Example #1
0
/*
 * Parse one line from the audit_user file into the au_user_ent structure.
 */
static struct au_user_ent *
userfromstr(char *str, struct au_user_ent *u)
{
	char *username, *always, *never;
	char *last;

	username = strtok_r(str, user_delim, &last);
	always = strtok_r(NULL, user_delim, &last);
	never = strtok_r(NULL, user_delim, &last);

	if ((username == NULL) || (always == NULL) || (never == NULL))
		return (NULL);

	if (strlen(username) >= AU_USER_NAME_MAX)
		return (NULL);

	strlcpy(u->au_name, username, AU_USER_NAME_MAX);
	if (getauditflagsbin(always, &(u->au_always)) == -1)
		return (NULL);

	if (getauditflagsbin(never, &(u->au_never)) == -1)
		return (NULL);

	return (u);
}
Example #2
0
/*
 * Read the default system wide audit classes from audit_control, combine with
 * the per-user audit class and update the binary preselection mask.
 */
int
au_user_mask(char *username, au_mask_t *mask_p)
{
	char auditstring[MAX_AUDITSTRING_LEN + 1];
	char user_ent_name[AU_USER_NAME_MAX];
	struct au_user_ent u, *up;

	bzero(&u, sizeof(u));
	bzero(user_ent_name, sizeof(user_ent_name));
	u.au_name = user_ent_name;

	/* Get user mask. */
	if ((up = getauusernam_r(&u, username)) != NULL) {
		if (-1 == getfauditflags(&up->au_always, &up->au_never,
		    mask_p))
			return (-1);
		return (0);
	}

	/* Read the default system mask. */
	if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
		if (-1 == getauditflagsbin(auditstring, mask_p))
			return (-1);
		return (0);
	}

	/* No masks defined. */
	return (-1);
}
/*
 * Check if the specified event is selected (enabled) for auditing.
 * Returns 1 if the event is selected, 0 if not and -1 on failure.
 */
static int
selected(char *username, uid_t uid, au_event_t event, int sf)
{
	int rc, sorf;
	char naflags[512];
	struct au_mask mask;

	mask.am_success = mask.am_failure = 0;
	if (uid < 0) {
		/* get flags for non-attributable (to a real user) events */
		rc = getacna(naflags, sizeof(naflags));
		if (rc == 0)
			(void) getauditflagsbin(naflags, &mask);
	} else
		rc = au_user_mask(username, &mask);

	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
}
Example #4
0
/*
 * update_kcontext() - updates the non-/attributable preselection masks in
 * the kernel context. Returns B_TRUE on success, B_FALSE otherwise.
 */
boolean_t
update_kcontext(int cmd, char *cmask)
{
	au_mask_t	bmask;

	(void) getauditflagsbin(cmask, &bmask);
	if (auditon(cmd, (caddr_t)&bmask, sizeof (bmask)) == -1) {
		(void) printf("Could not update kernel context (%s).\n",
		    cmd == A_SETAMASK ? "A_SETAMASK" : "A_SETKMASK");
		return (B_FALSE);
	}

#ifdef	DEBUG
	(void) printf("svc-auditset: %s mask set to %s",
	    cmd == A_SETAMASK ? "Attributable" : "Non-Attributable", cmask);
#endif

	return (B_TRUE);
}
Example #5
0
/*
 * Generate the process audit state by combining the audit masks passed as
 * parameters with the system audit masks.
 */
int
getfauditflags(au_mask_t *usremask, au_mask_t *usrdmask, au_mask_t *lastmask)
{
	char auditstring[MAX_AUDITSTRING_LEN + 1];

	if ((usremask == NULL) || (usrdmask == NULL) || (lastmask == NULL))
		return (-1);

	lastmask->am_success = 0;
	lastmask->am_failure = 0;

	/* Get the system mask. */
	if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
		if (getauditflagsbin(auditstring, lastmask) != 0)
			return (-1);
	}

	ADDMASK(lastmask, usremask);
	SUBMASK(lastmask, usrdmask);

	return (0);
}
Example #6
0
/*
 * Check if the specified event is selected (enabled) for auditing.
 * Returns 1 if the event is selected, 0 if not and -1 on failure.
 */
static int
selected(char *username, uid_t uid, au_event_t event, int sf)
{
	int rc, sorf;
	char naflags[512];
	struct au_mask mask;

	mask.am_success = mask.am_failure = 0;
#if __APPLE__
	if (uid == (uid_t)-1) {
#else
	if (uid < 0) {
#endif
		/* get flags for non-attributable (to a real user) events */
		rc = getacna(naflags, sizeof(naflags));
		if (rc == 0)
			(void) getauditflagsbin(naflags, &mask);
	} else
		rc = au_user_mask(username, &mask);

	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
}

static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
	int		ad, rc, sel;
	uid_t		uid = -1;
	gid_t		gid = -1;
	pid_t		pid = getpid();
	AuditInfoTermID	tid = ssh_bsm_tid;

	if (the_authctxt == NULL) {
		error("BSM audit: audit record internal error (NULL ctxt)");
		abort();
	}
	
	if (the_authctxt->valid) {
		uid = the_authctxt->pw->pw_uid;
		gid = the_authctxt->pw->pw_gid;
	}

	rc = (typ == 0) ? 0 : -1;
	sel = selected(the_authctxt->user, uid, event_no, rc);
	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
	if (!sel)
		return;	/* audit event does not match mask, do not write */

	debug3("BSM audit: writing audit new record");
	ad = au_open();

	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
	    pid, pid, &tid));
	(void) au_write(ad, au_to_text(string));
	(void) au_write(ad, AUToReturnFunc(typ, rc));

#ifdef BROKEN_BSM_API
	/* The last argument is the event modifier flags. For
	   some seemingly undocumented reason it was added in
	   Solaris 11. */
	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
#else
	rc = au_close(ad, AU_TO_WRITE, event_no);
#endif

	if (rc < 0)
		error("BSM audit: %s failed to write \"%s\" record: %s",
		    __func__, string, strerror(errno));
}
Example #7
0
int
main(int argc, char *argv [])
{
	struct sockaddr_in6 *sin6;
	struct sockaddr_in *sin;
	auditinfo_addr_t aia;
	struct addrinfo *res;
	struct passwd *pwd;
	char *r, *prog;
	int ch, error;

	prog = argv[0];
	bzero(&aia, sizeof(aia));
	aia.ai_termid.at_type = AU_IPv4;
	while ((ch = getopt(argc, argv, "a:m:s:p:")) != -1)
		switch (ch) {
		case 'a':
			aflag = optarg;
			break;
		case 'm':
			mflag = optarg;
			break;
		case 's':
			sflag = optarg;
			break;
		case 'p':
			aia.ai_termid.at_port = htons(atoi(optarg));
			break;
		default:
			usage(prog);
			/* NOT REACHED */
		}
	argc -= optind;
	argv += optind;
	if (argc == 0)
		usage(prog);
	if (aflag) {
		pwd = getpwnam(aflag);
		if (pwd == NULL) {
			aia.ai_auid = strtoul(aflag, &r, 10);
			if (r != NULL)
				errx(1, "%s: invalid user", aflag);
		} else
			aia.ai_auid = pwd->pw_uid;
	}
	if (mflag) {
		if (getauditflagsbin(mflag, &aia.ai_mask) < 0)
			err(1, "getauditflagsbin");
	}
	if (sflag) {
		error = getaddrinfo(sflag, NULL, NULL, &res);
		if (error)
			errx(1, "%s", gai_strerror(error));
		switch (res->ai_family) {
		case PF_INET6:
			sin6 = (struct sockaddr_in6 *) res->ai_addr;
			bcopy(&sin6->sin6_addr.s6_addr,
			    &aia.ai_termid.at_addr[0],
			    sizeof(struct in6_addr));
			aia.ai_termid.at_type = AU_IPv6;
			break;
		case PF_INET:
			sin = (struct sockaddr_in *) res->ai_addr;
			bcopy(&sin->sin_addr.s_addr,
			    &aia.ai_termid.at_addr[0],
			    sizeof(struct in_addr));
			aia.ai_termid.at_type = AU_IPv4;
			break;
		}
	}
	if (setaudit_addr(&aia, sizeof(aia)) < 0)
		err(1, "setaudit_addr");
	(void) execvp(*argv, argv);
	err(1, "%s", *argv);
}