17a0a89d2SRobert Watson /*-
206edd2f1SRobert Watson * Copyright (c) 2008-2009 Apple Inc.
35e386598SRobert Watson * Copyright (c) 2016 Robert N. M. Watson
47a0a89d2SRobert Watson * All rights reserved.
57a0a89d2SRobert Watson *
65e386598SRobert Watson * Portions of this software were developed by BAE Systems, the University of
75e386598SRobert Watson * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
85e386598SRobert Watson * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
95e386598SRobert Watson * Computing (TC) research program.
105e386598SRobert Watson *
117a0a89d2SRobert Watson * Redistribution and use in source and binary forms, with or without
127a0a89d2SRobert Watson * modification, are permitted provided that the following conditions
137a0a89d2SRobert Watson * are met:
147a0a89d2SRobert Watson * 1. Redistributions of source code must retain the above copyright
157a0a89d2SRobert Watson * notice, this list of conditions and the following disclaimer.
167a0a89d2SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright
177a0a89d2SRobert Watson * notice, this list of conditions and the following disclaimer in the
187a0a89d2SRobert Watson * documentation and/or other materials provided with the distribution.
197a0a89d2SRobert Watson * 3. Neither the name of Apple Inc. ("Apple") nor the names of
207a0a89d2SRobert Watson * its contributors may be used to endorse or promote products derived
217a0a89d2SRobert Watson * from this software without specific prior written permission.
227a0a89d2SRobert Watson *
237a0a89d2SRobert Watson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
247a0a89d2SRobert Watson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
257a0a89d2SRobert Watson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
267a0a89d2SRobert Watson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
277a0a89d2SRobert Watson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
287a0a89d2SRobert Watson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
297a0a89d2SRobert Watson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
307a0a89d2SRobert Watson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
317a0a89d2SRobert Watson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
327a0a89d2SRobert Watson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
337a0a89d2SRobert Watson * POSSIBILITY OF SUCH DAMAGE.
347a0a89d2SRobert Watson */
357a0a89d2SRobert Watson
367a0a89d2SRobert Watson #include <sys/param.h>
377a0a89d2SRobert Watson
387a0a89d2SRobert Watson #include <config/config.h>
397a0a89d2SRobert Watson
407a0a89d2SRobert Watson #include <sys/dirent.h>
417a0a89d2SRobert Watson #ifdef HAVE_FULL_QUEUE_H
427a0a89d2SRobert Watson #include <sys/queue.h>
437a0a89d2SRobert Watson #else /* !HAVE_FULL_QUEUE_H */
447a0a89d2SRobert Watson #include <compat/queue.h>
457a0a89d2SRobert Watson #endif /* !HAVE_FULL_QUEUE_H */
46c0020399SRobert Watson #include <sys/mount.h>
47c0020399SRobert Watson #include <sys/socket.h>
487a0a89d2SRobert Watson
497a0a89d2SRobert Watson #include <sys/stat.h>
507a0a89d2SRobert Watson #include <sys/time.h>
517a0a89d2SRobert Watson
527a0a89d2SRobert Watson #include <netinet/in.h>
537a0a89d2SRobert Watson
547a0a89d2SRobert Watson #include <bsm/audit.h>
557a0a89d2SRobert Watson #include <bsm/audit_uevents.h>
567a0a89d2SRobert Watson #include <bsm/auditd_lib.h>
577a0a89d2SRobert Watson #include <bsm/libbsm.h>
587a0a89d2SRobert Watson
59aa772005SRobert Watson #include <assert.h>
6006edd2f1SRobert Watson #include <dirent.h>
617a0a89d2SRobert Watson #include <err.h>
627a0a89d2SRobert Watson #include <errno.h>
637a0a89d2SRobert Watson #include <fcntl.h>
647a0a89d2SRobert Watson #include <stdio.h>
657a0a89d2SRobert Watson #include <string.h>
667a0a89d2SRobert Watson #include <stdlib.h>
677a0a89d2SRobert Watson #include <time.h>
687a0a89d2SRobert Watson #include <unistd.h>
697a0a89d2SRobert Watson #include <netdb.h>
707a0a89d2SRobert Watson
717a0a89d2SRobert Watson #ifdef __APPLE__
727a0a89d2SRobert Watson #include <notify.h>
737a0a89d2SRobert Watson #ifndef __BSM_INTERNAL_NOTIFY_KEY
747a0a89d2SRobert Watson #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
757a0a89d2SRobert Watson #endif /* __BSM_INTERNAL_NOTIFY_KEY */
767a0a89d2SRobert Watson #endif /* __APPLE__ */
777a0a89d2SRobert Watson
787a0a89d2SRobert Watson /*
797a0a89d2SRobert Watson * XXX This is temporary until this is moved to <bsm/audit.h> and shared with
807a0a89d2SRobert Watson * the kernel.
817a0a89d2SRobert Watson */
827a0a89d2SRobert Watson #ifndef AUDIT_HARD_LIMIT_FREE_BLOCKS
837a0a89d2SRobert Watson #define AUDIT_HARD_LIMIT_FREE_BLOCKS 4
847a0a89d2SRobert Watson #endif
857a0a89d2SRobert Watson
8606edd2f1SRobert Watson /*
8706edd2f1SRobert Watson * Number of seconds to January 1, 2000
8806edd2f1SRobert Watson */
8906edd2f1SRobert Watson #define JAN_01_2000 946598400
9006edd2f1SRobert Watson
917a0a89d2SRobert Watson struct dir_ent {
927a0a89d2SRobert Watson char *dirname;
937a0a89d2SRobert Watson uint8_t softlim;
947a0a89d2SRobert Watson uint8_t hardlim;
957a0a89d2SRobert Watson TAILQ_ENTRY(dir_ent) dirs;
967a0a89d2SRobert Watson };
977a0a89d2SRobert Watson
987a0a89d2SRobert Watson static TAILQ_HEAD(, dir_ent) dir_q;
9906edd2f1SRobert Watson
10006edd2f1SRobert Watson struct audit_trail {
10106edd2f1SRobert Watson time_t at_time;
10206edd2f1SRobert Watson char *at_path;
10306edd2f1SRobert Watson off_t at_size;
10406edd2f1SRobert Watson
10506edd2f1SRobert Watson TAILQ_ENTRY(audit_trail) at_trls;
10606edd2f1SRobert Watson };
10706edd2f1SRobert Watson
10806edd2f1SRobert Watson static int auditd_minval = -1;
109aa772005SRobert Watson static int auditd_dist = 0;
11006edd2f1SRobert Watson
11106edd2f1SRobert Watson static char auditd_host[MAXHOSTNAMELEN];
11206edd2f1SRobert Watson static int auditd_hostlen = -1;
1137a0a89d2SRobert Watson
1147a0a89d2SRobert Watson static char *auditd_errmsg[] = {
1157a0a89d2SRobert Watson "no error", /* ADE_NOERR ( 0) */
1167a0a89d2SRobert Watson "could not parse audit_control(5) file", /* ADE_PARSE ( 1) */
1177a0a89d2SRobert Watson "auditon(2) failed", /* ADE_AUDITON ( 2) */
1187a0a89d2SRobert Watson "malloc(3) failed", /* ADE_NOMEM ( 3) */
1197a0a89d2SRobert Watson "all audit log directories over soft limit", /* ADE_SOFTLIM ( 4) */
1207a0a89d2SRobert Watson "all audit log directories over hard limit", /* ADE_HARDLIM ( 5) */
1217a0a89d2SRobert Watson "could not create file name string", /* ADE_STRERR ( 6) */
1227a0a89d2SRobert Watson "could not open audit record", /* ADE_AU_OPEN ( 7) */
1237a0a89d2SRobert Watson "could not close audit record", /* ADE_AU_CLOSE ( 8) */
1247a0a89d2SRobert Watson "could not set active audit session state", /* ADE_SETAUDIT ( 9) */
1257a0a89d2SRobert Watson "auditctl(2) failed (trail still swapped)", /* ADE_ACTL (10) */
1267a0a89d2SRobert Watson "auditctl(2) failed (trail not swapped)", /* ADE_ACTLERR (11) */
1277a0a89d2SRobert Watson "could not swap audit trail file", /* ADE_SWAPERR (12) */
1287a0a89d2SRobert Watson "could not rename crash recovery file", /* ADE_RENAME (13) */
1297a0a89d2SRobert Watson "could not read 'current' link file", /* ADE_READLINK (14) */
1307a0a89d2SRobert Watson "could not create 'current' link file", /* ADE_SYMLINK (15) */
1317a0a89d2SRobert Watson "invalid argument", /* ADE_INVAL (16) */
1327a0a89d2SRobert Watson "could not resolve hostname to address", /* ADE_GETADDR (17) */
1337a0a89d2SRobert Watson "address family not supported", /* ADE_ADDRFAM (18) */
13406edd2f1SRobert Watson "error expiring audit trail files", /* ADE_EXPIRE (19) */
1357a0a89d2SRobert Watson };
1367a0a89d2SRobert Watson
1377a0a89d2SRobert Watson #define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
1387a0a89d2SRobert Watson
139597df30eSRobert Watson #define NA_EVENT_STR_SIZE 128
1407a0a89d2SRobert Watson #define POL_STR_SIZE 128
1417a0a89d2SRobert Watson
1427a0a89d2SRobert Watson
1437a0a89d2SRobert Watson /*
1447a0a89d2SRobert Watson * Look up and return the error string for the given audit error code.
1457a0a89d2SRobert Watson */
1467a0a89d2SRobert Watson const char *
auditd_strerror(int errcode)1477a0a89d2SRobert Watson auditd_strerror(int errcode)
1487a0a89d2SRobert Watson {
1497a0a89d2SRobert Watson int idx = -errcode;
1507a0a89d2SRobert Watson
1517a0a89d2SRobert Watson if (idx < 0 || idx > (int)MAXERRCODE)
1527a0a89d2SRobert Watson return ("Invalid auditd error code");
1537a0a89d2SRobert Watson
1547a0a89d2SRobert Watson return (auditd_errmsg[idx]);
1557a0a89d2SRobert Watson }
1567a0a89d2SRobert Watson
1577a0a89d2SRobert Watson
1587a0a89d2SRobert Watson /*
159aa772005SRobert Watson * Free our local list of directory names and init list.
1607a0a89d2SRobert Watson */
1617a0a89d2SRobert Watson static void
free_dir_q(void)1627a0a89d2SRobert Watson free_dir_q(void)
1637a0a89d2SRobert Watson {
1647a0a89d2SRobert Watson struct dir_ent *d1, *d2;
1657a0a89d2SRobert Watson
1667a0a89d2SRobert Watson d1 = TAILQ_FIRST(&dir_q);
1677a0a89d2SRobert Watson while (d1 != NULL) {
1687a0a89d2SRobert Watson d2 = TAILQ_NEXT(d1, dirs);
1697a0a89d2SRobert Watson free(d1->dirname);
1707a0a89d2SRobert Watson free(d1);
1717a0a89d2SRobert Watson d1 = d2;
1727a0a89d2SRobert Watson }
1737a0a89d2SRobert Watson TAILQ_INIT(&dir_q);
1747a0a89d2SRobert Watson }
1757a0a89d2SRobert Watson
1767a0a89d2SRobert Watson /*
1777a0a89d2SRobert Watson * Concat the directory name to the given file name.
1787a0a89d2SRobert Watson * XXX We should affix the hostname also
1797a0a89d2SRobert Watson */
1807a0a89d2SRobert Watson static char *
affixdir(char * name,struct dir_ent * dirent)1817a0a89d2SRobert Watson affixdir(char *name, struct dir_ent *dirent)
1827a0a89d2SRobert Watson {
1837a0a89d2SRobert Watson char *fn = NULL;
1847a0a89d2SRobert Watson
1857a0a89d2SRobert Watson /*
1867a0a89d2SRobert Watson * Sanity check on file name.
1877a0a89d2SRobert Watson */
188aa772005SRobert Watson if (strlen(name) != FILENAME_LEN) {
1897a0a89d2SRobert Watson errno = EINVAL;
1907a0a89d2SRobert Watson return (NULL);
1917a0a89d2SRobert Watson }
1927a0a89d2SRobert Watson
19306edd2f1SRobert Watson /*
19406edd2f1SRobert Watson * If the host is set then also add the hostname to the filename.
19506edd2f1SRobert Watson */
1966d4db583SPawel Jakub Dawidek if (auditd_hostlen > 0)
19706edd2f1SRobert Watson asprintf(&fn, "%s/%s.%s", dirent->dirname, name, auditd_host);
19806edd2f1SRobert Watson else
1997a0a89d2SRobert Watson asprintf(&fn, "%s/%s", dirent->dirname, name);
2007a0a89d2SRobert Watson return (fn);
2017a0a89d2SRobert Watson }
2027a0a89d2SRobert Watson
2037a0a89d2SRobert Watson /*
2047a0a89d2SRobert Watson * Insert the directory entry in the list by the way they are ordered in
2057a0a89d2SRobert Watson * audit_control(5). Move the entries that are over the soft and hard limits
2067a0a89d2SRobert Watson * toward the tail.
2077a0a89d2SRobert Watson */
2087a0a89d2SRobert Watson static void
insert_orderly(struct dir_ent * denew)2097a0a89d2SRobert Watson insert_orderly(struct dir_ent *denew)
2107a0a89d2SRobert Watson {
2117a0a89d2SRobert Watson struct dir_ent *dep;
2127a0a89d2SRobert Watson
2137a0a89d2SRobert Watson TAILQ_FOREACH(dep, &dir_q, dirs) {
2147a0a89d2SRobert Watson if (dep->softlim == 1 && denew->softlim == 0) {
2157a0a89d2SRobert Watson TAILQ_INSERT_BEFORE(dep, denew, dirs);
2167a0a89d2SRobert Watson return;
2177a0a89d2SRobert Watson }
2187a0a89d2SRobert Watson if (dep->hardlim == 1 && denew->hardlim == 0) {
2197a0a89d2SRobert Watson TAILQ_INSERT_BEFORE(dep, denew, dirs);
2207a0a89d2SRobert Watson return;
2217a0a89d2SRobert Watson }
2227a0a89d2SRobert Watson }
2237a0a89d2SRobert Watson TAILQ_INSERT_TAIL(&dir_q, denew, dirs);
2247a0a89d2SRobert Watson }
2257a0a89d2SRobert Watson
2267a0a89d2SRobert Watson /*
227aa772005SRobert Watson * Get the min percentage of free blocks from audit_control(5) and that
228aa772005SRobert Watson * value in the kernel. Return:
229aa772005SRobert Watson * ADE_NOERR on success,
230aa772005SRobert Watson * ADE_PARSE error parsing audit_control(5),
231aa772005SRobert Watson */
232aa772005SRobert Watson int
auditd_set_dist(void)233aa772005SRobert Watson auditd_set_dist(void)
234aa772005SRobert Watson {
235aa772005SRobert Watson int ret;
236aa772005SRobert Watson
237aa772005SRobert Watson ret = getacdist();
238aa772005SRobert Watson if (ret < 0)
239aa772005SRobert Watson return (ADE_PARSE);
240aa772005SRobert Watson
241aa772005SRobert Watson auditd_dist = ret;
242aa772005SRobert Watson
243aa772005SRobert Watson return (ADE_NOERR);
244aa772005SRobert Watson }
245aa772005SRobert Watson
246aa772005SRobert Watson /*
2477a0a89d2SRobert Watson * Get the host from audit_control(5) and set it in the audit kernel
2487a0a89d2SRobert Watson * information. Return:
2497a0a89d2SRobert Watson * ADE_NOERR on success.
2507a0a89d2SRobert Watson * ADE_PARSE error parsing audit_control(5).
2517a0a89d2SRobert Watson * ADE_AUDITON error getting/setting auditon(2) value.
2527a0a89d2SRobert Watson * ADE_GETADDR error getting address info for host.
2537a0a89d2SRobert Watson * ADE_ADDRFAM un-supported address family.
2547a0a89d2SRobert Watson */
2557a0a89d2SRobert Watson int
auditd_set_host(void)2567a0a89d2SRobert Watson auditd_set_host(void)
2577a0a89d2SRobert Watson {
2587a0a89d2SRobert Watson struct sockaddr_in6 *sin6;
2597a0a89d2SRobert Watson struct sockaddr_in *sin;
2607a0a89d2SRobert Watson struct addrinfo *res;
2617a0a89d2SRobert Watson struct auditinfo_addr aia;
2627a0a89d2SRobert Watson int error, ret = ADE_NOERR;
2637a0a89d2SRobert Watson
2646e3b0894SAlan Somers if ((getachost(auditd_host, sizeof(auditd_host)) != 0) ||
2656e3b0894SAlan Somers ((auditd_hostlen = strlen(auditd_host)) == 0)) {
2667a0a89d2SRobert Watson ret = ADE_PARSE;
2677a0a89d2SRobert Watson
2687a0a89d2SRobert Watson /*
2697a0a89d2SRobert Watson * To maintain reverse compatability with older audit_control
2707a0a89d2SRobert Watson * files, simply drop a warning if the host parameter has not
2717a0a89d2SRobert Watson * been set. However, we will explicitly disable the
2727a0a89d2SRobert Watson * generation of extended audit header by passing in a zeroed
2737a0a89d2SRobert Watson * termid structure.
2747a0a89d2SRobert Watson */
2757a0a89d2SRobert Watson bzero(&aia, sizeof(aia));
2767a0a89d2SRobert Watson aia.ai_termid.at_type = AU_IPv4;
277c0020399SRobert Watson error = audit_set_kaudit(&aia, sizeof(aia));
2787a0a89d2SRobert Watson if (error < 0 && errno != ENOSYS)
2797a0a89d2SRobert Watson ret = ADE_AUDITON;
2807a0a89d2SRobert Watson return (ret);
2817a0a89d2SRobert Watson }
28206edd2f1SRobert Watson error = getaddrinfo(auditd_host, NULL, NULL, &res);
2837a0a89d2SRobert Watson if (error)
2847a0a89d2SRobert Watson return (ADE_GETADDR);
2857a0a89d2SRobert Watson switch (res->ai_family) {
2867a0a89d2SRobert Watson case PF_INET6:
2877a0a89d2SRobert Watson sin6 = (struct sockaddr_in6 *) res->ai_addr;
2887a0a89d2SRobert Watson bcopy(&sin6->sin6_addr.s6_addr,
2897a0a89d2SRobert Watson &aia.ai_termid.at_addr[0], sizeof(struct in6_addr));
2907a0a89d2SRobert Watson aia.ai_termid.at_type = AU_IPv6;
2917a0a89d2SRobert Watson break;
2927a0a89d2SRobert Watson
2937a0a89d2SRobert Watson case PF_INET:
2947a0a89d2SRobert Watson sin = (struct sockaddr_in *) res->ai_addr;
2957a0a89d2SRobert Watson bcopy(&sin->sin_addr.s_addr,
2967a0a89d2SRobert Watson &aia.ai_termid.at_addr[0], sizeof(struct in_addr));
2977a0a89d2SRobert Watson aia.ai_termid.at_type = AU_IPv4;
2987a0a89d2SRobert Watson break;
2997a0a89d2SRobert Watson
3007a0a89d2SRobert Watson default:
3017a0a89d2SRobert Watson /* Un-supported address family in host parameter. */
3027a0a89d2SRobert Watson errno = EAFNOSUPPORT;
3037a0a89d2SRobert Watson return (ADE_ADDRFAM);
3047a0a89d2SRobert Watson }
3057a0a89d2SRobert Watson
306c0020399SRobert Watson if (audit_set_kaudit(&aia, sizeof(aia)) < 0)
3077a0a89d2SRobert Watson ret = ADE_AUDITON;
3087a0a89d2SRobert Watson
3097a0a89d2SRobert Watson return (ret);
3107a0a89d2SRobert Watson }
3117a0a89d2SRobert Watson
3127a0a89d2SRobert Watson /*
3137a0a89d2SRobert Watson * Get the min percentage of free blocks from audit_control(5) and that
3147a0a89d2SRobert Watson * value in the kernel. Return:
3157a0a89d2SRobert Watson * ADE_NOERR on success,
3167a0a89d2SRobert Watson * ADE_PARSE error parsing audit_control(5),
3177a0a89d2SRobert Watson * ADE_AUDITON error getting/setting auditon(2) value.
3187a0a89d2SRobert Watson */
3197a0a89d2SRobert Watson int
auditd_set_minfree(void)3207a0a89d2SRobert Watson auditd_set_minfree(void)
3217a0a89d2SRobert Watson {
3227a0a89d2SRobert Watson au_qctrl_t qctrl;
3237a0a89d2SRobert Watson
32406edd2f1SRobert Watson if (getacmin(&auditd_minval) != 0)
3257a0a89d2SRobert Watson return (ADE_PARSE);
3267a0a89d2SRobert Watson
327c0020399SRobert Watson if (audit_get_qctrl(&qctrl, sizeof(qctrl)) != 0)
3287a0a89d2SRobert Watson return (ADE_AUDITON);
3297a0a89d2SRobert Watson
33006edd2f1SRobert Watson if (qctrl.aq_minfree != auditd_minval) {
33106edd2f1SRobert Watson qctrl.aq_minfree = auditd_minval;
332c0020399SRobert Watson if (audit_set_qctrl(&qctrl, sizeof(qctrl)) != 0)
3337a0a89d2SRobert Watson return (ADE_AUDITON);
3347a0a89d2SRobert Watson }
3357a0a89d2SRobert Watson
3367a0a89d2SRobert Watson return (0);
3377a0a89d2SRobert Watson }
3387a0a89d2SRobert Watson
3397a0a89d2SRobert Watson /*
34006edd2f1SRobert Watson * Convert a trailname into a timestamp (seconds). Return 0 if the conversion
34106edd2f1SRobert Watson * was successful.
34206edd2f1SRobert Watson */
34306edd2f1SRobert Watson static int
trailname_to_tstamp(char * fn,time_t * tstamp)34406edd2f1SRobert Watson trailname_to_tstamp(char *fn, time_t *tstamp)
34506edd2f1SRobert Watson {
34606edd2f1SRobert Watson struct tm tm;
347aa772005SRobert Watson char ts[TIMESTAMP_LEN + 1];
34806edd2f1SRobert Watson char *p;
34906edd2f1SRobert Watson
35006edd2f1SRobert Watson *tstamp = 0;
35106edd2f1SRobert Watson
35206edd2f1SRobert Watson /*
35306edd2f1SRobert Watson * Get the ending time stamp.
35406edd2f1SRobert Watson */
35506edd2f1SRobert Watson if ((p = strchr(fn, '.')) == NULL)
35606edd2f1SRobert Watson return (1);
357aa772005SRobert Watson strlcpy(ts, ++p, sizeof(ts));
35806edd2f1SRobert Watson if (strlen(ts) != POSTFIX_LEN)
35906edd2f1SRobert Watson return (1);
36006edd2f1SRobert Watson
36106edd2f1SRobert Watson bzero(&tm, sizeof(tm));
36206edd2f1SRobert Watson
36306edd2f1SRobert Watson /* seconds (0-60) */
36406edd2f1SRobert Watson p = ts + POSTFIX_LEN - 2;
36506edd2f1SRobert Watson tm.tm_sec = atol(p);
36606edd2f1SRobert Watson if (tm.tm_sec < 0 || tm.tm_sec > 60)
36706edd2f1SRobert Watson return (1);
36806edd2f1SRobert Watson
36906edd2f1SRobert Watson /* minutes (0-59) */
37006edd2f1SRobert Watson *p = '\0'; p -= 2;
37106edd2f1SRobert Watson tm.tm_min = atol(p);
37206edd2f1SRobert Watson if (tm.tm_min < 0 || tm.tm_min > 59)
37306edd2f1SRobert Watson return (1);
37406edd2f1SRobert Watson
37506edd2f1SRobert Watson /* hours (0 - 23) */
37606edd2f1SRobert Watson *p = '\0'; p -= 2;
37706edd2f1SRobert Watson tm.tm_hour = atol(p);
37806edd2f1SRobert Watson if (tm.tm_hour < 0 || tm.tm_hour > 23)
37906edd2f1SRobert Watson return (1);
38006edd2f1SRobert Watson
38106edd2f1SRobert Watson /* day of month (1-31) */
38206edd2f1SRobert Watson *p = '\0'; p -= 2;
38306edd2f1SRobert Watson tm.tm_mday = atol(p);
38406edd2f1SRobert Watson if (tm.tm_mday < 1 || tm.tm_mday > 31)
38506edd2f1SRobert Watson return (1);
38606edd2f1SRobert Watson
38706edd2f1SRobert Watson /* month (0 - 11) */
38806edd2f1SRobert Watson *p = '\0'; p -= 2;
38906edd2f1SRobert Watson tm.tm_mon = atol(p) - 1;
39006edd2f1SRobert Watson if (tm.tm_mon < 0 || tm.tm_mon > 11)
39106edd2f1SRobert Watson return (1);
39206edd2f1SRobert Watson
39306edd2f1SRobert Watson /* year (year - 1900) */
39406edd2f1SRobert Watson *p = '\0'; p -= 4;
39506edd2f1SRobert Watson tm.tm_year = atol(p) - 1900;
39606edd2f1SRobert Watson if (tm.tm_year < 0)
39706edd2f1SRobert Watson return (1);
39806edd2f1SRobert Watson
39906edd2f1SRobert Watson *tstamp = timegm(&tm);
40006edd2f1SRobert Watson
40106edd2f1SRobert Watson return (0);
40206edd2f1SRobert Watson }
40306edd2f1SRobert Watson
40406edd2f1SRobert Watson /*
40506edd2f1SRobert Watson * Remove audit trails files according to the expiration conditions. Returns:
40606edd2f1SRobert Watson * ADE_NOERR on success or there is nothing to do.
40706edd2f1SRobert Watson * ADE_PARSE if error parsing audit_control(5).
40806edd2f1SRobert Watson * ADE_NOMEM if could not allocate memory.
409b6a05070SChristian Brueffer * ADE_READLINK if could not read link file.
410b6a05070SChristian Brueffer * ADE_EXPIRE if there was an unexpected error.
41106edd2f1SRobert Watson */
41206edd2f1SRobert Watson int
auditd_expire_trails(int (* warn_expired)(char *))41306edd2f1SRobert Watson auditd_expire_trails(int (*warn_expired)(char *))
41406edd2f1SRobert Watson {
415b6a05070SChristian Brueffer int andflg, len, ret = ADE_NOERR;
41606edd2f1SRobert Watson size_t expire_size, total_size = 0L;
41706edd2f1SRobert Watson time_t expire_age, oldest_time, current_time = time(NULL);
41806edd2f1SRobert Watson struct dir_ent *traildir;
41906edd2f1SRobert Watson struct audit_trail *at;
42006edd2f1SRobert Watson char *afnp, *pn;
42106edd2f1SRobert Watson TAILQ_HEAD(au_trls_head, audit_trail) head =
42206edd2f1SRobert Watson TAILQ_HEAD_INITIALIZER(head);
42306edd2f1SRobert Watson struct stat stbuf;
42406edd2f1SRobert Watson char activefn[MAXPATHLEN];
42506edd2f1SRobert Watson
42606edd2f1SRobert Watson /*
42706edd2f1SRobert Watson * Read the expiration conditions. If no conditions then return no
42806edd2f1SRobert Watson * error.
42906edd2f1SRobert Watson */
43006edd2f1SRobert Watson if (getacexpire(&andflg, &expire_age, &expire_size) < 0)
43106edd2f1SRobert Watson return (ADE_PARSE);
43206edd2f1SRobert Watson if (!expire_age && !expire_size)
43306edd2f1SRobert Watson return (ADE_NOERR);
43406edd2f1SRobert Watson
43506edd2f1SRobert Watson /*
43606edd2f1SRobert Watson * Read the 'current' trail file name. Trim off directory path.
43706edd2f1SRobert Watson */
43806edd2f1SRobert Watson activefn[0] = '\0';
439b6a05070SChristian Brueffer len = readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);
440b6a05070SChristian Brueffer if (len < 0)
441b6a05070SChristian Brueffer return (ADE_READLINK);
44206edd2f1SRobert Watson if ((afnp = strrchr(activefn, '/')) != NULL)
44306edd2f1SRobert Watson afnp++;
44406edd2f1SRobert Watson
44506edd2f1SRobert Watson
44606edd2f1SRobert Watson /*
44706edd2f1SRobert Watson * Build tail queue of the trail files.
44806edd2f1SRobert Watson */
44906edd2f1SRobert Watson TAILQ_FOREACH(traildir, &dir_q, dirs) {
45006edd2f1SRobert Watson DIR *dirp;
45106edd2f1SRobert Watson struct dirent *dp;
45206edd2f1SRobert Watson
45306edd2f1SRobert Watson dirp = opendir(traildir->dirname);
45406edd2f1SRobert Watson while ((dp = readdir(dirp)) != NULL) {
45506edd2f1SRobert Watson time_t tstamp = 0;
45606edd2f1SRobert Watson struct audit_trail *new;
45706edd2f1SRobert Watson
45806edd2f1SRobert Watson /*
45906edd2f1SRobert Watson * Quickly filter non-trail files.
46006edd2f1SRobert Watson */
461aa772005SRobert Watson if (dp->d_namlen < FILENAME_LEN ||
46206edd2f1SRobert Watson dp->d_name[POSTFIX_LEN] != '.')
46306edd2f1SRobert Watson continue;
46406edd2f1SRobert Watson
46506edd2f1SRobert Watson if (asprintf(&pn, "%s/%s", traildir->dirname,
46606edd2f1SRobert Watson dp->d_name) < 0) {
46706edd2f1SRobert Watson ret = ADE_NOMEM;
46806edd2f1SRobert Watson break;
46906edd2f1SRobert Watson }
47006edd2f1SRobert Watson
47106edd2f1SRobert Watson if (stat(pn, &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
47206edd2f1SRobert Watson free(pn);
47306edd2f1SRobert Watson continue;
47406edd2f1SRobert Watson }
47506edd2f1SRobert Watson
47606edd2f1SRobert Watson total_size += stbuf.st_size;
47706edd2f1SRobert Watson
47806edd2f1SRobert Watson /*
47906edd2f1SRobert Watson * If this is the 'current' audit trail then
48006edd2f1SRobert Watson * don't add it to the tail queue.
48106edd2f1SRobert Watson */
482aa772005SRobert Watson if (NULL != afnp && strcmp(dp->d_name, afnp) == 0) {
48306edd2f1SRobert Watson free(pn);
48406edd2f1SRobert Watson continue;
48506edd2f1SRobert Watson }
48606edd2f1SRobert Watson
48706edd2f1SRobert Watson /*
48806edd2f1SRobert Watson * Get the ending time stamp encoded in the trail
48906edd2f1SRobert Watson * name. If we can't read it or if it is older
49006edd2f1SRobert Watson * than Jan 1, 2000 then use the mtime.
49106edd2f1SRobert Watson */
49206edd2f1SRobert Watson if (trailname_to_tstamp(dp->d_name, &tstamp) != 0 ||
49306edd2f1SRobert Watson tstamp < JAN_01_2000)
49406edd2f1SRobert Watson tstamp = stbuf.st_mtime;
49506edd2f1SRobert Watson
49606edd2f1SRobert Watson /*
49706edd2f1SRobert Watson * If the time stamp is older than Jan 1, 2000 then
49806edd2f1SRobert Watson * update the mtime of the trail file to the current
49906edd2f1SRobert Watson * time. This is so we don't prematurely remove a trail
50006edd2f1SRobert Watson * file that was created while the system clock reset
5013008333dSChristian S.J. Peron * to the "beginning of time" but later the system
50206edd2f1SRobert Watson * clock is set to the correct current time.
50306edd2f1SRobert Watson */
50406edd2f1SRobert Watson if (current_time >= JAN_01_2000 &&
50506edd2f1SRobert Watson tstamp < JAN_01_2000) {
50606edd2f1SRobert Watson struct timeval tv[2];
50706edd2f1SRobert Watson
50806edd2f1SRobert Watson tstamp = stbuf.st_mtime = current_time;
50906edd2f1SRobert Watson TIMESPEC_TO_TIMEVAL(&tv[0],
51006edd2f1SRobert Watson &stbuf.st_atimespec);
51106edd2f1SRobert Watson TIMESPEC_TO_TIMEVAL(&tv[1],
51206edd2f1SRobert Watson &stbuf.st_mtimespec);
51306edd2f1SRobert Watson utimes(pn, tv);
51406edd2f1SRobert Watson }
51506edd2f1SRobert Watson
51606edd2f1SRobert Watson /*
51706edd2f1SRobert Watson * Allocate and populate the new entry.
51806edd2f1SRobert Watson */
51906edd2f1SRobert Watson new = malloc(sizeof(*new));
52006edd2f1SRobert Watson if (NULL == new) {
52106edd2f1SRobert Watson free(pn);
52206edd2f1SRobert Watson ret = ADE_NOMEM;
52306edd2f1SRobert Watson break;
52406edd2f1SRobert Watson }
52506edd2f1SRobert Watson new->at_time = tstamp;
52606edd2f1SRobert Watson new->at_size = stbuf.st_size;
52706edd2f1SRobert Watson new->at_path = pn;
52806edd2f1SRobert Watson
52906edd2f1SRobert Watson /*
53006edd2f1SRobert Watson * Check to see if we have a new head. Otherwise,
53106edd2f1SRobert Watson * walk the tailq from the tail first and do a simple
53206edd2f1SRobert Watson * insertion sort.
53306edd2f1SRobert Watson */
53406edd2f1SRobert Watson if (TAILQ_EMPTY(&head) ||
535aa772005SRobert Watson new->at_time <= TAILQ_FIRST(&head)->at_time) {
53606edd2f1SRobert Watson TAILQ_INSERT_HEAD(&head, new, at_trls);
53706edd2f1SRobert Watson continue;
53806edd2f1SRobert Watson }
53906edd2f1SRobert Watson
54006edd2f1SRobert Watson TAILQ_FOREACH_REVERSE(at, &head, au_trls_head, at_trls)
54106edd2f1SRobert Watson if (new->at_time >= at->at_time) {
54206edd2f1SRobert Watson TAILQ_INSERT_AFTER(&head, at, new,
54306edd2f1SRobert Watson at_trls);
54406edd2f1SRobert Watson break;
54506edd2f1SRobert Watson }
54606edd2f1SRobert Watson
54706edd2f1SRobert Watson }
5483ee3cd17SRobert Watson closedir(dirp);
54906edd2f1SRobert Watson }
55006edd2f1SRobert Watson
55106edd2f1SRobert Watson oldest_time = current_time - expire_age;
55206edd2f1SRobert Watson
55306edd2f1SRobert Watson /*
55406edd2f1SRobert Watson * Expire trail files, oldest (mtime) first, if the given
55506edd2f1SRobert Watson * conditions are met.
55606edd2f1SRobert Watson */
55706edd2f1SRobert Watson at = TAILQ_FIRST(&head);
55806edd2f1SRobert Watson while (NULL != at) {
55906edd2f1SRobert Watson struct audit_trail *at_next = TAILQ_NEXT(at, at_trls);
56006edd2f1SRobert Watson
56106edd2f1SRobert Watson if (andflg) {
56206edd2f1SRobert Watson if ((expire_size && total_size > expire_size) &&
56306edd2f1SRobert Watson (expire_age && at->at_time < oldest_time)) {
56406edd2f1SRobert Watson if (warn_expired)
56506edd2f1SRobert Watson (*warn_expired)(at->at_path);
56606edd2f1SRobert Watson if (unlink(at->at_path) < 0)
56706edd2f1SRobert Watson ret = ADE_EXPIRE;
56806edd2f1SRobert Watson total_size -= at->at_size;
56906edd2f1SRobert Watson }
57006edd2f1SRobert Watson } else {
57106edd2f1SRobert Watson if ((expire_size && total_size > expire_size) ||
57206edd2f1SRobert Watson (expire_age && at->at_time < oldest_time)) {
57306edd2f1SRobert Watson if (warn_expired)
57406edd2f1SRobert Watson (*warn_expired)(at->at_path);
57506edd2f1SRobert Watson if (unlink(at->at_path) < 0)
57606edd2f1SRobert Watson ret = ADE_EXPIRE;
57706edd2f1SRobert Watson total_size -= at->at_size;
57806edd2f1SRobert Watson }
57906edd2f1SRobert Watson }
58006edd2f1SRobert Watson
58106edd2f1SRobert Watson free(at->at_path);
58206edd2f1SRobert Watson free(at);
58306edd2f1SRobert Watson at = at_next;
58406edd2f1SRobert Watson }
58506edd2f1SRobert Watson
58606edd2f1SRobert Watson return (ret);
58706edd2f1SRobert Watson }
58806edd2f1SRobert Watson
58906edd2f1SRobert Watson /*
5907a0a89d2SRobert Watson * Parses the "dir" entry in audit_control(5) into an ordered list. Also, will
59106edd2f1SRobert Watson * set the minfree and host values if not already set. Arguments include
59206edd2f1SRobert Watson * function pointers to audit_warn functions for soft and hard limits. Returns:
5937a0a89d2SRobert Watson * ADE_NOERR on success,
5947a0a89d2SRobert Watson * ADE_PARSE error parsing audit_control(5),
5957a0a89d2SRobert Watson * ADE_AUDITON error getting/setting auditon(2) value,
5967a0a89d2SRobert Watson * ADE_NOMEM error allocating memory,
5977a0a89d2SRobert Watson * ADE_SOFTLIM if all the directories are over the soft limit,
5987a0a89d2SRobert Watson * ADE_HARDLIM if all the directories are over the hard limit,
5997a0a89d2SRobert Watson */
6007a0a89d2SRobert Watson int
auditd_read_dirs(int (* warn_soft)(char *),int (* warn_hard)(char *))6017a0a89d2SRobert Watson auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
6027a0a89d2SRobert Watson {
6037a0a89d2SRobert Watson char cur_dir[MAXNAMLEN];
6047a0a89d2SRobert Watson struct dir_ent *dirent;
6057a0a89d2SRobert Watson struct statfs sfs;
6067a0a89d2SRobert Watson int err;
6077a0a89d2SRobert Watson char soft, hard;
6087a0a89d2SRobert Watson int tcnt = 0;
6097a0a89d2SRobert Watson int scnt = 0;
6107a0a89d2SRobert Watson int hcnt = 0;
6117a0a89d2SRobert Watson
61206edd2f1SRobert Watson if (auditd_minval == -1 && (err = auditd_set_minfree()) != 0)
6137a0a89d2SRobert Watson return (err);
6147a0a89d2SRobert Watson
61506edd2f1SRobert Watson if (auditd_hostlen == -1)
61606edd2f1SRobert Watson auditd_set_host();
61706edd2f1SRobert Watson
6187a0a89d2SRobert Watson /*
6197a0a89d2SRobert Watson * Init directory q. Force a re-read of the file the next time.
6207a0a89d2SRobert Watson */
6217a0a89d2SRobert Watson free_dir_q();
6227a0a89d2SRobert Watson endac();
6237a0a89d2SRobert Watson
6247a0a89d2SRobert Watson /*
6257a0a89d2SRobert Watson * Read the list of directories into an ordered linked list
6267a0a89d2SRobert Watson * admin's preference, then those over soft limit and, finally,
6277a0a89d2SRobert Watson * those over the hard limit.
6287a0a89d2SRobert Watson *
6297a0a89d2SRobert Watson * XXX We should use the reentrant interfaces once they are
6307a0a89d2SRobert Watson * available.
6317a0a89d2SRobert Watson */
6327a0a89d2SRobert Watson while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
6337a0a89d2SRobert Watson if (statfs(cur_dir, &sfs) < 0)
6347a0a89d2SRobert Watson continue; /* XXX should warn */
635aa772005SRobert Watson soft = (sfs.f_bfree < (sfs.f_blocks * auditd_minval / 100 )) ?
63606edd2f1SRobert Watson 1 : 0;
6377a0a89d2SRobert Watson hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
6387a0a89d2SRobert Watson if (soft) {
6397a0a89d2SRobert Watson if (warn_soft)
6407a0a89d2SRobert Watson (*warn_soft)(cur_dir);
6417a0a89d2SRobert Watson scnt++;
6427a0a89d2SRobert Watson }
6437a0a89d2SRobert Watson if (hard) {
6447a0a89d2SRobert Watson if (warn_hard)
6457a0a89d2SRobert Watson (*warn_hard)(cur_dir);
6467a0a89d2SRobert Watson hcnt++;
6477a0a89d2SRobert Watson }
6487a0a89d2SRobert Watson dirent = (struct dir_ent *) malloc(sizeof(struct dir_ent));
6497a0a89d2SRobert Watson if (dirent == NULL)
6507a0a89d2SRobert Watson return (ADE_NOMEM);
6517a0a89d2SRobert Watson dirent->softlim = soft;
6527a0a89d2SRobert Watson dirent->hardlim = hard;
6537a0a89d2SRobert Watson dirent->dirname = (char *) malloc(MAXNAMLEN);
6547a0a89d2SRobert Watson if (dirent->dirname == NULL) {
6557a0a89d2SRobert Watson free(dirent);
6567a0a89d2SRobert Watson return (ADE_NOMEM);
6577a0a89d2SRobert Watson }
6587a0a89d2SRobert Watson strlcpy(dirent->dirname, cur_dir, MAXNAMLEN);
6597a0a89d2SRobert Watson insert_orderly(dirent);
6607a0a89d2SRobert Watson tcnt++;
6617a0a89d2SRobert Watson }
6627a0a89d2SRobert Watson
6637a0a89d2SRobert Watson if (hcnt == tcnt)
6647a0a89d2SRobert Watson return (ADE_HARDLIM);
6657a0a89d2SRobert Watson if (scnt == tcnt)
6667a0a89d2SRobert Watson return (ADE_SOFTLIM);
6677a0a89d2SRobert Watson return (0);
6687a0a89d2SRobert Watson }
6697a0a89d2SRobert Watson
6707a0a89d2SRobert Watson void
auditd_close_dirs(void)6717a0a89d2SRobert Watson auditd_close_dirs(void)
6727a0a89d2SRobert Watson {
6737a0a89d2SRobert Watson free_dir_q();
67406edd2f1SRobert Watson auditd_minval = -1;
67506edd2f1SRobert Watson auditd_hostlen = -1;
6767a0a89d2SRobert Watson }
6777a0a89d2SRobert Watson
6787a0a89d2SRobert Watson
6797a0a89d2SRobert Watson /*
6807a0a89d2SRobert Watson * Process the audit event file, obtaining a class mapping for each event, and
6817a0a89d2SRobert Watson * set that mapping into the kernel. Return:
6827a0a89d2SRobert Watson * n number of event mappings that were successfully processed,
6837a0a89d2SRobert Watson * ADE_NOMEM if there was an error allocating memory.
6845e386598SRobert Watson *
6855e386598SRobert Watson * Historically, this code only set up the in-kernel class mapping. On
6865e386598SRobert Watson * systems with an in-kernel event-to-name mapping, it also now installs that,
6875e386598SRobert Watson * as it is iterating over the event list anyway. Failures there will be
6885e386598SRobert Watson * ignored as not all kernels support the feature.
6897a0a89d2SRobert Watson */
6907a0a89d2SRobert Watson int
auditd_set_evcmap(void)6917a0a89d2SRobert Watson auditd_set_evcmap(void)
6927a0a89d2SRobert Watson {
6937a0a89d2SRobert Watson au_event_ent_t ev, *evp;
6947a0a89d2SRobert Watson au_evclass_map_t evc_map;
6955e386598SRobert Watson au_evname_map_t evn_map;
6967a0a89d2SRobert Watson int ctr = 0;
6977a0a89d2SRobert Watson
6987a0a89d2SRobert Watson /*
6997a0a89d2SRobert Watson * XXX There's a risk here that the BSM library will return NULL
7007a0a89d2SRobert Watson * for an event when it can't properly map it to a class. In that
7017a0a89d2SRobert Watson * case, we will not process any events beyond the one that failed,
7027a0a89d2SRobert Watson * but should. We need a way to get a count of the events.
7037a0a89d2SRobert Watson */
7047a0a89d2SRobert Watson ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
7057a0a89d2SRobert Watson ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
706aa772005SRobert Watson if (ev.ae_name == NULL || ev.ae_desc == NULL) {
7077a0a89d2SRobert Watson if (ev.ae_name != NULL)
7087a0a89d2SRobert Watson free(ev.ae_name);
7097a0a89d2SRobert Watson return (ADE_NOMEM);
7107a0a89d2SRobert Watson }
7117a0a89d2SRobert Watson
7127a0a89d2SRobert Watson /*
7137a0a89d2SRobert Watson * XXXRW: Currently we have no way to remove mappings from the kernel
7147a0a89d2SRobert Watson * when they are removed from the file-based mappings.
7157a0a89d2SRobert Watson */
7167a0a89d2SRobert Watson evp = &ev;
7177a0a89d2SRobert Watson setauevent();
7187a0a89d2SRobert Watson while ((evp = getauevent_r(evp)) != NULL) {
7195e386598SRobert Watson /*
7205e386598SRobert Watson * Set the event-to-name mapping entry. If there's not room
7215e386598SRobert Watson * in the in-kernel string, then we skip the entry. Possibly
7225e386598SRobert Watson * better than truncating...?
7235e386598SRobert Watson */
7245e386598SRobert Watson if (strlcpy(evn_map.en_name, evp->ae_name,
7255e386598SRobert Watson sizeof(evn_map.en_name)) < sizeof(evn_map.en_name)) {
7265e386598SRobert Watson evn_map.en_number = evp->ae_number;
7275e386598SRobert Watson (void)audit_set_event(&evn_map, sizeof(evn_map));
7285e386598SRobert Watson }
7295e386598SRobert Watson
7305e386598SRobert Watson /*
7315e386598SRobert Watson * Set the event-to-class mapping entry.
7325e386598SRobert Watson */
7337a0a89d2SRobert Watson evc_map.ec_number = evp->ae_number;
7347a0a89d2SRobert Watson evc_map.ec_class = evp->ae_class;
735c0020399SRobert Watson if (audit_set_class(&evc_map, sizeof(evc_map)) == 0)
7367a0a89d2SRobert Watson ctr++;
7377a0a89d2SRobert Watson }
7387a0a89d2SRobert Watson endauevent();
7397a0a89d2SRobert Watson free(ev.ae_name);
7407a0a89d2SRobert Watson free(ev.ae_desc);
7417a0a89d2SRobert Watson
7427a0a89d2SRobert Watson return (ctr);
7437a0a89d2SRobert Watson }
7447a0a89d2SRobert Watson
7457a0a89d2SRobert Watson /*
7467a0a89d2SRobert Watson * Get the non-attributable event string and set the kernel mask. Return:
7477a0a89d2SRobert Watson * ADE_NOERR on success,
7487a0a89d2SRobert Watson * ADE_PARSE error parsing audit_control(5),
7497a0a89d2SRobert Watson * ADE_AUDITON error setting the mask using auditon(2).
7507a0a89d2SRobert Watson */
7517a0a89d2SRobert Watson int
auditd_set_namask(void)7527a0a89d2SRobert Watson auditd_set_namask(void)
7537a0a89d2SRobert Watson {
7547a0a89d2SRobert Watson au_mask_t aumask;
7557a0a89d2SRobert Watson char naeventstr[NA_EVENT_STR_SIZE];
7567a0a89d2SRobert Watson
757aa772005SRobert Watson if (getacna(naeventstr, NA_EVENT_STR_SIZE) != 0 ||
758aa772005SRobert Watson getauditflagsbin(naeventstr, &aumask) != 0)
7597a0a89d2SRobert Watson return (ADE_PARSE);
7607a0a89d2SRobert Watson
761c0020399SRobert Watson if (audit_set_kmask(&aumask, sizeof(aumask)) != 0)
7627a0a89d2SRobert Watson return (ADE_AUDITON);
7637a0a89d2SRobert Watson
7647a0a89d2SRobert Watson return (ADE_NOERR);
7657a0a89d2SRobert Watson }
7667a0a89d2SRobert Watson
7677a0a89d2SRobert Watson /*
7687a0a89d2SRobert Watson * Set the audit control policy if a policy is configured in audit_control(5),
7697a0a89d2SRobert Watson * implement the policy. However, if one isn't defined or if there is an error
7707a0a89d2SRobert Watson * parsing the control file, set AUDIT_CNT to avoid leaving the system in a
7717a0a89d2SRobert Watson * fragile state. Return:
7727a0a89d2SRobert Watson * ADE_NOERR on success,
7737a0a89d2SRobert Watson * ADE_PARSE error parsing audit_control(5),
7747a0a89d2SRobert Watson * ADE_AUDITON error setting policy using auditon(2).
7757a0a89d2SRobert Watson */
7767a0a89d2SRobert Watson int
auditd_set_policy(void)7777a0a89d2SRobert Watson auditd_set_policy(void)
7787a0a89d2SRobert Watson {
779c0020399SRobert Watson int policy;
7807a0a89d2SRobert Watson char polstr[POL_STR_SIZE];
7817a0a89d2SRobert Watson
782aa772005SRobert Watson if (getacpol(polstr, POL_STR_SIZE) != 0 ||
783aa772005SRobert Watson au_strtopol(polstr, &policy) != 0) {
7847a0a89d2SRobert Watson policy = AUDIT_CNT;
785c0020399SRobert Watson if (audit_set_policy(&policy) != 0)
7867a0a89d2SRobert Watson return (ADE_AUDITON);
7877a0a89d2SRobert Watson return (ADE_PARSE);
7887a0a89d2SRobert Watson }
7897a0a89d2SRobert Watson
790c0020399SRobert Watson if (audit_set_policy(&policy) != 0)
7917a0a89d2SRobert Watson return (ADE_AUDITON);
7927a0a89d2SRobert Watson
7937a0a89d2SRobert Watson return (ADE_NOERR);
7947a0a89d2SRobert Watson }
7957a0a89d2SRobert Watson
7967a0a89d2SRobert Watson /*
7977a0a89d2SRobert Watson * Set trail rotation size. Return:
7987a0a89d2SRobert Watson * ADE_NOERR on success,
7997a0a89d2SRobert Watson * ADE_PARSE error parsing audit_control(5),
8007a0a89d2SRobert Watson * ADE_AUDITON error setting file size using auditon(2).
8017a0a89d2SRobert Watson */
8027a0a89d2SRobert Watson int
auditd_set_fsize(void)8037a0a89d2SRobert Watson auditd_set_fsize(void)
8047a0a89d2SRobert Watson {
8057a0a89d2SRobert Watson size_t filesz;
8067a0a89d2SRobert Watson au_fstat_t au_fstat;
8077a0a89d2SRobert Watson
8087a0a89d2SRobert Watson /*
8097a0a89d2SRobert Watson * Set trail rotation size.
8107a0a89d2SRobert Watson */
8117a0a89d2SRobert Watson if (getacfilesz(&filesz) != 0)
8127a0a89d2SRobert Watson return (ADE_PARSE);
8137a0a89d2SRobert Watson
8147a0a89d2SRobert Watson bzero(&au_fstat, sizeof(au_fstat));
8157a0a89d2SRobert Watson au_fstat.af_filesz = filesz;
816c0020399SRobert Watson if (audit_set_fsize(&au_fstat, sizeof(au_fstat)) != 0)
8177a0a89d2SRobert Watson return (ADE_AUDITON);
8187a0a89d2SRobert Watson
8197a0a89d2SRobert Watson return (ADE_NOERR);
8207a0a89d2SRobert Watson }
8217a0a89d2SRobert Watson
8225e386598SRobert Watson /*
8235e386598SRobert Watson * Set trail rotation size. Return:
8245e386598SRobert Watson * ADE_NOERR on success,
8255e386598SRobert Watson * ADE_PARSE error parsing audit_control(5),
8265e386598SRobert Watson * ADE_AUDITON error setting queue size using auditon(2).
8275e386598SRobert Watson */
8285e386598SRobert Watson int
auditd_set_qsize(void)8295e386598SRobert Watson auditd_set_qsize(void)
8305e386598SRobert Watson {
8315e386598SRobert Watson int qsz;
8325e386598SRobert Watson au_qctrl_t au_qctrl;
8335e386598SRobert Watson
8345e386598SRobert Watson /*
8355e386598SRobert Watson * Set trail rotation size.
8365e386598SRobert Watson */
8375e386598SRobert Watson if (getacqsize(&qsz) != 0)
8385e386598SRobert Watson return (ADE_PARSE);
8395e386598SRobert Watson
8405e386598SRobert Watson if (audit_get_qctrl(&au_qctrl, sizeof(au_qctrl)) != 0)
8415e386598SRobert Watson return (ADE_AUDITON);
8425e386598SRobert Watson if (qsz != USE_DEFAULT_QSZ)
8435e386598SRobert Watson au_qctrl.aq_hiwater = qsz;
8445e386598SRobert Watson if (audit_set_qctrl(&au_qctrl, sizeof(au_qctrl)) != 0)
8455e386598SRobert Watson return (ADE_AUDITON);
8465e386598SRobert Watson
8475e386598SRobert Watson return (ADE_NOERR);
8485e386598SRobert Watson }
8495e386598SRobert Watson
850aa772005SRobert Watson static void
inject_dist(const char * fromname,char * toname,size_t tonamesize)851aa772005SRobert Watson inject_dist(const char *fromname, char *toname, size_t tonamesize)
852aa772005SRobert Watson {
853aa772005SRobert Watson char *ptr;
854aa772005SRobert Watson
855aa772005SRobert Watson ptr = strrchr(fromname, '/');
856aa772005SRobert Watson assert(ptr != NULL);
857aa772005SRobert Watson assert(ptr - fromname < (ssize_t)tonamesize);
858aa772005SRobert Watson strlcpy(toname, fromname, ptr - fromname + 1);
859aa772005SRobert Watson strlcat(toname, "/dist/", tonamesize);
860aa772005SRobert Watson strlcat(toname, ptr + 1, tonamesize);
861aa772005SRobert Watson }
862aa772005SRobert Watson
863aa772005SRobert Watson static int
auditdist_link(const char * filename)864aa772005SRobert Watson auditdist_link(const char *filename)
865aa772005SRobert Watson {
866aa772005SRobert Watson char fname[MAXPATHLEN];
867aa772005SRobert Watson
868aa772005SRobert Watson if (auditd_dist) {
869aa772005SRobert Watson inject_dist(filename, fname, sizeof(fname));
870aa772005SRobert Watson /* Ignore errors. */
871aa772005SRobert Watson (void) link(filename, fname);
872aa772005SRobert Watson }
873aa772005SRobert Watson
874aa772005SRobert Watson return (0);
875aa772005SRobert Watson }
876aa772005SRobert Watson
877aa772005SRobert Watson int
auditd_rename(const char * fromname,const char * toname)878aa772005SRobert Watson auditd_rename(const char *fromname, const char *toname)
879aa772005SRobert Watson {
880aa772005SRobert Watson char fname[MAXPATHLEN], tname[MAXPATHLEN];
881aa772005SRobert Watson
882aa772005SRobert Watson if (auditd_dist) {
883aa772005SRobert Watson inject_dist(fromname, fname, sizeof(fname));
884aa772005SRobert Watson inject_dist(toname, tname, sizeof(tname));
885aa772005SRobert Watson /* Ignore errors. */
886aa772005SRobert Watson (void) rename(fname, tname);
887aa772005SRobert Watson }
888aa772005SRobert Watson
889aa772005SRobert Watson return (rename(fromname, toname));
890aa772005SRobert Watson }
891aa772005SRobert Watson
8927a0a89d2SRobert Watson /*
893aa772005SRobert Watson * Create the new audit file with appropriate permissions and ownership.
894aa772005SRobert Watson * Call auditctl(2) for this file.
895aa772005SRobert Watson * Try to clean up if something goes wrong.
896aa772005SRobert Watson * *errorp is modified only on auditctl(2) failure.
8977a0a89d2SRobert Watson */
8987a0a89d2SRobert Watson static int
open_trail(char * fname,gid_t gid,int * errorp)899aa772005SRobert Watson open_trail(char *fname, gid_t gid, int *errorp)
9007a0a89d2SRobert Watson {
901aa772005SRobert Watson int fd;
9027a0a89d2SRobert Watson
903aa772005SRobert Watson /* XXXPJD: What should we do if the file already exists? */
904aa772005SRobert Watson fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR);
9057a0a89d2SRobert Watson if (fd < 0)
9067a0a89d2SRobert Watson return (-1);
907aa772005SRobert Watson if (fchown(fd, -1, gid) < 0 || fchmod(fd, S_IRUSR | S_IRGRP) < 0) {
908aa772005SRobert Watson (void) close(fd);
9097a0a89d2SRobert Watson (void) unlink(fname);
9107a0a89d2SRobert Watson return (-1);
9117a0a89d2SRobert Watson }
912aa772005SRobert Watson (void) close(fd);
913aa772005SRobert Watson if (auditctl(fname) < 0) {
914aa772005SRobert Watson *errorp = errno;
915aa772005SRobert Watson (void) unlink(fname);
916aa772005SRobert Watson return (-1);
917aa772005SRobert Watson }
918aa772005SRobert Watson (void) auditdist_link(fname);
919aa772005SRobert Watson return (0);
9207a0a89d2SRobert Watson }
9217a0a89d2SRobert Watson
9227a0a89d2SRobert Watson /*
9237a0a89d2SRobert Watson * Create the new audit trail file, swap with existing audit file. Arguments
9247a0a89d2SRobert Watson * include timestamp for the filename, a pointer to a string for returning the
9257a0a89d2SRobert Watson * new file name, GID for trail file, and audit_warn function pointer for
9267a0a89d2SRobert Watson * 'getacdir()' errors. Returns:
9277a0a89d2SRobert Watson * ADE_NOERR on success,
9287a0a89d2SRobert Watson * ADE_STRERR if the file name string could not be created,
9297a0a89d2SRobert Watson * ADE_SWAPERR if the audit trail file could not be swapped,
9307a0a89d2SRobert Watson * ADE_ACTL if the auditctl(2) call failed but file swap still
9317a0a89d2SRobert Watson * successful.
9327a0a89d2SRobert Watson * ADE_ACTLERR if the auditctl(2) call failed and file swap failed.
9337a0a89d2SRobert Watson * ADE_SYMLINK if symlink(2) failed updating the current link.
9347a0a89d2SRobert Watson */
9357a0a89d2SRobert Watson int
auditd_swap_trail(char * TS,char ** newfile,gid_t gid,int (* warn_getacdir)(char *))9367a0a89d2SRobert Watson auditd_swap_trail(char *TS, char **newfile, gid_t gid,
9377a0a89d2SRobert Watson int (*warn_getacdir)(char *))
9387a0a89d2SRobert Watson {
939aa772005SRobert Watson char timestr[FILENAME_LEN + 1];
9407a0a89d2SRobert Watson char *fn;
9417a0a89d2SRobert Watson struct dir_ent *dirent;
9427a0a89d2SRobert Watson int saverrno = 0;
9437a0a89d2SRobert Watson
944aa772005SRobert Watson if (strlen(TS) != TIMESTAMP_LEN ||
945aa772005SRobert Watson snprintf(timestr, sizeof(timestr), "%s.%s", TS,
946aa772005SRobert Watson NOT_TERMINATED) < 0) {
9477a0a89d2SRobert Watson errno = EINVAL;
9487a0a89d2SRobert Watson return (ADE_STRERR);
9497a0a89d2SRobert Watson }
9507a0a89d2SRobert Watson
9517a0a89d2SRobert Watson /* Try until we succeed. */
95206edd2f1SRobert Watson TAILQ_FOREACH(dirent, &dir_q, dirs) {
9537a0a89d2SRobert Watson if (dirent->hardlim)
9547a0a89d2SRobert Watson continue;
9557a0a89d2SRobert Watson if ((fn = affixdir(timestr, dirent)) == NULL)
9567a0a89d2SRobert Watson return (ADE_STRERR);
9577a0a89d2SRobert Watson
9587a0a89d2SRobert Watson /*
959aa772005SRobert Watson * Create the file and pass to the kernel if all went well.
9607a0a89d2SRobert Watson */
961aa772005SRobert Watson if (open_trail(fn, gid, &saverrno) == 0) {
9627a0a89d2SRobert Watson /* Success. */
9637a0a89d2SRobert Watson *newfile = fn;
9647a0a89d2SRobert Watson if (saverrno) {
9657a0a89d2SRobert Watson /*
9667a0a89d2SRobert Watson * auditctl() failed but still
9677a0a89d2SRobert Watson * successful. Return errno and "soft"
9687a0a89d2SRobert Watson * error.
9697a0a89d2SRobert Watson */
9707a0a89d2SRobert Watson errno = saverrno;
9717a0a89d2SRobert Watson return (ADE_ACTL);
9727a0a89d2SRobert Watson }
9737a0a89d2SRobert Watson return (ADE_NOERR);
9747a0a89d2SRobert Watson }
975aa772005SRobert Watson /*
976aa772005SRobert Watson * auditctl failed setting log file. Try again.
977aa772005SRobert Watson */
9787a0a89d2SRobert Watson /*
9797a0a89d2SRobert Watson * Tell the administrator about lack of permissions for dir.
9807a0a89d2SRobert Watson */
9817a0a89d2SRobert Watson if (warn_getacdir != NULL)
9827a0a89d2SRobert Watson (*warn_getacdir)(dirent->dirname);
9837a0a89d2SRobert Watson }
9847a0a89d2SRobert Watson if (saverrno) {
9857a0a89d2SRobert Watson errno = saverrno;
9867a0a89d2SRobert Watson return (ADE_ACTLERR);
9877a0a89d2SRobert Watson } else
9887a0a89d2SRobert Watson return (ADE_SWAPERR);
9897a0a89d2SRobert Watson }
9907a0a89d2SRobert Watson
9917a0a89d2SRobert Watson /*
9927a0a89d2SRobert Watson * Mask calling process from being audited. Returns:
9937a0a89d2SRobert Watson * ADE_NOERR on success,
9947a0a89d2SRobert Watson * ADE_SETAUDIT if setaudit(2) fails.
9957a0a89d2SRobert Watson */
99606edd2f1SRobert Watson #ifdef __APPLE__
99706edd2f1SRobert Watson int
auditd_prevent_audit(void)99806edd2f1SRobert Watson auditd_prevent_audit(void)
99906edd2f1SRobert Watson {
100006edd2f1SRobert Watson auditinfo_addr_t aia;
100106edd2f1SRobert Watson
100206edd2f1SRobert Watson /*
100306edd2f1SRobert Watson * To prevent event feedback cycles and avoid audit becoming stalled if
100406edd2f1SRobert Watson * auditing is suspended we mask this processes events from being
100506edd2f1SRobert Watson * audited. We allow the uid, tid, and mask fields to be implicitly
100606edd2f1SRobert Watson * set to zero, but do set the audit session ID to the PID.
100706edd2f1SRobert Watson *
100806edd2f1SRobert Watson * XXXRW: Is there more to it than this?
100906edd2f1SRobert Watson */
101006edd2f1SRobert Watson bzero(&aia, sizeof(aia));
101106edd2f1SRobert Watson aia.ai_asid = AU_ASSIGN_ASID;
101206edd2f1SRobert Watson aia.ai_termid.at_type = AU_IPv4;
101306edd2f1SRobert Watson if (setaudit_addr(&aia, sizeof(aia)) != 0)
101406edd2f1SRobert Watson return (ADE_SETAUDIT);
101506edd2f1SRobert Watson return (ADE_NOERR);
101606edd2f1SRobert Watson }
101706edd2f1SRobert Watson #else
10187a0a89d2SRobert Watson int
auditd_prevent_audit(void)10197a0a89d2SRobert Watson auditd_prevent_audit(void)
10207a0a89d2SRobert Watson {
10217a0a89d2SRobert Watson auditinfo_t ai;
10227a0a89d2SRobert Watson
10237a0a89d2SRobert Watson /*
10247a0a89d2SRobert Watson * To prevent event feedback cycles and avoid audit becoming stalled if
10257a0a89d2SRobert Watson * auditing is suspended we mask this processes events from being
10267a0a89d2SRobert Watson * audited. We allow the uid, tid, and mask fields to be implicitly
10277a0a89d2SRobert Watson * set to zero, but do set the audit session ID to the PID.
10287a0a89d2SRobert Watson *
10297a0a89d2SRobert Watson * XXXRW: Is there more to it than this?
10307a0a89d2SRobert Watson */
10317a0a89d2SRobert Watson bzero(&ai, sizeof(ai));
10327a0a89d2SRobert Watson ai.ai_asid = getpid();
10337a0a89d2SRobert Watson if (setaudit(&ai) != 0)
10347a0a89d2SRobert Watson return (ADE_SETAUDIT);
10357a0a89d2SRobert Watson return (ADE_NOERR);
10367a0a89d2SRobert Watson }
1037aa772005SRobert Watson #endif /* !__APPLE__ */
10387a0a89d2SRobert Watson
10397a0a89d2SRobert Watson /*
10407a0a89d2SRobert Watson * Generate and submit audit record for audit startup or shutdown. The event
10417a0a89d2SRobert Watson * argument can be AUE_audit_recovery, AUE_audit_startup or
10427a0a89d2SRobert Watson * AUE_audit_shutdown. The path argument will add a path token, if not NULL.
10437a0a89d2SRobert Watson * Returns:
10447a0a89d2SRobert Watson * AUE_NOERR on success,
10457a0a89d2SRobert Watson * ADE_NOMEM if memory allocation fails,
10467a0a89d2SRobert Watson * ADE_AU_OPEN if au_open(3) fails,
10477a0a89d2SRobert Watson * ADE_AU_CLOSE if au_close(3) fails.
10487a0a89d2SRobert Watson */
10497a0a89d2SRobert Watson int
auditd_gen_record(int event,char * path)10507a0a89d2SRobert Watson auditd_gen_record(int event, char *path)
10517a0a89d2SRobert Watson {
10527a0a89d2SRobert Watson int aufd;
10537a0a89d2SRobert Watson uid_t uid;
10547a0a89d2SRobert Watson pid_t pid;
10557a0a89d2SRobert Watson char *autext = NULL;
10567a0a89d2SRobert Watson token_t *tok;
10577a0a89d2SRobert Watson struct auditinfo_addr aia;
10587a0a89d2SRobert Watson
10597a0a89d2SRobert Watson if (event == AUE_audit_startup)
10607a0a89d2SRobert Watson asprintf(&autext, "%s::Audit startup", getprogname());
10617a0a89d2SRobert Watson else if (event == AUE_audit_shutdown)
10627a0a89d2SRobert Watson asprintf(&autext, "%s::Audit shutdown", getprogname());
10637a0a89d2SRobert Watson else if (event == AUE_audit_recovery)
10647a0a89d2SRobert Watson asprintf(&autext, "%s::Audit recovery", getprogname());
10657a0a89d2SRobert Watson else
10667a0a89d2SRobert Watson return (ADE_INVAL);
10677a0a89d2SRobert Watson if (autext == NULL)
10687a0a89d2SRobert Watson return (ADE_NOMEM);
10697a0a89d2SRobert Watson
10707a0a89d2SRobert Watson if ((aufd = au_open()) == -1) {
10717a0a89d2SRobert Watson free(autext);
10727a0a89d2SRobert Watson return (ADE_AU_OPEN);
10737a0a89d2SRobert Watson }
10747a0a89d2SRobert Watson bzero(&aia, sizeof(aia));
10757a0a89d2SRobert Watson uid = getuid(); pid = getpid();
10767a0a89d2SRobert Watson if ((tok = au_to_subject32_ex(uid, geteuid(), getegid(), uid, getgid(),
10777a0a89d2SRobert Watson pid, pid, &aia.ai_termid)) != NULL)
10787a0a89d2SRobert Watson au_write(aufd, tok);
10797a0a89d2SRobert Watson if ((tok = au_to_text(autext)) != NULL)
10807a0a89d2SRobert Watson au_write(aufd, tok);
10817a0a89d2SRobert Watson free(autext);
10827a0a89d2SRobert Watson if (path != NULL && (tok = au_to_path(path)) != NULL)
10837a0a89d2SRobert Watson au_write(aufd, tok);
10847a0a89d2SRobert Watson if ((tok = au_to_return32(0, 0)) != NULL)
10857a0a89d2SRobert Watson au_write(aufd, tok);
10867a0a89d2SRobert Watson if (au_close(aufd, 1, event) == -1)
10877a0a89d2SRobert Watson return (ADE_AU_CLOSE);
10887a0a89d2SRobert Watson
10897a0a89d2SRobert Watson return (ADE_NOERR);
10907a0a89d2SRobert Watson }
10917a0a89d2SRobert Watson
10927a0a89d2SRobert Watson /*
10937a0a89d2SRobert Watson * Check for a 'current' symlink and do crash recovery, if needed. Create a new
10947a0a89d2SRobert Watson * 'current' symlink. The argument 'curfile' is the file the 'current' symlink
10957a0a89d2SRobert Watson * should point to. Returns:
10967a0a89d2SRobert Watson * ADE_NOERR on success,
10977a0a89d2SRobert Watson * ADE_AU_OPEN if au_open(3) fails,
10987a0a89d2SRobert Watson * ADE_AU_CLOSE if au_close(3) fails.
10997a0a89d2SRobert Watson * ADE_RENAME if error renaming audit trail file,
11007a0a89d2SRobert Watson * ADE_READLINK if error reading the 'current' link,
11017a0a89d2SRobert Watson * ADE_SYMLINK if error creating 'current' link.
11027a0a89d2SRobert Watson */
11037a0a89d2SRobert Watson int
auditd_new_curlink(char * curfile)11047a0a89d2SRobert Watson auditd_new_curlink(char *curfile)
11057a0a89d2SRobert Watson {
11067a0a89d2SRobert Watson int len, err;
11077a0a89d2SRobert Watson char *ptr;
11087a0a89d2SRobert Watson char *path = NULL;
11097a0a89d2SRobert Watson struct stat sb;
11107a0a89d2SRobert Watson char recoveredname[MAXPATHLEN];
11117a0a89d2SRobert Watson char newname[MAXPATHLEN];
11127a0a89d2SRobert Watson
11137a0a89d2SRobert Watson /*
11147a0a89d2SRobert Watson * Check to see if audit was shutdown properly. If not, clean up,
11157a0a89d2SRobert Watson * recover previous audit trail file, and generate audit record.
11167a0a89d2SRobert Watson */
1117aa772005SRobert Watson len = readlink(AUDIT_CURRENT_LINK, recoveredname,
1118aa772005SRobert Watson sizeof(recoveredname) - 1);
11197a0a89d2SRobert Watson if (len > 0) {
11207a0a89d2SRobert Watson /* 'current' exist but is it pointing at a valid file? */
11217a0a89d2SRobert Watson recoveredname[len++] = '\0';
11227a0a89d2SRobert Watson if (stat(recoveredname, &sb) == 0) {
11237a0a89d2SRobert Watson /* Yes, rename it to a crash recovery file. */
1124aa772005SRobert Watson strlcpy(newname, recoveredname, sizeof(newname));
11257a0a89d2SRobert Watson
11267a0a89d2SRobert Watson if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
112706edd2f1SRobert Watson memcpy(ptr, CRASH_RECOVERY, POSTFIX_LEN);
1128aa772005SRobert Watson if (auditd_rename(recoveredname, newname) != 0)
11297a0a89d2SRobert Watson return (ADE_RENAME);
11307a0a89d2SRobert Watson } else
11317a0a89d2SRobert Watson return (ADE_STRERR);
11327a0a89d2SRobert Watson
11337a0a89d2SRobert Watson path = newname;
11347a0a89d2SRobert Watson }
11357a0a89d2SRobert Watson
11367a0a89d2SRobert Watson /* 'current' symlink is (now) invalid so remove it. */
11377a0a89d2SRobert Watson (void) unlink(AUDIT_CURRENT_LINK);
11387a0a89d2SRobert Watson
11397a0a89d2SRobert Watson /* Note the crash recovery in current audit trail */
11407a0a89d2SRobert Watson err = auditd_gen_record(AUE_audit_recovery, path);
11417a0a89d2SRobert Watson if (err)
11427a0a89d2SRobert Watson return (err);
11437a0a89d2SRobert Watson }
11447a0a89d2SRobert Watson
11457a0a89d2SRobert Watson if (len < 0 && errno != ENOENT)
11467a0a89d2SRobert Watson return (ADE_READLINK);
11477a0a89d2SRobert Watson
11487a0a89d2SRobert Watson if (symlink(curfile, AUDIT_CURRENT_LINK) != 0)
11497a0a89d2SRobert Watson return (ADE_SYMLINK);
11507a0a89d2SRobert Watson
11517a0a89d2SRobert Watson return (0);
11527a0a89d2SRobert Watson }
11537a0a89d2SRobert Watson
11547a0a89d2SRobert Watson /*
11557a0a89d2SRobert Watson * Do just what we need to quickly start auditing. Assume no system logging or
11567a0a89d2SRobert Watson * notify. Return:
11577a0a89d2SRobert Watson * 0 on success,
11587a0a89d2SRobert Watson * -1 on failure.
11597a0a89d2SRobert Watson */
11607a0a89d2SRobert Watson int
audit_quick_start(void)11617a0a89d2SRobert Watson audit_quick_start(void)
11627a0a89d2SRobert Watson {
11637a0a89d2SRobert Watson int err;
116406edd2f1SRobert Watson char *newfile = NULL;
11657a0a89d2SRobert Watson time_t tt;
1166aa772005SRobert Watson char TS[TIMESTAMP_LEN + 1];
116706edd2f1SRobert Watson int ret = 0;
11687a0a89d2SRobert Watson
11697a0a89d2SRobert Watson /*
11707a0a89d2SRobert Watson * Mask auditing of this process.
11717a0a89d2SRobert Watson */
11727a0a89d2SRobert Watson if (auditd_prevent_audit() != 0)
11737a0a89d2SRobert Watson return (-1);
11747a0a89d2SRobert Watson
11757a0a89d2SRobert Watson /*
11767a0a89d2SRobert Watson * Read audit_control and get log directories.
11777a0a89d2SRobert Watson */
11787a0a89d2SRobert Watson err = auditd_read_dirs(NULL, NULL);
11797a0a89d2SRobert Watson if (err != ADE_NOERR && err != ADE_SOFTLIM)
11807a0a89d2SRobert Watson return (-1);
11817a0a89d2SRobert Watson
11827a0a89d2SRobert Watson /*
1183aa772005SRobert Watson * Setup trail file distribution.
1184aa772005SRobert Watson */
1185aa772005SRobert Watson (void) auditd_set_dist();
1186aa772005SRobert Watson
1187aa772005SRobert Watson /*
11887a0a89d2SRobert Watson * Create a new audit trail log.
11897a0a89d2SRobert Watson */
1190aa772005SRobert Watson if (getTSstr(tt, TS, sizeof(TS)) != 0)
11917a0a89d2SRobert Watson return (-1);
11927a0a89d2SRobert Watson err = auditd_swap_trail(TS, &newfile, getgid(), NULL);
119306edd2f1SRobert Watson if (err != ADE_NOERR && err != ADE_ACTL) {
119406edd2f1SRobert Watson ret = -1;
119506edd2f1SRobert Watson goto out;
119606edd2f1SRobert Watson }
11977a0a89d2SRobert Watson
11987a0a89d2SRobert Watson /*
11997a0a89d2SRobert Watson * Add the current symlink and recover from crash, if needed.
12007a0a89d2SRobert Watson */
120106edd2f1SRobert Watson if (auditd_new_curlink(newfile) != 0) {
120206edd2f1SRobert Watson ret = -1;
120306edd2f1SRobert Watson goto out;
120406edd2f1SRobert Watson }
12057a0a89d2SRobert Watson
12067a0a89d2SRobert Watson /*
12077a0a89d2SRobert Watson * At this point auditing has started so generate audit start-up record.
12087a0a89d2SRobert Watson */
120906edd2f1SRobert Watson if (auditd_gen_record(AUE_audit_startup, NULL) != 0) {
121006edd2f1SRobert Watson ret = -1;
121106edd2f1SRobert Watson goto out;
121206edd2f1SRobert Watson }
12137a0a89d2SRobert Watson
12147a0a89d2SRobert Watson /*
12157a0a89d2SRobert Watson * Configure the audit controls.
12167a0a89d2SRobert Watson */
12177a0a89d2SRobert Watson (void) auditd_set_evcmap();
12187a0a89d2SRobert Watson (void) auditd_set_namask();
12197a0a89d2SRobert Watson (void) auditd_set_policy();
12207a0a89d2SRobert Watson (void) auditd_set_fsize();
12217a0a89d2SRobert Watson (void) auditd_set_minfree();
12227a0a89d2SRobert Watson (void) auditd_set_host();
12237a0a89d2SRobert Watson
122406edd2f1SRobert Watson out:
122506edd2f1SRobert Watson if (newfile != NULL)
122606edd2f1SRobert Watson free(newfile);
122706edd2f1SRobert Watson
122806edd2f1SRobert Watson return (ret);
12297a0a89d2SRobert Watson }
12307a0a89d2SRobert Watson
12317a0a89d2SRobert Watson /*
12327a0a89d2SRobert Watson * Shut down auditing quickly. Assumes that is only called on system shutdown.
12337a0a89d2SRobert Watson * Returns:
12347a0a89d2SRobert Watson * 0 on success,
12357a0a89d2SRobert Watson * -1 on failure.
12367a0a89d2SRobert Watson */
12377a0a89d2SRobert Watson int
audit_quick_stop(void)12387a0a89d2SRobert Watson audit_quick_stop(void)
12397a0a89d2SRobert Watson {
12407a0a89d2SRobert Watson int len;
1241c0020399SRobert Watson int cond;
12427a0a89d2SRobert Watson char *ptr;
12437a0a89d2SRobert Watson time_t tt;
12447a0a89d2SRobert Watson char oldname[MAXPATHLEN];
12457a0a89d2SRobert Watson char newname[MAXPATHLEN];
1246aa772005SRobert Watson char TS[TIMESTAMP_LEN + 1];
12477a0a89d2SRobert Watson
12487a0a89d2SRobert Watson /*
12497a0a89d2SRobert Watson * Auditing already disabled?
12507a0a89d2SRobert Watson */
1251c0020399SRobert Watson if (audit_get_cond(&cond) != 0)
12527a0a89d2SRobert Watson return (-1);
1253c74c7b73SRobert Watson if (cond == AUC_NOAUDIT)
12547a0a89d2SRobert Watson return (0);
12557a0a89d2SRobert Watson
12567a0a89d2SRobert Watson /*
12577a0a89d2SRobert Watson * Generate audit shutdown record.
12587a0a89d2SRobert Watson */
12597a0a89d2SRobert Watson (void) auditd_gen_record(AUE_audit_shutdown, NULL);
12607a0a89d2SRobert Watson
12617a0a89d2SRobert Watson /*
12627a0a89d2SRobert Watson * Shutdown auditing in the kernel.
12637a0a89d2SRobert Watson */
12647a0a89d2SRobert Watson cond = AUC_DISABLED;
1265c0020399SRobert Watson if (audit_set_cond(&cond) != 0)
12667a0a89d2SRobert Watson return (-1);
12677a0a89d2SRobert Watson #ifdef __BSM_INTERNAL_NOTIFY_KEY
12687a0a89d2SRobert Watson notify_post(__BSM_INTERNAL_NOTIFY_KEY);
12697a0a89d2SRobert Watson #endif
12707a0a89d2SRobert Watson
12717a0a89d2SRobert Watson /*
12727a0a89d2SRobert Watson * Rename last audit trail and remove 'current' link.
12737a0a89d2SRobert Watson */
1274aa772005SRobert Watson len = readlink(AUDIT_CURRENT_LINK, oldname, sizeof(oldname) - 1);
12757a0a89d2SRobert Watson if (len < 0)
12767a0a89d2SRobert Watson return (-1);
12777a0a89d2SRobert Watson oldname[len++] = '\0';
12787a0a89d2SRobert Watson
1279aa772005SRobert Watson if (getTSstr(tt, TS, sizeof(TS)) != 0)
12807a0a89d2SRobert Watson return (-1);
12817a0a89d2SRobert Watson
1282aa772005SRobert Watson strlcpy(newname, oldname, sizeof(newname));
12837a0a89d2SRobert Watson
12847a0a89d2SRobert Watson if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
128506edd2f1SRobert Watson memcpy(ptr, TS, POSTFIX_LEN);
1286aa772005SRobert Watson if (auditd_rename(oldname, newname) != 0)
12877a0a89d2SRobert Watson return (-1);
12887a0a89d2SRobert Watson } else
12897a0a89d2SRobert Watson return (-1);
12907a0a89d2SRobert Watson
12917a0a89d2SRobert Watson (void) unlink(AUDIT_CURRENT_LINK);
12927a0a89d2SRobert Watson
12937a0a89d2SRobert Watson return (0);
12947a0a89d2SRobert Watson }
1295