/*
* Check if the specified event is selected (enabled) for auditing.
* Returns 1 if the event is selected, 0 if not and -1 on failure.
*/
static int
selected(char *username, uid_t uid, au_event_t event, int sf)
{
int rc, sorf;
char naflags[512];
struct au_mask mask;
mask.am_success = mask.am_failure = 0;
if (uid < 0) {
/* get flags for non-attributable (to a real user) events */
rc = getacna(naflags, sizeof(naflags));
if (rc == 0)
(void) getauditflagsbin(naflags, &mask);
} else
rc = au_user_mask(username, &mask);
sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
}
/*
* Check if the specified event is selected (enabled) for auditing.
* Returns 1 if the event is selected, 0 if not and -1 on failure.
*/
static int
selected(char *username, uid_t uid, au_event_t event, int sf)
{
int rc, sorf;
char naflags[512];
struct au_mask mask;
mask.am_success = mask.am_failure = 0;
#if __APPLE__
if (uid == (uid_t)-1) {
#else
if (uid < 0) {
#endif
/* get flags for non-attributable (to a real user) events */
rc = getacna(naflags, sizeof(naflags));
if (rc == 0)
(void) getauditflagsbin(naflags, &mask);
} else
rc = au_user_mask(username, &mask);
sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
}
static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
int ad, rc, sel;
uid_t uid = -1;
gid_t gid = -1;
pid_t pid = getpid();
AuditInfoTermID tid = ssh_bsm_tid;
if (the_authctxt == NULL) {
error("BSM audit: audit record internal error (NULL ctxt)");
abort();
}
if (the_authctxt->valid) {
uid = the_authctxt->pw->pw_uid;
gid = the_authctxt->pw->pw_gid;
}
rc = (typ == 0) ? 0 : -1;
sel = selected(the_authctxt->user, uid, event_no, rc);
debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
if (!sel)
return; /* audit event does not match mask, do not write */
debug3("BSM audit: writing audit new record");
ad = au_open();
(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
pid, pid, &tid));
(void) au_write(ad, au_to_text(string));
(void) au_write(ad, AUToReturnFunc(typ, rc));
#ifdef BROKEN_BSM_API
/* The last argument is the event modifier flags. For
some seemingly undocumented reason it was added in
Solaris 11. */
rc = au_close(ad, AU_TO_WRITE, event_no, 0);
#else
rc = au_close(ad, AU_TO_WRITE, event_no);
#endif
if (rc < 0)
error("BSM audit: %s failed to write \"%s\" record: %s",
__func__, string, strerror(errno));
}
static void
audump_control(void)
{
char string[PATH_MAX], string2[PATH_MAX];
int ret, val;
long policy;
time_t age;
size_t size;
ret = getacflg(string, PATH_MAX);
if (ret == -2)
err(-1, "getacflg");
if (ret != 0)
errx(-1, "getacflg: %d", ret);
printf("flags:%s\n", string);
ret = getacmin(&val);
if (ret == -2)
err(-1, "getacmin");
if (ret != 0)
errx(-1, "getacmin: %d", ret);
printf("min:%d\n", val);
ret = getacna(string, PATH_MAX);
if (ret == -2)
err(-1, "getacna");
if (ret != 0)
errx(-1, "getacna: %d", ret);
printf("naflags:%s\n", string);
setac();
do {
ret = getacdir(string, PATH_MAX);
if (ret == -1)
break;
if (ret == -2)
err(-1, "getacdir");
if (ret != 0)
errx(-1, "getacdir: %d", ret);
printf("dir:%s\n", string);
} while (ret == 0);
ret = getacpol(string, PATH_MAX);
if (ret != 0)
err(-1, "getacpol");
if (au_strtopol(string, &policy) < 0)
err(-1, "au_strtopol");
if (au_poltostr(policy, PATH_MAX, string2) < 0)
err(-1, "au_poltostr");
printf("policy:%s\n", string2);
ret = getacfilesz(&size);
if (ret == -2)
err(-1, "getacfilesz");
if (ret != 0)
err(-1, "getacfilesz: %d", ret);
printf("filesz:%ldB\n", size);
ret = getachost(string, PATH_MAX);
if (ret == -2)
err(-1, "getachost");
if (ret == -3)
err(-1, "getachost: %d", ret);
if (ret == 0 && ret != 1)
printf("host:%s\n", string);
ret = getacexpire(&val, &age, &size);
if (ret == -2)
err(-1, "getacexpire");
if (ret == -1)
err(-1, "getacexpire: %d", ret);
if (ret == 0 && ret != 1)
printf("expire-after:%ldB %s %lds\n", size,
val ? "AND" : "OR", age);
}
