audit_plugin.c revision f89940742f5d14dde79b69b98a414dd7b7f585c7
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
*
* private interfaces for auditd plugins and auditd.
*/
#include <bsm/audit_record.h>
#include <bsm/audit_uevents.h>
#include <errno.h>
#include <fcntl.h>
#include <libintl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <wait.h>
#include "audit_plugin.h"
/*
 * Absolute path of the audit_warn script that the warning routines in this
 * file refer to as "the shell script auditwarn". Being absolute, it does
 * not depend on a PATH search if it is exec'd directly.
 */
static char auditwarn[] = "/etc/security/audit_warn";
/*
 * Taken around the closelog() sequence in the syslog helper below.
 * NOTE(review): there is no static initializer here; confirm that the
 * mutex is initialized before its first use.
 */
static pthread_mutex_t syslog_lock;
/*
 * NOTE(review): the declarator line (function name and parameters) is
 * missing from this listing and the body is empty as shown, so the purpose
 * of this file-local helper cannot be established here. Presumably it is
 * where syslog_lock gets initialized -- confirm against the full source.
 */
static void
{
}
/*
* audit_syslog() -- generate syslog messages from threads that use
* different severity, facility code, and application names.
*
* syslog(3C) is thread safe, but the sequence openlog() / syslog() /
* closelog() is not.
*
* Assumption: the app_name and facility code are paired, i.e.,
* if the facility code for this call is the same as for the
* previous call, the app_name hasn't changed.
*/
void
const char *message)
{
/*
 * NOTE(review): the first line of the declarator and the openlog()/syslog()
 * statements are missing from this listing. Confirm that `message` reaches
 * syslog() as an argument to a literal "%s" format and never as the format
 * string itself, since callers pass text built at run time.
 */
/* Tested below so that closelog() is only called when this is nonzero. */
static int logopen = 0;
/* Facility of the previous call; -1 presumably means "none yet". */
static int prev_facility = -1;
/* Both statics are read only after the lock is taken. */
(void) pthread_mutex_lock(&syslog_lock);
if (prev_facility != facility) {
/* Facility changed: drop the currently open log, if any. */
if (logopen)
closelog();
(void) pthread_mutex_unlock(&syslog_lock);
} else {
/* Same facility as last time; this path also releases the lock. */
(void) pthread_mutex_unlock(&syslog_lock);
}
}
/*
* __audit_dowarn - invoke the shell script auditwarn to notify the
* administrator about a given problem.
* parameters -
* option - what the problem is
* text - when used with options soft and hard: which file was being
* used when the filesystem filled up
* when used with the plugin option: error detail
* count - used with various options: how many times auditwarn has
* been called for this problem since it was last cleared.
*/
void
{
/*
 * NOTE(review): the declarator line and a number of statements (process
 * creation, option dispatch, the exec call) are missing from this listing;
 * the comments below describe only the lines that are visible.
 */
/* Use not visible in this listing. */
int st;
/*
 * Presumably the text form of `count`. Five bytes hold at most four
 * characters plus the terminator.
 * NOTE(review): confirm that the (unseen) formatting call is bounded.
 */
char countstr[5];
/* Message logged if the script could not be run; filled by sprintf below. */
char warnstring[80];
return;
}
/* Nonzero pid returns here; presumably the parent after fork() -- confirm. */
if (pid != 0) {
return;
}
else
/*
 * (execl failed)
 *
 * Everything from here on is the fallback that reports the problem through
 * the syslog helper instead of the script.
 */
/*
 * NOTE(review): sprintf() puts no limit on what it writes into the 80-byte
 * warnstring, and the format is whatever gettext() returns, not a literal.
 * A long translation, or a caller-supplied string formatted by one of the
 * branches not shown here, can overrun the buffer.
 * snprintf(warnstring, sizeof (warnstring), ...) caps the write.
 */
(void) sprintf(warnstring,
gettext("All audit filesystems are full.\n"));
else
/* Tail of a call that logs warnstring at LOG_ALERT; callee not visible. */
LOG_ALERT, (const char *)warnstring);
/*
 * Reached only when the exec did not replace the process image.
 * NOTE(review): if this runs in a forked child, _exit() would avoid running
 * exit handlers and flushing stdio buffers inherited from the parent.
 */
exit(1);
}
/*
* __audit_dowarn2 - invoke the shell script auditwarn to notify the
* administrator about a given problem.
* parameters -
* option - what the problem is
* name - entity reporting the problem (ie, plugin name)
* error - error string
* text - when used with options soft and hard: which file was being
* used when the filesystem filled up
* when used with the plugin option: error detail
* count - used with various options: how many times auditwarn has
* been called for this problem since it was last cleared.
*/
void
{
/*
 * NOTE(review): the declarator line and several statements (process
 * creation, the start of the exec call, message formatting) are missing
 * from this listing; the comments below describe only the visible lines.
 */
/* Use not visible in this listing. */
int st;
/*
 * Presumably the text form of `count`; passed as the last real argument of
 * the call below. Five bytes hold at most four characters plus the
 * terminator.
 * NOTE(review): confirm that the (unseen) formatting call is bounded.
 */
char countstr[5];
/*
 * Message logged at LOG_ALERT below.
 * NOTE(review): the code that fills this 80-byte buffer is not visible;
 * confirm it is size-limited, since per the header comment name, error and
 * text are caller-supplied strings.
 */
char warnstring[80];
return;
}
/* Nonzero pid returns here; presumably the parent after fork() -- confirm. */
if (pid != 0) {
return;
}
/*
 * Tail of a variadic call ending in countstr and a 0 terminator.
 * NOTE(review): if this is the execl() the next comment refers to, the
 * terminator should be written (char *)0; a bare int 0 is not guaranteed to
 * be passed as a null pointer where pointers are wider than int.
 */
countstr, 0);
/*
 * (execl failed)
 */
/* Tail of a call that logs warnstring at LOG_ALERT; callee not visible. */
LOG_ALERT, (const char *)warnstring);
/*
 * Reached only when the exec did not replace the process image.
 * NOTE(review): if this runs in a forked child, _exit() would avoid running
 * exit handlers and flushing stdio buffers inherited from the parent.
 */
exit(1);
}
/*
* logpost - post the new audit log file name.
*
* Entry name = active audit.log file name
* NULL, if checking writability (auditd),
* changing audit log files, error, or exiting (binfile).
*
* Exit 0 = success
* 1 = system error -- errno
* audit_warn called with the specific error
*
*/
int
{
/*
 * NOTE(review): the declarator line and most of the body are missing from
 * this listing. The visible returns follow the contract in the header
 * comment: 0 for success, 1 for a system error.
 */
/* Presumably a saved copy of errno; its use is not visible here. */
int lerrno;
/*
 * Remove the existing BINFILE_FILE entry. The rest of this condition is on
 * a line that is missing from the listing.
 * NOTE(review): if the unseen code then re-creates BINFILE_FILE, removal
 * and re-creation are two separate steps on a fixed path; confirm that the
 * containing directory is writable only by the audit daemon's user.
 */
if (unlink(BINFILE_FILE) != 0 &&
return (1);
}
/* audit_binfile not active, no file pointer */
return (0);
}
return (1);
}
return (0);
}
/*
* debug use - open a file for auditd and its plugins for debug
*/
/*
 * NOTE(review): the function name, the declaration of fp and the call that
 * opens the file are missing from this listing. Both visible exits return
 * fp. Debug output from an audit daemon can carry audit data, so confirm
 * that the file is opened in a root-only location with restrictive
 * permissions.
 */
FILE *
return (fp);
return (fp);
}