void 
KeychainAuthLogger::writeCommon()
{
    writeSubject();
    writeToken(au_to_text(sysKCAuthStr), sysKCAuthStr);
    writeToken(au_to_text(mDatabase.c_str()), "keychain");
    writeToken(au_to_text(mItem.c_str()), "keychain item");
}
void 
AuthMechLogger::writeCommon()
{
    writeSubject();
    writeToken(au_to_text(mRight.c_str()), "right");
    if (true == mEvaluatingMechanism)
    {
        string tmpStr = mechStr;    // mechStr includes a trailing space
        tmpStr += mCurrentMechanism;
        writeToken(au_to_text(tmpStr.c_str()), "mechanism");
    }
}
void
RightAuthenticationLogger::logFailure(uid_t authenticator, const char *targetName)
{
    if (false == open())
        return;
    writeCommon();
    writeToken(au_to_arg32(1, authenticatorStr, authenticator), "authenticator");
    if (NULL == targetName)
        writeToken(au_to_text(unknownUserStr), "target username");
    else
        writeToken(au_to_text(targetName), "target username");
    // @@@  EAUTH more appropriate, but !defined for _POSIX_C_SOURCE
    writeReturn(EPERM, errAuthorizationDenied);
    close();
}
示例#4
0
void
bsm_audit_failure(char **exec_args, char const *const fmt, va_list ap)
{
	auditinfo_addr_t ainfo_addr;
	auditinfo_t ainfo;
	char text[256];
	token_t *tok;
	long au_cond;
	au_id_t auid;
	pid_t pid;
	int aufd;
	debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT)

	pid = getpid();
	/*
	 * If we are not auditing, don't cut an audit record; just return.
	 */
	if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
		if (errno == AUDIT_NOT_CONFIGURED)
			debug_return;
		error(1, _("Could not determine audit condition"));
	}
	if (au_cond == AUC_NOAUDIT)
		debug_return;
	if (!audit_sudo_selected(1))
		debug_return;
	if (getauid(&auid) < 0)
		error(1, _("getauid: failed"));
	if ((aufd = au_open()) == -1)
		error(1, _("au_open: failed"));
	if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { 
		tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(),
		    getuid(), pid, pid, &ainfo_addr.ai_termid);
	} else if (errno == ENOSYS) {
		if (getaudit(&ainfo) < 0) 
			error(1, _("getaudit: failed"));
		tok = au_to_subject(auid, geteuid(), getegid(), getuid(),
		    getuid(), pid, pid, &ainfo.ai_termid);
	} else
		error(1, _("getaudit: failed"));
	if (tok == NULL)
		error(1, _("au_to_subject: failed"));
	au_write(aufd, tok);
	tok = au_to_exec_args(exec_args);
	if (tok == NULL)
		error(1, _("au_to_exec_args: failed"));
	au_write(aufd, tok);
	(void) vsnprintf(text, sizeof(text), fmt, ap);
	tok = au_to_text(text);
	if (tok == NULL)
		error(1, _("au_to_text: failed"));
	au_write(aufd, tok);
	tok = au_to_return32(EPERM, 1);
	if (tok == NULL)
		error(1, _("au_to_return32: failed"));
	au_write(aufd, tok);
	if (au_close(aufd, 1, AUE_sudo) == -1)
		error(1, _("unable to commit audit record"));
	debug_return;
}
static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
	int		ad, rc, sel;
	uid_t		uid = -1;
	gid_t		gid = -1;
	pid_t		pid = getpid();
	AuditInfoTermID	tid = ssh_bsm_tid;

	if (the_authctxt != NULL && the_authctxt->valid) {
		uid = the_authctxt->pw->pw_uid;
		gid = the_authctxt->pw->pw_gid;
	}

	rc = (typ == 0) ? 0 : -1;
	sel = selected(the_authctxt->user, uid, event_no, rc);
	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
	if (!sel)
		return;	/* audit event does not match mask, do not write */

	debug3("BSM audit: writing audit new record");
	ad = au_open();

	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
	    pid, pid, &tid));
	(void) au_write(ad, au_to_text(string));
	(void) au_write(ad, AUToReturnFunc(typ, rc));

	rc = au_close(ad, AU_TO_WRITE, event_no);
	if (rc < 0)
		error("BSM audit: %s failed to write \"%s\" record: %s",
		    __func__, string, strerror(errno));
}
void 
RightAuthenticationLogger::logLeastPrivilege(uid_t userId, bool isAuthorizingUser)
{
    if (false == open())
        return;
    writeCommon();
    writeToken(au_to_text(leastPrivStr), leastPrivStr);
    writeReturn(0, 0);
    close();
}
void 
RightAuthenticationLogger::logAuthorizationResult(const char *client, const char *authCreator, int errcode)
{
    if (false == open())
        return;
    writeCommon();
    string tmpStr(clientStr);
    tmpStr += client ? client : unknownClientStr;
    writeToken(au_to_text(tmpStr.c_str()), "Authorization client");
    tmpStr.clear();
    tmpStr = authCreatorStr;
    tmpStr += authCreator ? authCreator : unknownAuthCreatorStr;
    writeToken(au_to_text(tmpStr.c_str()), "Authorization creator");
    if (errAuthorizationSuccess == errcode)
        writeReturn(0, 0);
    else
        writeReturn(EPERM, errcode);
    close();
}
示例#8
0
static void
generate_text_record(const char *directory, const char *record_filename)
{
	token_t *text_token;

	text_token = au_to_text(text_token_text);
	if (text_token == NULL)
		err(EX_UNAVAILABLE, "au_to_text");
	write_record(directory, record_filename, text_token, AUE_NULL);
}
示例#9
0
static void
generate_text_token(const char *directory, const char *token_filename)
{
	token_t *text_token;

	text_token = au_to_text(text_token_text);
	if (text_token == NULL)
		err(EX_UNAVAILABLE, "au_to_text");
	write_token(directory, token_filename, text_token);
}
void 
AuthMechLogger::logInterrupt(const char *msg)
{
    if (false == open())
        return;
    writeCommon();
    if (msg)
        writeToken(au_to_text(msg), "interrupt");
    writeReturn(0, 0);
    close();
}
void
AuditLogger::logFailure(const char *errMsg, int errcode)
{
    if (false == open())
        return;
    writeCommon();
    if (errMsg)
        writeToken(au_to_text(errMsg), "evaluation error");
    writeReturn(EPERM, errcode);
    close();
}
示例#12
0
/*
 * The following tokens are included in the audit record for failed
 * login attempts: header, subject, text, return.
 */
void
au_login_fail(const char *errmsg, int na)
{
	token_t *tok;
	int aufd;
	int au_cond;
	uid_t uid;
	gid_t gid;
	pid_t pid = getpid();

	/* If we are not auditing, don't cut an audit record; just return. */
 	if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) {
		if (errno == ENOSYS)
			return;
		errx(1, "could not determine audit condition");
	}
	if (au_cond == AUC_NOAUDIT)
		return;

	if ((aufd = au_open()) == -1)
		errx(1, "audit error: au_open() failed");

	if (na) {
		/*
		 * Non attributable event.  Assuming that login is not called
		 * within a user's session => auid,asid == -1.
		 */
		if ((tok = au_to_subject32(-1, geteuid(), getegid(), -1, -1,
		    pid, -1, &tid)) == NULL)
			errx(1, "audit error: au_to_subject32() failed");
	} else {
		/* We know the subject -- so use its value instead. */
		uid = pwd->pw_uid;
		gid = pwd->pw_gid;
		if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid,
		    gid, pid, pid, &tid)) == NULL)
			errx(1, "audit error: au_to_subject32() failed");
	}
	au_write(aufd, tok);

	/* Include the error message. */
	if ((tok = au_to_text(errmsg)) == NULL)
		errx(1, "audit error: au_to_text() failed");
	au_write(aufd, tok);

	if ((tok = au_to_return32(1, errno)) == NULL)
		errx(1, "audit error: au_to_return32() failed");
	au_write(aufd, tok);

	if (au_close(aufd, 1, AUE_login) == -1)
		errx(1, "audit error: au_close() was not committed");
}
示例#13
0
/*
 * Same caveats as audit_write().  In addition, this function explicitly
 * assumes failure; use audit_write_success_self() otherwise.
 *
 * XXX  This should let the caller pass an error return value rather than
 * hard-coding -1.
 */
int
audit_write_failure_self(short event_code, char *errmsg, int errret)
{
	char *func = "audit_write_failure_self()";
	token_t *subject, *errtok;

	if ((subject = au_to_me()) == NULL) {
		syslog(LOG_ERR, "%s: au_to_me() failed", func);
		return (kAUMakeSubjectTokErr);
	}
	/* tokenize and save the error message */
	if ((errtok = au_to_text(errmsg)) == NULL) {
		au_free_token(subject);
		syslog(LOG_ERR, "%s: au_to_text() failed", func);
		return (kAUMakeTextTokErr);
	}
	return (audit_write(event_code, subject, errtok, -1, errret));
}
示例#14
0
static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
	int		ad, rc, sel;
	uid_t		uid = -1;
	gid_t		gid = -1;
	pid_t		pid = getpid();
	AuditInfoTermID	tid = ssh_bsm_tid;

	if (the_authctxt != NULL && the_authctxt->valid) {
		uid = the_authctxt->pw->pw_uid;
		gid = the_authctxt->pw->pw_gid;
	}

	rc = (typ == 0) ? 0 : -1;
	sel = selected(the_authctxt->user, uid, event_no, rc);
	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
	if (!sel)
		return;	/* audit event does not match mask, do not write */

	debug3("BSM audit: writing audit new record");
	ad = au_open();

	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
	    pid, pid, &tid));
	(void) au_write(ad, au_to_text(string));
	(void) au_write(ad, AUToReturnFunc(typ, rc));

#ifdef BROKEN_BSM_API
	/* The last argument is the event modifier flags. For
	   some seemingly undocumented reason it was added in
	   Solaris 11. */
	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
#else
	rc = au_close(ad, AU_TO_WRITE, event_no);
#endif

	if (rc < 0)
		error("BSM audit: %s failed to write \"%s\" record: %s",
		    __func__, string, strerror(errno));
}
示例#15
0
文件: lib_wrappers.c 项目: aosm/bsm
/*
 * Same caveats as audit_write().  In addition, this function explicitly 
 * assumes failure; use audit_write_success() otherwise.  
 *
 * XXX  This should let the caller pass an error return value rather than
 * hard-coding -1.  
 */
int
audit_write_failure(short event_code, char *errmsg, int errcode, 
		    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 
		    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid)
{
    char *func = "audit_write_failure()";
    token_t *subject, *errtok;

    subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid);
    if (subject == NULL)
    {
	syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
	return kAUMakeSubjectTokErr;
    }
    /* tokenize and save the error message */
    if ((errtok = au_to_text(errmsg)) == NULL)
    {
	syslog(LOG_ERR, "%s: au_to_text() failed", func);
	return kAUMakeTextTokErr;
    }
    return audit_write(event_code, subject, errtok, -1, errcode);
}
/*
 * au_to_data
 * returns:
 *	pointer to au_membuf chain containing a data token.
 */
token_t *
au_to_data(char unit_print, char unit_type, char unit_count, char *p)
{
	adr_t adr;			/* adr memory stream header */
	token_t *m;			/* au_membuf pointer */
	char data_header = AUT_DATA;	/* header for this token */

	ASSERT(p != NULL);
	ASSERT(unit_count != 0);

	switch (unit_type) {
	case AUR_SHORT:
		if (sizeof (short) * unit_count >= AU_BUFSIZE)
			return (au_to_text("au_to_data: unit count too big"));
		break;
	case AUR_INT32:
		if (sizeof (int32_t) * unit_count >= AU_BUFSIZE)
			return (au_to_text("au_to_data: unit count too big"));
		break;
	case AUR_INT64:
		if (sizeof (int64_t) * unit_count >= AU_BUFSIZE)
			return (au_to_text("au_to_data: unit count too big"));
		break;
	case AUR_BYTE:
	default:
#ifdef _CHAR_IS_UNSIGNED
		if (sizeof (char) * unit_count >= AU_BUFSIZE)
			return (au_to_text("au_to_data: unit count too big"));
#endif
		/*
		 * we used to check for this:
		 * sizeof (char) * (int)unit_count >= AU_BUFSIZE).
		 * but the compiler is smart enough to see that
		 * will never be >= AU_BUFSIZE, since that's 128
		 * and unit_count maxes out at 127 (signed char),
		 * and complain.
		 */
		break;
	}

	m = au_getclr();

	adr_start(&adr, memtod(m, char *));
	adr_char(&adr, &data_header, 1);
	adr_char(&adr, &unit_print, 1);
	adr_char(&adr, &unit_type, 1);
	adr_char(&adr, &unit_count, 1);

	switch (unit_type) {
	case AUR_SHORT:
		adr_short(&adr, (short *)p, unit_count);
		break;
	case AUR_INT32:
		adr_int32(&adr, (int32_t *)p, unit_count);
		break;
	case AUR_INT64:
		adr_int64(&adr, (int64_t *)p, unit_count);
		break;
	case AUR_BYTE:
	default:
		adr_char(&adr, p, unit_count);
		break;
	}

	m->len = adr_count(&adr);

	return (m);
}
示例#17
0
/*
 * General purpose audit submission mechanism for userspace.
 */
int
audit_submit(short au_event, au_id_t auid, char status,
    int reterr, const char *fmt, ...)
{
	char text[MAX_AUDITSTRING_LEN];
	token_t *token;
	int acond;
	va_list ap;
	pid_t pid;
	int error, afd, subj_ex;
	struct auditinfo ai;
	struct auditinfo_addr aia;
	au_tid_t atid;

	if (audit_get_cond(&acond) != 0) {
		/*
		 * If auditon(2) returns ENOSYS, then audit has not been
		 * compiled into the kernel, so just return.
		 */
		if (errno == ENOSYS)
			return (0);
		error = errno;
		syslog(LOG_AUTH | LOG_ERR, "audit: auditon failed: %s",
		    strerror(errno));
		errno = error;
		return (-1);
	}
	if (acond == AUC_NOAUDIT)
		return (0);
	afd = au_open();
	if (afd < 0) {
		error = errno;
		syslog(LOG_AUTH | LOG_ERR, "audit: au_open failed: %s",
		    strerror(errno));
		errno = error;
		return (-1);
	}
	/*
	 * Try to use getaudit_addr(2) first.  If this kernel does not support
	 * it, then fall back on to getaudit(2).
	 */
	subj_ex = 0;
	error = getaudit_addr(&aia, sizeof(aia));
	if (error < 0 && errno == ENOSYS) {
		error = getaudit(&ai);
		if (error < 0) {
			error = errno;
			syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
			    strerror(errno));
			errno = error;
			return (-1);
		}
		/*
		 * Convert this auditinfo_t to an auditinfo_addr_t to make the
		 * following code less complicated wrt to preselection and
		 * subject token generation.
		 */
		aia.ai_auid = ai.ai_auid;
		aia.ai_mask = ai.ai_mask;
		aia.ai_asid = ai.ai_asid;
		aia.ai_termid.at_type = AU_IPv4;
		aia.ai_termid.at_addr[0] = ai.ai_termid.machine;
		aia.ai_termid.at_port = ai.ai_termid.port;
	} else if (error < 0) {
		error = errno;
		syslog(LOG_AUTH | LOG_ERR, "audit: getaudit_addr failed: %s",
		    strerror(errno));
		errno = error;
		return (-1);
	}
	/*
	 * NB: We should be performing pre-selection here now that we have the
	 * masks for this process.
	 */
	if (aia.ai_termid.at_type == AU_IPv6)
		subj_ex = 1;
	pid = getpid();
	if (subj_ex == 0) {
		atid.port = aia.ai_termid.at_port;
		atid.machine = aia.ai_termid.at_addr[0];
		token = au_to_subject32(auid, geteuid(), getegid(),
		    getuid(), getgid(), pid, pid, &atid);
	} else
		token = au_to_subject_ex(auid, geteuid(), getegid(),
		    getuid(), getgid(), pid, pid, &aia.ai_termid);
	if (token == NULL) {
		syslog(LOG_AUTH | LOG_ERR,
		    "audit: unable to build subject token");
		(void) au_close(afd, AU_TO_NO_WRITE, au_event);
		errno = EPERM;
		return (-1);
	}
	if (au_write(afd, token) < 0) {
		error = errno;
		syslog(LOG_AUTH | LOG_ERR,
		    "audit: au_write failed: %s", strerror(errno));
		(void) au_close(afd, AU_TO_NO_WRITE, au_event);
		errno = error;
		return (-1);
	}
	if (fmt != NULL) {
		va_start(ap, fmt);
		(void) vsnprintf(text, MAX_AUDITSTRING_LEN, fmt, ap);
		va_end(ap);
		token = au_to_text(text);
		if (token == NULL) {
			syslog(LOG_AUTH | LOG_ERR,
			    "audit: failed to generate text token");
			(void) au_close(afd, AU_TO_NO_WRITE, au_event);
			errno = EPERM;
			return (-1);
		}
		if (au_write(afd, token) < 0) {
			error = errno;
			syslog(LOG_AUTH | LOG_ERR,
			    "audit: au_write failed: %s", strerror(errno));
			(void) au_close(afd, AU_TO_NO_WRITE, au_event);
			errno = error;
			return (-1);
		}
	}
	token = au_to_return32(au_errno_to_bsm(status), reterr);
	if (token == NULL) {
		syslog(LOG_AUTH | LOG_ERR,
		    "audit: unable to build return token");
		(void) au_close(afd, AU_TO_NO_WRITE, au_event);
		errno = EPERM;
		return (-1);
	}
	if (au_write(afd, token) < 0) {
		error = errno;
		syslog(LOG_AUTH | LOG_ERR,
		    "audit: au_write failed: %s", strerror(errno));
		(void) au_close(afd, AU_TO_NO_WRITE, au_event);
		errno = error;
		return (-1);
	}
	if (au_close(afd, AU_TO_WRITE, au_event) < 0) {
		error = errno;
		syslog(LOG_AUTH | LOG_ERR, "audit: record not committed");
		errno = error;
		return (-1);
	}
	return (0);
}
void 
RightAuthenticationLogger::writeCommon()
{
    writeSubject();
    writeToken(au_to_text(mRight.c_str()), "right");
}
示例#19
0
/*
 * Check if the specified event is selected (enabled) for auditing.
 * Returns 1 if the event is selected, 0 if not and -1 on failure.
 */
static int
selected(char *username, uid_t uid, au_event_t event, int sf)
{
	int rc, sorf;
	char naflags[512];
	struct au_mask mask;

	mask.am_success = mask.am_failure = 0;
#if __APPLE__
	if (uid == (uid_t)-1) {
#else
	if (uid < 0) {
#endif
		/* get flags for non-attributable (to a real user) events */
		rc = getacna(naflags, sizeof(naflags));
		if (rc == 0)
			(void) getauditflagsbin(naflags, &mask);
	} else
		rc = au_user_mask(username, &mask);

	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
}

static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
	int		ad, rc, sel;
	uid_t		uid = -1;
	gid_t		gid = -1;
	pid_t		pid = getpid();
	AuditInfoTermID	tid = ssh_bsm_tid;

	if (the_authctxt == NULL) {
		error("BSM audit: audit record internal error (NULL ctxt)");
		abort();
	}
	
	if (the_authctxt->valid) {
		uid = the_authctxt->pw->pw_uid;
		gid = the_authctxt->pw->pw_gid;
	}

	rc = (typ == 0) ? 0 : -1;
	sel = selected(the_authctxt->user, uid, event_no, rc);
	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
	if (!sel)
		return;	/* audit event does not match mask, do not write */

	debug3("BSM audit: writing audit new record");
	ad = au_open();

	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
	    pid, pid, &tid));
	(void) au_write(ad, au_to_text(string));
	(void) au_write(ad, AUToReturnFunc(typ, rc));

#ifdef BROKEN_BSM_API
	/* The last argument is the event modifier flags. For
	   some seemingly undocumented reason it was added in
	   Solaris 11. */
	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
#else
	rc = au_close(ad, AU_TO_WRITE, event_no);
#endif

	if (rc < 0)
		error("BSM audit: %s failed to write \"%s\" record: %s",
		    __func__, string, strerror(errno));
}
示例#20
0
/*
 * audit_audit:
 *	Cut and audit record if it is selected.
 *	Return 0, if successfully written.
 *	Return 0, if not written, and not expected to write.
 *	Return -1, if not written because of unexpected error.
 */
int
audit_audit(door_data_t *door_dp)
{
	int ad;

	if (can_audit() == 0) {
		return (0);
	}

	if (door_dp->audit_na) {
		if (!audit_na_selected(door_dp)) {
			return (0);
		}
	} else if (!audit_selected(door_dp)) {
		return (0);
	}

	if ((ad = au_open()) == -1) {
		return (-1);
	}

	(void) au_write(ad, au_to_subject_ex(door_dp->audit_auid,
	    door_dp->audit_euid,
	    door_dp->audit_egid,
	    door_dp->audit_uid, door_dp->audit_gid, door_dp->audit_pid,
	    door_dp->audit_asid, &door_dp->audit_tid));
	if (is_system_labeled())
		(void) au_write(ad, au_to_mylabel());
	if (door_dp->audit_policy & AUDIT_GROUP) {

		int ng;
		int maxgrp = getgroups(0, NULL);
		gid_t *grplst = alloca(maxgrp * sizeof (gid_t));

		if ((ng = getgroups(maxgrp, grplst))) {
			(void) au_write(ad, au_to_newgroups(ng, grplst));
		}
	}
	if (strlen(door_dp->audit_text) != 0) {
		(void) au_write(ad, au_to_text(door_dp->audit_text));
	}
	if (strlen(door_dp->audit_text1) != 0) {
		(void) au_write(ad, au_to_text(door_dp->audit_text1));
	}
	if (door_dp->audit_path != NULL) {
		(void) au_write(ad, au_to_path(door_dp->audit_path));
	}
#ifdef _LP64
	(void) au_write(ad, au_to_return64((door_dp->audit_sorf == 0) ? 0 : -1,
	    (int64_t)door_dp->audit_sorf));
#else
	(void) au_write(ad, au_to_return32((door_dp->audit_sorf == 0) ? 0 : -1,
	    (int32_t)door_dp->audit_sorf));
#endif
	if (au_close(ad, 1, door_dp->audit_event) < 0) {
		(void) au_close(ad, 0, 0);
		return (-1);
	}

	return (0);
}
示例#21
0
static void
generate_record(
		char	*locuser,	/* username of local user */
		int	err,		/* error status */
					/* (=0 success, >0 error code) */
		char	*msg)		/* error message */
{
	int	rd;		/* audit record descriptor */
	char	buf[256];	/* temporary buffer */
	uid_t	uid;
	gid_t	gid;
	uid_t	ruid;		/* real uid */
	gid_t	rgid;		/* real gid */
	pid_t	pid;
	struct passwd *pwd;
	uid_t	ceuid;		/* current effective uid */
	struct auditinfo_addr info;

	if (cannot_audit(0)) {
		return;
	}

	pwd = getpwnam(locuser);
	if (pwd == NULL) {
		uid = (uid_t)-1;
		gid = (gid_t)-1;
	} else {
		uid = pwd->pw_uid;
		gid = pwd->pw_gid;
	}

	ceuid = geteuid();	/* save current euid */
	(void) seteuid(0);	/* change to root so you can audit */

	/* determine if we're preselected */
	if (!selected(uid, locuser, AUE_ftpd, err)) {
		(void) seteuid(ceuid);
		return;
	}

	ruid = getuid();	/* get real uid */
	rgid = getgid();	/* get real gid */

	pid = getpid();

	/* see if terminal id already set */
	if (getaudit_addr(&info, sizeof (info)) < 0) {
		perror("getaudit");
	}

	rd = au_open();

	/* add subject token */
	(void) au_write(rd, au_to_subject_ex(uid, uid, gid,
	    ruid, rgid, pid, pid, &info.ai_termid));

	if (is_system_labeled())
		(void) au_write(rd, au_to_mylabel());

	/* add return token */
	errno = 0;
	if (err) {
		/* add reason for failure */
		if (err == UNKNOWN_USER)
			(void) snprintf(buf, sizeof (buf),
			    "%s %s", msg, locuser);
		else
			(void) snprintf(buf, sizeof (buf), "%s", msg);
		(void) au_write(rd, au_to_text(buf));
#ifdef _LP64
		(void) au_write(rd, au_to_return64(-1, (int64_t)err));
#else
		(void) au_write(rd, au_to_return32(-1, (int32_t)err));
#endif
	} else {
#ifdef _LP64
		(void) au_write(rd, au_to_return64(0, (int64_t)0));
#else
		(void) au_write(rd, au_to_return32(0, (int32_t)0));
#endif
	}

	/* write audit record */
	if (au_close(rd, 1, AUE_ftpd) < 0) {
		(void) au_close(rd, 0, 0);
	}
	(void) seteuid(ceuid);
}