auditd.c revision 7883e825152992a0f20c3f52f7c4bb902a56205c
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2005 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/* Audit daemon server */
/*
* These routines make up the audit daemon server. This daemon, called
* auditd, handles the user level parts of auditing. It receives buffered
* audit records (usually one or more per buffer, potentially less than
* one) and passes them to one or more plugins for processing.
*
* The major interrupts are AU_SIG_READ_CONTROL (start over),
* AU_SIG_DISABLE (start shutting down), SIGALRM (quit), and
* AU_SIG_NEXT_DIR (start a new audit log file). SIGTERM (the implementation
* value of AU_SIG_DISABLE) is also used for the child to tell the parent
* that audit is ready.
*
* Configuration data comes from /etc/security/audit_control and the auditon
* system call.
*
* The major errors are EBUSY (auditing is already in use) and EINTR
* (one of the above signals was received). File space errors are
* handled by the audit_binfile plugin
*/
#define DEBUG 0
#define MEM_TEST 0 /* set to one to generate core dump on exit */
#include <assert.h>
#include <bsm/audit_record.h>
#include <fcntl.h>
#include <libintl.h>
#include <locale.h>
#include <netdb.h>
#include <pwd.h>
#include <secdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <termios.h>
#include <unistd.h>
#include "plugin.h"
#include "audit_sig_infc.h"
#include <audit_plugin.h>
#if !defined(TEXT_DOMAIN)
#define TEXT_DOMAIN "SUNW_OST_OSCMD"
#endif
/*
* After we get a AU_SIG_DISABLE, we want to set a timer for 2 seconds
* and let c2audit write as many records as it can until the timer
* goes off(at which point it returns to auditd with SIGALRM). If any
* other signals are received during that time, we call
* __audit_dowarn() to indicate that the queue may not have been fully
* flushed.
*/
#define ALRM_TIME 2
#if DEBUG
#else
#define DPRINT(x)
#endif /* DEBUG */
static int turn_audit_on = AUC_AUDITING;
static int turn_audit_off = AUC_NOAUDIT;
static int running = 1;
/*
* GLOBALS:
*/
static int caught_alrm = 0; /* number of SIGALRMs pending */
static int caught_readc = 0; /* number of AU_SIG_READ_CONTROLs */
static int caught_term = 0; /* number of AU_SIG_DISABLEs pending */
static int caught_nextd = 0; /* number of AU_SIG_NEXT_DIRs pending */
static int auditing_set = 0; /* 1 if auditon(A_SETCOND, on... */
static void my_sleep();
static void signal_thread();
static void loadauditlist();
static void block_signals();
static int do_sethost();
/* common exit function */
void
auditd_exit(int status)
{
#if MEM_TEST
status));
abort();
#endif
if (auditing_set)
(int)sizeof (int));
}
/* ARGSUSED */
int
{
plugin_t *p;
#if DEBUG
/* LINTED */
char *envp;
#endif
(void) setsid();
/* Internationalization */
(void) textdomain(TEXT_DOMAIN);
/*
* Set the audit host-id.
*/
if (do_sethost() != 0) {
auditd_exit(1);
}
/*
* Turn off all auditing for this process.
*/
auditd_exit(2);
}
auid = AU_NOAUDITID;
/*
* Set the audit state flag to AUDITING.
*/
0) {
auditd_exit(7);
}
#if DEBUG
/* output to dbfp shouldn't be duplicated by parent and child */
#endif
/*
* wait for "ready" signal before exit -- for greenline
*/
if (fork()) {
int signal_caught = 0;
(void) sigemptyset(&set);
while (signal_caught != AU_SIG_DISABLE)
auditd_exit(0);
}
auditing_set = 1;
#endif
/* thread 0 sync */
/*
* Set up a separate thread for signal handling.
*/
NULL)) {
"auditd can't create a thread\n"));
auditd_exit(3);
}
/*
* Set the umask so that only audit or other users in the audit group
* can get to the files created by auditd.
*/
(void) umask(007);
auditd_exit(4);
}
/*
* Here is the main body of the audit daemon. running == 0 means that
* after flushing out the audit queue, it is time to exit in response to
* AU_SIG_DISABLE
*/
while (running) {
/*
* Read audit_control and create plugin lists.
*
* loadauditlist() and auditd_thread_init() are called
* while under the plugin_mutex lock to avoid a race
* with unload_plugin().
*/
if (reset_list || reset_file) {
(void) pthread_mutex_lock(&plugin_mutex);
if (reset_list)
if (auditd_thread_init()) {
/* continue; wait for audit -s */
}
(void) pthread_mutex_unlock(&plugin_mutex);
reset_list = 0;
}
/*
* tell parent I'm running whether or not the initialization
* actually worked. The failure case is to wait for an
* audit -n or audit -s to fix the problem.
*/
if (pid != 0) {
pid = 0;
}
/*
* thread_signal() signals main (this thread) when
* it has received a signal.
*/
/*
* Got here because a signal came in.
* Since we may have gotten more than one, we assume a
* priority scheme with SIGALRM being the most
* significant.
*/
if (caught_alrm) {
/*
* We have returned from our timed wait for
* c2audit to calm down. We need to really shut
* down here.
*/
caught_alrm = 0;
running = 0; /* shut down now */
} else if (caught_term) {
/*
* we are going to shut down, but need to
* allow time for the audit queues in
* c2audit and for the threads to empty.
*/
p = plugin_head;
while (p != NULL) {
p->plg_tid));
(void) pthread_mutex_lock(&(p->plg_mutex));
p->plg_removed = 1;
if (p->plg_initialized)
(void) pthread_cond_signal(
&(p->plg_cv));
(void) pthread_mutex_unlock(&(p->plg_mutex));
p = p->plg_next;
}
caught_alrm = 0;
caught_readc = 0;
caught_term = 0;
caught_nextd = 0;
"main thread is pausing before exit.\n"));
caught_alrm = 0;
while (!caught_alrm)
running = 0; /* Close down auditing and exit */
} else if (caught_readc) {
/*
* if both hup and usr1 are caught, the logic in
* loadauditlist() results in hup winning. The
* result will be that the audit file is not rolled
* over unless audit_control actually changed.
*
* They want to reread the audit_control file.
* Set reset_list which will return us to the
* main while loop in the main routine.
*/
caught_readc = 0;
reset_list = 1;
} else if (caught_nextd) {
/*
* This is a special case for the binfile
* plugin. (audit -n) NULL out kvlist
* so binfile won't re-read audit_control
*/
caught_nextd = 0;
reset_file = 1;
}
}
} /* end while (running) */
auditd_exit(0);
return (0);
}
/*
* my_sleep - sleep for SLEEP_TIME seconds but only accept the signals
* that we want to accept. (Premature termination just means the
* caller retries more often, not a big deal.)
*/
static void
my_sleep()
{
/*
* Set timer to "sleep"
*/
(void) alarm(SLEEP_TIME);
if (caught_term) {
/*
* Exit, as requested.
*/
}
if (caught_readc)
caught_readc = 0;
caught_nextd = 0;
}
/*
* search for $ISA/ in path and replace it with "" if auditd
* is 32 bit, else "sparcv9/" The plugin $ISA must match however
* auditd was compiled.
*/
static void
{
char *p, *q;
#ifdef __sparcv9
#endif
(void) strcpy(q, p + 5);
} else
}
/*
* init_plugin first searches the existing plugin list to see
* if the plugin already has been defined; if not, it creates it
* and links it into the list. It returns a pointer to the found
* or created struct. A change of path in audit_control for a
* given plugin will cause a miss.
*/
/*
* for 64 bits, the path name can grow 3 bytes (minus 5 for the
* removed "$ISA" and plus 8 for the added "sparcv9/"
*/
static plugin_t *
{
plugin_t *p, *q;
if (*name != '/') {
#ifdef __sparcv9
#else
#endif
return (NULL);
} else {
return (NULL);
}
p = plugin_head;
q = plugin_head;
while (p != NULL) {
p->plg_removed = 0;
p->plg_to_be_removed = 0;
_kva_free(p->plg_kvlist);
p->plg_kvlist = list;
p->plg_reopen = 1;
return (p);
}
}
q = p;
p = p->plg_next;
}
if (p == NULL) {
perror("auditd");
return (NULL);
}
if (q == NULL)
plugin_head = p;
else
q->plg_next = p;
p->plg_initialized = 0;
p->plg_reopen = 1;
p->plg_tid = 0;
p->plg_removed = 0;
p->plg_to_be_removed = 0;
p->plg_tossed = 0;
p->plg_queued = 0;
p->plg_output = 0;
p->plg_sequence = 1;
p->plg_last_seq_out = 0;
p->plg_kvlist = list;
p->plg_retry_time = SLEEP_TIME;
p->plg_qmax = 0;
p->plg_save_q_copy = NULL;
return (p);
}
/*
* loadauditlist - read the directory list from the audit_control file.
* to determine if a binary file is to be written.
* - read the plugin entries from the audit_control file
*
* globals -
*
* plugin queues
*
* success is when at least one plug in is defined.
*
* set cnt policy here based on auditconfig setting. future could
* have a policy = {+|-}cnt entry per plugin with auditconfig providing the
* default.
*/
static void
{
char buf[MAXPATHLEN];
char *value;
plugin_t *p;
int acresult;
int wait_count = 0;
long policy;
int cnt_flag;
int got_dir = 0;
int have_plugin = 0;
char *endptr;
auditd_exit(5);
}
"continue" : "block"));
#if DEBUG
0)
#endif
0) {
auditd_exit(6);
}
p = plugin_head;
/*
* two-step on setting p->plg_removed because the input thread
* in doorway.c uses p->plg_removed to decide if the plugin is
* active.
*/
while (p != NULL) {
p, p->plg_path));
p = p->plg_next;
}
/*
* have_plugin may over count by one if both a "dir" entry
* and a "plugin" entry for binfile are found. All that
* matters is that it be zero if no plugin or dir entries
* are found.
*/
have_plugin = 0;
for (;;) {
/* NULL == use standard path for audit_control */
/*
* loop until a directory entry is found (0) or eof (-1)
*/
acresult != -1) {
}
if (acresult == 0) {
"loadauditlist: "
"got binfile via old config syntax\n"));
/*
* A directory entry was found.
*/
got_dir = 1;
"=", ";");
if (p != NULL) {
binfile = p;
have_plugin++;
}
}
/*
* collect plugin entries. If there is an entry for
* binfile.so.1, the parameters from the plugin line
* override those set above. For binfile, p_dir is
* required only if dir wasn't specified elsewhere in
* audit_control
*/
break;
value));
if (p == NULL)
continue;
binfile = p;
if (!got_dir &&
NULL)) {
}
}
long tmp;
if (*endptr == '\0')
}
have_plugin++;
}
if (have_plugin != 0)
break;
/*
* there was a problem getting the directory
* list or remote host info from the audit_control file
*/
wait_count++;
#if DEBUG
if (wait_count < 2)
"auditd: problem getting directory "
"/ or plugin list from audit_control.\n"));
#endif /* DEBUG */
/*
* sleep for SLEEP_TIME seconds.
*/
my_sleep();
} /* end for(;;) */
p = plugin_head;
while (p != NULL) {
p->plg_removed = p->plg_to_be_removed;
p = p->plg_next;
}
}
/*
* block signals -- thread-specific blocking of the signals expected
* by the main thread.
*/
static void
{
(void) sigfillset(&set);
}
/*
* signal_thread is the designated signal catcher. It wakes up the
* main thread whenever it receives a signal and then goes back to
* sleep; it does not exit. The global variables caught_* let
* the main thread which signal was received.
*
* The thread is created with all signals blocked.
*/
static void
{
int signal_caught;
pthread_self()));
(void) sigemptyset(&set);
for (;;) {
switch (signal_caught) {
case SIGALRM:
caught_alrm++;
break;
case AU_SIG_DISABLE:
caught_term++;
break;
case AU_SIG_READ_CONTROL:
caught_readc++;
break;
case AU_SIG_NEXT_DIR:
caught_nextd++;
break;
default:
break;
}
}
}
/*
* do_sethost - do auditon(2) to set the audit host-id.
* Returns 0 if success, error code or -1 otherwise.
*/
static int
do_sethost(void)
{
int err;
int addr_type;
void *p;
/* First, get our machine name and convert to IP address */
return (err);
}
if (err == 0) {
/* LINTED */
} else {
if (err != 0) {
return (-1);
}
/* LINTED */
}
/* Get current kernel audit info, and fill in the IP address */
sizeof (audit_info))) < 0) {
return (err);
}
/* Update the kernel audit info with new IP address */
sizeof (audit_info))) < 0) {
return (err);
}
return (0);
}