/*
 * Set the audit terminal ID of the calling process from an IPv4
 * connection, unless a terminal ID is already present.
 *
 * peer - remote end of the connection (its port and address are used)
 * sock - local end of the connection (only its port is used)
 *
 * Returns 0 on success, including the case where a terminal ID was
 * already set and nothing is changed; otherwise returns the errno value
 * left behind by the failing getaudit() or setaudit() call.
 */
static int
do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock)
{
	auditinfo_t info;

	/* Fetch the current audit characteristics of this process. */
	if (getaudit(&info) < 0)
		return (errno);

	/*
	 * A non-zero port or machine field means a terminal ID is already
	 * set; it is left alone, so an ID established earlier is never
	 * replaced here.
	 */
	if (info.ai_termid.port != 0 || info.ai_termid.machine != 0)
		return (0);

	/*
	 * Peer port goes in the upper 16 bits, local port in the lower 16.
	 * Both are used exactly as stored in the sockaddr; no byte-order
	 * conversion is done here.
	 *
	 * NOTE(review): sin_port is promoted to int before the shift, so a
	 * peer port with its top bit set shifts into the sign bit.  An
	 * unsigned cast before the shift would avoid relying on that;
	 * confirm the width of ai_termid.port before changing it.
	 */
	info.ai_termid.port = (peer->sin_port<<16 | sock->sin_port);
	info.ai_termid.machine = (uint32_t)peer->sin_addr.s_addr;

	if (setaudit(&info) < 0)
		return (errno);

	return (0);
}
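/*
 * audit_test <audit file>
 *
 * Creates <audit file> if it does not exist (mode 0600), hands its path to
 * auditctl(), installs an audit context for this process (audit ID = real
 * uid, session ID = pid, failure mask only) and then replaces itself with
 * bash.
 *
 * When started set-uid (real uid != effective uid) the extra privilege is
 * given up before the shell is started; if that fails, no shell is started.
 *
 * Returns 1 on any failure.  Does not return on success, because execl()
 * replaces the process image.
 */
int main (int argc, const char *argv[])
{
	/* Record the set-uid state before anything changes it. */
	int suid = (getuid() != geteuid());

	if (argc != 2) {
		printf ("usage: audit_test <audit file>\n");
		return 1;
	}

	/*
	 * NOTE(review): argv[1] is chosen by the invoking user and is opened
	 * (and created) with the effective credentials of the process,
	 * following symlinks.  If this tool is ever installed set-uid outside
	 * a test machine, validate the path or open it with
	 * O_NOFOLLOW | O_EXCL first.
	 */
	int fd = open (argv[1], O_RDWR | O_CREAT, 0600);
	if (fd < 0) {
		perror (argv[1]);
		return 1;
	}
	close (fd);

	if (auditctl (argv[1])) {
		perror ("auditctl");
		return 1;
	}

	/*
	 * Only am_failure is populated; am_success and the terminal ID stay
	 * zero from the memset.
	 */
	auditinfo_t ai;
	memset (&ai, 0, sizeof (auditinfo_t));
	ai.ai_auid = getuid();
	ai.ai_asid = getpid();
	ai.ai_mask.am_failure = AU_PROCESS | AU_FCREATE | AU_FACCESS |
	    AU_FMODIFY | AU_FREAD | AU_FWRITE | AU_FDELETE;

	if (setaudit (&ai)) {
		perror ("setaudit");
		return 1;
	}

	/*
	 * Drop the set-uid privilege before handing control to a shell.  The
	 * result must be checked: if setuid() fails and is ignored, the shell
	 * below would keep the elevated effective uid.
	 */
	if (suid && setuid (getuid()) != 0) {
		perror ("setuid");
		return 1;
	}

	/*
	 * argv[0] of "-bash" asks bash to act as a login shell.  The
	 * terminating null pointer is cast because execl() is variadic.
	 */
	execl ("/bin/bash", "-bash", (char *)NULL);

	/* Only reached when execl() failed. */
	perror ("bash");
	return 1;
}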
/*
 * auditsys - dispatch one audit system call request.
 *
 * uap->code selects the operation; uap->a1..a3 are its raw arguments and
 * are cast here to the types the individual handlers take.
 *
 * Returns ENOTSUP while audit_active is C2AUDIT_DISABLED.  Otherwise
 * returns the handler's result, which is also stored in rvp->r_vals.
 * The early exits (ENOTSUP, the 0 returned for BSM_AUDIT while unloaded,
 * and the errors from the default case when not loaded) return without
 * writing to rvp.
 */
/*ARGSUSED1*/
int
auditsys(struct auditcalls *uap, rval_t *rvp)
{
	int priv_err;
	int rc = 0;

	if (audit_active == C2AUDIT_DISABLED)
		return (ENOTSUP);

	switch (uap->code) {
	case BSM_GETAUID:
		rc = getauid((caddr_t)uap->a1);
		break;
	case BSM_SETAUID:
		rc = setauid((caddr_t)uap->a1);
		break;
	case BSM_GETAUDIT:
		rc = getaudit((caddr_t)uap->a1);
		break;
	case BSM_GETAUDIT_ADDR:
		rc = getaudit_addr((caddr_t)uap->a1, (int)uap->a2);
		break;
	case BSM_SETAUDIT:
		rc = setaudit((caddr_t)uap->a1);
		break;
	case BSM_SETAUDIT_ADDR:
		rc = setaudit_addr((caddr_t)uap->a1, (int)uap->a2);
		break;
	case BSM_AUDITCTL:
		rc = auditctl((int)uap->a1, (caddr_t)uap->a2, (int)uap->a3);
		break;
	case BSM_AUDIT:
		/* Reported as success, without calling audit(), while unloaded. */
		if (audit_active == C2AUDIT_UNLOADED)
			return (0);
		rc = audit((caddr_t)uap->a1, (int)uap->a2);
		break;
	case BSM_AUDITDOOR:
		if (audit_active == C2AUDIT_LOADED) {
			rc = auditdoor((int)uap->a1);
			break;
		}
		/*
		 * FALLTHROUGH: when not loaded, BSM_AUDITDOOR is treated
		 * like an unknown code.
		 */
	default:
		if (audit_active == C2AUDIT_LOADED) {
			rc = EINVAL;
			break;
		}
		/*
		 * Return a different error when not privileged: a caller
		 * that passes secpolicy_audit_config() gets EINVAL, any
		 * other caller gets the error that check returned.
		 */
		priv_err = secpolicy_audit_config(CRED());
		return (priv_err == 0 ? EINVAL : priv_err);
	}

	rvp->r_vals = rc;
	return (rc);
}
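/*
 * The following tokens are included in the audit record for a successful
 * login: header, subject, return.
 *
 * Before the record is written, the audit information of the calling
 * process (audit ID, session ID, terminal ID, preselection mask) is set
 * with setaudit().  The function reads the file-level `pwd` and `tid`
 * objects, which are defined outside this block.
 *
 * Returns silently when auditing is unavailable (auditon() fails with
 * ENOSYS) or switched off (AUC_NOAUDIT).  Every other failure, including a
 * token that could not be appended to the record, ends the process through
 * err()/errx() with exit status 1, so a login is never reported with an
 * incomplete record.
 */
void
au_login_success(void)
{
	token_t *tok;
	int aufd;
	au_mask_t aumask;
	auditinfo_t auinfo;
	uid_t uid = pwd->pw_uid;
	gid_t gid = pwd->pw_gid;
	pid_t pid = getpid();
	int au_cond;

	/* If we are not auditing, don't cut an audit record; just return. */
	if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) {
		/* ENOSYS: presumably no audit support in this kernel. */
		if (errno == ENOSYS)
			return;
		errx(1, "could not determine audit condition");
	}
	if (au_cond == AUC_NOAUDIT)
		return;

	/* Compute and set the user's preselection mask. */
	if (au_user_mask(pwd->pw_name, &aumask) == -1)
		errx(1, "could not set audit mask");

	/* Set the audit info for the user. */
	auinfo.ai_auid = uid;
	auinfo.ai_asid = pid;
	bcopy(&tid, &auinfo.ai_termid, sizeof(auinfo.ai_termid));
	bcopy(&aumask, &auinfo.ai_mask, sizeof(auinfo.ai_mask));
	if (setaudit(&auinfo) != 0)
		err(1, "setaudit failed");

	if ((aufd = au_open()) == -1)
		errx(1, "audit error: au_open() failed");

	/*
	 * Subject token: the login uid is used as both audit ID and real
	 * uid, and the pid as both process ID and session ID.
	 */
	if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid,
	    pid, &tid)) == NULL)
		errx(1, "audit error: au_to_subject32() failed");
	/*
	 * A token that fails to append would otherwise leave a record with
	 * no subject; treat it like every other audit failure here.
	 */
	if (au_write(aufd, tok) == -1)
		errx(1, "audit error: au_write() failed");

	/* Return token for a successful operation. */
	if ((tok = au_to_return32(0, 0)) == NULL)
		errx(1, "audit error: au_to_return32() failed");
	if (au_write(aufd, tok) == -1)
		errx(1, "audit error: au_write() failed");

	/* Close the record, asking for it to be kept, as an AUE_login event. */
	if (au_close(aufd, 1, AUE_login) == -1)
		errx(1, "audit record was not committed.");
}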
/*
 * Call setaudit() once and check the outcome against what is expected for
 * the current combination of asroot and injail:
 *
 *   in a jail (root or not)  -> -1 with ENOSYS
 *   root, not in a jail      ->  0
 *   non-root, not in a jail  -> -1 with EPERM
 *
 * `ai` is a file-level object defined outside this block.  The `test`
 * argument is not used here.
 */
void
priv_audit_setaudit(int asroot, int injail, struct test *test)
{
	int rv = setaudit(&ai);

	if (injail) {
		/* Same expected result in a jail whether or not we are root. */
		if (asroot)
			expect("priv_audit_setaudit(asroot, injail)", rv, -1,
			    ENOSYS);
		else
			expect("priv_audit_setaudit(!asroot, injail)", rv, -1,
			    ENOSYS);
	} else if (asroot) {
		expect("priv_audit_setaudit(asroot, !injail)", rv, 0, 0);
	} else {
		/* Unprivileged callers must be refused. */
		expect("priv_audit_setaudit(!asroot, !injail)", rv, -1,
		    EPERM);
	}
}
/*
 * _auditsys - dispatch one audit request to its handler.
 *
 * uap->code selects the operation; uap->a1..a3 are its raw arguments and
 * are cast here to the types the handlers take.  An unknown code yields
 * EINVAL.
 *
 * The handler's result is stored in rvp->r_vals and also returned.  This
 * function performs no state or privilege check of its own; whether the
 * handlers do is not visible from here.
 */
int
_auditsys(struct auditcalls *uap, rval_t *rvp)
{
	int rc;

	switch (uap->code) {
	/* Audit ID. */
	case BSM_GETAUID:
		rc = getauid((caddr_t)uap->a1);
		break;
	case BSM_SETAUID:
		rc = setauid((caddr_t)uap->a1);
		break;

	/* Audit information, with and without the explicit length argument. */
	case BSM_GETAUDIT:
		rc = getaudit((caddr_t)uap->a1);
		break;
	case BSM_SETAUDIT:
		rc = setaudit((caddr_t)uap->a1);
		break;
	case BSM_GETAUDIT_ADDR:
		rc = getaudit_addr((caddr_t)uap->a1, (int)uap->a2);
		break;
	case BSM_SETAUDIT_ADDR:
		rc = setaudit_addr((caddr_t)uap->a1, (int)uap->a2);
		break;

	/* Record submission, door and control. */
	case BSM_AUDIT:
		rc = audit((caddr_t)uap->a1, (int)uap->a2);
		break;
	case BSM_AUDITDOOR:
		rc = auditdoor((int)uap->a1);
		break;
	case BSM_AUDITCTL:
		rc = auditctl((int)uap->a1, (caddr_t)uap->a2, (int)uap->a3);
		break;

	default:
		rc = EINVAL;
		break;
	}

	rvp->r_vals = rc;
	return (rc);
}