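/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * private interfaces for auditd plugins and auditd.
 */
#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <bsm/audit.h>
#include <bsm/audit_record.h>
#include <bsm/audit_uevents.h>
#include <bsm/libbsm.h>
#include <errno.h>
#include <fcntl.h>
#include <libintl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>
#include <wait.h>
#include "audit_plugin.h"

/*
 * Fixed path of the administrator-notification script that
 * __audit_dowarn() and __audit_dowarn2() exec in a forked child.
 * It is used both as the exec path and as argv[0].
 */
static char auditwarn[] = "/etc/security/audit_warn";

/*
 * Serializes the openlog() / syslog() / closelog() sequence performed
 * by __audit_syslog().  It is set up by init_syslog_mutex(), which is
 * intended to be run exactly once through pthread_once().
 */
static pthread_mutex_t syslog_lock;

/*
 * init_syslog_mutex - one-time initializer for syslog_lock.
 *
 * Declared with an explicit (void) prototype: the original empty
 * parameter list declared a function taking unspecified arguments,
 * which defeats argument checking at call sites.  Default mutex
 * attributes are used; the return value is deliberately ignored as
 * there is no sensible recovery this early.
 */
static void
init_syslog_mutex(void)
{
	(void) pthread_mutex_init(&syslog_lock, NULL);
}

/*
 * audit_syslog() -- generate syslog messages from threads that use
 * different severity, facility code, and application names.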
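*/
/*
 * __audit_syslog - emit one syslog message on behalf of auditd or a
 * plugin.
 *
 * parameters -
 *	app_name - ident string handed to openlog()
 *	flags    - openlog() option flags (LOG_PID, LOG_CONS, ...)
 *	facility - syslog facility
 *	severity - syslog priority for this message
 *	message  - the text to log; NOT a format string
 *
 * The message is passed to syslog() through a "%s" format rather than
 * as the format string itself.  The original author passed it as the
 * format string so that the syslog message ID (which that note said is
 * derived from the format string) tracked the text; the cost was that
 * any message containing '%' -- for example a path or plugin error
 * detail forwarded by __audit_dowarn*() -- was interpreted as
 * conversion specifications.  With "%s" every message from here shares
 * one ID, which is the safer trade.
 *
 * syslog(3C) is thread safe, but the set openlog() / syslog() /
 * closelog() is not, so the whole sequence is serialized with
 * syslog_lock.  once_control is static: as an automatic variable (the
 * original) it was re-created with PTHREAD_ONCE_INIT on every call, so
 * pthread_once() re-ran pthread_mutex_init() on a mutex that another
 * thread might be holding.
 *
 * openlog() is redone only when the (app_name, flags, facility) triple
 * differs from the one currently open.  The original kept logopen and
 * prev_facility for this purpose but never updated them, so it
 * reopened on every call.  A private copy of app_name is handed to
 * openlog() because the ident pointer may be referenced by later
 * syslog() calls, and the caller's string need not outlive this call.
 */
void
__audit_syslog(
	const char *app_name,
	int flags,
	int facility,
	int severity,
	const char *message)
{
	static pthread_once_t once_control = PTHREAD_ONCE_INIT;
	static int logopen = 0;
	static int prev_facility = -1;
	static int prev_flags = 0;
	static char prev_app_name[64];	/* ident copy; truncation is harmless */

	if (app_name == NULL)
		app_name = "";
	if (message == NULL)
		message = "";

	(void) pthread_once(&once_control, init_syslog_mutex);

	(void) pthread_mutex_lock(&syslog_lock);
	if (!logopen || prev_facility != facility || prev_flags != flags ||
	    strcmp(prev_app_name, app_name) != 0) {
		if (logopen)
			closelog();
		(void) snprintf(prev_app_name, sizeof (prev_app_name),
		    "%s", app_name);
		openlog(prev_app_name, flags, facility);
		logopen = 1;
		prev_facility = facility;
		prev_flags = flags;
	}
	syslog(severity, "%s", message);
	(void) pthread_mutex_unlock(&syslog_lock);
}

/*
 * __audit_dowarn - invoke the shell script auditwarn to notify the
 * administrator about a given problem.
 * parameters -
 *	option - what the problem is
 *	text - when used with options soft and hard: which file was being
 *		used when the filesystem filled up
 *		when used with the plugin option: error detail
 *	count - used with various options: how many times auditwarn has
 *		been called for this problem since it was last cleared.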
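*/
/*
 * The script is run in a forked child and the parent waits for it.  If
 * the exec fails, the child reports through syslog and leaves with
 * _exit() so it does not flush stdio buffers or run atexit handlers it
 * inherited from the parent.  All formatting into fixed buffers is
 * bounded: the original wrote an int into a 5-byte countstr and an
 * arbitrary path into an 80-byte warnstring with sprintf().
 */
void
__audit_dowarn(char *option, char *text, int count)
{
	pid_t pid;
	pid_t rc;
	int st;
	char countstr[12];		/* fits any int, sign included */
	char warnstring[MAXPATHLEN + 64];
	char empty[1] = "";

	if ((pid = fork1()) == -1) {
		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
		return;
	}
	if (pid != 0) {
		/* parent: reap the child, retrying if a signal interrupts */
		do {
			rc = waitpid(pid, &st, 0);
		} while (rc == -1 && errno == EINTR);
		return;
	}

	/* child */
	(void) snprintf(countstr, sizeof (countstr), "%d", count);
	if (text == NULL)
		text = empty;

	/*
	 * The argument list terminator must be a null pointer, not the
	 * int 0: execl() is variadic, so an int where a char * is expected
	 * is undefined and is wrong on LP64.
	 */
	if (strcmp(option, "soft") == 0 || strcmp(option, "hard") == 0)
		(void) execl(auditwarn, auditwarn, option, text, (char *)0);
	else if (strcmp(option, "allhard") == 0 ||
	    strcmp(option, "getacdir") == 0)
		(void) execl(auditwarn, auditwarn, option, countstr, (char *)0);
	else if (strcmp(option, "plugin") == 0)
		(void) execl(auditwarn, auditwarn, option, text, countstr,
		    (char *)0);
	else
		(void) execl(auditwarn, auditwarn, option, (char *)0);

	/*
	 * (execl failed) -- build a bounded fallback message; an
	 * over-long text is truncated rather than overflowing the buffer.
	 */
	if (strcmp(option, "soft") == 0)
		(void) snprintf(warnstring, sizeof (warnstring),
		    gettext("soft limit in %s.\n"), text);
	else if (strcmp(option, "hard") == 0)
		(void) snprintf(warnstring, sizeof (warnstring),
		    gettext("hard limit in %s.\n"), text);
	else if (strcmp(option, "allhard") == 0)
		(void) snprintf(warnstring, sizeof (warnstring),
		    gettext("All audit filesystems are full.\n"));
	else if (strcmp(option, "getacmin") == 0)
		(void) snprintf(warnstring, sizeof (warnstring),
		    gettext("audit_control minfree error.\n"));
	else if (strcmp(option, "getacdir") == 0)
		(void) snprintf(warnstring, sizeof (warnstring),
		    gettext("audit_control directory error.\n"));
	else
		(void) snprintf(warnstring, sizeof (warnstring),
		    gettext("error %s.\n"), option);

	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
	    LOG_ALERT, (const char *)warnstring);

	_exit(1);
}

/*
 * __audit_dowarn2 - invoke the shell script auditwarn to notify the
 * administrator about a given problem.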
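*/
/*
 * parameters -
 *	option - what the problem is
 *	name - entity reporting the problem (ie, plugin name)
 *	error - error string
 *	text - when used with options soft and hard: which file was being
 *		used when the filesystem filled up
 *		when used with the plugin option: error detail
 *	count - used with various options: how many times auditwarn has
 *		been called for this problem since it was last cleared.
 *
 * The script is run in a forked child and the parent waits for it.  If
 * the exec fails, the child reports through syslog and leaves with
 * _exit() so it does not flush stdio buffers or run atexit handlers it
 * inherited from the parent.  Formatting into the fixed buffers is
 * bounded (the original used sprintf() into a 5-byte countstr and an
 * 80-byte warnstring fed with caller-supplied text).
 */
void
__audit_dowarn2(char *option, char *name, char *error, char *text, int count)
{
	pid_t pid;
	pid_t rc;
	int st;
	char countstr[12];		/* fits any int, sign included */
	char warnstring[MAXPATHLEN + 64];
	char empty[4] = "...";
	char none[3] = "--";

	/*
	 * NOTE(review): __audit_dowarn() uses fork1() where this uses
	 * fork(); presumably equivalent for this process, left as found.
	 */
	if ((pid = fork()) == -1) {
		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
		return;
	}
	if (pid != 0) {
		/* parent: reap the child, retrying if a signal interrupts */
		do {
			rc = waitpid(pid, &st, 0);
		} while (rc == -1 && errno == EINTR);
		return;
	}

	/* child */
	(void) snprintf(countstr, sizeof (countstr), "%d", count);
	if ((text == NULL) || (*text == '\0'))
		text = empty;
	if ((name == NULL) || (*name == '\0'))
		name = none;
	/*
	 * A NULL error would be taken by execl() as the end of the
	 * argument list, silently dropping text and countstr from the
	 * script's argv; substitute the same placeholder used for text.
	 */
	if (error == NULL)
		error = empty;

	/* terminator is a null pointer, not int 0 (execl() is variadic) */
	(void) execl(auditwarn, auditwarn, option, name, error, text,
	    countstr, (char *)0);

	/*
	 * (execl failed) -- bounded fallback message; an over-long text
	 * is truncated rather than overflowing the buffer.
	 */
	(void) snprintf(warnstring, sizeof (warnstring),
	    gettext("audit_control plugin error: %s\n"), text);

	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
	    LOG_ALERT, (const char *)warnstring);

	_exit(1);
}

/*
 * logpost - post the new audit log file name to audit_data.
 *
 * This is not re-entrant code; it is called from auditd.c when
 * audit_binfile.so is not running and from binfile after auditd
 * is done.
 *
 * parameters -
 *	name - path of the current audit log; NULL is recorded as ""
 *
 * returns 0 on success, 1 on failure.  The audit_data file is opened on
 * the first call only; if that open fails, __audit_dowarn("tmpfile") is
 * run once and every later call returns 1 as well (the original kept
 * returning 0 while operating on an invalid descriptor).  The record
 * written is "<pid>:<name>\n"; it is rejected (return 1) if it does
 * not fit the buffer intact, and a failed or short write is reported
 * instead of ignored.
 *
 * The truncate-then-write sequence is not atomic; another writer of
 * the same file could interleave.  Left as found.
 */
int
__logpost(char *name)
{
	char buffer[MAXPATHLEN];
	char empty[] = "";
	int len;

	static int first = 1;
	static char auditdata[] = AUDITDATAFILE;
	static int audit_data_fd = -1;	/* file descriptor of audit_data */

	if (first) {
		first = 0;
		/*
		 * Open the audit_data file.  O_APPEND keeps every write
		 * at end-of-file, which is offset 0 after the ftruncate()
		 * below; without it the descriptor's offset would advance
		 * and later posts would leave a hole at the front.  The
		 * original comment also credited it with preserving the
		 * contents if another auditd is running.
		 */
		if ((audit_data_fd = open(auditdata,
		    O_RDWR | O_APPEND | O_CREAT, 0660)) < 0) {
			__audit_dowarn("tmpfile", "", 0);
			return (1);
		}
	}
	/* the open is attempted once; keep reporting its failure honestly */
	if (audit_data_fd < 0)
		return (1);

	if (name == NULL)
		name = empty;

	len = snprintf(buffer, sizeof (buffer), "%d:%s\n",
	    (int)getpid(), name);
	if (len < 0 || (size_t)len >= sizeof (buffer))
		return (1);	/* would be truncated; do not post a bad path */

	if (ftruncate(audit_data_fd, (off_t)0) < 0)
		return (1);
	if (write(audit_data_fd, buffer, (size_t)len) != (ssize_t)len)
		return (1);
	(void) fsync(audit_data_fd);

	return (0);
}

/*
 * __auditd_debug_file_open - return a FILE * on the shared debug dump
 * file for auditd and its plugins, opening it on first use.
 *
 * The stream is kept in a static and is never closed; it lives for the
 * rest of the process.  If fopen() fails the error is reported on
 * stderr, NULL is returned, and the next call tries again.  The mode
 * string "aF" is kept verbatim (the 'F' is presumably a platform
 * fopen flag -- left as found).  There is no locking here, so two
 * threads making the first call concurrently could each fopen().
 */
FILE *
__auditd_debug_file_open(void)
{
	static FILE *dump = NULL;

	if (dump == NULL) {
		dump = fopen("/var/audit/dump", "aF");
		if (dump == NULL)
			(void) fprintf(stderr,
			    "failed to open debug file: %s\n",
			    strerror(errno));
	}

	return (dump);
}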