/* * Check if the specified event is selected (enabled) for auditing. * Returns 1 if the event is selected, 0 if not and -1 on failure. */ static int selected(char *username, uid_t uid, au_event_t event, int sf) { int rc, sorf; char naflags[512]; struct au_mask mask; mask.am_success = mask.am_failure = 0; if (uid < 0) { /* get flags for non-attributable (to a real user) events */ rc = getacna(naflags, sizeof(naflags)); if (rc == 0) (void) getauditflagsbin(naflags, &mask); } else rc = au_user_mask(username, &mask); sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; return(au_preselect(event, &mask, sorf, AU_PRS_REREAD)); }
/* * Check if the specified event is selected (enabled) for auditing. * Returns 1 if the event is selected, 0 if not and -1 on failure. */ static int selected(char *username, uid_t uid, au_event_t event, int sf) { int rc, sorf; char naflags[512]; struct au_mask mask; mask.am_success = mask.am_failure = 0; #if __APPLE__ if (uid == (uid_t)-1) { #else if (uid < 0) { #endif /* get flags for non-attributable (to a real user) events */ rc = getacna(naflags, sizeof(naflags)); if (rc == 0) (void) getauditflagsbin(naflags, &mask); } else rc = au_user_mask(username, &mask); sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; return(au_preselect(event, &mask, sorf, AU_PRS_REREAD)); } static void bsm_audit_record(int typ, char *string, au_event_t event_no) { int ad, rc, sel; uid_t uid = -1; gid_t gid = -1; pid_t pid = getpid(); AuditInfoTermID tid = ssh_bsm_tid; if (the_authctxt == NULL) { error("BSM audit: audit record internal error (NULL ctxt)"); abort(); } if (the_authctxt->valid) { uid = the_authctxt->pw->pw_uid; gid = the_authctxt->pw->pw_gid; } rc = (typ == 0) ? 0 : -1; sel = selected(the_authctxt->user, uid, event_no, rc); debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string); if (!sel) return; /* audit event does not match mask, do not write */ debug3("BSM audit: writing audit new record"); ad = au_open(); (void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid, pid, pid, &tid)); (void) au_write(ad, au_to_text(string)); (void) au_write(ad, AUToReturnFunc(typ, rc)); #ifdef BROKEN_BSM_API /* The last argument is the event modifier flags. For some seemingly undocumented reason it was added in Solaris 11. */ rc = au_close(ad, AU_TO_WRITE, event_no, 0); #else rc = au_close(ad, AU_TO_WRITE, event_no); #endif if (rc < 0) error("BSM audit: %s failed to write \"%s\" record: %s", __func__, string, strerror(errno)); }
static void audump_control(void) { char string[PATH_MAX], string2[PATH_MAX]; int ret, val; long policy; time_t age; size_t size; ret = getacflg(string, PATH_MAX); if (ret == -2) err(-1, "getacflg"); if (ret != 0) errx(-1, "getacflg: %d", ret); printf("flags:%s\n", string); ret = getacmin(&val); if (ret == -2) err(-1, "getacmin"); if (ret != 0) errx(-1, "getacmin: %d", ret); printf("min:%d\n", val); ret = getacna(string, PATH_MAX); if (ret == -2) err(-1, "getacna"); if (ret != 0) errx(-1, "getacna: %d", ret); printf("naflags:%s\n", string); setac(); do { ret = getacdir(string, PATH_MAX); if (ret == -1) break; if (ret == -2) err(-1, "getacdir"); if (ret != 0) errx(-1, "getacdir: %d", ret); printf("dir:%s\n", string); } while (ret == 0); ret = getacpol(string, PATH_MAX); if (ret != 0) err(-1, "getacpol"); if (au_strtopol(string, &policy) < 0) err(-1, "au_strtopol"); if (au_poltostr(policy, PATH_MAX, string2) < 0) err(-1, "au_poltostr"); printf("policy:%s\n", string2); ret = getacfilesz(&size); if (ret == -2) err(-1, "getacfilesz"); if (ret != 0) err(-1, "getacfilesz: %d", ret); printf("filesz:%ldB\n", size); ret = getachost(string, PATH_MAX); if (ret == -2) err(-1, "getachost"); if (ret == -3) err(-1, "getachost: %d", ret); if (ret == 0 && ret != 1) printf("host:%s\n", string); ret = getacexpire(&val, &age, &size); if (ret == -2) err(-1, "getacexpire"); if (ret == -1) err(-1, "getacexpire: %d", ret); if (ret == 0 && ret != 1) printf("expire-after:%ldB %s %lds\n", size, val ? "AND" : "OR", age); }