote Internet address 4 bytes + */ +static int +fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.l_port, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, + sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_port, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, + sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "socket", raw); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); + print_delim(fp, del); + print_2_bytes(fp, tok->tt.socket_ex32.l_port, "%#x"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.socket_ex32.l_addr); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.socket_ex32.r_port, "%#x"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.socket_ex32.r_addr); +} + +static int +fetch_invalid_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + int recoversize; + + recoversize = len - (tok->len + BSM_TRAILER_SIZE); + if (recoversize <= 0) + return (-1); + + tok->tt.invalid.length = recoversize; + + SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm) +{ + + print_tok_type(fp, tok->id, "unknown", raw); + print_delim(fp, del); + print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length); +} + + +/* + * Reads the token beginning at buf into tok. + */ +int +au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) +{ + + if (len <= 0) + return (-1); + + tok->len = 1; + tok->data = buf; + tok->id = *buf; + + switch(tok->id) { + case AUT_HEADER32: + return (fetch_header32_tok(tok, buf, len)); + + case AUT_HEADER32_EX: + return (fetch_header32_ex_tok(tok, buf, len)); + + case AUT_HEADER64: + return (fetch_header64_tok(tok, buf, len)); + + case AUT_HEADER64_EX: + return (fetch_header64_ex_tok(tok, buf, len)); + + case AUT_TRAILER: + return (fetch_trailer_tok(tok, buf, len)); + + case AUT_ARG32: + return (fetch_arg32_tok(tok, buf, len)); + + case AUT_ARG64: + return (fetch_arg64_tok(tok, buf, len)); + + case AUT_ATTR32: + return (fetch_attr32_tok(tok, buf, len)); + + case AUT_ATTR64: + return (fetch_attr64_tok(tok, buf, len)); + + case AUT_EXIT: + return (fetch_exit_tok(tok, buf, len)); + + case AUT_EXEC_ARGS: + return (fetch_execarg_tok(tok, buf, len)); + + case AUT_EXEC_ENV: + return (fetch_execenv_tok(tok, buf, len)); + + case AUT_OTHER_FILE32: + return (fetch_file_tok(tok, buf, len)); + + case AUT_NEWGROUPS: + return (fetch_newgroups_tok(tok, buf, len)); + + case AUT_IN_ADDR: + return (fetch_inaddr_tok(tok, buf, len)); + + case AUT_IN_ADDR_EX: + return (fetch_inaddr_ex_tok(tok, buf, len)); + + case AUT_IP: + return (fetch_ip_tok(tok, buf, len)); + + case AUT_IPC: + return (fetch_ipc_tok(tok, buf, len)); + + case AUT_IPC_PERM: + return (fetch_ipcperm_tok(tok, buf, len)); + + case AUT_IPORT: + return (fetch_iport_tok(tok, buf, len)); + + case AUT_OPAQUE: + return (fetch_opaque_tok(tok, buf, len)); + + case AUT_PATH: + return (fetch_path_tok(tok, buf, len)); + + case AUT_PROCESS32: + return (fetch_process32_tok(tok, buf, len)); + + case AUT_PROCESS32_EX: + return (fetch_process32ex_tok(tok, buf, len)); + + case AUT_RETURN32: + return (fetch_return32_tok(tok, buf, len)); + + case AUT_RETURN64: + return (fetch_return64_tok(tok, buf, len)); + + case AUT_SEQ: + return (fetch_seq_tok(tok, buf, len)); + + case AUT_SOCKET: + return (fetch_socket_tok(tok, buf, len)); + + case AUT_SOCKINET32: + return (fetch_sock_inet32_tok(tok, buf, len)); + + case AUT_SOCKUNIX: + return (fetch_sock_unix_tok(tok, buf, len)); + + case AUT_SUBJECT32: + return (fetch_subject32_tok(tok, buf, len)); + + case AUT_SUBJECT64: + return (fetch_subject64_tok(tok, buf, len)); + + case AUT_SUBJECT32_EX: + return (fetch_subject32ex_tok(tok, buf, len)); + + case AUT_TEXT: + return (fetch_text_tok(tok, buf, len)); + + case AUT_SOCKET_EX: + return (fetch_socketex32_tok(tok, buf, len)); + + case AUT_DATA: + return (fetch_arb_tok(tok, buf, len)); + + default: + return (fetch_invalid_tok(tok, buf, len)); + } +} + +/* + * 'prints' the token out to outfp + */ +void +au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) +{ + + switch(tok->id) { + case AUT_HEADER32: + print_header32_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_HEADER32_EX: + print_header32_ex_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_HEADER64: + print_header64_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_HEADER64_EX: + print_header64_ex_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_TRAILER: + print_trailer_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_ARG32: + print_arg32_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_ARG64: + print_arg64_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_DATA: + print_arb_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_ATTR32: + print_attr32_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_ATTR64: + print_attr64_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_EXIT: + print_exit_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_EXEC_ARGS: + print_execarg_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_EXEC_ENV: + print_execenv_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_OTHER_FILE32: + print_file_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_NEWGROUPS: + print_newgroups_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_IN_ADDR: + print_inaddr_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_IN_ADDR_EX: + print_inaddr_ex_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_IP: + print_ip_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_IPC: + print_ipc_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_IPC_PERM: + print_ipcperm_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_IPORT: + print_iport_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_OPAQUE: + print_opaque_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_PATH: + print_path_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_PROCESS32: + print_process32_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_PROCESS32_EX: + print_process32ex_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_RETURN32: + print_return32_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_RETURN64: + print_return64_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_SEQ: + print_seq_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_SOCKET: + print_socket_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_SOCKINET32: + print_sock_inet32_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_SOCKUNIX: + print_sock_unix_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_SUBJECT32: + print_subject32_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_SUBJECT64: + print_subject64_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_SUBJECT32_EX: + print_subject32ex_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_TEXT: + print_text_tok(outfp, tok, del, raw, sfrm); + return; + + case AUT_SOCKET_EX: + print_socketex32_tok(outfp, tok, del, raw, sfrm); + return; + + default: + print_invalid_tok(outfp, tok, del, raw, sfrm); + } +} + +/* + * Read a record from the file pointer, store data in buf memory for buf is + * also allocated in this function and has to be free'd outside this call. + * + * au_read_rec() handles two possibilities: a stand-alone file token, or a + * complete audit record. + * + * XXXRW: Note that if we hit an error, we leave the stream in an unusable + * state, because it will be partly offset into a record. We should rewind + * or do something more intelligent. Particularly interesting is the case + * where we perform a partial read of a record from a non-blockable file + * descriptor. We should return the partial read and continue...? + */ +int +au_read_rec(FILE *fp, u_char **buf) +{ + u_char *bptr; + u_int32_t recsize; + u_int32_t bytestoread; + u_char type; + + u_int32_t sec, msec; + u_int16_t filenamelen; + + type = fgetc(fp); + + switch (type) { + case AUT_HEADER32: + case AUT_HEADER32_EX: + case AUT_HEADER64: + case AUT_HEADER64_EX: + /* read the record size from the token */ + if (fread(&recsize, 1, sizeof(u_int32_t), fp) < + sizeof(u_int32_t)) { + errno = EINVAL; + return (-1); + } + recsize = be32toh(recsize); + + /* Check for recsize sanity */ + if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { + errno = EINVAL; + return (-1); + } + + *buf = malloc(recsize * sizeof(u_char)); + if (*buf == NULL) + return (-1); + bptr = *buf; + memset(bptr, 0, recsize); + + /* store the token contents already read, back to the buffer*/ + *bptr = type; + bptr++; + be32enc(bptr, recsize); + bptr += sizeof(u_int32_t); + + /* now read remaining record bytes */ + bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); + + if (fread(bptr, 1, bytestoread, fp) < bytestoread) { + free(*buf); + errno = EINVAL; + return (-1); + } + break; + + case AUT_OTHER_FILE32: + /* + * The file token is variable-length, as it includes a + * pathname. As a result, we have to read incrementally + * until we know the total length, then allocate space and + * read the rest. + */ + if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { + errno = EINVAL; + return (-1); + } + if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { + errno = EINVAL; + return (-1); + } + if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < + sizeof(filenamelen)) { + errno = EINVAL; + return (-1); + } + recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + + sizeof(filenamelen) + ntohs(filenamelen); + *buf = malloc(recsize); + if (*buf == NULL) + return (-1); + bptr = *buf; + + bcopy(&type, bptr, sizeof(type)); + bptr += sizeof(type); + bcopy(&sec, bptr, sizeof(sec)); + bptr += sizeof(sec); + bcopy(&msec, bptr, sizeof(msec)); + bptr += sizeof(msec); + bcopy(&filenamelen, bptr, sizeof(filenamelen)); + bptr += sizeof(filenamelen); + + if (fread(bptr, 1, ntohs(filenamelen), fp) < + ntohs(filenamelen)) { + free(buf); + errno = EINVAL; + return (-1); + } + break; + + default: + errno = EINVAL; + return (-1); + } + + return (recsize); +} diff --git a/contrib/openbsm/libbsm/bsm_mask.c b/contrib/openbsm/libbsm/bsm_mask.c new file mode 100644 index 000000000000..b575bbcb0b6f --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_mask.c @@ -0,0 +1,194 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2005 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_mask.c#11 $ + */ + +#include <sys/types.h> +#include <sys/queue.h> + +#include <bsm/libbsm.h> + +#include <pthread.h> +#include <stdlib.h> +#include <string.h> + +/* MT-Safe */ +static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; +static int firsttime = 1; + +/* + * XXX ev_cache, once created, sticks around until the calling program exits. + * This may or may not be a problem as far as absolute memory usage goes, but + * at least there don't appear to be any leaks in using the cache. + * + * XXXRW: Note that despite (mutex), load_event_table() could race with + * other consumers of the getauevents() API. + */ +struct audit_event_map { + char ev_name[AU_EVENT_NAME_MAX]; + char ev_desc[AU_EVENT_DESC_MAX]; + struct au_event_ent ev; + LIST_ENTRY(audit_event_map) ev_list; +}; +static LIST_HEAD(, audit_event_map) ev_cache; + +static struct audit_event_map * +audit_event_map_alloc(void) +{ + struct audit_event_map *aemp; + + aemp = malloc(sizeof(*aemp)); + if (aemp == NULL) + return (aemp); + bzero(aemp, sizeof(*aemp)); + aemp->ev.ae_name = aemp->ev_name; + aemp->ev.ae_desc = aemp->ev_desc; + return (aemp); +} + +static void +audit_event_map_free(struct audit_event_map *aemp) +{ + + free(aemp); +} + +/* + * When reading into the cache fails, we need to flush the entire cache to + * prevent it from containing some but not all records. + */ +static void +flush_cache(void) +{ + struct audit_event_map *aemp; + + /* XXX: Would assert 'mutex'. */ + + while ((aemp = LIST_FIRST(&ev_cache)) != NULL) { + LIST_REMOVE(aemp, ev_list); + audit_event_map_free(aemp); + } +} + +static int +load_event_table(void) +{ + struct audit_event_map *aemp; + struct au_event_ent *ep; + + /* + * XXX: Would assert 'mutex'. + * Loading of the cache happens only once; dont check if cache is + * already loaded. + */ + LIST_INIT(&ev_cache); + setauevent(); /* Rewind to beginning of entries. */ + do { + aemp = audit_event_map_alloc(); + if (aemp == NULL) { + flush_cache(); + return (-1); + } + ep = getauevent_r(&aemp->ev); + if (ep != NULL) + LIST_INSERT_HEAD(&ev_cache, aemp, ev_list); + else + audit_event_map_free(aemp); + } while (ep != NULL); + return (1); +} + +/* + * Read the event with the matching event number from the cache. + */ +static struct au_event_ent * +read_from_cache(au_event_t event) +{ + struct audit_event_map *elem; + + /* XXX: Would assert 'mutex'. */ + + LIST_FOREACH(elem, &ev_cache, ev_list) { + if (elem->ev.ae_number == event) + return (&elem->ev); + } + + return (NULL); +} + +/* + * Check if the audit event is preselected against the preselection mask. + */ +int +au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag) +{ + struct au_event_ent *ev; + au_class_t effmask = 0; + + if (mask_p == NULL) + return (-1); + + + pthread_mutex_lock(&mutex); + if (firsttime) { + firsttime = 0; + if ( -1 == load_event_table()) { + pthread_mutex_unlock(&mutex); + return (-1); + } + } + switch (flag) { + case AU_PRS_REREAD: + flush_cache(); + if (load_event_table() == -1) { + pthread_mutex_unlock(&mutex); + return (-1); + } + ev = read_from_cache(event); + break; + case AU_PRS_USECACHE: + ev = read_from_cache(event); + break; + default: + ev = NULL; + } + if (ev == NULL) { + pthread_mutex_unlock(&mutex); + return (-1); + } + if (sorf & AU_PRS_SUCCESS) + effmask |= (mask_p->am_success & ev->ae_class); + if (sorf & AU_PRS_FAILURE) + effmask |= (mask_p->am_failure & ev->ae_class); + pthread_mutex_unlock(&mutex); + if (effmask != 0) + return (1); + return (0); +} diff --git a/contrib/openbsm/libbsm/bsm_notify.c b/contrib/openbsm/libbsm/bsm_notify.c new file mode 100644 index 000000000000..92f9b504d7fc --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_notify.c @@ -0,0 +1,149 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#8 $ + */ + +#ifdef __APPLE__ + +/* + * Based on sample code from Marc Majka. + */ +#include <notify.h> +#include <string.h> /* strerror() */ +#include <sys/errno.h> /* errno */ +#include <bsm/libbsm.h> +#include <stdint.h> /* uint32_t */ +#include <syslog.h> /* syslog() */ +#include <stdarg.h> /* syslog() */ + +/* If 1, assumes a kernel that sends the right notification. */ +#define AUDIT_NOTIFICATION_ENABLED 1 + +#if AUDIT_NOTIFICATION_ENABLED +static int token = 0; +#endif /* AUDIT_NOTIFICATION_ENABLED */ + +static long au_cond = AUC_UNSET; /* <bsm/audit.h> */ + +uint32_t +au_notify_initialize(void) +{ +#if AUDIT_NOTIFICATION_ENABLED + uint32_t status, ignore_first; + + status = notify_register_check(__BSM_INTERNAL_NOTIFY_KEY, &token); + if (status != NOTIFY_STATUS_OK) + return (status); + status = notify_check(token, &ignore_first); + if (status != NOTIFY_STATUS_OK) + return (status); +#endif + + if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) { + syslog(LOG_ERR, "Initial audit status check failed (%s)", + strerror(errno)); + if (errno == ENOSYS) /* auditon() unimplemented. */ + return (AU_UNIMPL); + return (NOTIFY_STATUS_FAILED); /* Is there a better code? */ + } + return (NOTIFY_STATUS_OK); +} + +int +au_notify_terminate(void) +{ + +#if AUDIT_NOTIFICATION_ENABLED + return ((notify_cancel(token) == NOTIFY_STATUS_OK) ? 0 : -1); +#else + return (0); +#endif +} + +/* + * On error of any notify(3) call, reset 'au_cond' to ensure we re-run + * au_notify_initialize() next time 'round--but assume auditing is on. This + * is a slight performance hit if auditing is off, but at least the system + * will behave correctly. The notification calls are unlikely to fail, + * anyway. + */ +int +au_get_state(void) +{ +#if AUDIT_NOTIFICATION_ENABLED + uint32_t did_notify; +#endif + int status; + + /* + * Don't make the client initialize this set of routines, but take the + * slight performance hit by checking ourselves every time. + */ + if (au_cond == AUC_UNSET) { + status = au_notify_initialize(); + if (status != NOTIFY_STATUS_OK) { + if (status == AU_UNIMPL) + return (AU_UNIMPL); + return (AUC_AUDITING); + } else + return (au_cond); + } +#if AUDIT_NOTIFICATION_ENABLED + status = notify_check(token, &did_notify); + if (status != NOTIFY_STATUS_OK) { + au_cond = AUC_UNSET; + return (AUC_AUDITING); + } + + if (did_notify == 0) + return (au_cond); +#endif + + if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) { + /* XXX Reset au_cond to AUC_UNSET? */ + syslog(LOG_ERR, "Audit status check failed (%s)", + strerror(errno)); + if (errno == ENOSYS) /* Function unimplemented. */ + return (AU_UNIMPL); + return (errno); + } + + switch (au_cond) { + case AUC_NOAUDIT: /* Auditing suspended. */ + case AUC_DISABLED: /* Auditing shut off. */ + return (AUC_NOAUDIT); + + case AUC_UNSET: /* Uninitialized; shouldn't get here. */ + case AUC_AUDITING: /* Audit on. */ + default: + return (AUC_AUDITING); + } +} + +#endif /* !__APPLE__ */ diff --git a/contrib/openbsm/libbsm/bsm_token.c b/contrib/openbsm/libbsm/bsm_token.c new file mode 100644 index 000000000000..d7eadb28f808 --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_token.c @@ -0,0 +1,1219 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2005 SPARTA, Inc. + * All rights reserved. + * + * This code was developed in part by Robert N. M. Watson, Senior Principal + * Scientist, SPARTA, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#34 $ + */ + +#include <sys/types.h> +#ifdef __APPLE__ +#include <compat/endian.h> +#else /* !__APPLE__ */ +#include <sys/endian.h> +#endif /* __APPLE__*/ +#include <sys/socket.h> +#include <sys/time.h> +#include <sys/un.h> + +#include <sys/ipc.h> + +#include <netinet/in.h> +#include <netinet/in_systm.h> +#include <netinet/ip.h> + +#include <assert.h> +#include <errno.h> +#include <string.h> +#include <stdlib.h> +#include <unistd.h> +#include <sys/socketvar.h> + +#include <bsm/audit_internal.h> +#include <bsm/libbsm.h> + +#define GET_TOKEN_AREA(t, dptr, length) do { \ + (t) = malloc(sizeof(token_t)); \ + if ((t) != NULL) { \ + (t)->len = (length); \ + (dptr) = (t->t_data) = malloc((length) * sizeof(u_char)); \ + if ((dptr) == NULL) { \ + free(t); \ + (t) = NULL; \ + } else \ + memset((dptr), 0, (length)); \ + } else \ + (dptr) = NULL; \ + assert(t == NULL || dptr != NULL); \ +} while (0) + +/* + * token ID 1 byte + * argument # 1 byte + * argument value 4 bytes/8 bytes (32-bit/64-bit value) + * text length 2 bytes + * text N bytes + 1 terminating NULL byte + */ +token_t * +au_to_arg32(char n, char *text, u_int32_t v) +{ + token_t *t; + u_char *dptr = NULL; + u_int16_t textlen; + + textlen = strlen(text); + textlen += 1; + + GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + + sizeof(u_int16_t) + textlen); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_ARG32); + ADD_U_CHAR(dptr, n); + ADD_U_INT32(dptr, v); + ADD_U_INT16(dptr, textlen); + ADD_STRING(dptr, text, textlen); + + return (t); + +} + +token_t * +au_to_arg64(char n, char *text, u_int64_t v) +{ + token_t *t; + u_char *dptr = NULL; + u_int16_t textlen; + + textlen = strlen(text); + textlen += 1; + + GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + + sizeof(u_int16_t) + textlen); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_ARG64); + ADD_U_CHAR(dptr, n); + ADD_U_INT64(dptr, v); + ADD_U_INT16(dptr, textlen); + ADD_STRING(dptr, text, textlen); + + return (t); + +} + +token_t * +au_to_arg(char n, char *text, u_int32_t v) +{ + + return (au_to_arg32(n, text, v)); +} + +#if defined(_KERNEL) || defined(KERNEL) +/* + * token ID 1 byte + * file access mode 4 bytes + * owner user ID 4 bytes + * owner group ID 4 bytes + * file system ID 4 bytes + * node ID 8 bytes + * device 4 bytes/8 bytes (32-bit/64-bit) + */ +token_t * +au_to_attr32(struct vnode_au_info *vni) +{ + token_t *t; + u_char *dptr = NULL; + u_int16_t pad0_16 = 0; + u_int16_t pad0_32 = 0; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + + 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_ATTR32); + + /* + * Darwin defines the size for the file mode + * as 2 bytes; BSM defines 4 so pad with 0 + */ + ADD_U_INT16(dptr, pad0_16); + ADD_U_INT16(dptr, vni->vn_mode); + + ADD_U_INT32(dptr, vni->vn_uid); + ADD_U_INT32(dptr, vni->vn_gid); + ADD_U_INT32(dptr, vni->vn_fsid); + + /* + * Some systems use 32-bit file ID's, other's use 64-bit file IDs. + * Attempt to handle both, and let the compiler sort it out. If we + * could pick this out at compile-time, it would be better, so as to + * avoid the else case below. + */ + if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { + ADD_U_INT32(dptr, pad0_32); + ADD_U_INT32(dptr, vni->vn_fileid); + } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) + ADD_U_INT64(dptr, vni->vn_fileid); + else + ADD_U_INT64(dptr, 0LL); + + ADD_U_INT32(dptr, vni->vn_dev); + + return (t); +} + +token_t * +au_to_attr64(struct vnode_au_info *vni) +{ + + errno = ENOTSUP; + return (NULL); +} + +token_t * +au_to_attr(struct vnode_au_info *vni) +{ + + return (au_to_attr32(vni)); +} +#endif /* !(defined(_KERNEL) || defined(KERNEL) */ + +/* + * token ID 1 byte + * how to print 1 byte + * basic unit 1 byte + * unit count 1 byte + * data items (depends on basic unit) + */ +token_t * +au_to_data(char unit_print, char unit_type, char unit_count, char *p) +{ + token_t *t; + u_char *dptr = NULL; + size_t datasize, totdata; + + /* Determine the size of the basic unit. */ + switch (unit_type) { + case AUR_BYTE: + datasize = AUR_BYTE_SIZE; + break; + + case AUR_SHORT: + datasize = AUR_SHORT_SIZE; + break; + + case AUR_LONG: + datasize = AUR_LONG_SIZE; + break; + + default: + errno = EINVAL; + return (NULL); + } + + totdata = datasize * unit_count; + + GET_TOKEN_AREA(t, dptr, totdata + 4 * sizeof(u_char)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_DATA); + ADD_U_CHAR(dptr, unit_print); + ADD_U_CHAR(dptr, unit_type); + ADD_U_CHAR(dptr, unit_count); + ADD_MEM(dptr, p, totdata); + + return (t); +} + + +/* + * token ID 1 byte + * status 4 bytes + * return value 4 bytes + */ +token_t * +au_to_exit(int retval, int err) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_EXIT); + ADD_U_INT32(dptr, err); + ADD_U_INT32(dptr, retval); + + return (t); +} + +/* + */ +token_t * +au_to_groups(int *groups) +{ + + return (au_to_newgroups(BSM_MAX_GROUPS, groups)); +} + +/* + * token ID 1 byte + * number groups 2 bytes + * group list count * 4 bytes + */ +token_t * +au_to_newgroups(u_int16_t n, gid_t *groups) +{ + token_t *t; + u_char *dptr = NULL; + int i; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + + n * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_NEWGROUPS); + ADD_U_INT16(dptr, n); + for (i = 0; i < n; i++) + ADD_U_INT32(dptr, groups[i]); + + return (t); +} + +/* + * token ID 1 byte + * internet address 4 bytes + */ +token_t * +au_to_in_addr(struct in_addr *internet_addr) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_IN_ADDR); + ADD_U_INT32(dptr, internet_addr->s_addr); + + return (t); +} + +/* + * token ID 1 byte + * address type/length 4 bytes + * Address 16 bytes + */ +token_t * +au_to_in_addr_ex(struct in6_addr *internet_addr) +{ + token_t *t; + u_char *dptr = NULL; + u_int32_t type = AF_INET6; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); + ADD_U_INT32(dptr, type); + ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]); + ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]); + ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]); + ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]); + + return (t); +} + +/* + * token ID 1 byte + * ip header 20 bytes + */ +token_t * +au_to_ip(struct ip *ip) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_IP); + /* + * XXXRW: Any byte order work needed on the IP header before writing? + */ + ADD_MEM(dptr, ip, sizeof(struct ip)); + + return (t); +} + +/* + * token ID 1 byte + * object ID type 1 byte + * object ID 4 bytes + */ +token_t * +au_to_ipc(char type, int id) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_IPC); + ADD_U_CHAR(dptr, type); + ADD_U_INT32(dptr, id); + + return (t); +} + +/* + * token ID 1 byte + * owner user ID 4 bytes + * owner group ID 4 bytes + * creator user ID 4 bytes + * creator group ID 4 bytes + * access mode 4 bytes + * slot sequence # 4 bytes + * key 4 bytes + */ +token_t * +au_to_ipc_perm(struct ipc_perm *perm) +{ + token_t *t; + u_char *dptr = NULL; + u_int16_t pad0 = 0; + + GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_IPC_PERM); + + /* + * Darwin defines the sizes for ipc_perm members + * as 2 bytes; BSM defines 4 so pad with 0 + */ + ADD_U_INT16(dptr, pad0); + ADD_U_INT16(dptr, perm->uid); + + ADD_U_INT16(dptr, pad0); + ADD_U_INT16(dptr, perm->gid); + + ADD_U_INT16(dptr, pad0); + ADD_U_INT16(dptr, perm->cuid); + + ADD_U_INT16(dptr, pad0); + ADD_U_INT16(dptr, perm->cgid); + + ADD_U_INT16(dptr, pad0); + ADD_U_INT16(dptr, perm->mode); + + ADD_U_INT16(dptr, pad0); + ADD_U_INT16(dptr, perm->seq); + + ADD_U_INT32(dptr, perm->key); + + return (t); +} + +/* + * token ID 1 byte + * port IP address 2 bytes + */ +token_t * +au_to_iport(u_int16_t iport) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_IPORT); + ADD_U_INT16(dptr, iport); + + return (t); +} + +/* + * token ID 1 byte + * size 2 bytes + * data size bytes + */ +token_t * +au_to_opaque(char *data, u_int16_t bytes) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_OPAQUE); + ADD_U_INT16(dptr, bytes); + ADD_MEM(dptr, data, bytes); + + return (t); +} + +/* + * token ID 1 byte + * seconds of time 4 bytes + * milliseconds of time 4 bytes + * file name len 2 bytes + * file pathname N bytes + 1 terminating NULL byte + */ +token_t * +#if defined(KERNEL) || defined(_KERNEL) +au_to_file(char *file, struct timeval tm) +#else +au_to_file(char *file) +#endif +{ + token_t *t; + u_char *dptr = NULL; + u_int16_t filelen; + u_int32_t timems; +#if !defined(KERNEL) && !defined(_KERNEL) + struct timeval tm; + struct timezone tzp; + + if (gettimeofday(&tm, &tzp) == -1) + return (NULL); +#endif + + filelen = strlen(file); + filelen += 1; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + + sizeof(u_int16_t) + filelen); + if (t == NULL) + return (NULL); + + timems = tm.tv_usec/1000; + + ADD_U_CHAR(dptr, AUT_OTHER_FILE32); + ADD_U_INT32(dptr, tm.tv_sec); + ADD_U_INT32(dptr, timems); /* We need time in ms. */ + ADD_U_INT16(dptr, filelen); + ADD_STRING(dptr, file, filelen); + + return (t); +} + +/* + * token ID 1 byte + * text length 2 bytes + * text N bytes + 1 terminating NULL byte + */ +token_t * +au_to_text(char *text) +{ + token_t *t; + u_char *dptr = NULL; + u_int16_t textlen; + + textlen = strlen(text); + textlen += 1; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_TEXT); + ADD_U_INT16(dptr, textlen); + ADD_STRING(dptr, text, textlen); + + return (t); +} + +/* + * token ID 1 byte + * path length 2 bytes + * path N bytes + 1 terminating NULL byte + */ +token_t * +au_to_path(char *text) +{ + token_t *t; + u_char *dptr = NULL; + u_int16_t textlen; + + textlen = strlen(text); + textlen += 1; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_PATH); + ADD_U_INT16(dptr, textlen); + ADD_STRING(dptr, text, textlen); + + return (t); +} + +/* + * token ID 1 byte + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * machine address 4 bytes + */ +token_t * +au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, + pid_t pid, au_asid_t sid, au_tid_t *tid) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_PROCESS32); + ADD_U_INT32(dptr, auid); + ADD_U_INT32(dptr, euid); + ADD_U_INT32(dptr, egid); + ADD_U_INT32(dptr, ruid); + ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, pid); + ADD_U_INT32(dptr, sid); + ADD_U_INT32(dptr, tid->port); + ADD_U_INT32(dptr, tid->machine); + + return (t); +} + +token_t * +au_to_process64(__unused au_id_t auid, __unused uid_t euid, + __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid, + __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid) +{ + + errno = ENOTSUP; + return (NULL); +} + +token_t * +au_to_process(__unused au_id_t auid, __unused uid_t euid, + __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid, + __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid) +{ + + return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, + tid)); +} + +/* + * token ID 1 byte + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * address type-len 4 bytes + * machine address 16 bytes + */ +token_t * +au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_PROCESS32_EX); + ADD_U_INT32(dptr, auid); + ADD_U_INT32(dptr, euid); + ADD_U_INT32(dptr, egid); + ADD_U_INT32(dptr, ruid); + ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, pid); + ADD_U_INT32(dptr, sid); + ADD_U_INT32(dptr, tid->at_port); + ADD_U_INT32(dptr, tid->at_type); + ADD_U_INT32(dptr, tid->at_addr[0]); + ADD_U_INT32(dptr, tid->at_addr[1]); + ADD_U_INT32(dptr, tid->at_addr[2]); + ADD_U_INT32(dptr, tid->at_addr[3]); + + return (t); +} + +token_t * +au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) +{ + + errno = ENOTSUP; + return (NULL); +} + +token_t * +au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) +{ + + return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, + tid)); +} + +/* + * token ID 1 byte + * error status 1 byte + * return value 4 bytes/8 bytes (32-bit/64-bit value) + */ +token_t * +au_to_return32(char status, u_int32_t ret) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_RETURN32); + ADD_U_CHAR(dptr, status); + ADD_U_INT32(dptr, ret); + + return (t); +} + +token_t * +au_to_return64(char status, u_int64_t ret) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_RETURN64); + ADD_U_CHAR(dptr, status); + ADD_U_INT64(dptr, ret); + + return (t); +} + +token_t * +au_to_return(char status, u_int32_t ret) +{ + + return (au_to_return32(status, ret)); +} + +/* + * token ID 1 byte + * sequence number 4 bytes + */ +token_t * +au_to_seq(long audit_count) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_SEQ); + ADD_U_INT32(dptr, audit_count); + + return (t); +} + +/* + * token ID 1 byte + * socket type 2 bytes + * local port 2 bytes + * local Internet address 4 bytes + * remote port 2 bytes + * remote Internet address 4 bytes + */ +token_t * +au_to_socket(struct socket *so) +{ + + errno = ENOTSUP; + return (NULL); +} + +/* + * token ID 1 byte + * socket type 2 bytes + * local port 2 bytes + * address type/length 4 bytes + * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) + * remote port 4 bytes + * address type/length 4 bytes + * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) + */ +token_t * +au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la, + struct sockaddr *ra) +{ + + errno = ENOTSUP; + return (NULL); +} + +token_t * +au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la, + struct sockaddr *ra) +{ + + errno = ENOTSUP; + return (NULL); +} + +/* + * token ID 1 byte + * socket family 2 bytes + * path 104 bytes + */ +token_t * +au_to_sock_unix(struct sockaddr_un *so) +{ + token_t *t; + u_char *dptr; + + GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN); + /* BSM token has two bytes for family */ + ADD_U_CHAR(dptr, 0); + ADD_U_CHAR(dptr, so->sun_family); + ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); + + return (t); +} + +/* + * token ID 1 byte + * socket family 2 bytes + * local port 2 bytes + * socket address 4 bytes + */ +token_t * +au_to_sock_inet32(struct sockaddr_in *so) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_SOCKINET32); + /* + * In Darwin, sin_family is one octet, but BSM defines the token + * to store two. So we copy in a 0 first. + */ + ADD_U_CHAR(dptr, 0); + ADD_U_CHAR(dptr, so->sin_family); + ADD_U_INT16(dptr, so->sin_port); + ADD_U_INT32(dptr, so->sin_addr.s_addr); + + return (t); + +} + +token_t * +au_to_sock_inet128(struct sockaddr_in6 *so) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + + 4 * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_SOCKINET128); + /* + * In Darwin, sin6_family is one octet, but BSM defines the token + * to store two. So we copy in a 0 first. + */ + ADD_U_CHAR(dptr, 0); + ADD_U_CHAR(dptr, so->sin6_family); + + ADD_U_INT16(dptr, so->sin6_port); + ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]); + ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]); + ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]); + ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]); + + return (t); + +} + +token_t * +au_to_sock_inet(struct sockaddr_in *so) +{ + + return (au_to_sock_inet32(so)); +} + +/* + * token ID 1 byte + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * machine address 4 bytes + */ +token_t * +au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, + pid_t pid, au_asid_t sid, au_tid_t *tid) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_SUBJECT32); + ADD_U_INT32(dptr, auid); + ADD_U_INT32(dptr, euid); + ADD_U_INT32(dptr, egid); + ADD_U_INT32(dptr, ruid); + ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, pid); + ADD_U_INT32(dptr, sid); + ADD_U_INT32(dptr, tid->port); + ADD_U_INT32(dptr, tid->machine); + + return (t); +} + +token_t * +au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, + pid_t pid, au_asid_t sid, au_tid_t *tid) +{ + + errno = ENOTSUP; + return (NULL); +} + +token_t * +au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, + pid_t pid, au_asid_t sid, au_tid_t *tid) +{ + + return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, + tid)); +} + +/* + * token ID 1 byte + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * address type/length 4 bytes + * machine address 16 bytes + */ +token_t * +au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) +{ + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); + ADD_U_INT32(dptr, auid); + ADD_U_INT32(dptr, euid); + ADD_U_INT32(dptr, egid); + ADD_U_INT32(dptr, ruid); + ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, pid); + ADD_U_INT32(dptr, sid); + ADD_U_INT32(dptr, tid->at_port); + ADD_U_INT32(dptr, tid->at_type); + ADD_U_INT32(dptr, tid->at_addr[0]); + ADD_U_INT32(dptr, tid->at_addr[1]); + ADD_U_INT32(dptr, tid->at_addr[2]); + ADD_U_INT32(dptr, tid->at_addr[3]); + + return (t); +} + +token_t * +au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) +{ + + errno = ENOTSUP; + return (NULL); +} + +token_t * +au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) +{ + + return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, + tid)); +} + +#if !defined(_KERNEL) && !defined(KERNEL) +/* + * Collects audit information for the current process + * and creates a subject token from it + */ +token_t * +au_to_me(void) +{ + auditinfo_t auinfo; + + if (getaudit(&auinfo) != 0) + return (NULL); + + return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(), + getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid)); +} +#endif + +/* + * token ID 1 byte + * count 4 bytes + * text count null-terminated strings + */ +token_t * +au_to_exec_args(const char **args) +{ + token_t *t; + u_char *dptr = NULL; + const char *nextarg; + int i, count = 0; + size_t totlen = 0; + + nextarg = *args; + + while (nextarg != NULL) { + int nextlen; + + nextlen = strlen(nextarg); + totlen += nextlen + 1; + count++; + nextarg = *(args + count); + } + + totlen += count * sizeof(char); /* nul terminations. */ + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_EXEC_ARGS); + ADD_U_INT32(dptr, count); + + for (i = 0; i < count; i++) { + nextarg = *(args + i); + ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); + } + + return (t); +} + +/* + * token ID 1 byte + * count 4 bytes + * text count null-terminated strings + */ +token_t * +au_to_exec_env(const char **env) +{ + token_t *t; + u_char *dptr = NULL; + int i, count = 0; + size_t totlen = 0; + const char *nextenv; + + nextenv = *env; + + while (nextenv != NULL) { + int nextlen; + + nextlen = strlen(nextenv); + totlen += nextlen + 1; + count++; + nextenv = *(env + count); + } + + totlen += sizeof(char) * count; + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_EXEC_ENV); + ADD_U_INT32(dptr, count); + + for (i = 0; i < count; i++) { + nextenv = *(env + i); + ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); + } + + return (t); +} + +/* + * token ID 1 byte + * record byte count 4 bytes + * version # 1 byte [2] + * event type 2 bytes + * event modifier 2 bytes + * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) + * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) + */ +token_t * +#if defined(KERNEL) || defined(_KERNEL) +au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod, + struct timeval tm) +#else +au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) +#endif +{ + token_t *t; + u_char *dptr = NULL; + u_int32_t timems; +#if !defined(KERNEL) && !defined(_KERNEL) + struct timeval tm; + struct timezone tzp; + + if (gettimeofday(&tm, &tzp) == -1) + return (NULL); +#endif + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + + sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_HEADER32); + ADD_U_INT32(dptr, rec_size); + ADD_U_CHAR(dptr, HEADER_VERSION); + ADD_U_INT16(dptr, e_type); + ADD_U_INT16(dptr, e_mod); + + timems = tm.tv_usec/1000; + /* Add the timestamp */ + ADD_U_INT32(dptr, tm.tv_sec); + ADD_U_INT32(dptr, timems); /* We need time in ms. */ + + return (t); +} + +token_t * +au_to_header64(__unused int rec_size, __unused au_event_t e_type, + __unused au_emod_t e_mod) +{ + + errno = ENOTSUP; + return (NULL); +} + +token_t * +au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) +{ + + return (au_to_header32(rec_size, e_type, e_mod)); +} + +/* + * token ID 1 byte + * trailer magic number 2 bytes + * record byte count 4 bytes + */ +token_t * +au_to_trailer(int rec_size) +{ + token_t *t; + u_char *dptr = NULL; + u_int16_t magic = TRAILER_PAD_MAGIC; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_TRAILER); + ADD_U_INT16(dptr, magic); + ADD_U_INT32(dptr, rec_size); + + return (t); +} diff --git a/contrib/openbsm/libbsm/bsm_user.c b/contrib/openbsm/libbsm/bsm_user.c new file mode 100644 index 000000000000..3927423f5119 --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_user.c @@ -0,0 +1,268 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2006 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_user.c#14 $ + */ + +#include <bsm/libbsm.h> + +#include <string.h> +#include <pthread.h> +#include <stdio.h> +#include <stdlib.h> + +/* + * Parse the contents of the audit_user file into au_user_ent structures. + */ + +static FILE *fp = NULL; +static char linestr[AU_LINE_MAX]; +static const char *user_delim = ":"; + +static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + +/* + * Parse one line from the audit_user file into the au_user_ent structure. + */ +static struct au_user_ent * +userfromstr(char *str, struct au_user_ent *u) +{ + char *username, *always, *never; + char *last; + + username = strtok_r(str, user_delim, &last); + always = strtok_r(NULL, user_delim, &last); + never = strtok_r(NULL, user_delim, &last); + + if ((username == NULL) || (always == NULL) || (never == NULL)) + return (NULL); + + if (strlen(username) >= AU_USER_NAME_MAX) + return (NULL); + + strcpy(u->au_name, username); + if (getauditflagsbin(always, &(u->au_always)) == -1) + return (NULL); + + if (getauditflagsbin(never, &(u->au_never)) == -1) + return (NULL); + + return (u); +} + +/* + * Rewind to beginning of the file + */ +static void +setauuser_locked(void) +{ + + if (fp != NULL) + fseek(fp, 0, SEEK_SET); +} + +void +setauuser(void) +{ + + pthread_mutex_lock(&mutex); + setauuser_locked(); + pthread_mutex_unlock(&mutex); +} + +/* + * Close the file descriptor + */ +void +endauuser(void) +{ + + pthread_mutex_lock(&mutex); + if (fp != NULL) { + fclose(fp); + fp = NULL; + } + pthread_mutex_unlock(&mutex); +} + +/* + * Enumerate the au_user_ent structures from the file + */ +static struct au_user_ent * +getauuserent_r_locked(struct au_user_ent *u) +{ + char *nl; + + if ((fp == NULL) && ((fp = fopen(AUDIT_USER_FILE, "r")) == NULL)) + return (NULL); + + while (1) { + if (fgets(linestr, AU_LINE_MAX, fp) == NULL) + return (NULL); + + /* Remove new lines. */ + if ((nl = strrchr(linestr, '\n')) != NULL) + *nl = '\0'; + + /* Skip comments. */ + if (linestr[0] == '#') + continue; + + /* Get the next structure. */ + if (userfromstr(linestr, u) == NULL) + return (NULL); + break; + } + + return (u); +} + +struct au_user_ent * +getauuserent_r(struct au_user_ent *u) +{ + struct au_user_ent *up; + + pthread_mutex_lock(&mutex); + up = getauuserent_r_locked(u); + pthread_mutex_unlock(&mutex); + return (up); +} + +struct au_user_ent * +getauuserent(void) +{ + static char user_ent_name[AU_USER_NAME_MAX]; + static struct au_user_ent u; + + bzero(&u, sizeof(u)); + bzero(user_ent_name, sizeof(user_ent_name)); + u.au_name = user_ent_name; + + return (getauuserent_r(&u)); +} + +/* + * Find a au_user_ent structure matching the given user name. + */ +struct au_user_ent * +getauusernam_r(struct au_user_ent *u, const char *name) +{ + struct au_user_ent *up; + + if (name == NULL) + return (NULL); + + pthread_mutex_lock(&mutex); + + setauuser_locked(); + while ((up = getauuserent_r_locked(u)) != NULL) { + if (strcmp(name, u->au_name) == 0) { + pthread_mutex_unlock(&mutex); + return (u); + } + } + + pthread_mutex_unlock(&mutex); + return (NULL); + +} + +struct au_user_ent * +getauusernam(const char *name) +{ + static char user_ent_name[AU_USER_NAME_MAX]; + static struct au_user_ent u; + + bzero(&u, sizeof(u)); + bzero(user_ent_name, sizeof(user_ent_name)); + u.au_name = user_ent_name; + + return (getauusernam_r(&u, name)); +} + +/* + * Read the default system wide audit classes from audit_control, combine with + * the per-user audit class and update the binary preselection mask. + */ +int +au_user_mask(char *username, au_mask_t *mask_p) +{ + char auditstring[MAX_AUDITSTRING_LEN + 1]; + char user_ent_name[AU_USER_NAME_MAX]; + struct au_user_ent u, *up; + + bzero(&u, sizeof(u)); + bzero(user_ent_name, sizeof(user_ent_name)); + u.au_name = user_ent_name; + + /* Get user mask. */ + if ((up = getauusernam_r(&u, username)) != NULL) { + if (-1 == getfauditflags(&up->au_always, &up->au_never, + mask_p)) + return (-1); + return (0); + } + + /* Read the default system mask. */ + if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) { + if (-1 == getauditflagsbin(auditstring, mask_p)) + return (-1); + return (0); + } + + /* No masks defined. */ + return (-1); +} + +/* + * Generate the process audit state by combining the audit masks passed as + * parameters with the system audit masks. + */ +int +getfauditflags(au_mask_t *usremask, au_mask_t *usrdmask, au_mask_t *lastmask) +{ + char auditstring[MAX_AUDITSTRING_LEN + 1]; + + if ((usremask == NULL) || (usrdmask == NULL) || (lastmask == NULL)) + return (-1); + + lastmask->am_success = 0; + lastmask->am_failure = 0; + + /* Get the system mask. */ + if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) { + if (getauditflagsbin(auditstring, lastmask) != 0) + return (-1); + } + + ADDMASK(lastmask, usremask); + SUBMASK(lastmask, usrdmask); + + return (0); +} diff --git a/contrib/openbsm/libbsm/bsm_wrappers.c b/contrib/openbsm/libbsm/bsm_wrappers.c new file mode 100644 index 000000000000..e7600e7f5ee2 --- /dev/null +++ b/contrib/openbsm/libbsm/bsm_wrappers.c @@ -0,0 +1,322 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#14 $ + */ + +#include <sys/param.h> +#include <sys/stat.h> +#include <sys/sysctl.h> + +#include <bsm/libbsm.h> + +#include <unistd.h> +#include <syslog.h> +#include <string.h> +#include <errno.h> + +/* These are not advertised in libbsm.h */ +int audit_set_terminal_port(dev_t *p); +int audit_set_terminal_host(uint32_t *m); + +int +audit_set_terminal_port(dev_t *p) +{ + struct stat st; + + if (p == NULL) + return (kAUBadParamErr); + + *p = NODEV; + + /* for /usr/bin/login, try fstat() first */ + if (fstat(STDIN_FILENO, &st) != 0) { + if (errno != EBADF) { + syslog(LOG_ERR, "fstat() failed (%s)", + strerror(errno)); + return (kAUStatErr); + } + if (stat("/dev/console", &st) != 0) { + syslog(LOG_ERR, "stat() failed (%s)", + strerror(errno)); + return (kAUStatErr); + } + } + *p = st.st_rdev; + return (kAUNoErr); +} + +int +audit_set_terminal_host(uint32_t *m) +{ + int name[2] = { CTL_KERN, KERN_HOSTID }; + size_t len; + + if (m == NULL) + return (kAUBadParamErr); + *m = 0; + len = sizeof(*m); + if (sysctl(name, 2, m, &len, NULL, 0) != 0) { + syslog(LOG_ERR, "sysctl() failed (%s)", strerror(errno)); + return (kAUSysctlErr); + } + return (kAUNoErr); +} + +int +audit_set_terminal_id(au_tid_t *tid) +{ + int ret; + + if (tid == NULL) + return (kAUBadParamErr); + if ((ret = audit_set_terminal_port(&tid->port)) != kAUNoErr) + return (ret); + return (audit_set_terminal_host(&tid->machine)); +} + +/* + * This is OK for those callers who have only one token to write. If you have + * multiple tokens that logically form part of the same audit record, you need + * to use the existing au_open()/au_write()/au_close() API: + * + * aufd = au_open(); + * tok = au_to_random_token_1(...); + * au_write(aufd, tok); + * tok = au_to_random_token_2(...); + * au_write(aufd, tok); + * ... + * au_close(aufd, 1, AUE_your_event_type); + * + * Assumes, like all wrapper calls, that the caller has previously checked + * that auditing is enabled via the audit_get_state() call. + * + * XXX: Should be more robust against bad arguments. + */ +int +audit_write(short event_code, token_t *subject, token_t *misctok, char retval, + int errcode) +{ + int aufd; + char *func = "audit_write()"; + token_t *rettok; + + if ((aufd = au_open()) == -1) { + au_free_token(subject); + au_free_token(misctok); + syslog(LOG_ERR, "%s: au_open() failed", func); + return (kAUOpenErr); + } + + /* Save subject. */ + if (subject && au_write(aufd, subject) == -1) { + au_free_token(subject); + au_free_token(misctok); + (void)au_close(aufd, 0, event_code); + syslog(LOG_ERR, "%s: write of subject failed", func); + return (kAUWriteSubjectTokErr); + } + + /* Save the event-specific token. */ + if (misctok && au_write(aufd, misctok) == -1) { + au_free_token(misctok); + (void)au_close(aufd, 0, event_code); + syslog(LOG_ERR, "%s: write of caller token failed", func); + return (kAUWriteCallerTokErr); + } + + /* Tokenize and save the return value. */ + if ((rettok = au_to_return32(retval, errcode)) == NULL) { + (void)au_close(aufd, 0, event_code); + syslog(LOG_ERR, "%s: au_to_return32() failed", func); + return (kAUMakeReturnTokErr); + } + + if (au_write(aufd, rettok) == -1) { + au_free_token(rettok); + (void)au_close(aufd, 0, event_code); + syslog(LOG_ERR, "%s: write of return code failed", func); + return (kAUWriteReturnTokErr); + } + + /* + * au_close()'s second argument is "keep": if keep == 0, the record is + * discarded. We assume the caller wouldn't have bothered with this + * function if it hadn't already decided to keep the record. + */ + if (au_close(aufd, 1, event_code) < 0) { + syslog(LOG_ERR, "%s: au_close() failed", func); + return (kAUCloseErr); + } + + return (kAUNoErr); +} + +/* + * Same caveats as audit_write(). In addition, this function explicitly + * assumes success; use audit_write_failure() on error. + */ +int +audit_write_success(short event_code, token_t *tok, au_id_t auid, uid_t euid, + gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, + au_tid_t *tid) +{ + char *func = "audit_write_success()"; + token_t *subject = NULL; + + /* Tokenize and save subject. */ + subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, + tid); + if (subject == NULL) { + syslog(LOG_ERR, "%s: au_to_subject32() failed", func); + return kAUMakeSubjectTokErr; + } + + return (audit_write(event_code, subject, tok, 0, 0)); +} + +/* + * Same caveats as audit_write(). In addition, this function explicitly + * assumes success; use audit_write_failure_self() on error. + */ +int +audit_write_success_self(short event_code, token_t *tok) +{ + token_t *subject; + char *func = "audit_write_success_self()"; + + if ((subject = au_to_me()) == NULL) { + syslog(LOG_ERR, "%s: au_to_me() failed", func); + return (kAUMakeSubjectTokErr); + } + + return (audit_write(event_code, subject, tok, 0, 0)); +} + +/* + * Same caveats as audit_write(). In addition, this function explicitly + * assumes failure; use audit_write_success() otherwise. + * + * XXX This should let the caller pass an error return value rather than + * hard-coding -1. + */ +int +audit_write_failure(short event_code, char *errmsg, int errcode, au_id_t auid, + uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, + au_tid_t *tid) +{ + char *func = "audit_write_failure()"; + token_t *subject, *errtok; + + subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid); + if (subject == NULL) { + syslog(LOG_ERR, "%s: au_to_subject32() failed", func); + return (kAUMakeSubjectTokErr); + } + + /* tokenize and save the error message */ + if ((errtok = au_to_text(errmsg)) == NULL) { + au_free_token(subject); + syslog(LOG_ERR, "%s: au_to_text() failed", func); + return (kAUMakeTextTokErr); + } + + return (audit_write(event_code, subject, errtok, -1, errcode)); +} + +/* + * Same caveats as audit_write(). In addition, this function explicitly + * assumes failure; use audit_write_success_self() otherwise. + * + * XXX This should let the caller pass an error return value rather than + * hard-coding -1. + */ +int +audit_write_failure_self(short event_code, char *errmsg, int errret) +{ + char *func = "audit_write_failure_self()"; + token_t *subject, *errtok; + + if ((subject = au_to_me()) == NULL) { + syslog(LOG_ERR, "%s: au_to_me() failed", func); + return (kAUMakeSubjectTokErr); + } + /* tokenize and save the error message */ + if ((errtok = au_to_text(errmsg)) == NULL) { + au_free_token(subject); + syslog(LOG_ERR, "%s: au_to_text() failed", func); + return (kAUMakeTextTokErr); + } + return (audit_write(event_code, subject, errtok, -1, errret)); +} + +/* + * For auditing errors during login. Such errors are implicitly + * non-attributable (i.e., not ascribable to any user). + * + * Assumes, like all wrapper calls, that the caller has previously checked + * that auditing is enabled via the audit_get_state() call. + */ +int +audit_write_failure_na(short event_code, char *errmsg, int errret, uid_t euid, + uid_t egid, pid_t pid, au_tid_t *tid) +{ + + return (audit_write_failure(event_code, errmsg, errret, -1, euid, + egid, -1, -1, pid, -1, tid)); +} + +/* END OF au_write() WRAPPERS */ + +#ifdef __APPLE__ +void +audit_token_to_au32(audit_token_t atoken, uid_t *auidp, uid_t *euidp, + gid_t *egidp, uid_t *ruidp, gid_t *rgidp, pid_t *pidp, au_asid_t *asidp, + au_tid_t *tidp) +{ + + if (auidp != NULL) + *auidp = (uid_t)atoken.val[0]; + if (euidp != NULL) + *euidp = (uid_t)atoken.val[1]; + if (egidp != NULL) + *egidp = (gid_t)atoken.val[2]; + if (ruidp != NULL) + *ruidp = (uid_t)atoken.val[3]; + if (rgidp != NULL) + *rgidp = (gid_t)atoken.val[4]; + if (pidp != NULL) + *pidp = (pid_t)atoken.val[5]; + if (asidp != NULL) + *asidp = (au_asid_t)atoken.val[6]; + if (tidp != NULL) { + audit_set_terminal_host(&tidp->machine); + tidp->port = (dev_t)atoken.val[7]; + } +} +#endif /* !__APPLE__ */ diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3 new file mode 100644 index 000000000000..3ec8168435a2 --- /dev/null +++ b/contrib/openbsm/libbsm/libbsm.3 @@ -0,0 +1,220 @@ +.\"- +.\" Copyright (c) 2005-2006 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#3 $ +.\" +.Dd April 19, 2005 +.Dt LIBBSM 3 +.Os +.Sh NAME +.Nm libbsm +.Nd "Basic Security Module (BSM) Audit API" +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In libbsm.h +.Sh DESCRIPTION +The +.Nm +library routines provide an interface to BSM audit record streams, allowing +both the parsing of existing audit streams, as well as the creation of new +audit records and streams. +.Sh INTERFACES +.Nm +provides a large number of Audit programming interfaces in several classes: +event stream interfaces, class interfaces, control interfaces, event +interfaces, I/O interfaces, mask interfaces, notification interfaces, token +interfaces, and user interfaces. +These are described respectively in the +.Xr au_stream 3 , +.Xr au_class 3 , +.Xr au_control 3 , +.Xr au_event 3 , +.Xr au_mask 3 , +.Xr au_notify 3 , +.Xr au_token 3 , +.Xr au_user 3 +man pages. +.Ss Audit Event Stream Interfaces +Audit event stream interfaces support interaction with file-backed audit +event streams: +.Xr au_free_token 3 , +.Xr au_free_token 3 , +.Xr au_open 3 , +.Xr au_write 3 , +.Xr au_close 3 . +.Ss Audit Class Interfaces +Audit class interfaces support the look up of information from the +.Xr audit_class 5 +database: +.Xr getauclassent 3 , +.Xr getauclassent_r 3 , +.Xr getauclassnam 3 , +.Xr getauclassnam_r 3 , +.Xr setauclass 3 , +.Xr endauclass 3 . +.Ss Audit Control Interfaces +Audit control interfaces support the look up of information from the +.Xr audit_control 5 +database: +.Xr setac 3 , +.Xr endac 3 , +.Xr getacdir 3 , +.Xr getacmin 3 , +.Xr getacflg 3 , +.Xr getacna 3 . +.Ss Audit Event Interfaces +Audit event interfaces support the look up of information from the +.Xr audit_event 5 +database: +.Xr setauevent 3 , +.Xr endauevent 3 , +.Xr getauevent 3 , +.Xr getauevent_r 3 , +.Xr getauevnam 3 , +.Xr getauevnam_r 3 , +.Xr getauevnum 3 , +.Xr getauevnum_r 3 , +.Xr getauevnonam 3 , +.Xr getauevnonam_r 3 , +.Ss Audit I/O Interfaces +Audit I/O interfaces support the processing and printing of tokens, as well +as the reading of audit records: +.Xr au_fetch_tok 3 , +.Xr au_print_tok 3 , +.Xr au_read_rec 3 . +.Ss Audit Mask Interfaces +Audit mask interfaces convert support the conversion between strings and +.Vt au_mask_t +values. +They may also be used to determine if a particular audit event is matched +by a mask: +.Xr au_preselect 3 , +.Xr getauditflagsbin 3 , +.Xr getauditflagschar 3 . +.Ss Audit Notification Interfaces +Audit notification routines track audit state in a form permitting efficient +update, avoiding frequent system calls to check the kernel audit state: +.Xr au_notify_initialize 3 , +.Xr au_notify_terminate 3 , +.Xr au_get_state 3 . +These interfaces are implemented only for Darwin/Mac OS X. +.Ss Audit Token Interface +Audit token interfaces permit the creation of tokens for use in creating +audit records for submission to event streams. +Each interface converts a C type to its +.Vt token_t +representation. +.Xr au_to_arg32 3 , +.Xr au_to_arg64 3 , +.Xr au_to_arg 3 , +.Xr au_to_attr64 3 , +.Xr au_to_data 3 , +.Xr au_to_exit 3 , +.Xr au_to_groups 3 , +.Xr au_to_newgroups 3 , +.Xr au_to_in_addr 3 , +.Xr au_to_in_addr_ex 3 , +.Xr au_to_ip 3 , +.Xr au_to_ipc 3 , +.Xr au_to_ipc_perm 3 , +.Xr au_to_iport 3 , +.Xr au_to_opaque 3 , +.Xr au_to_file 3 , +.Xr au_to_text 3 , +.Xr au_to_path 3 , +.Xr au_to_process32 3 , +.Xr au_to_process64 3 , +.Xr au_to_process 3 , +.Xr au_to_process32_ex 3 , +.Xr au_to_process64_ex 3 , +.Xr au_to_process_ex 3 , +.Xr au_to_return32 3 , +.Xr au_to_return64 3 , +.Xr au_to_return 3 , +.Xr au_to_seq 3 , +.Xr au_to_socket 3 , +.Xr au_to_socket_ex_32 3 , +.Xr au_to_socket_ex_128 3 , +.Xr au_to_sock_inet32 3 , +.Xr au_to_sock_inet128 3 , +.Xr au_to_sock_inet 3 , +.Xr au_to_subject32 3 , +.Xr au_to_subject64 3 , +.Xr au_to_subject 3 , +.Xr au_to_subject32_ex 3 , +.Xr au_to_subject64_ex 3 , +.Xr au_to_subject_ex 3 , +.Xr au_to_me 3 , +.Xr au_to_exec_args 3 , +.Xr au_to_exec_env 3 , +.Xr au_to_header32 3 , +.Xr au_to_header64 3 , +.Xr au_to_trailer 3 . +.Ss Audit User Interfaces +Audit user interfaces support the look up of information from the +.Xr audit_user 5 +database: +.Xr setauuser 3 , +.Xr endauuser 3 , +.Xr getauuserent 3 , +.Xr getauuserent_r 3 , +.Xr getauusernam 3 , +.Xr getauusernam_r 3 , +.Xr au_user_mask 3 , +.Xr getfauditflags 3 . +.Sh SEE ALSO +.Xr au_class 3 , +.Xr au_mask 3 , +.Xr au_notify 3 , +.Xr au_stream 3 , +.Xr au_token 3 , +.Xr au_user 3 , +.Xr audit_class 5 , +.Xr audit_control 5 +.Sh AUTHORS +This software was created by Robert Watson, Wayne Salamon, and Suresh +Krishnaswamy for McAfee Research, the security research division of McAfee, +Inc., under contract to Apple Computer, Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +Bugs would not be unlikely. +.Pp +The +.Nm +library implementations are generally thread-safe, but not reentrant. +.Pp +The assignment of routines to classes could use some work, as it is +decidely ad hoc. +For example, +.Fn au_read_rec +should probably be considered a stream routine. diff --git a/contrib/openbsm/man/Makefile b/contrib/openbsm/man/Makefile new file mode 100644 index 000000000000..fec665106ef0 --- /dev/null +++ b/contrib/openbsm/man/Makefile @@ -0,0 +1,19 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile#5 $ +# + +MAN= audit.2 \ + auditctl.2 \ + auditon.2 \ + getaudit.2 \ + getauid.2 \ + setaudit.2 \ + setauid.2 \ + audit.log.5 \ + audit_class.5 \ + audit_control.5 \ + audit_event.5 \ + audit_user.5 \ + audit_warn.5 + +.include <bsd.prog.mk> diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2 new file mode 100644 index 000000000000..6e14899c2ad1 --- /dev/null +++ b/contrib/openbsm/man/audit.2 @@ -0,0 +1,96 @@ +.\"- +.\" Copyright (c) 2005 Tom Rhodes +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $ +.\" +.Dd April 19, 2005 +.Dt AUDIT 2 +.Os +.Sh NAME +.Nm audit +.Nd "Commit a BSM audit record to the audit log" +.Sh SYNOPSIS +.In bsm/audit.h +.Ft int +.Fn audit "const char *record" "u_int length" +.Sh DESCRIPTION +.Fn audit +submits a completed BSM audit record to the system audit log. +.Pp +.Fa record +is a pointer to the the specific event to be recorded and +.Vt length +is the size in bytes of the data to be written. +.Sh RETURN VALUES +.Rv -std +.Sh ERRORS +The +.Fn audit +system call will fail and the data never written if: +.Bl -tag -width Er +.It Bq Er EFAULT +The +.Fa record +argument is beyond the allocated address space of the process. +.It Bq Er EINVAL +The token ID is invalid or +.Vt length +is larger than +.Vt MAXAUDITDATA . +.It Bq Er EPERM +The process does not have sufficient permission to complete +the operation. +.El +.Sh SEE ALSO +.Xr auditon 2 , +.Xr getauid 2 , +.Xr setauid 2 , +.Xr getaudit 2 , +.Xr setaudit 2 , +.Xr getaudit_addr 2 , +.Xr setaudit_addr 2 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Tom Rhodes Aq trhodes@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +The +.Fx +kernel does not fully validate that the argument passed is syntactically +valid BSM. +Submitting invalid audit records may corrupt the audit log. diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5 new file mode 100644 index 000000000000..5d2dec4f91d5 --- /dev/null +++ b/contrib/openbsm/man/audit.log.5 @@ -0,0 +1,622 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#6 $ +.\" +.Dd May 1, 2005 +.Dt AUDIT.LOG 5 +.Os +.Sh NAME +.Nm audit +.Nd "Basic Security Module (BSM) File Format" +.Sh DESCRIPTION +The +.Nm +file format is based on Sun's Basic Security Module (BSM) file format, a +token-based record stream to represent system audit data. +This file format is both flexible and extensible, able to describe a broad +range of data types, and easily extended to describe new data types in a +moderately backward and forward compatible way. +.Pp +BSM token streams typically begin and end with a +.Dv file +token, which provides time stamp and file name information for the stream; +when processing a BSM token stream from a stream as opposed to a single file +source, file tokens may be seen at any point between ordinary records +identifying when particular parts of the stream begin and end. +All other tokens will appear in the context of a complete BSM audit record, +which begins with a +.Dv header +token, and ends with a +.Dv trailer +token, which describe the audit record. +Between these two tokens will appear a variety of data tokens, such as +process information, file path names, IPC object information, MAC labels, +socket information, and so on. +.Pp +The BSM file format defines specific token orders for each record event type; +however, some variation may occur depending on the operating system in use, +what system options, such as mandatory access control, are present. +.Pp +This manual page documents the common token types and their binary format, and +is intended for reference purposes only. +It is recommended that application programmers use the +.Xr libbsm 3 +interface to read and write tokens, rather than parsing or constructing +records by hand. +.Ss File Token +The +.Dv file +token is used at the beginning and end of an audit log file to indicate +when the audit log begins and ends. +It includes a pathname so that, if concatenated together, original file +boundaries are still observable, and gaps in the audit log can be identified. +A +.Dv file +token can be created using +.Xr au_to_file 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Seconds" Ta "4 bytes" Ta "File time stamp" +.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp" +.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail" +.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail" +.El +.Ss Header Token +The +.Dv header +token is used to mark the beginning of a complete audit record, and includes +the length of the total record in bytes, a version number for the record +layout, the event type and subtype, and the time at which the event occurred. +A +.Dv header +token can be created using +.Xr au_to_header32 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.It Li "Version Number" Ta "2 bytes" Ta "Record version number" +.It Li "Event Type" Ta "2 bytes" Ta "Event type" +.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" +.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" +.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" +.El +.Ss Expanded Header Token +The +.Dv expanded header +token is an expanded version of the +.Dv header +token, with the addition of a machine IPv4 or IPv6 address. +The +.Xr libbsm 3 +API cannot currently create an +.Dv expanded header +token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.It Li "Version Number" Ta "2 bytes" Ta "Record version number" +.It Li "Event Type" Ta "2 bytes" Ta "Event type" +.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" +.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length" +.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" +.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" +.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" +.El +.Ss Trailer Token +The +.Dv trailer +terminates a BSM audit record, and contains a magic number, +.Dv TRAILER_PAD_MAGIC +and length that can be used to validate that the record was read properly. +A +.Dv trailer +token can be created using +.Xr au_to_trailer 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.El +.Ss Arbitrary Data Token +The +.Dv arbitrary data +token contains a byte stream of opaque (untyped) data. +The size of the data is calculated as the size of each unit of data +multipled by the number of units of data. +A +.Dv How to print +field is present to specify how to print the data, but interpretation of +that field is not currently defined. +The +.Xr libbsm 3 +API cannot currently create an +.Dv arbitrary data +token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information" +.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes" +.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present" +.It Li "Data Items" Ta "Variable" Ta "User data" +.El +.Ss in_addr Token +The +.Dv in_addr +token holds a network byte order IPv4 or IPv6 address. +An +.Dv in_addr +token can be created using +.Xr au_to_in_addr 3 +for an IPv4 address, or +.Xr au_to_in_addr_ex 3 +for an IPv6 address. +.Pp +See the BUGS section for information on the storage of this token. +.Pp +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "IP Address Type" Ta "1 byte" Ta "Type of address" +.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" +.El +.Ss Expanded in_addr Token +The +.Dv expanded in_addr +token ... +.Pp +See the BUGS section for information on the storage of this token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It XXXX +.El +.Ss ip Token +The +.Dv ip +token contains an IP packet header in network byte order. +An +.Dv ip +token can be cread using +.Xr au_to_ip 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length" +.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field" +.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order" +.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly" +.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order" +.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live" +.It Li "Protocol" Ta "1 byte" Ta "IP protocol number" +.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order" +.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address" +.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address" +.El +.Ss Expanded ip Token +The +.Dv expanded ip +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It XXXX +.El +.Ss iport Token +The +.Dv iport +token stores an IP port number in network byte order. +An +.Dv iport +token can be created using +.Xr au_to_iport 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order" +.El +.Ss Path Token +The +.Dv path +token contains a pathname. +A +.Dv path +token can be created using +.Xr auto_path 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes" +.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name" +.El +.Ss path_attr Token +The +.Dv path_attr +token contains a set of nul-terminated path names. +The +.Xr libbsm 3 +API cannot currently create an +.Dv path_attr +token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token" +.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)" +.El +.Ss Process Token +The +.Dv process +token contains a description of the security properties of a process +involved as the target of an auditable event, such as the destination for +signal delivery. +It should not be confused with the +.Dv subject +token, which describes the subject performing an auditable event. +This includes both the traditional +.Ux +security properties, such as user IDs and group IDs, but also audit +information such as the audit user ID and sesion. +A +.Dv process +token can be created using +.Xr au_to_process32 3 +or +.Xr au_to_process64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" +.El +.Ss Expanded Process Token +The .Dv expanded process +token contains the contents of the +.Dv process +token, with the addition of a machine address type and variable length +address storage capable of containing IPv6 addresses. +A +.Dv expanded process +token can be created using +.Xr au_to_process32_ex 3 +or +.Xr au_to_process64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" +.El +.Ss Return Token +The +.Dv return +token contains a system call or library function return condition, including +return value and error number associated with the global variable +.Er errno . +A +.Dv return +token can be created using +.Xr au_to_return32 3 +or +.Xr au_to_return64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined" +.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)" +.El +.Ss Subject Token +The +.Dv subject +token contains information on the subject performing the operation described +by an audit record, and includes similar information to that found in the +.Dv process +and +.Dv expanded process +tokens. +However, those tokens are used where the process being described is the +target of the operation, not the authorizing party. +A +.Dv subject +token can be created using +.Xr au_to_subject32 3 +and +.Xr au_to_subject64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" +.El +.Ss Expanded Subject Token +The +.Dv expanded subject +token consists of the same elements as the +.Dv subject +token, with the addition of type/length and variable size machine address +information in the terminal ID. +A +.Dv expanded subject +token can be created using +.Xr au_to_subject32_ex 3 +or +.Xr au_to_subject64_ex 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" +.El +.Ss System V IPC Token +The +.Dv System V IPC +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Text Token +The +.Dv text +token contains a single nul-terminated text string. +A +.Dv text +token may be created using +.Xr au_to_text 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul" +.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul" +.El +.Ss Attribute Token +The +.Dv attribute +token describes the attributes of a file associated with the audit event. +As files may be identified by 0, 1, or many path names, a path name is not +included with the attribute block for a file; optional +.Dv path +tokens may also be present in an audit record indicating which path, if any, +was used to reach the object. +A +.Dv attribute +token can be created using +.Xr au_to_attr32 3 +or +.Xr au_to_attr64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file" +.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file" +.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file" +.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file" +.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file" +.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)" +.El +.Ss Groups Token +The +.Dv groups +token contains a list of group IDs associated with the audit event. +A +.Dv groups +token can be created using +.Xr au_to_groups 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token" +.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs" +.El +.Ss System V IPC Permission Token +The +.Dv System V IPC permission +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Arg Token +The +.Dv arg +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss exec_args Token +The +.Dv exec_args +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss exec_env Token +The +.Dv exec_env +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Exit Token +The +.Dv exit +token contains process exit/return code information. +An +.Dv exit +token can be created using +.Xr au_to_exit 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Status" Ta "4 bytes" Ta "Process status on exit" +.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit" +.El +.Ss Socket Token +The +.Dv socket +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Expanded Socket Token +The +.Dv expanded socket +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Seq Token +The +.Dv seq +token contains a unique and monotonically increasing audit event sequence ID. +Due to the limited range of 32 bits, serial number arithmetic and caution +should be used when comparing sequence numbers. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number" +.El +.Ss privilege Token +The +.Dv privilege +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Use-of-auth Token +The +.Dv use-of-auth +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Command Token +The +.Dv command +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss ACL Token +The +.Dv ACL +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Zonename Token +The +.Dv zonename +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Sh SEE ALSO +.Xr libbsm 3 +.Sh AUTHORS +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +The +.Dv How to print +field in the +.Dv arbitrary data +token has undefined values. +.Pp +The +.Dv in_addr +and +.Dv in_addr_ex +token layout documented here appears to be in conflict with the +.Xr libbsm 3 +implementations of +.Xr au_to_in_addr 3 +and +.Xr au_to_in_addr_ex 3 . diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5 new file mode 100644 index 000000000000..81b60cb5c7ea --- /dev/null +++ b/contrib/openbsm/man/audit_class.5 @@ -0,0 +1,70 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDIT_CLASS 5 +.Os +.Sh NAME +.Nm audit_class +.Nd "contains audit event class descriptions" +.Sh DESCRIPTION +The +.Nm +file contains descriptions of the auditable event classes on the system. +Each auditable event is a member of an event class. +Each line maps an audit event +mask (bitmap) to a class and a description. +Entries are of the form +.Dl classmask:eventclass:description. +.Pp +Example entries in this file are: +.Bd -literal -offset indent +0x00000000:no:invalid class +0x00000001:fr:file read +0x00000002:fw:file write +0x00000004:fa:file attribute access +0x00000080:pc:process +0xffffffff:all:all flags set +.Ed +.Sh FILES +.Bl -tag -width "/etc/security/audit_class" -compact +.It Pa /etc/security/audit_class +.El +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5 new file mode 100644 index 000000000000..d39b68129cff --- /dev/null +++ b/contrib/openbsm/man/audit_control.5 @@ -0,0 +1,121 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDIT_CONTROL 5 +.Os +.Sh NAME +.Nm audit_control +.Nd "contains audit system parameters" +.Sh DESCRIPTION +The +.Nm +file contains several audit system parameters. +Each line of this file is of the form: +.Dl parameter:value. +The parameters are: +.Bl -tag -width Ds +.It Pa dir +The directory where audit log files are stored. +There may be more than one of these entries. +Changes to this entry can only be enacted by restarting the +audit system. +See +.Xr audit 1 +for a description of how to restart the audit system. +.It Va flags +Specifies which audit event classes are audited for all users. +.Xr audit_user 5 +describes how to audit events for individual users. +See the information below for the format of the audit flags. +.It Va naflags +Contains the audit flags that define what classes of events are audited when +an action cannot be attributed to a specific user. +.It Va minfree +The minimum free space required on the file system audit logs are being written to. +When the free space falls below this limit a warning will be issued. +Not currently used as the value of 20 percent is chosen by the kernel. +.El +.Sh AUDIT FLAGS +Audit flags are a comma delimited list of audit classes as defined in the +audit_class file. +See +.Xr audit_class 5 +for details. +Event classes may be preceded by a prefix which changes their interpretation. +The following prefixes may be used for each class: +.Bl -tag -width Ds -compact -offset indent +.It + +Record successful events +.It - +Record failed events +.It ^ +Record both successful and failed events +.It ^+ +Don't record successful events +.It ^- +Don't record failed events +.El +.Sh DEFAULT +The following settings appear in the default +.Nm +file: +.Bd -literal -offset indent +dir:/var/audit +flags:lo,ad,-all,^-fc,^-cl +minfree:20 +naflags:lo +.Ed +.Pp +The +.Va flags +parameter above specifies the system-wide mask corresponding to login/logout +events, administrative events, and all failures except for failures in creating +or closing files. +.Sh FILES +.Bl -tag -width "/etc/security/audit_control" -compact +.It Pa /etc/security/audit_control +.El +.Sh SEE ALSO +.Xr audit 1 , +.Xr auditd 8 , +.Xr audit_class 5 , +.Xr audit_user 5 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5 new file mode 100644 index 000000000000..36029ef3b90f --- /dev/null +++ b/contrib/openbsm/man/audit_event.5 @@ -0,0 +1,74 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDIT_EVENT 5 +.Os +.Sh NAME +.Nm audit_event +.Nd "contains audit event descriptions" +.Sh DESCRIPTION +The +.Nm +file contains descriptions of the auditable events on the system. +Each line maps an audit event number to a name, a description, and a class. +Entries are of the form +.Dl eventnum:eventname:description:eventclass . +Each +.Vt eventclass +should have a corresponding entry in the audit_class file. +See +.Xr audit_class 5 +for details. +.Pp +Example entries in this file are: +.Bd -literal -offset indent +0:AUE_NULL:indir system call:no +1:AUE_EXIT:exit(2):pc +2:AUE_FORK:fork(2):pc +3:AUE_OPEN:open(2):fa +.Ed +.Sh FILES +.Bl -tag -width "/etc/security/audit_event" -compact +.It Pa /etc/security/audit_event +.El +.Sh SEE ALSO +.Xr audit_class 5 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5 new file mode 100644 index 000000000000..abb74a322123 --- /dev/null +++ b/contrib/openbsm/man/audit_user.5 @@ -0,0 +1,91 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDIT_USER 5 +.Os +.Sh NAME +.Nm audit_user +.Nd "specifies events to be audited for the given users" +.Sh DESCRIPTION +The +.Nm +file specifies which audit event classes are to be audited for the given users. +If specified, these flags are combined with the system-wide audit flags in the +.Pa audit_control +file to determine which classes of events to audit for that user. +These settings take effect when the user logs in. +.Pp +Each line maps a user name to a list of classes that should be audited and a +list of classes that should not be audited. +Entries are of the form of +.Dl username:alwaysaudit:neveraudit , +where +.Vt alwaysaudit +is a set of event classes that are always audited, and +.Vt neveraudit +is a set of event classes that should not be audited. +These sets can indicate +the inclusion or exclusion of multiple classes, and whether to audit successful +or failed events. +See +.Xr audit_control 5 +for more information about audit flags. +.Pp +Example entries in this file are: +.Bd -literal -offset indent +root:lo,ad:no +jdoe:-fc,ad:+fw +.Ed +.Pp +These settings would cause login and administrative events that succeed on +behalf of user root to be audited. +No failure events are audited. +For the user +.Em jdoe , +failed file creation events are audited, administrative events are +audited, and successful file write events are never audited. +.Sh FILES +.Bl -tag -width "/etc/security/audit_user" -compact +.It Pa /etc/security/audit_user +.El +.Sh SEE ALSO +.Xr audit_control 5 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5 new file mode 100644 index 000000000000..4581d8c87bf6 --- /dev/null +++ b/contrib/openbsm/man/audit_warn.5 @@ -0,0 +1,69 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $ +.\" +.Dd Mar 17, 2004 +.Dt AUDIT_WARN 5 +.Os +.Sh NAME +.Nm audit_warn +.Nd "alert when audit daemon issues warnings" +.Sh DESCRIPTION +.Nm +runs when +.Xr auditd 8 +generates warning messages. +.Pp +The default +.Nm +is a script whose first parameter is the type of warning; the script +appends its arguments to +.Pa /etc/security/audit_messages . +Administrators may replace this script: a more comprehensive one would take +different actions based on the type of warning. +For example, a low-space warning +could result in an email message being sent to the administrator. +.Sh FILES +.Bl -tag -width "/etc/security/audit_warn" -compact +.It Pa /etc/security/audit_warn +.It Pa /etc/security/audit_messages +.El +.Sh SEE ALSO +.Xr auditd 8 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2 new file mode 100644 index 000000000000..48bec1cd2cbb --- /dev/null +++ b/contrib/openbsm/man/auditctl.2 @@ -0,0 +1,78 @@ +.\"- +.\" Copyright (c) 2005-2006 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#4 $ +.\" +.Dd April 19, 2005 +.Dt AUDITCTL 2 +.Os +.Sh NAME +.Nm auditctl +.Nd "Configure system audit parameters" +.Sh SYNOPSIS +.In bsm/audit.h +.Ft int +.Fn auditon "const char *path" +.Sh DESCRIPTION +The +.Fn auditctl +system call directs the kernel to open a new audit trail log file. +.Fn auditctl +requires appropriate privilege. +In the +.Fx +implementation, +.Fn auditctl +opens new files, but +.Fn auditon +is used to disable the audit log. +In the Mac OS X implementation, passing +.Va NULL +to +.Fn auditctl +will disable the audit log. +.Sh RETURN VALUES +.Nm +returns 0 on success, or returns -1 on failure, providing additional error +information via +.Va errno . +.Sh SEE ALSO +.Xr libbsm 3 , +.Xr auditd 8 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2 new file mode 100644 index 000000000000..4e38dc4f68fc --- /dev/null +++ b/contrib/openbsm/man/auditon.2 @@ -0,0 +1,288 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" Copyright (c) 2005 Tom Rhodes +.\" Copyright (c) 2005 Wayne J. Salamon +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $ +.\" +.Dd April 19, 2005 +.Dt AUDITON 2 +.Os +.Sh NAME +.Nm auditon +.Nd "Configure system audit parameters" +.Sh SYNOPSIS +.In bsm/audit.h +.Ft int +.Fn auditon "int cmd" "void *data" "u_int length" +.Sh DESCRIPTION +The +.Nm +system call is used to manipulate various audit control operations. +.Ft *data +should point to a structure whose type depends on the command. +.Ft length +specifies the size of the +.Em data +in bytes. +.Ft cmd +may be any of the following: +.Bl -tag -width ".It Dv A_GETPINFO_ADDR" +.It Dv A_SETPOLICY +Set audit policy flags. +.Ft *data +must point to an long value set to one of the audit +policy control values defined in audit.h. +Currently, only +.Dv AUDIT_CNT +and +.Dv AUDIT_AHLT +are implemented. +In the +.Dv AUDIT_CNT +case, the action will continue regardless if +an event will not be audited. +In the +.Dv AUDIT_AHLT +case, a +.Xr panic 9 +will result if an event will not be written to the +audit log file. +.It Dv A_SETKAUDIT +Return +.Er ENOSYS . +.It Dv A_SETKMASK +Set the kernel preselection masks (success and failure). +.Ft *data +must point to a +.Ft au_mask_t +structure containing the mask values. +These masks are used for non-attributable audit event preselection. +.It Dv A_SETQCTRL +Set kernel audit queue parameters. +.Ft *data +must point to a +.Ft au_qctrl_t +structure containing the +kernel audit queue control settings: +.Va high water , +.Va low water , +.Va output buffer size , +.Va percent min free disk space , +and +.Em delay +(not currently used). +.It Dv A_SETSTAT +Return +.Er ENOSYS . +.It Dv A_SETUMASK +Return +.Er ENOSYS . +.It Dv A_SETSMASK +Return +.Er ENOSYS . +.It Dv A_SETCOND +Set the current auditing condition. +.Ft *data +must point to an long value containing the new +audit condition, one of +.Dv AUC_AUDITING , +.Dv AUC_NOAUDIT , +or +.Dv AUC_DISABLED . +.It Dv A_SETCLASS +Set the event class preselection mask for an audit event. +.Ft *data +must point to a +.Ft au_evclass_map_t +structure containing the audit event and mask. +.It Dv A_SETPMASK +Set the preselection masks for a process. +.Ft *data +must point to a +.Ft auditpinfo_t +structure that contains the given process's audit +preselection masks for both success and failure. +.It Dv A_SETFSIZE +Set the maximum size of the audit log file. +.Ft *data +must point to a +.Ft au_fstat_t +structure with the +.Ft af_filesz +field set to the maximum audit log file size. A value of 0 +indicates no limit to the size. +.It Dv A_SETKAUDIT +Return +.Er ENOSYS . +.It Dv A_GETCLASS +Return the event to class mapping for the designated audit event. +.Ft *data +must point to a +.Ft au_evclass_map_t +structure. +.It Dv A_GETKAUDIT +Return +.Er ENOSYS . +.It Dv A_GETPINFO +Return the audit settings for a process. +.Ft *data +must point to a +.Ft auditpinfo_t +structure which will be set to contain +the audit ID, preselection mask, terminal ID, and audit session +ID of the given process. +.It Dv A_GETPINFO_ADDR +Return +.Er ENOSYS . +.It Dv A_GETKMASK +Return the current kernel preselection masks. +.Ft *data +must point to a +.Ft au_mask_t +structure which will be set to +the current kernel preselection masks for non-attributable events. +.It Dv A_GETPOLICY +Return the current audit policy setting. +.Ft *data +must point to an long value which will be set to +one of the current audit policy flags. +Currently, only +.Dv AUDIT_CNT +and +.Dv AUDIT_AHLT +are implemented. +.It Dv A_GETQCTRL +Return the current kernel audit queue control parameters. +.Ft *data +must point to a +.Ft au_qctrl_t +structure which will be set to the current +kernel audit queue control parameters. +.It Dv A_GETFSIZE +Returns the maximum size of the audit log file. +.Ft *data +must point to a +.Ft au_fstat_t +structure. The +.Ft af_filesz +field will set to the maximum audit log file size. A value of 0 +indicates no limit to the size. +The +.Ft af_filesz +will be set to the current audit log file size. +.It Dv A_GETCWD +.\" [COMMENTED OUT]: Valid description, not yet implemented. +.\" Return the current working directory as stored in the audit subsystem. +Return +.Er ENOSYS . +.It Dv A_GETCAR +.\" [COMMENTED OUT]: Valid description, not yet implemented. +.\"Stores and returns the current active root as stored in the audit +.\"subsystem. +Return +.Er ENOSYS . +.It Dv A_GETSTAT +.\" [COMMENTED OUT]: Valid description, not yet implemented. +.\"Return the statistics stored in the audit system. +Return +.Er ENOSYS . +.It Dv A_GETCOND +Return the current auditing condition. +.Ft *data +must point to a long value which will be set to +the current audit condition, either +.Dv AUC_AUDITING +or +.Dv AUC_NOAUDIT . +.It Dv A_SENDTRIGGER +Send a trigger to the audit daemon. +.Fr *data +must point to a long value set to one of the acceptable +trigger values: +.Dv AUDIT_TRIGGER_LOW_SPACE +(low disk space where the audit log resides), +.Dv AUDIT_TRIGGER_OPEN_NEW +(open a new audit log file), +.Dv AUDIT_TRIGGER_READ_FILE +(read the audit_control file), +.Dv AUDIT_TRIGGER_CLOSE_AND_DIE +(close the current log file and exit), +or +.Dv AUDIT_TRIGGER_NO_SPACE +(no disk space left for audit log file). +.El +.Sh RETURN VALUES +.Rv -std +.Sh ERRORS +The +.Fn auditon +function will fail if: +.Bl -tag -width Er +.It Bq Er ENOSYS +Returned by options not yet implemented. +.It Bq Er EFAULT +A failure occurred while data transferred to or from +the kernel failed. +.It Bq Er EINVAL +Illegal argument was passed by a system call. +.It Bq Er EPERM +The process does not have sufficient permission to complete +the operation. +.El +.Pp +The +.Dv A_SENDTRIGGER +command is specific to the +.Fx +and Mac OS X implementations, and is not present in Solaris. +.Sh SEE ALSO +.Xr audit 2 , +.Xr auditctl 2 , +.Xr getauid 2 , +.Xr setauid 2 , +.Xr getaudit 2 , +.Xr setaudit 2 , +.Xr getaudit_addr 2 , +.Xr setaudit_addr 2 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Tom Rhodes Aq trhodes@FreeBSD.org , +.An Robert Watson Aq rwatson@FreeBSD.org , +and +.An Wayne Salamon Aq wsalamon@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2003. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2 new file mode 100644 index 000000000000..c20aab00073d --- /dev/null +++ b/contrib/openbsm/man/getaudit.2 @@ -0,0 +1,80 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $ +.\" +.Dd April 19, 2005 +.Dt GETAUDIT 2 +.Os +.Sh NAME +.Nm getaudit , +.Nm getaudit_addr +.Nd "Retrieve audit session state" +.Sh SYNOPSIS +.In bsm/audit.h +.Ft int +.Fn getaudit "auditinfo_t *auditinfo" +.Ft int +.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length" +.Sh DESCRIPTION +.Fn getaudit +retrieves the active audit session state for the current process via the +.Vt auditinfo_t +pointed to by +.Va auditinfo . +.Fn getaudit_addr +retrieves extended state via +.Va auditinfo_addr +and +.Va length . +.Pp +This system call required appropriate privilege to complete. +.Sh RETURN VALUES +.Nm +returns 0 on success, or returns -1 on failure, providing additional error +information via +.Va errno . +.Sh SEE ALSO +.Xr audit 2 , +.Xr auditon 2 , +.Xr getauid 2 , +.Xr setauid 2 , +.Xr setaudit 2 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2 new file mode 100644 index 000000000000..de36f731df3c --- /dev/null +++ b/contrib/openbsm/man/getauid.2 @@ -0,0 +1,74 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $ +.\" +.Dd April 19, 2005 +.Dt GETAUID 2 +.Os +.Sh NAME +.Nm getauid +.Nd "Retrieve audit session ID" +.Sh SYNOPSIS +.In bsm/audit.h +.Ft int +.Fn getauid "au_id_t *auid" +.Sh DESCRIPTION +.Nm +retrieves the active audit session ID for the current process via the +.Vt au_id_t +pointed to by +.Va auid . +.Pp +This system call required appropriate privilege to complete. +.Sh RETURN VALUES +.Nm +returns 0 on success, or returns -1 on failure, providing additional error +information via +.Va errno . +.Sh SEE ALSO +.Xr audit 2 , +.Xr auditon 2 , +.Xr setauid 2 , +.Xr getaudit 2 , +.Xr setaudit 2 , +.Xr getaudit_addr 2 , +.Xr setaudit_addr 2 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2 new file mode 100644 index 000000000000..2d994ecfb0cf --- /dev/null +++ b/contrib/openbsm/man/setaudit.2 @@ -0,0 +1,81 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $ +.\" +.Dd April 19, 2005 +.Dt SETAUDIT 2 +.Os +.Sh NAME +.Nm setaudit , +.Nm setaudit_addr +.Nd "Set audit session state" +.Sh SYNOPSIS +.In bsm/audit.h +.Ft int +.Fn setaudit "auditinfo_t *auditinfo" +.Ft int +.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length" +.Sh DESCRIPTION +.Nm +sets the active audit session state for the current process via the +.Vt auditinfo_t +pointed to by +.Va auditinfo . +.Fn setaudit_addr +sets extended state via +.Va auditinfo_addr +and +.Va length . +.Pp +This system call required appropriate privilege to complete. +.Sh RETURN VALUES +.Nm +returns 0 on success, or returns -1 on failure, providing additional error +information via +.Va errno . +.Sh SEE ALSO +.Xr audit 2 , +.Xr auditon 2 , +.Xr getaudit 2 , +.Xr getauid 2 , +.Xr setauid 2 , +.Xr getaudit 2 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2 new file mode 100644 index 000000000000..d03b0d9474e9 --- /dev/null +++ b/contrib/openbsm/man/setauid.2 @@ -0,0 +1,74 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $ +.\" +.Dd April 19, 2005 +.Dt SETAUID 2 +.Os +.Sh NAME +.Nm setauid +.Nd "Set audit session ID" +.Sh SYNOPSIS +.In bsm/audit.h +.Ft int +.Fn setauid "au_id_t *auid" +.Sh DESCRIPTION +.Nm +sets the active audit session ID for the current process from the +.Vt au_id_t +pointed to by +.Va auid . +.Pp +This system call required appropriate privilege to complete. +.Sh RETURN VALUES +.Nm +returns 0 on success, or returns -1 on failure, providing additional error +information via +.Va errno . +.Sh SEE ALSO +.Xr audit 2 , +.Xr auditon 2 , +.Xr getauid 2 , +.Xr getaudit 2 , +.Xr setaudit 2 , +.Xr getaudit_addr 2 , +.Xr setaudit_addr 2 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. diff --git a/contrib/openbsm/tools/Makefile b/contrib/openbsm/tools/Makefile new file mode 100644 index 000000000000..79e582d03f1d --- /dev/null +++ b/contrib/openbsm/tools/Makefile @@ -0,0 +1,13 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/tools/Makefile#3 $ +# + +CFLAGS+= -I- -I .. -I ../libbsm -L ../libbsm -I. +PROG= audump +NO_MAN= +DPADD= /usr/lib/libbsm.a +LDADD= -lbsm +BINDIR= /usr/sbin +WARNS= 3 + +.include <bsd.prog.mk> diff --git a/contrib/openbsm/tools/audump.c b/contrib/openbsm/tools/audump.c new file mode 100644 index 000000000000..f1429b599fef --- /dev/null +++ b/contrib/openbsm/tools/audump.c @@ -0,0 +1,234 @@ +/*- + * Copyright (c) 2005 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#4 $ + */ + +#include <bsm/libbsm.h> +#include <string.h> +#include <err.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> + +/* + * Simple tool to dump various /etc/security databases using the defined APIs. + */ + +static void +usage(void) +{ + + fprintf(stderr, "usage: dump [class|class_r|control|event|event_r|" + "user|user_r]\n"); + exit(-1); +} + +static void +audump_class(void) +{ + au_class_ent_t *cp; + + while ((cp = getauclassent()) != NULL) + printf("0x%08x:%s:%s\n", cp->ac_class, cp->ac_name, + cp->ac_desc); +} + +static void +audump_class_r(void) +{ + char class_ent_name[AU_CLASS_NAME_MAX]; + char class_ent_desc[AU_CLASS_DESC_MAX]; + au_class_ent_t c, *cp; + + bzero(&c, sizeof(c)); + bzero(class_ent_name, sizeof(class_ent_name)); + bzero(class_ent_desc, sizeof(class_ent_desc)); + c.ac_name = class_ent_name; + c.ac_desc = class_ent_desc; + + while ((cp = getauclassent_r(&c)) != NULL) + printf("0x%08x:%s:%s\n", cp->ac_class, cp->ac_name, + cp->ac_desc); +} + +static void +audump_control(void) +{ + char string[PATH_MAX]; + int ret, val; + + ret = getacflg(string, PATH_MAX); + if (ret == -2) + err(-1, "getacflg"); + if (ret != 0) + errx(-1, "getacflg: %d", ret); + + printf("flags:%s\n", string); + + ret = getacmin(&val); + if (ret == -2) + err(-1, "getacmin"); + if (ret != 0) + errx(-1, "getacmin: %d", ret); + + printf("min:%d\n", val); + + ret = getacna(string, PATH_MAX); + if (ret == -2) + err(-1, "getacna"); + if (ret != 0) + errx(-1, "getacna: %d", ret); + + printf("naflags:%s\n", string); + + setac(); + do { + ret = getacdir(string, PATH_MAX); + if (ret == -1) + break; + if (ret == -2) + err(-1, "getacdir"); + if (ret != 0) + errx(-1, "getacdir: %d", ret); + printf("dir:%s\n", string); + + } while (ret == 0); +} + +static void +printf_classmask(au_class_t classmask) +{ + au_class_ent_t *c; + u_int32_t i; + int first; + + first = 1; + for (i = 0; i < 32; i++) { + if (classmask & (2 << i)) { + if (first) + first = 0; + else + printf(","); + c = getauclassnum(2 << i); + if (c != NULL) + printf("%s", c->ac_name); + else + printf("0x%x", 2 << i); + } + } +} + +static void +audump_event(void) +{ + au_event_ent_t *ep; + + while ((ep = getauevent()) != NULL) { + printf("%d:%s:%s:", ep->ae_number, ep->ae_name, ep->ae_desc); + printf_classmask(ep->ae_class); + printf("\n"); + } +} + +static void +audump_event_r(void) +{ + char event_ent_name[AU_EVENT_NAME_MAX]; + char event_ent_desc[AU_EVENT_DESC_MAX]; + au_event_ent_t e, *ep; + + bzero(&e, sizeof(e)); + bzero(event_ent_name, sizeof(event_ent_name)); + bzero(event_ent_desc, sizeof(event_ent_desc)); + e.ae_name = event_ent_name; + e.ae_desc = event_ent_desc; + + while ((ep = getauevent_r(&e)) != NULL) { + printf("%d:%s:%s:", ep->ae_number, ep->ae_name, ep->ae_desc); + printf_classmask(ep->ae_class); + printf("\n"); + } +} + +static void +audump_user(void) +{ + au_user_ent_t *up; + + while ((up = getauuserent()) != NULL) { + printf("%s:", up->au_name); + // printf_classmask(up->au_always); + printf(":"); + // printf_classmask(up->au_never); + printf("\n"); + } +} + +static void +audump_user_r(void) +{ + char user_ent_name[AU_USER_NAME_MAX]; + au_user_ent_t u, *up; + + bzero(&u, sizeof(u)); + bzero(user_ent_name, sizeof(user_ent_name)); + u.au_name = user_ent_name; + + while ((up = getauuserent_r(&u)) != NULL) { + printf("%s:", up->au_name); + // printf_classmask(up->au_always); + printf(":"); + // printf_classmask(up->au_never); + printf("\n"); + } +} + +int +main(int argc, char *argv[]) +{ + + if (argc != 2) + usage(); + + if (strcmp(argv[1], "class") == 0) + audump_class(); + else if (strcmp(argv[1], "class_r") == 0) + audump_class_r(); + else if (strcmp(argv[1], "control") == 0) + audump_control(); + else if (strcmp(argv[1], "event") == 0) + audump_event(); + else if (strcmp(argv[1], "event_r") == 0) + audump_event_r(); + else if (strcmp(argv[1], "user") == 0) + audump_user(); + else if (strcmp(argv[1], "user_r") == 0) + audump_user_r(); + else + usage(); + + return (0); +} |