auditd.c (187214) | auditd.c (189279) |
---|---|
1/*- | 1/*- |
2 * Copyright (c) 2004-2008 Apple Inc. | 2 * Copyright (c) 2004-2009 Apple Inc. |
3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. --- 10 unchanged lines hidden (view full) --- 21 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 22 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 25 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 * | 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. --- 10 unchanged lines hidden (view full) --- 21 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 22 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 25 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 * |
29 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $ | 29 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $ |
30 */ 31 32#include <sys/types.h> 33 34#include <config/config.h> 35 36#include <sys/dirent.h> 37#ifdef HAVE_FULL_QUEUE_H --- 24 unchanged lines hidden (view full) --- 62 63#include "auditd.h" 64 65#ifndef HAVE_STRLCPY 66#include <compat/strlcpy.h> 67#endif 68 69/* | 30 */ 31 32#include <sys/types.h> 33 34#include <config/config.h> 35 36#include <sys/dirent.h> 37#ifdef HAVE_FULL_QUEUE_H --- 24 unchanged lines hidden (view full) --- 62 63#include "auditd.h" 64 65#ifndef HAVE_STRLCPY 66#include <compat/strlcpy.h> 67#endif 68 69/* |
70 * XXX the following is temporary until this can be added to the kernel | 70 * XXX The following are temporary until these can be added to the kernel |
71 * audit.h header. 72 */ 73#ifndef AUDIT_TRIGGER_INITIALIZE 74#define AUDIT_TRIGGER_INITIALIZE 7 75#endif | 71 * audit.h header. 72 */ 73#ifndef AUDIT_TRIGGER_INITIALIZE 74#define AUDIT_TRIGGER_INITIALIZE 7 75#endif |
76#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS 77#define AUDIT_TRIGGER_EXPIRE_TRAILS 8 78#endif |
|
76 | 79 |
80 |
|
77/* 78 * LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and 79 * http://wiki.freebsd.org/launchd for more information. 80 * 81 * In order for auditd to work "on demand" with launchd(8) it can't: 82 * call daemon(3) 83 * call fork and having the parent process exit 84 * change uids or gids. --- 76 unchanged lines hidden (view full) --- 161 len = strlen(lastfile) + 1; 162 oldname = (char *)malloc(len); 163 if (oldname == NULL) 164 return (-1); 165 strlcpy(oldname, lastfile, len); 166 167 /* Rename the last file -- append timestamp. */ 168 if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) { | 81/* 82 * LaunchD flag (Mac OS X and, maybe, FreeBSD only.) See launchd(8) and 83 * http://wiki.freebsd.org/launchd for more information. 84 * 85 * In order for auditd to work "on demand" with launchd(8) it can't: 86 * call daemon(3) 87 * call fork and having the parent process exit 88 * change uids or gids. --- 76 unchanged lines hidden (view full) --- 165 len = strlen(lastfile) + 1; 166 oldname = (char *)malloc(len); 167 if (oldname == NULL) 168 return (-1); 169 strlcpy(oldname, lastfile, len); 170 171 /* Rename the last file -- append timestamp. */ 172 if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) { |
169 strlcpy(ptr, TS, TIMESTAMP_LEN); | 173 memcpy(ptr, TS, POSTFIX_LEN); |
170 if (rename(oldname, lastfile) != 0) 171 auditd_log_err( 172 "Could not rename %s to %s: %m", oldname, 173 lastfile); 174 else { 175 /* 176 * Remove the 'current' symlink since the link 177 * is now invalid. --- 92 unchanged lines hidden (view full) --- 270 /* 271 * XXX Faulty directory listing? - user should be given 272 * XXX an opportunity to change the audit_control file 273 * XXX switch to a reduced mode of auditing? 274 */ 275 return (-1); 276 } 277 | 174 if (rename(oldname, lastfile) != 0) 175 auditd_log_err( 176 "Could not rename %s to %s: %m", oldname, 177 lastfile); 178 else { 179 /* 180 * Remove the 'current' symlink since the link 181 * is now invalid. --- 92 unchanged lines hidden (view full) --- 274 /* 275 * XXX Faulty directory listing? - user should be given 276 * XXX an opportunity to change the audit_control file 277 * XXX switch to a reduced mode of auditing? 278 */ 279 return (-1); 280 } 281 |
282 /* 283 * Finally, see if there are any trail files to expire. 284 */ 285 err = auditd_expire_trails(audit_warn_expired); 286 if (err) 287 auditd_log_err("auditd_expire_trails(): %s", 288 auditd_strerror(err)); 289 |
|
278 return (0); 279} 280 281/* 282 * Start up auditing. 283 */ 284static void 285audit_setup(void) --- 259 unchanged lines hidden (view full) --- 545 break; 546 547 case AUDIT_TRIGGER_INITIALIZE: 548 auditd_log_info("Got audit initialize trigger"); 549 if (au_state == AUD_STATE_DISABLED) 550 audit_setup(); 551 break; 552 | 290 return (0); 291} 292 293/* 294 * Start up auditing. 295 */ 296static void 297audit_setup(void) --- 259 unchanged lines hidden (view full) --- 557 break; 558 559 case AUDIT_TRIGGER_INITIALIZE: 560 auditd_log_info("Got audit initialize trigger"); 561 if (au_state == AUD_STATE_DISABLED) 562 audit_setup(); 563 break; 564 |
565 case AUDIT_TRIGGER_EXPIRE_TRAILS: 566 auditd_log_info("Got audit expire trails trigger"); 567 err = auditd_expire_trails(audit_warn_expired); 568 if (err) 569 auditd_log_err("auditd_expire_trails(): %s", 570 auditd_strerror(err)); 571 break; 572 |
|
553 default: 554 auditd_log_err("Got unknown trigger %d", trigger); 555 break; 556 } 557} 558 559/* 560 * Reap our children. --- 103 unchanged lines hidden (view full) --- 664 auditd_log_debug( 665 "Set audit trail min free percent in kernel."); 666 667 /* 668 * Configure host address in the audit kernel information. 669 */ 670 err = auditd_set_host(); 671 if (err) { | 573 default: 574 auditd_log_err("Got unknown trigger %d", trigger); 575 break; 576 } 577} 578 579/* 580 * Reap our children. --- 103 unchanged lines hidden (view full) --- 684 auditd_log_debug( 685 "Set audit trail min free percent in kernel."); 686 687 /* 688 * Configure host address in the audit kernel information. 689 */ 690 err = auditd_set_host(); 691 if (err) { |
672 auditd_log_err("auditd_set_host() %s: %m", 673 auditd_strerror(err)); 674 ret = -1; | 692 if (err == ADE_PARSE) { 693 auditd_log_notice( 694 "audit_control(5) may be missing 'host:' field"); 695 } else { 696 auditd_log_err("auditd_set_host() %s: %m", 697 auditd_strerror(err)); 698 ret = -1; 699 } |
675 } else 676 auditd_log_debug( 677 "Set audit host address information in kernel."); | 700 } else 701 auditd_log_debug( 702 "Set audit host address information in kernel."); |
678 | 703 |
679 return (ret); 680} 681 682/* 683 * Setup and initialize auditd. 684 */ 685static void 686setup(void) --- 111 unchanged lines hidden --- | 704 return (ret); 705} 706 707/* 708 * Setup and initialize auditd. 709 */ 710static void 711setup(void) --- 111 unchanged lines hidden --- |
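Review bot: The new `memcpy(ptr, TS, POSTFIX_LEN)` (new line 173) writes a fixed number of bytes at the `strstr()` match without a terminator and without checking how much of `lastfile` remains, so it is only safe while `POSTFIX_LEN` does not exceed the length of `NOT_TERMINATED`. Neither macro nor the declaration of `TS` is visible on this page, so that invariant cannot be confirmed here. If the two lengths drift apart, the copy either runs past the end of the name buffer or leaves stale suffix bytes in the renamed trail file. I would state the invariant next to the call, e.g. `/* In-place overwrite: requires POSTFIX_LEN <= strlen(NOT_TERMINATED); the existing NUL and any trailing text are kept. */`, and guard the copy with `if (strlen(ptr) >= POSTFIX_LEN)`. The enclosing function starts in the hidden lines, so an existing check there may already cover this.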