+/*
+ * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * "Portions Copyright (c) 2004 Apple Computer, Inc. All Rights
+ * Reserved. This file contains Original Code and/or Modifications of
+ * Original Code as defined in and that are subject to the Apple Public
+ * Source License Version 1.0 (the 'License'). You may not use this file
+ * except in compliance with the License. Please obtain a copy of the
+ * License at http://www.apple.com/publicsource and read it before using
+ * this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License."
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include <mach/port.h>
+#include <mach/mach_error.h>
+#include <mach/mach_traps.h>
+#include <mach/mach.h>
+#include <mach/host_special_ports.h>
+
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <sys/queue.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+
+#include <fcntl.h>
+#include <time.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <syslog.h>
+#include <signal.h>
+#include <string.h>
+#include <notify.h>
+
+#include <bsm/audit.h>
+#include <bsm/audit_uevents.h>
+#include <bsm/libbsm.h>
+
+#include <auditd.h>
+#include "auditd_control_server.h"
+#include "audit_triggers_server.h"
+#define NA_EVENT_STR_SIZE 25
+
+static int ret, minval;
+static char *lastfile = NULL;
+
+static int allhardcount = 0;
+
+mach_port_t bp = MACH_PORT_NULL;
+mach_port_t control_port = MACH_PORT_NULL;
+mach_port_t signal_port = MACH_PORT_NULL;
+mach_port_t port_set = MACH_PORT_NULL;
+
+#ifndef __BSM_INTERNAL_NOTIFY_KEY
+#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
+#endif /* __BSM_INTERNAL_NOTIFY_KEY */
+
+TAILQ_HEAD(, dir_ent) dir_q;
+
+
+/* Error starting auditd */
+void fail_exit()
+{
+ audit_warn_nostart();
+ exit(1);
+}
+
+/*
+ * Free our local list of directory names
+ */
+void free_dir_q()
+{
+ struct dir_ent *dirent;
+
+ while ((dirent = TAILQ_FIRST(&dir_q))) {
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ free(dirent->dirname);
+ free(dirent);
+ }
+}
+
+/*
+ * generate the timestamp string
+ */
+int getTSstr(char *buf, int len)
+{
+ struct timeval ts;
+ struct timezone tzp;
+ time_t tt;
+
+ if(gettimeofday(&ts, &tzp) != 0) {
+ return -1;
+ }
+ tt = (time_t)ts.tv_sec;
+ if(!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt))) {
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Concat the directory name to the given file name
+ * XXX We should affix the hostname also
+ */
+char *affixdir(char *name, struct dir_ent *dirent)
+{
+ char *fn;
+ char *curdir;
+ const char *sep = "/";
+
+ curdir = dirent->dirname;
+ syslog(LOG_INFO, "dir = %s\n", dirent->dirname);
+
+ fn = (char *) malloc (strlen(curdir) + strlen(sep)
+ + (2 * POSTFIX_LEN) + 1);
+ if(fn == NULL) {
+ return NULL;
+ }
+ strcpy(fn, curdir);
+ strcat(fn, sep);
+ strcat(fn, name);
+
+ return fn;
+}
+
+/* Close the previous audit trail file */
+int close_lastfile(char *TS)
+{
+ char *ptr;
+ char *oldname;
+
+ if(lastfile != NULL) {
+ oldname = (char *)malloc(strlen(lastfile) + 1);
+ if(oldname == NULL) {
+ return -1;
+ }
+ strcpy(oldname, lastfile);
+
+ /* rename the last file -- append timestamp */
+
+ if((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
+ *ptr = '.';
+ strcpy(ptr+1, TS);
+ if(rename(oldname, lastfile) != 0) {
+ syslog(LOG_ERR, "Could not rename %s to %s \n",
+ oldname, lastfile);
+ }
+ else {
+ syslog(LOG_INFO, "renamed %s to %s \n",
+ oldname, lastfile);
+ }
+ }
+
+ free(lastfile);
+ free(oldname);
+
+ lastfile = NULL;
+ }
+
+ return 0;
+}
+
+/*
+ * Create the new file name, swap with existing audit file
+ */
+int swap_audit_file()
+{
+ char timestr[2 * POSTFIX_LEN];
+ char *fn;
+ char TS[POSTFIX_LEN];
+ struct dir_ent *dirent;
+
+ if(getTSstr(TS, POSTFIX_LEN) != 0) {
+ return -1;
+ }
+
+ strcpy(timestr, TS);
+ strcat(timestr, NOT_TERMINATED);
+
+ /* try until we succeed */
+ while((dirent = TAILQ_FIRST(&dir_q))) {
+ if((fn = affixdir(timestr, dirent)) == NULL) {
+ return -1;
+ }
+
+ syslog(LOG_INFO, "New audit file is %s\n", fn);
+ if (open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP) < 0) {
+ perror("File open");
+ }
+ else if (auditctl(fn) != 0) {
+ syslog(LOG_ERR, "auditctl failed! : %s\n",
+ strerror(errno));
+ }
+ else {
+ /* Success */
+ close_lastfile(TS);
+ lastfile = fn;
+ return 0;
+ }
+
+ /* Tell the administrator about lack of permissions for dirent */
+ audit_warn_getacdir(dirent->dirname);
+
+ /* Try again with a different directory */
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ free(dirent->dirname);
+ free(dirent);
+ }
+ return -1;
+}
+
+/*
+ * Read the audit_control file contents
+ */
+int read_control_file()
+{
+ char cur_dir[MAX_DIR_SIZE];
+ struct dir_ent *dirent;
+ au_qctrl_t qctrl;
+
+ /* Clear old values */
+ free_dir_q();
+ endac(); // force a re-read of the file the next time
+
+ /* Post that the audit config changed */
+ notify_post(__BSM_INTERNAL_NOTIFY_KEY);
+
+ /* Read the list of directories into a local linked list */
+ /* XXX We should use the reentrant interfaces once they are available */
+ while(getacdir(cur_dir, MAX_DIR_SIZE) >= 0) {
+ dirent = (struct dir_ent *) malloc (sizeof(struct dir_ent));
+ if(dirent == NULL) {
+ return -1;
+ }
+
+ dirent->softlim = 0;
+ dirent->dirname = (char *) malloc (MAX_DIR_SIZE);
+ if(dirent->dirname == NULL) {
+ free(dirent);
+ return -1;
+ }
+
+ strcpy(dirent->dirname, cur_dir);
+ TAILQ_INSERT_TAIL(&dir_q, dirent, dirs);
+ }
+
+ allhardcount = 0;
+
+ if(swap_audit_file() == -1) {
+ syslog(LOG_ERR, "Could not swap audit file\n");
+ /*
+ * XXX Faulty directory listing? - user should be given
+ * XXX an opportunity to change the audit_control file
+ * XXX switch to a reduced mode of auditing?
+ */
+ return -1;
+ }
+
+ /*
+ * XXX There are synchronization problems here
+ * XXX what should we do if a trigger for the earlier limit
+ * XXX is generated here?
+ */
+ if(0 == (ret = getacmin(&minval))) {
+
+ syslog(LOG_INFO, "min free = %d\n", minval);
+
+ if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+ syslog(LOG_ERR,
+ "could not get audit queue settings\n");
+ return -1;
+ }
+ qctrl.aq_minfree = minval;
+ if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+ syslog(LOG_ERR,
+ "could not set audit queue settings\n");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Close all log files, control files, and tell the audit system.
+ */
+int close_all()
+{
+ int err_ret = 0;
+ char TS[POSTFIX_LEN];
+ int aufd;
+ token_t *tok;
+
+ /* Generate an audit record */
+ if((aufd = au_open()) == -1) {
+ syslog(LOG_ERR, "Could not create audit shutdown event.\n");
+ } else {
+
+ if((tok = au_to_text("auditd::Audit shutdown")) != NULL) {
+ au_write(aufd, tok);
+ }
+
+ if(au_close(aufd, 1, AUE_audit_shutdown) == -1) {
+ syslog(LOG_ERR, "Could not close audit shutdown event.\n");
+ }
+ }
+
+ /* flush contents */
+ err_ret = auditctl(NULL);
+ if (err_ret != 0) {
+ syslog(LOG_ERR, "auditctl failed! : %s\n",
+ strerror(errno));
+ err_ret = 1;
+ }
+ if(getTSstr(TS, POSTFIX_LEN) == 0) {
+ close_lastfile(TS);
+ }
+ if(lastfile != NULL)
+ free(lastfile);
+
+ free_dir_q();
+ if((remove(AUDITD_PIDFILE) == -1) || err_ret) {
+ syslog(LOG_ERR, "Could not unregister\n");
+ audit_warn_postsigterm();
+ return (1);
+ }
+ endac();
+ syslog(LOG_INFO, "Finished.\n");
+ return (0);
+}
+
+/*
+ * When we get a signal, we are often not at a clean point.
+ * So, little can be done in the signal handler itself. Instead,
+ * we send a message to the main servicing loop to do proper
+ * handling from a non-signal-handler context.
+ */
+static void
+relay_signal(int signal)
+{
+ mach_msg_empty_send_t msg;
+
+ msg.header.msgh_id = signal;
+ msg.header.msgh_remote_port = signal_port;
+ msg.header.msgh_local_port = MACH_PORT_NULL;
+ msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
+ mach_msg(&(msg.header), MACH_SEND_MSG|MACH_SEND_TIMEOUT, sizeof(msg),
+ 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+}
+
+/* registering the daemon */
+int register_daemon()
+{
+ FILE * pidfile;
+ int fd;
+ pid_t pid;
+
+ /* Set up the signal hander */
+ if (signal(SIGTERM, relay_signal) == SIG_ERR) {
+ fail_exit();
+ }
+ if (signal(SIGCHLD, relay_signal) == SIG_ERR) {
+ fail_exit();
+ }
+
+ if ((pidfile = fopen(AUDITD_PIDFILE, "a")) == NULL) {
+ audit_warn_tmpfile();
+ return -1;
+ }
+
+ /* attempt to lock the pid file; if a lock is present, exit */
+ fd = fileno(pidfile);
+ if(flock(fd, LOCK_EX | LOCK_NB) < 0) {
+ syslog(LOG_ERR, "PID file is locked (is another auditd running?).\n");
+ audit_warn_ebusy();
+ return -1;
+ }
+
+ pid = getpid();
+ ftruncate(fd, 0);
+ if(fprintf(pidfile, "%u\n", pid) < 0) {
+ /* should not start the daemon */
+ fail_exit();
+ }
+
+ fflush(pidfile);
+ return 0;
+}
+
+/*
+ * React to input from the audit tool
+ */
+kern_return_t auditd_control(auditd_port, flags)
+ mach_port_t auditd_port;
+ int flags;
+{
+ int err_ret = 0;
+
+ switch(flags) {
+
+ case OPEN_NEW :
+ /* create a new file and swap with the one being used in kernel */
+ if(swap_audit_file() == -1) {
+ syslog(LOG_ERR, "Error swapping audit file\n");
+ }
+ break;
+
+ case READ_FILE :
+ if(read_control_file() == -1) {
+ syslog(LOG_ERR, "Error in audit control file\n");
+ }
+ break;
+
+ case CLOSE_AND_DIE :
+ err_ret = close_all();
+ exit (err_ret);
+ break;
+
+ default :
+ break;
+ }
+
+ return KERN_SUCCESS;
+}
+
+/*
+ * Suppress duplicate messages within a 30 second interval.
+ * This should be enough to time to rotate log files without
+ * thrashing from soft warnings generated before the log is
+ * actually rotated.
+ */
+#define DUPLICATE_INTERVAL 30
+/*
+ * Implementation of the audit_triggers() MIG routine.
+ */
+kern_return_t audit_triggers(audit_port, flags)
+ mach_port_t audit_port;
+ int flags;
+{
+ static int last_flags;
+ static time_t last_time;
+ struct dir_ent *dirent;
+
+ /*
+ * Suppres duplicate messages from the kernel within the specified interval
+ */
+ struct timeval ts;
+ struct timezone tzp;
+ time_t tt;
+
+ if(gettimeofday(&ts, &tzp) == 0) {
+ tt = (time_t)ts.tv_sec;
+ if ((flags == last_flags) && (tt < (last_time + DUPLICATE_INTERVAL))) {
+ return KERN_SUCCESS;
+ }
+ last_flags = flags;
+ last_time = tt;
+ }
+
+ syslog(LOG_INFO,
+ "audit_triggers() called within auditd with flags = %d\n",
+ flags);
+ /*
+ * XXX Message processing is done here
+ */
+ dirent = TAILQ_FIRST(&dir_q);
+ if(flags == AUDIT_TRIGGER_LOW_SPACE) {
+ if(dirent && (dirent->softlim != 1)) {
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ /* add this node to the end of the list */
+ TAILQ_INSERT_TAIL(&dir_q, dirent, dirs);
+ audit_warn_soft(dirent->dirname);
+ dirent->softlim = 1;
+
+ if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL && swap_audit_file() == -1) {
+ syslog(LOG_ERR, "Error swapping audit file\n");
+ }
+
+ /*
+ * check if the next dir has already reached its
+ * soft limit
+ */
+ dirent = TAILQ_FIRST(&dir_q);
+ if(dirent->softlim == 1) {
+ /* all dirs have reached their soft limit */
+ audit_warn_allsoft();
+ }
+ }
+ else {
+ /*
+ * Continue auditing to the current file
+ * Also generate an allsoft warning
+ * XXX do we want to do this ?
+ */
+ audit_warn_allsoft();
+ }
+ }
+ else if (flags == AUDIT_TRIGGER_FILE_FULL) {
+
+ /* delete current dir, go on to next */
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ audit_warn_hard(dirent->dirname);
+ free(dirent->dirname);
+ free(dirent);
+
+ if(swap_audit_file() == -1) {
+ syslog(LOG_ERR, "Error swapping audit file in response to AUDIT_TRIGGER_FILE_FULL message\n");
+
+ /* Nowhere to write to */
+ audit_warn_allhard(++allhardcount);
+ }
+ }
+ return KERN_SUCCESS;
+}
+
+/*
+ * Reap our children.
+ */
+static void
+reap_children(void)
+{
+ pid_t child;
+ int wstatus;
+
+ while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) {
+ if (wstatus) {
+ syslog(LOG_INFO, "warn process [pid=%d] %s %d.\n", child,
+ ((WIFEXITED(wstatus)) ?
+ "exited with non-zero status" :
+ "exited as a result of signal"),
+ ((WIFEXITED(wstatus)) ?
+ WEXITSTATUS(wstatus) :
+ WTERMSIG(wstatus)));
+ }
+ }
+}
+
+/*
+ * Handle an RPC call
+ */
+boolean_t auditd_combined_server(
+ mach_msg_header_t *InHeadP,
+ mach_msg_header_t *OutHeadP)
+{
+ mach_port_t local_port = InHeadP->msgh_local_port;
+
+ if (local_port == signal_port) {
+ int signo = InHeadP->msgh_id;
+ int ret;
+
+ if (SIGTERM == signo) {
+ ret = close_all();
+ exit (ret);
+ } else if (SIGCHLD == signo) {
+ reap_children();
+ return TRUE;
+ } else {
+ syslog(LOG_INFO, "Recevied signal %d.\n", signo);
+ return TRUE;
+ }
+ } else if (local_port == control_port) {
+ boolean_t result;
+
+ result = audit_triggers_server(InHeadP, OutHeadP);
+ if (!result)
+ result = auditd_control_server(InHeadP, OutHeadP);
+ return result;
+ }
+ syslog(LOG_INFO, "Recevied msg on bad port 0x%x.\n", local_port);
+ return FALSE;
+}
+
+void wait_on_audit_trigger(port_set)
+ mach_port_t port_set;
+{
+ kern_return_t result;
+ result = mach_msg_server(auditd_combined_server, 4096, port_set, MACH_MSG_OPTION_NONE);
+ syslog(LOG_ERR, "abnormal exit\n");
+}
+
+/*
+ * Configure the audit controls in the kernel: the event to class mapping,
+ * kernel preselection mask, etc.
+ */
+int config_audit_controls(long flags)
+{
+ au_event_ent_t *ev;
+ au_evclass_map_t evc_map;
+ au_mask_t aumask;
+ int ctr = 0;
+ char naeventstr[NA_EVENT_STR_SIZE];
+
+ /* Process the audit event file, obtaining a class mapping for each
+ * event, and send that mapping into the kernel.
+ * XXX There's a risk here that the BSM library will return NULL
+ * for an event when it can't properly map it to a class. In that
+ * case, we will not process any events beyond the one that failed,
+ * but should. We need a way to get a count of the events.
+ */
+
+ setauevent();
+ while((ev = getauevent()) != NULL) {
+ evc_map.ec_number = ev->ae_number;
+ evc_map.ec_class = ev->ae_class;
+ if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) != 0) {
+ syslog(LOG_ERR,
+ "Failed to register class mapping for event %s",
+ ev->ae_name);
+ } else {
+ ctr++;
+ }
+ free(ev->ae_name);
+ free(ev->ae_desc);
+ free(ev);
+ }
+ endauevent();
+ if (ctr == 0)
+ syslog(LOG_ERR, "No events to class mappings registered.");
+ else
+ syslog(LOG_INFO, "Registered %d event to class mappings.", ctr);
+
+ /* Get the non-attributable event string and set the kernel mask
+ * from that.
+ */
+ if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0)
+ && ( getauditflagsbin(naeventstr, &aumask) == 0)) {
+
+ if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t))){
+ syslog(LOG_ERR,
+ "Failed to register non-attributable event mask.");
+ } else {
+ syslog(LOG_INFO, "Registered non-attributable event mask.");
+ }
+
+ } else {
+ syslog(LOG_ERR,"Failed to obtain non-attributable event mask.");
+ }
+
+ /*
+ * Set the audit policy flags based on passed in parameter values.
+ */
+ if (auditon(A_SETPOLICY, &flags, sizeof(flags))) {
+ syslog(LOG_ERR,
+ "Failed to set audit policy.");
+ }
+
+ return 0;
+}
+
+void setup(long flags)
+{
+ mach_msg_type_name_t poly;
+ int aufd;
+ token_t *tok;
+
+ /* Allocate a port set */
+ if (mach_port_allocate(mach_task_self(),
+ MACH_PORT_RIGHT_PORT_SET,
+ &port_set) != KERN_SUCCESS) {
+ syslog(LOG_ERR, "allocation of port set failed\n");
+ fail_exit();
+ }
+
+ /* Allocate a signal reflection port */
+ if (mach_port_allocate(mach_task_self(),
+ MACH_PORT_RIGHT_RECEIVE,
+ &signal_port) != KERN_SUCCESS ||
+ mach_port_move_member(mach_task_self(),
+ signal_port,
+ port_set) != KERN_SUCCESS) {
+ syslog(LOG_ERR, "allocation of signal port failed\n");
+ fail_exit();
+ }
+
+ /* Allocate a trigger port */
+ if (mach_port_allocate(mach_task_self(),
+ MACH_PORT_RIGHT_RECEIVE,
+ &control_port) != KERN_SUCCESS ||
+ mach_port_move_member(mach_task_self(),
+ control_port,
+ port_set) != KERN_SUCCESS) {
+ syslog(LOG_ERR, "allocation of trigger port failed\n");
+ fail_exit();
+ }
+
+ /* create a send right on our trigger port */
+ mach_port_extract_right(mach_task_self(), control_port,
+ MACH_MSG_TYPE_MAKE_SEND, &control_port, &poly);
+
+ TAILQ_INIT(&dir_q);
+
+ /* register the trigger port with the kernel */
+ if(host_set_audit_control_port(mach_host_self(), control_port) != KERN_SUCCESS) {
+ syslog(LOG_ERR, "Cannot set Mach control port\n");
+ fail_exit();
+ }
+ else {
+ syslog(LOG_ERR, "Mach control port registered\n");
+ }
+
+ if(read_control_file() == -1) {
+ syslog(LOG_ERR, "Error reading control file\n");
+ fail_exit();
+ }
+
+ /* Generate an audit record */
+ if((aufd = au_open()) == -1) {
+ syslog(LOG_ERR, "Could not create audit startup event.\n");
+ } else {
+
+ if((tok = au_to_text("auditd::Audit startup")) != NULL) {
+ au_write(aufd, tok);
+ }
+
+ if(au_close(aufd, 1, AUE_audit_startup) == -1) {
+ syslog(LOG_ERR, "Could not close audit startup event.\n");
+ }
+ }
+
+ if (config_audit_controls(flags) == 0)
+ syslog(LOG_INFO, "Initialization successful\n");
+ else
+ syslog(LOG_INFO, "Initialization failed\n");
+}
+
+
+int main(int argc, char **argv)
+{
+ char ch;
+ long flags = AUDIT_CNT;
+ int debug = 0;
+
+ while ((ch = getopt(argc, argv, "dhs")) != -1) {
+ switch(ch) {
+
+ /* debug option */
+ case 'd':
+ debug = 1;
+ break;
+
+ /* fail-stop option */
+ case 's':
+ flags &= ~(AUDIT_CNT);
+ break;
+
+ /* halt-stop option */
+ case 'h':
+ flags |= AUDIT_AHLT;
+ break;
+
+ case '?':
+ default:
+ (void)fprintf(stderr,
+ "usage: auditd [-h | -s]\n");
+ exit(1);
+ }
+ }
+
+ openlog("auditd", LOG_CONS | LOG_PID, LOG_DAEMON);
+ syslog(LOG_INFO, "starting...\n");
+
+ if (debug == 0 && daemon(0, 0) == -1) {
+ syslog(LOG_ERR, "Failed to daemonize\n");
+ exit(1);
+ }
+
+ if(register_daemon() == -1) {
+ syslog(LOG_ERR, "Could not register as daemon\n");
+ exit(1);
+ }
+
+ setup(flags);
+ wait_on_audit_trigger(port_set);
+ syslog(LOG_INFO, "exiting.\n");
+
+ exit(1);
+}
projects / apple / system_cmds.git / commitdiff
