/*
* The following tokens are included in the audit record for a logout:
* header, subject, return.
*/
void
audit_logout(void)
{
token_t *tok;
int aufd;
uid_t uid = pwd->pw_uid;
gid_t gid = pwd->pw_gid;
pid_t pid = getpid();
int au_cond;
/* If we are not auditing, don't cut an audit record; just return. */
if (auditon(A_GETCOND, &au_cond, sizeof(int)) < 0) {
if (errno == ENOSYS)
return;
errx(1, "could not determine audit condition");
}
if (au_cond == AUC_NOAUDIT)
return;
if ((aufd = au_open()) == -1)
errx(1, "audit error: au_open() failed");
/* The subject that is created (euid, egid of the current process). */
if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid,
pid, &tid)) == NULL)
errx(1, "audit error: au_to_subject32() failed");
au_write(aufd, tok);
if ((tok = au_to_return32(0, 0)) == NULL)
errx(1, "audit error: au_to_return32() failed");
au_write(aufd, tok);
if (au_close(aufd, 1, AUE_logout) == -1)
errx(1, "audit record was not committed.");
}
int
audit_save_me(door_data_t *door_dp)
{
door_cred_t client_cred;
int ret_val;
int i;
ret_val = door_cred(&client_cred);
if (ret_val == -1)
return (ret_val);
door_dp->audit_ap.ap_pid = client_cred.dc_pid;
ret_val = auditon(A_GETPINFO_ADDR, (caddr_t)&door_dp->audit_ap,
sizeof (door_dp->audit_ap));
if (ret_val == -1)
return (ret_val);
door_dp->audit_auid = door_dp->audit_ap.ap_auid;
door_dp->audit_euid = client_cred.dc_euid;
door_dp->audit_egid = client_cred.dc_egid;
door_dp->audit_uid = client_cred.dc_ruid;
door_dp->audit_gid = client_cred.dc_rgid;
door_dp->audit_pid = client_cred.dc_pid;
door_dp->audit_asid = door_dp->audit_ap.ap_asid;
door_dp->audit_tid.at_port = door_dp->audit_ap.ap_termid.at_port;
door_dp->audit_tid.at_type = door_dp->audit_ap.ap_termid.at_type;
for (i = 0; i < (door_dp->audit_ap.ap_termid.at_type/4); i++)
door_dp->audit_tid.at_addr[i] =
door_dp->audit_ap.ap_termid.at_addr[i];
(void) audit_save_policy(door_dp);
return (0);
}
static boolean_t
is_valid_zone(boolean_t show_err)
{
uint32_t policy;
if (auditon(A_GETPOLICY, (char *)&policy, 0) == -1) {
if (!silent) {
(void) fprintf(stderr, gettext(
"%s: Cannot read audit policy: %s\n"),
progname, strerror(errno));
}
return (0);
}
if (policy & AUDIT_PERZONE)
return (1);
if (getzoneid() != GLOBAL_ZONEID) {
if (show_err)
(void) fprintf(stderr,
gettext("%s: Not valid in a local zone.\n"),
progname);
return (0);
} else {
return (1);
}
}
void
bsm_audit_failure(char **exec_args, char const *const fmt, va_list ap)
{
auditinfo_addr_t ainfo_addr;
auditinfo_t ainfo;
char text[256];
token_t *tok;
long au_cond;
au_id_t auid;
pid_t pid;
int aufd;
debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT)
pid = getpid();
/*
* If we are not auditing, don't cut an audit record; just return.
*/
if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
if (errno == AUDIT_NOT_CONFIGURED)
debug_return;
error(1, _("Could not determine audit condition"));
}
if (au_cond == AUC_NOAUDIT)
debug_return;
if (!audit_sudo_selected(1))
debug_return;
if (getauid(&auid) < 0)
error(1, _("getauid: failed"));
if ((aufd = au_open()) == -1)
error(1, _("au_open: failed"));
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) {
tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(),
getuid(), pid, pid, &ainfo_addr.ai_termid);
} else if (errno == ENOSYS) {
if (getaudit(&ainfo) < 0)
error(1, _("getaudit: failed"));
tok = au_to_subject(auid, geteuid(), getegid(), getuid(),
getuid(), pid, pid, &ainfo.ai_termid);
} else
error(1, _("getaudit: failed"));
if (tok == NULL)
error(1, _("au_to_subject: failed"));
au_write(aufd, tok);
tok = au_to_exec_args(exec_args);
if (tok == NULL)
error(1, _("au_to_exec_args: failed"));
au_write(aufd, tok);
(void) vsnprintf(text, sizeof(text), fmt, ap);
tok = au_to_text(text);
if (tok == NULL)
error(1, _("au_to_text: failed"));
au_write(aufd, tok);
tok = au_to_return32(EPERM, 1);
if (tok == NULL)
error(1, _("au_to_return32: failed"));
au_write(aufd, tok);
if (au_close(aufd, 1, AUE_sudo) == -1)
error(1, _("unable to commit audit record"));
debug_return;
}
/*
* if auditd isn't running, start it. Otherwise refresh.
* First check to see if c2audit is loaded via the auditon()
* system call, then check SMF state.
*/
static void
start_auditd()
{
int audit_state;
char *state;
if (auditon(A_GETCOND, (caddr_t)&audit_state,
sizeof (audit_state)) != 0)
exit(1);
if ((state = smf_get_state(AUDITD_FMRI)) == NULL) {
display_smf_error();
exit(1);
}
if (strcmp(SCF_STATE_STRING_ONLINE, state) != 0) {
if (smf_enable_instance(AUDITD_FMRI, 0) != 0) {
display_smf_error();
free(state);
exit(1);
}
} else {
if (smf_refresh_instance(AUDITD_FMRI) != 0) {
display_smf_error();
free(state);
exit(1);
}
}
free(state);
}
int
audit_set_policy(int *policy)
{
int ret;
ret = auditon(A_SETPOLICY, policy, sizeof(*policy));
#ifdef A_OLDSETPOLICY
if ((0 != ret) && (EINVAL == errno)){
long lpolicy = (long)*policy;
ret = auditon(A_OLDSETPOLICY, &lpolicy, sizeof(lpolicy));
*policy = (int)lpolicy;
}
#endif
return (ret);
}
static int
selected(
uid_t uid,
char *locuser,
au_event_t event,
int err)
{
int sorf;
struct au_mask mask;
mask.am_success = mask.am_failure = 0;
if (uid > MAXEPHUID) {
/* get non-attrib flags */
(void) auditon(A_GETKMASK, (caddr_t)&mask, sizeof (mask));
} else {
(void) au_user_mask(locuser, &mask);
}
if (err == 0) {
sorf = AU_PRS_SUCCESS;
} else if (err >= 1) {
sorf = AU_PRS_FAILURE;
} else {
sorf = AU_PRS_BOTH;
}
return (au_preselect(event, &mask, sorf, AU_PRS_REREAD));
}
int
audit_set_cond(int *cond)
{
int ret;
ret = auditon(A_SETCOND, cond, sizeof(*cond));
#ifdef A_OLDSETCOND
if ((0 != ret) && (EINVAL == errno)) {
long lcond = (long)*cond;
ret = auditon(A_OLDSETCOND, &lcond, sizeof(lcond));
*cond = (int)lcond;
}
#endif
return (ret);
}
int
audit_set_kmask(au_mask_t *kmask, size_t sz)
{
if (sizeof(*kmask) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_SETKMASK, kmask, sz));
}
static int
audit_save_policy(door_data_t *door_dp)
{
uint32_t policy;
if (auditon(A_GETPOLICY, (caddr_t)&policy, sizeof (policy))) {
return (-1);
}
door_dp->audit_policy = policy;
return (0);
}
int
audit_set_pmask(auditpinfo_t *api, size_t sz)
{
if (sizeof(*api) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_SETPMASK, api, sz));
}
int
audit_set_stat(au_stat_t *stats, size_t sz)
{
if (sizeof(*stats) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_GETSTAT, stats, sz));
}
int
audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz)
{
if (sizeof(*aia) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_GETSINFO_ADDR, aia, sz));
}
int
audit_set_fsize(au_fstat_t *fstat, size_t sz)
{
if (sizeof(*fstat) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_SETFSIZE, fstat, sz));
}
int
audit_set_event(au_evname_map_t *evn_map, size_t sz)
{
if (sizeof(*evn_map) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_SETEVENT, evn_map, sz));
}
int
audit_set_class(au_evclass_map_t *evc_map, size_t sz)
{
if (sizeof(*evc_map) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_SETCLASS, evc_map, sz));
}
int
audit_set_kaudit(auditinfo_addr_t *aia, size_t sz)
{
if (sizeof(*aia) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_SETKAUDIT, aia, sz));
}
int
audit_get_pinfo(auditpinfo_t *api, size_t sz)
{
if (sizeof(*api) != sz) {
errno = EINVAL;
return (-1);
}
return (auditon(A_GETPINFO, api, sz));
}
/*
* The following tokens are included in the audit record for failed
* login attempts: header, subject, text, return.
*/
void
au_login_fail(const char *errmsg, int na)
{
token_t *tok;
int aufd;
int au_cond;
uid_t uid;
gid_t gid;
pid_t pid = getpid();
/* If we are not auditing, don't cut an audit record; just return. */
if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) {
if (errno == ENOSYS)
return;
errx(1, "could not determine audit condition");
}
if (au_cond == AUC_NOAUDIT)
return;
if ((aufd = au_open()) == -1)
errx(1, "audit error: au_open() failed");
if (na) {
/*
* Non attributable event. Assuming that login is not called
* within a user's session => auid,asid == -1.
*/
if ((tok = au_to_subject32(-1, geteuid(), getegid(), -1, -1,
pid, -1, &tid)) == NULL)
errx(1, "audit error: au_to_subject32() failed");
} else {
/* We know the subject -- so use its value instead. */
uid = pwd->pw_uid;
gid = pwd->pw_gid;
if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid,
gid, pid, pid, &tid)) == NULL)
errx(1, "audit error: au_to_subject32() failed");
}
au_write(aufd, tok);
/* Include the error message. */
if ((tok = au_to_text(errmsg)) == NULL)
errx(1, "audit error: au_to_text() failed");
au_write(aufd, tok);
if ((tok = au_to_return32(1, errno)) == NULL)
errx(1, "audit error: au_to_return32() failed");
au_write(aufd, tok);
if (au_close(aufd, 1, AUE_login) == -1)
errx(1, "audit error: au_close() was not committed");
}
int
audit_crontab_process_not_audited() {
struct auditpinfo_addr info;
int rc;
info.ap_pid = getpid();
if (auditon(A_GETPINFO_ADDR, (caddr_t)&info, sizeof (info)) != 0)
rc = 0; /* audit failure: not enabled */
else
rc = (info.ap_auid == AU_NOAUDITID);
return (rc);
}
static void
wait_for_auqueue()
{
au_stat_t au_stat;
int retries = 10;
while (retries-- && auditon(A_GETSTAT, (caddr_t)&au_stat, NULL) == 0) {
if (au_stat.as_enqueue == au_stat.as_written) {
break;
}
(void) sleep(1);
}
}
int
audit_set_qctrl(au_qctrl_t *qctrl, size_t sz)
{
int ret;
if (sizeof(*qctrl) != sz) {
errno = EINVAL;
return (-1);
}
ret = auditon(A_SETQCTRL, qctrl, sz);
#ifdef A_OLDSETQCTRL
if ((0 != ret) && (EINVAL == errno)) {
struct old_qctrl {
size_t oq_hiwater;
size_t oq_lowater;
size_t oq_bufsz;
clock_t oq_delay;
int oq_minfree;
} oq;
oq.oq_hiwater = (size_t)qctrl->aq_hiwater;
oq.oq_lowater = (size_t)qctrl->aq_lowater;
oq.oq_bufsz = (size_t)qctrl->aq_bufsz;
oq.oq_delay = (clock_t)qctrl->aq_delay;
oq.oq_minfree = qctrl->aq_minfree;
ret = auditon(A_OLDSETQCTRL, &oq, sizeof(oq));
qctrl->aq_hiwater = (int)oq.oq_hiwater;
qctrl->aq_lowater = (int)oq.oq_lowater;
qctrl->aq_bufsz = (int)oq.oq_bufsz;
qctrl->aq_delay = (int)oq.oq_delay;
qctrl->aq_minfree = oq.oq_minfree;
}
#endif /* A_OLDSETQCTRL */
return (ret);
}
/*
* can_audit:
* Return 1 if audit module is loaded.
* Return 0 otherwise.
*
*/
int
can_audit(void)
{
static int auc = AUC_UNSET;
int cond = 0;
if (auditon(A_GETCOND, (caddr_t)&cond, sizeof (cond))) {
auc = AUC_DISABLED;
} else {
auc = cond;
}
if (auc == AUC_DISABLED)
return (0);
else return (1);
}
/*
* set_transq_count_max() - sets the transq_count_max value based on kernel
* audit queue high water mark. This is backup solution for a case, when the
* the default qsize zero value is (intentionally) set in the audit_remote(5)
* plugin configuration.
*/
static auditd_rc_t
set_transq_count_max()
{
struct au_qctrl qctrl;
if (auditon(A_GETQCTRL, (caddr_t)&qctrl, 0) != -1) {
transq_count_max = qctrl.aq_hiwater;
DPRINT((dfile, "Transmission queue max length set to %ld\n",
transq_count_max));
return (AUDITD_SUCCESS);
}
DPRINT((dfile, "Setting the transmission queue max length failed\n"));
return (AUDITD_RETRY);
}
/*
* The following tokens are included in the audit record for a successful
* login: header, subject, return.
*/
void
au_login_success(void)
{
token_t *tok;
int aufd;
au_mask_t aumask;
auditinfo_t auinfo;
uid_t uid = pwd->pw_uid;
gid_t gid = pwd->pw_gid;
pid_t pid = getpid();
int au_cond;
/* If we are not auditing, don't cut an audit record; just return. */
if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) {
if (errno == ENOSYS)
return;
errx(1, "could not determine audit condition");
}
if (au_cond == AUC_NOAUDIT)
return;
/* Compute and set the user's preselection mask. */
if (au_user_mask(pwd->pw_name, &aumask) == -1)
errx(1, "could not set audit mask");
/* Set the audit info for the user. */
auinfo.ai_auid = uid;
auinfo.ai_asid = pid;
bcopy(&tid, &auinfo.ai_termid, sizeof(auinfo.ai_termid));
bcopy(&aumask, &auinfo.ai_mask, sizeof(auinfo.ai_mask));
if (setaudit(&auinfo) != 0)
err(1, "setaudit failed");
if ((aufd = au_open()) == -1)
errx(1, "audit error: au_open() failed");
if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid,
pid, &tid)) == NULL)
errx(1, "audit error: au_to_subject32() failed");
au_write(aufd, tok);
if ((tok = au_to_return32(0, 0)) == NULL)
errx(1, "audit error: au_to_return32() failed");
au_write(aufd, tok);
if (au_close(aufd, 1, AUE_login) == -1)
errx(1, "audit record was not committed.");
}
/*
* audit_save_namask():
* Save the namask using the naflags entry in the audit_control file.
* Return 0 if successful.
* Return -1, and don't change the namask, if failed.
* Side Effect: Sets audit_na to -1 if error, 1 if successful.
*/
static int
audit_save_namask(door_data_t *door_dp)
{
au_mask_t mask;
door_dp->audit_na = -1;
/*
* get non-attributable system event mask from kernel.
*/
if (auditon(A_GETKMASK, (caddr_t)&mask, sizeof (mask)) != 0) {
return (-1);
}
door_dp->audit_namask.am_success = mask.am_success;
door_dp->audit_namask.am_failure = mask.am_failure;
door_dp->audit_na = 1;
return (0);
}
void
priv_audit_control(int asroot, int injail, struct test *test)
{
long policy;
int error;
error = auditon(A_GETPOLICY, &policy, sizeof(policy));
if (asroot && injail)
expect("priv_audit_control(asroot, injail)", error, -1,
ENOSYS);
if (asroot && !injail)
expect("priv_audit_control(asroot, !injail)", error, 0, 0);
if (!asroot && injail)
expect("priv_audit_control(!asroot, injail)", error, -1,
ENOSYS);
if (!asroot && !injail)
expect("priv_audit_control(!asroot, !injail)", error, -1,
EPERM);
}
/*
* update_kcontext() - updates the non-/attributable preselection masks in
* the kernel context. Returns B_TRUE on success, B_FALSE otherwise.
*/
boolean_t
update_kcontext(int cmd, char *cmask)
{
au_mask_t bmask;
(void) getauditflagsbin(cmask, &bmask);
if (auditon(cmd, (caddr_t)&bmask, sizeof (bmask)) == -1) {
(void) printf("Could not update kernel context (%s).\n",
cmd == A_SETAMASK ? "A_SETAMASK" : "A_SETKMASK");
return (B_FALSE);
}
#ifdef DEBUG
(void) printf("svc-auditset: %s mask set to %s",
cmd == A_SETAMASK ? "Attributable" : "Non-Attributable", cmask);
#endif
return (B_TRUE);
}
int
audit_get_car(char *path, size_t sz)
{
return (auditon(A_GETCAR, path, sz));
}
int
audit_get_cwd(char *path, size_t sz)
{
return (auditon(A_GETCWD, path, sz));
}
