xref: /illumos-gate/usr/src/lib/libbsm/common/audit_plugin.c (revision 588541fbf64fffe619698198cef04af1900f1f86)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1993, 2010, Oracle and/or its affiliates. All rights reserved.
23  *
24  * private interfaces for auditd plugins and auditd.
25  */
26 
27 #include <bsm/audit.h>
28 #include <bsm/audit_record.h>
29 #include <bsm/audit_uevents.h>
30 #include <bsm/libbsm.h>
31 #include <errno.h>
32 #include <fcntl.h>
33 #include <libintl.h>
34 #include <pthread.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <sys/file.h>
39 #include <sys/stat.h>
40 #include <sys/types.h>
41 #include <syslog.h>
42 #include <unistd.h>
43 #include <wait.h>
44 #include "audit_plugin.h"
45 
46 static char	auditwarn[] = "/etc/security/audit_warn";
47 static pthread_mutex_t	syslog_lock;
48 
49 static void
50 init_syslog_mutex()
51 {
52 	(void) pthread_mutex_init(&syslog_lock, NULL);
53 }
54 
55 /*
56  * audit_syslog() -- generate syslog messages from threads that use
57  * different severity, facility code, and application names.
58  *
59  * syslog(3C) is thread safe, but the set openlog() / syslog() /
60  * closelog() is not.
61  *
62  * Assumption:  the app_name and facility code are paired, i.e.,
63  * if the facility code for this call is the same as for the
64  * the previous, the app_name hasn't changed.
65  */
66 void
67 __audit_syslog(const char *app_name, int flags, int facility, int severity,
68     const char *message)
69 {
70 	static pthread_once_t	once_control = PTHREAD_ONCE_INIT;
71 	static int		logopen = 0;
72 	static int		prev_facility = -1;
73 
74 	(void) pthread_once(&once_control, init_syslog_mutex);
75 
76 	(void) pthread_mutex_lock(&syslog_lock);
77 	if (prev_facility != facility) {
78 		if (logopen)
79 			closelog();
80 		openlog(app_name, flags, facility);
81 		syslog(severity, "%s", message);
82 		(void) pthread_mutex_unlock(&syslog_lock);
83 	} else {
84 		syslog(severity, "%s", message);
85 		(void) pthread_mutex_unlock(&syslog_lock);
86 	}
87 }
88 
89 /*
90  * __audit_dowarn - invoke the shell script auditwarn to notify the
91  *	adminstrator about a given problem.
92  * parameters -
93  *	option - what the problem is
94  *	text - when used with options soft and hard: which file was being
95  *		   used when the filesystem filled up
96  *	       when used with the plugin option:  error detail
97  *	count - used with various options: how many times auditwarn has
98  *		been called for this problem since it was last cleared.
99  */
100 void
101 __audit_dowarn(char *option, char *text, int count)
102 {
103 	pid_t		pid;
104 	int		st;
105 	char		countstr[5];
106 	char		warnstring[80];
107 	char		empty[1] = "";
108 
109 	if ((pid = fork1()) == -1) {
110 		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
111 		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
112 		return;
113 	}
114 	if (pid != 0) {
115 		(void) waitpid(pid, &st, 0);
116 		return;
117 	}
118 	(void) snprintf(countstr, 5, "%d", count);
119 	if (text == NULL)
120 		text = empty;
121 
122 	if (strcmp(option, "soft") == 0 || strcmp(option, "hard") == 0)
123 		(void) execl(auditwarn, auditwarn, option, text, 0);
124 
125 	else if (strcmp(option, "allhard") == 0)
126 		(void) execl(auditwarn, auditwarn, option, countstr, 0);
127 	else if (strcmp(option, "plugin") == 0)
128 		(void) execl(auditwarn, auditwarn, option, text, countstr, 0);
129 	else
130 		(void) execl(auditwarn, auditwarn, option, 0);
131 	/*
132 	 * (execl failed)
133 	 */
134 	if (strcmp(option, "soft") == 0)
135 		(void) snprintf(warnstring, 80,
136 		    gettext("soft limit in %s.\n"), text);
137 	else if (strcmp(option, "hard") == 0)
138 		(void) snprintf(warnstring, 80,
139 		    gettext("hard limit in %s.\n"), text);
140 	else if (strcmp(option, "allhard") == 0)
141 		(void) sprintf(warnstring,
142 		    gettext("All audit filesystems are full.\n"));
143 	else
144 		(void) snprintf(warnstring, 80,
145 		    gettext("error %s.\n"), option);
146 
147 	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
148 	    LOG_ALERT, (const char *)warnstring);
149 
150 	exit(1);
151 }
152 
153 /*
154  * __audit_dowarn2 - invoke the shell script auditwarn to notify the
155  *	adminstrator about a given problem.
156  * parameters -
157  *	option - what the problem is
158  *	name - entity reporting the problem (ie, plugin name)
159  *	error - error string
160  *	text - when used with options soft and hard: which file was being
161  *		   used when the filesystem filled up
162  *	       when used with the plugin option:  error detail
163  *	count - used with various options: how many times auditwarn has
164  *		been called for this problem since it was last cleared.
165  */
166 void
167 __audit_dowarn2(char *option, char *name, char *error, char *text, int count)
168 {
169 	pid_t		pid;
170 	int		st;
171 	char		countstr[5];
172 	char		warnstring[80];
173 	char		empty[4] = "...";
174 	char		none[3] = "--";
175 
176 	if ((pid = fork()) == -1) {
177 		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
178 		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
179 		return;
180 	}
181 	if (pid != 0) {
182 		(void) waitpid(pid, &st, 0);
183 		return;
184 	}
185 	(void) snprintf(countstr, 5, "%d", count);
186 	if ((text == NULL) || (*text == '\0'))
187 		text = empty;
188 	if ((name == NULL) || (*name == '\0'))
189 		name = none;
190 
191 	(void) execl(auditwarn, auditwarn, option, name, error, text,
192 	    countstr, 0);
193 
194 	/*
195 	 * (execl failed)
196 	 */
197 	(void) snprintf(warnstring, 80,
198 	    gettext("%s plugin error: %s\n"), name, text);
199 
200 	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
201 	    LOG_ALERT, (const char *)warnstring);
202 
203 	exit(1);
204 }
205 
206 /*
207  * logpost - post the new audit log file name.
208  *
209  *	Entry	name = active audit.log file name
210  *			NULL, if checking writability (auditd),
211  *			changing audit log files, error, or exiting (binfile).
212  *
213  *	Exit	0 = success
214  *		1 = system error -- errno
215  *		    audit_warn called with the specific error
216  *
217  */
218 int
219 __logpost(char *name)
220 {
221 	int lerrno;
222 
223 	if (unlink(BINFILE_FILE) != 0 &&
224 	    errno != ENOENT) {
225 
226 		lerrno = errno;
227 		__audit_dowarn("tmpfile", strerror(errno), 0);
228 		errno = lerrno;
229 		return (1);
230 	}
231 	if (name == NULL || *name == '\0') {
232 		/* audit_binfile not active, no file pointer */
233 		return (0);
234 	}
235 	if (symlink(name, BINFILE_FILE) != 0) {
236 
237 		lerrno = errno;
238 		__audit_dowarn("tmpfile", strerror(errno), 0);
239 		errno = lerrno;
240 		return (1);
241 	}
242 
243 	return (0);
244 }
245 
246 /*
247  * debug use - open a file for auditd and its plugins for debug
248  */
249 FILE *
250 __auditd_debug_file_open() {
251 	static FILE	*fp = NULL;
252 
253 	if (fp != NULL)
254 		return (fp);
255 	if ((fp = fopen("/var/audit/dump", "aF")) == NULL)
256 		(void) fprintf(stderr, "failed to open debug file:  %s\n",
257 		    strerror(errno));
258 
259 	return (fp);
260 }
261