/* * The following tokens are included in the audit record for a logout: * header, subject, return. */ void audit_logout(void) { token_t *tok; int aufd; uid_t uid = pwd->pw_uid; gid_t gid = pwd->pw_gid; pid_t pid = getpid(); int au_cond; /* If we are not auditing, don't cut an audit record; just return. */ if (auditon(A_GETCOND, &au_cond, sizeof(int)) < 0) { if (errno == ENOSYS) return; errx(1, "could not determine audit condition"); } if (au_cond == AUC_NOAUDIT) return; if ((aufd = au_open()) == -1) errx(1, "audit error: au_open() failed"); /* The subject that is created (euid, egid of the current process). */ if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid, pid, &tid)) == NULL) errx(1, "audit error: au_to_subject32() failed"); au_write(aufd, tok); if ((tok = au_to_return32(0, 0)) == NULL) errx(1, "audit error: au_to_return32() failed"); au_write(aufd, tok); if (au_close(aufd, 1, AUE_logout) == -1) errx(1, "audit record was not committed."); }
int audit_save_me(door_data_t *door_dp) { door_cred_t client_cred; int ret_val; int i; ret_val = door_cred(&client_cred); if (ret_val == -1) return (ret_val); door_dp->audit_ap.ap_pid = client_cred.dc_pid; ret_val = auditon(A_GETPINFO_ADDR, (caddr_t)&door_dp->audit_ap, sizeof (door_dp->audit_ap)); if (ret_val == -1) return (ret_val); door_dp->audit_auid = door_dp->audit_ap.ap_auid; door_dp->audit_euid = client_cred.dc_euid; door_dp->audit_egid = client_cred.dc_egid; door_dp->audit_uid = client_cred.dc_ruid; door_dp->audit_gid = client_cred.dc_rgid; door_dp->audit_pid = client_cred.dc_pid; door_dp->audit_asid = door_dp->audit_ap.ap_asid; door_dp->audit_tid.at_port = door_dp->audit_ap.ap_termid.at_port; door_dp->audit_tid.at_type = door_dp->audit_ap.ap_termid.at_type; for (i = 0; i < (door_dp->audit_ap.ap_termid.at_type/4); i++) door_dp->audit_tid.at_addr[i] = door_dp->audit_ap.ap_termid.at_addr[i]; (void) audit_save_policy(door_dp); return (0); }
static boolean_t is_valid_zone(boolean_t show_err) { uint32_t policy; if (auditon(A_GETPOLICY, (char *)&policy, 0) == -1) { if (!silent) { (void) fprintf(stderr, gettext( "%s: Cannot read audit policy: %s\n"), progname, strerror(errno)); } return (0); } if (policy & AUDIT_PERZONE) return (1); if (getzoneid() != GLOBAL_ZONEID) { if (show_err) (void) fprintf(stderr, gettext("%s: Not valid in a local zone.\n"), progname); return (0); } else { return (1); } }
void bsm_audit_failure(char **exec_args, char const *const fmt, va_list ap) { auditinfo_addr_t ainfo_addr; auditinfo_t ainfo; char text[256]; token_t *tok; long au_cond; au_id_t auid; pid_t pid; int aufd; debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT) pid = getpid(); /* * If we are not auditing, don't cut an audit record; just return. */ if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) { if (errno == AUDIT_NOT_CONFIGURED) debug_return; error(1, _("Could not determine audit condition")); } if (au_cond == AUC_NOAUDIT) debug_return; if (!audit_sudo_selected(1)) debug_return; if (getauid(&auid) < 0) error(1, _("getauid: failed")); if ((aufd = au_open()) == -1) error(1, _("au_open: failed")); if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(), getuid(), pid, pid, &ainfo_addr.ai_termid); } else if (errno == ENOSYS) { if (getaudit(&ainfo) < 0) error(1, _("getaudit: failed")); tok = au_to_subject(auid, geteuid(), getegid(), getuid(), getuid(), pid, pid, &ainfo.ai_termid); } else error(1, _("getaudit: failed")); if (tok == NULL) error(1, _("au_to_subject: failed")); au_write(aufd, tok); tok = au_to_exec_args(exec_args); if (tok == NULL) error(1, _("au_to_exec_args: failed")); au_write(aufd, tok); (void) vsnprintf(text, sizeof(text), fmt, ap); tok = au_to_text(text); if (tok == NULL) error(1, _("au_to_text: failed")); au_write(aufd, tok); tok = au_to_return32(EPERM, 1); if (tok == NULL) error(1, _("au_to_return32: failed")); au_write(aufd, tok); if (au_close(aufd, 1, AUE_sudo) == -1) error(1, _("unable to commit audit record")); debug_return; }
/* * if auditd isn't running, start it. Otherwise refresh. * First check to see if c2audit is loaded via the auditon() * system call, then check SMF state. */ static void start_auditd() { int audit_state; char *state; if (auditon(A_GETCOND, (caddr_t)&audit_state, sizeof (audit_state)) != 0) exit(1); if ((state = smf_get_state(AUDITD_FMRI)) == NULL) { display_smf_error(); exit(1); } if (strcmp(SCF_STATE_STRING_ONLINE, state) != 0) { if (smf_enable_instance(AUDITD_FMRI, 0) != 0) { display_smf_error(); free(state); exit(1); } } else { if (smf_refresh_instance(AUDITD_FMRI) != 0) { display_smf_error(); free(state); exit(1); } } free(state); }
int audit_set_policy(int *policy) { int ret; ret = auditon(A_SETPOLICY, policy, sizeof(*policy)); #ifdef A_OLDSETPOLICY if ((0 != ret) && (EINVAL == errno)){ long lpolicy = (long)*policy; ret = auditon(A_OLDSETPOLICY, &lpolicy, sizeof(lpolicy)); *policy = (int)lpolicy; } #endif return (ret); }
static int selected( uid_t uid, char *locuser, au_event_t event, int err) { int sorf; struct au_mask mask; mask.am_success = mask.am_failure = 0; if (uid > MAXEPHUID) { /* get non-attrib flags */ (void) auditon(A_GETKMASK, (caddr_t)&mask, sizeof (mask)); } else { (void) au_user_mask(locuser, &mask); } if (err == 0) { sorf = AU_PRS_SUCCESS; } else if (err >= 1) { sorf = AU_PRS_FAILURE; } else { sorf = AU_PRS_BOTH; } return (au_preselect(event, &mask, sorf, AU_PRS_REREAD)); }
int audit_set_cond(int *cond) { int ret; ret = auditon(A_SETCOND, cond, sizeof(*cond)); #ifdef A_OLDSETCOND if ((0 != ret) && (EINVAL == errno)) { long lcond = (long)*cond; ret = auditon(A_OLDSETCOND, &lcond, sizeof(lcond)); *cond = (int)lcond; } #endif return (ret); }
int audit_set_kmask(au_mask_t *kmask, size_t sz) { if (sizeof(*kmask) != sz) { errno = EINVAL; return (-1); } return (auditon(A_SETKMASK, kmask, sz)); }
static int audit_save_policy(door_data_t *door_dp) { uint32_t policy; if (auditon(A_GETPOLICY, (caddr_t)&policy, sizeof (policy))) { return (-1); } door_dp->audit_policy = policy; return (0); }
int audit_set_pmask(auditpinfo_t *api, size_t sz) { if (sizeof(*api) != sz) { errno = EINVAL; return (-1); } return (auditon(A_SETPMASK, api, sz)); }
int audit_set_stat(au_stat_t *stats, size_t sz) { if (sizeof(*stats) != sz) { errno = EINVAL; return (-1); } return (auditon(A_GETSTAT, stats, sz)); }
int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz) { if (sizeof(*aia) != sz) { errno = EINVAL; return (-1); } return (auditon(A_GETSINFO_ADDR, aia, sz)); }
int audit_set_fsize(au_fstat_t *fstat, size_t sz) { if (sizeof(*fstat) != sz) { errno = EINVAL; return (-1); } return (auditon(A_SETFSIZE, fstat, sz)); }
int audit_set_event(au_evname_map_t *evn_map, size_t sz) { if (sizeof(*evn_map) != sz) { errno = EINVAL; return (-1); } return (auditon(A_SETEVENT, evn_map, sz)); }
int audit_set_class(au_evclass_map_t *evc_map, size_t sz) { if (sizeof(*evc_map) != sz) { errno = EINVAL; return (-1); } return (auditon(A_SETCLASS, evc_map, sz)); }
int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz) { if (sizeof(*aia) != sz) { errno = EINVAL; return (-1); } return (auditon(A_SETKAUDIT, aia, sz)); }
int audit_get_pinfo(auditpinfo_t *api, size_t sz) { if (sizeof(*api) != sz) { errno = EINVAL; return (-1); } return (auditon(A_GETPINFO, api, sz)); }
/* * The following tokens are included in the audit record for failed * login attempts: header, subject, text, return. */ void au_login_fail(const char *errmsg, int na) { token_t *tok; int aufd; int au_cond; uid_t uid; gid_t gid; pid_t pid = getpid(); /* If we are not auditing, don't cut an audit record; just return. */ if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) { if (errno == ENOSYS) return; errx(1, "could not determine audit condition"); } if (au_cond == AUC_NOAUDIT) return; if ((aufd = au_open()) == -1) errx(1, "audit error: au_open() failed"); if (na) { /* * Non attributable event. Assuming that login is not called * within a user's session => auid,asid == -1. */ if ((tok = au_to_subject32(-1, geteuid(), getegid(), -1, -1, pid, -1, &tid)) == NULL) errx(1, "audit error: au_to_subject32() failed"); } else { /* We know the subject -- so use its value instead. */ uid = pwd->pw_uid; gid = pwd->pw_gid; if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid, pid, &tid)) == NULL) errx(1, "audit error: au_to_subject32() failed"); } au_write(aufd, tok); /* Include the error message. */ if ((tok = au_to_text(errmsg)) == NULL) errx(1, "audit error: au_to_text() failed"); au_write(aufd, tok); if ((tok = au_to_return32(1, errno)) == NULL) errx(1, "audit error: au_to_return32() failed"); au_write(aufd, tok); if (au_close(aufd, 1, AUE_login) == -1) errx(1, "audit error: au_close() was not committed"); }
int audit_crontab_process_not_audited() { struct auditpinfo_addr info; int rc; info.ap_pid = getpid(); if (auditon(A_GETPINFO_ADDR, (caddr_t)&info, sizeof (info)) != 0) rc = 0; /* audit failure: not enabled */ else rc = (info.ap_auid == AU_NOAUDITID); return (rc); }
static void wait_for_auqueue() { au_stat_t au_stat; int retries = 10; while (retries-- && auditon(A_GETSTAT, (caddr_t)&au_stat, NULL) == 0) { if (au_stat.as_enqueue == au_stat.as_written) { break; } (void) sleep(1); } }
int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz) { int ret; if (sizeof(*qctrl) != sz) { errno = EINVAL; return (-1); } ret = auditon(A_SETQCTRL, qctrl, sz); #ifdef A_OLDSETQCTRL if ((0 != ret) && (EINVAL == errno)) { struct old_qctrl { size_t oq_hiwater; size_t oq_lowater; size_t oq_bufsz; clock_t oq_delay; int oq_minfree; } oq; oq.oq_hiwater = (size_t)qctrl->aq_hiwater; oq.oq_lowater = (size_t)qctrl->aq_lowater; oq.oq_bufsz = (size_t)qctrl->aq_bufsz; oq.oq_delay = (clock_t)qctrl->aq_delay; oq.oq_minfree = qctrl->aq_minfree; ret = auditon(A_OLDSETQCTRL, &oq, sizeof(oq)); qctrl->aq_hiwater = (int)oq.oq_hiwater; qctrl->aq_lowater = (int)oq.oq_lowater; qctrl->aq_bufsz = (int)oq.oq_bufsz; qctrl->aq_delay = (int)oq.oq_delay; qctrl->aq_minfree = oq.oq_minfree; } #endif /* A_OLDSETQCTRL */ return (ret); }
/* * can_audit: * Return 1 if audit module is loaded. * Return 0 otherwise. * */ int can_audit(void) { static int auc = AUC_UNSET; int cond = 0; if (auditon(A_GETCOND, (caddr_t)&cond, sizeof (cond))) { auc = AUC_DISABLED; } else { auc = cond; } if (auc == AUC_DISABLED) return (0); else return (1); }
/* * set_transq_count_max() - sets the transq_count_max value based on kernel * audit queue high water mark. This is backup solution for a case, when the * the default qsize zero value is (intentionally) set in the audit_remote(5) * plugin configuration. */ static auditd_rc_t set_transq_count_max() { struct au_qctrl qctrl; if (auditon(A_GETQCTRL, (caddr_t)&qctrl, 0) != -1) { transq_count_max = qctrl.aq_hiwater; DPRINT((dfile, "Transmission queue max length set to %ld\n", transq_count_max)); return (AUDITD_SUCCESS); } DPRINT((dfile, "Setting the transmission queue max length failed\n")); return (AUDITD_RETRY); }
/* * The following tokens are included in the audit record for a successful * login: header, subject, return. */ void au_login_success(void) { token_t *tok; int aufd; au_mask_t aumask; auditinfo_t auinfo; uid_t uid = pwd->pw_uid; gid_t gid = pwd->pw_gid; pid_t pid = getpid(); int au_cond; /* If we are not auditing, don't cut an audit record; just return. */ if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) { if (errno == ENOSYS) return; errx(1, "could not determine audit condition"); } if (au_cond == AUC_NOAUDIT) return; /* Compute and set the user's preselection mask. */ if (au_user_mask(pwd->pw_name, &aumask) == -1) errx(1, "could not set audit mask"); /* Set the audit info for the user. */ auinfo.ai_auid = uid; auinfo.ai_asid = pid; bcopy(&tid, &auinfo.ai_termid, sizeof(auinfo.ai_termid)); bcopy(&aumask, &auinfo.ai_mask, sizeof(auinfo.ai_mask)); if (setaudit(&auinfo) != 0) err(1, "setaudit failed"); if ((aufd = au_open()) == -1) errx(1, "audit error: au_open() failed"); if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid, pid, &tid)) == NULL) errx(1, "audit error: au_to_subject32() failed"); au_write(aufd, tok); if ((tok = au_to_return32(0, 0)) == NULL) errx(1, "audit error: au_to_return32() failed"); au_write(aufd, tok); if (au_close(aufd, 1, AUE_login) == -1) errx(1, "audit record was not committed."); }
/* * audit_save_namask(): * Save the namask using the naflags entry in the audit_control file. * Return 0 if successful. * Return -1, and don't change the namask, if failed. * Side Effect: Sets audit_na to -1 if error, 1 if successful. */ static int audit_save_namask(door_data_t *door_dp) { au_mask_t mask; door_dp->audit_na = -1; /* * get non-attributable system event mask from kernel. */ if (auditon(A_GETKMASK, (caddr_t)&mask, sizeof (mask)) != 0) { return (-1); } door_dp->audit_namask.am_success = mask.am_success; door_dp->audit_namask.am_failure = mask.am_failure; door_dp->audit_na = 1; return (0); }
void priv_audit_control(int asroot, int injail, struct test *test) { long policy; int error; error = auditon(A_GETPOLICY, &policy, sizeof(policy)); if (asroot && injail) expect("priv_audit_control(asroot, injail)", error, -1, ENOSYS); if (asroot && !injail) expect("priv_audit_control(asroot, !injail)", error, 0, 0); if (!asroot && injail) expect("priv_audit_control(!asroot, injail)", error, -1, ENOSYS); if (!asroot && !injail) expect("priv_audit_control(!asroot, !injail)", error, -1, EPERM); }
/* * update_kcontext() - updates the non-/attributable preselection masks in * the kernel context. Returns B_TRUE on success, B_FALSE otherwise. */ boolean_t update_kcontext(int cmd, char *cmask) { au_mask_t bmask; (void) getauditflagsbin(cmask, &bmask); if (auditon(cmd, (caddr_t)&bmask, sizeof (bmask)) == -1) { (void) printf("Could not update kernel context (%s).\n", cmd == A_SETAMASK ? "A_SETAMASK" : "A_SETKMASK"); return (B_FALSE); } #ifdef DEBUG (void) printf("svc-auditset: %s mask set to %s", cmd == A_SETAMASK ? "Attributable" : "Non-Attributable", cmask); #endif return (B_TRUE); }
int audit_get_car(char *path, size_t sz) { return (auditon(A_GETCAR, path, sz)); }
int audit_get_cwd(char *path, size_t sz) { return (auditon(A_GETCWD, path, sz)); }