xref: /illumos-gate/usr/src/lib/libbsm/common/audit_plugin.c (revision 7c478bd95313f5f23a4c958a745db2134aa03244)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * private interfaces for auditd plugins and auditd.
 */
#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <bsm/audit.h>
#include <bsm/audit_record.h>
#include <bsm/audit_uevents.h>
#include <bsm/libbsm.h>
#include <errno.h>
#include <fcntl.h>
#include <libintl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>
#include <wait.h>
#include "audit_plugin.h"

static char	auditwarn[] = "/etc/security/audit_warn";
static pthread_mutex_t	syslog_lock;

static void
init_syslog_mutex()
{
	(void) pthread_mutex_init(&syslog_lock, NULL);
}

/*
 * audit_syslog() -- generate syslog messages from threads that use
 * different severity, facility code, and application names.
 *
 * The syslog() call does NOT use its format capability since the
 * format string is used for generating the ID, and I want equal
 * ID's to really be equal.
 *
 * syslog(3C) is thread safe, but the set openlog() / syslog() /
 * closelog() is not.
 *
 * Assumption:  the app_name and facility code are paired, i.e.,
 * if the facility code for this call is the same as for the
 * the previous, the app_name hasn't changed.
 */
void
__audit_syslog(
	const char *app_name,
	int flags,
	int facility,
	int severity,
	const char *message)
{
	pthread_once_t		once_control = PTHREAD_ONCE_INIT;
	static int		logopen = 0;
	static int		prev_facility = -1;

	(void) pthread_once(&once_control, init_syslog_mutex);

	(void) pthread_mutex_lock(&syslog_lock);
	if (prev_facility != facility) {
		if (logopen)
			closelog();
		openlog(app_name, flags, facility);
		syslog(severity, message);
		(void) pthread_mutex_unlock(&syslog_lock);
	} else {
		syslog(severity, message);
		(void) pthread_mutex_unlock(&syslog_lock);
	}
}

/*
 * __audit_dowarn - invoke the shell script auditwarn to notify the
 *	adminstrator about a given problem.
 * parameters -
 *	option - what the problem is
 *	text - when used with options soft and hard: which file was being
 *		   used when the filesystem filled up
 *	       when used with the plugin option:  error detail
 *	count - used with various options: how many times auditwarn has
 *		been called for this problem since it was last cleared.
 */
void
__audit_dowarn(char *option, char *text, int count)
{
	pid_t		pid;
	int		st;
	char		countstr[5];
	char		warnstring[80];
	char		empty[1] = "";

	if ((pid = fork1()) == -1) {
		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
		return;
	}
	if (pid != 0) {
		(void) waitpid(pid, &st, 0);
		return;
	}
	(void) sprintf(countstr, "%d", count);
	if (text == NULL)
		text = empty;

	if (strcmp(option, "soft") == 0 || strcmp(option, "hard") == 0)
		(void) execl(auditwarn, auditwarn, option, text, 0);

	else if (strcmp(option, "allhard") == 0 ||
	    strcmp(option, "getacdir") == 0)
		(void) execl(auditwarn, auditwarn, option, countstr, 0);
	else if (strcmp(option, "plugin") == 0)
		(void) execl(auditwarn, auditwarn, option, text, countstr, 0);
	else
		(void) execl(auditwarn, auditwarn, option, 0);
	/*
	 * (execl failed)
	 */
	if (strcmp(option, "soft") == 0)
		(void) sprintf(warnstring,
		    gettext("soft limit in %s.\n"), text);
	else if (strcmp(option, "hard") == 0)
		(void) sprintf(warnstring,
		    gettext("hard limit in %s.\n"), text);
	else if (strcmp(option, "allhard") == 0)
		(void) sprintf(warnstring,
		    gettext("All audit filesystems are full.\n"));
	else if (strcmp(option, "getacmin") == 0)
		(void) sprintf(warnstring,
		    gettext("audit_control minfree error.\n"));
	else if (strcmp(option, "getacdir") == 0)
		(void) sprintf(warnstring,
		    gettext("audit_control directory error.\n"));
	else
		(void) sprintf(warnstring,
		    gettext("error %s.\n"), option);

	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
	    LOG_ALERT, (const char *)warnstring);

	exit(1);
}

/*
 * __audit_dowarn2 - invoke the shell script auditwarn to notify the
 *	adminstrator about a given problem.
 * parameters -
 *	option - what the problem is
 *	name - entity reporting the problem (ie, plugin name)
 *	error - error string
 *	text - when used with options soft and hard: which file was being
 *		   used when the filesystem filled up
 *	       when used with the plugin option:  error detail
 *	count - used with various options: how many times auditwarn has
 *		been called for this problem since it was last cleared.
 */
void
__audit_dowarn2(char *option, char *name, char *error, char *text, int count)
{
	pid_t		pid;
	int		st;
	char		countstr[5];
	char		warnstring[80];
	char		empty[4] = "...";
	char		none[3] = "--";

	if ((pid = fork()) == -1) {
		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
		return;
	}
	if (pid != 0) {
		(void) waitpid(pid, &st, 0);
		return;
	}
	(void) sprintf(countstr, "%d", count);
	if ((text == NULL) || (*text == '\0'))
		text = empty;
	if ((name == NULL) || (*name == '\0'))
		name = none;

	(void) execl(auditwarn, auditwarn, option, name, error, text,
	    countstr, 0);

	/*
	 * (execl failed)
	 */
	(void) sprintf(warnstring,
	    gettext("audit_control plugin error: %s\n"), text);

	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
	    LOG_ALERT, (const char *)warnstring);

	exit(1);
}

/*
 * logpost - post the new audit log file name to audit_data.
 *
 * This is not re-entrant code; it is called from auditd.c when
 * audit_binfile.so is not running and from binfile after auditd
 * is done.
 */
int
__logpost(char *name)
{
	char	buffer[MAXPATHLEN];
	char	empty[] = "";

	static int	first = 1;
	static char	auditdata[] = AUDITDATAFILE;
	static int	audit_data_fd; /* file descriptor of audit_data */

	if (first) {
		first = 0;
		/*
		 * Open the audit_data file. Use O_APPEND so that the contents
		 * are not destroyed if there is another auditd running.
		 */
		if ((audit_data_fd = open(auditdata,
			O_RDWR | O_APPEND | O_CREAT, 0660)) < 0) {
			__audit_dowarn("tmpfile", "", 0);
			return (1);
		}
	}
	if (name == NULL)
		name = empty;

	(void) snprintf(buffer, sizeof (buffer), "%d:%s\n",
	    (int)getpid(), name);

	(void) ftruncate(audit_data_fd, (off_t)0);
	(void) write(audit_data_fd, buffer, strlen(buffer));
	(void) fsync(audit_data_fd);

	return (0);
}

/*
 * debug use - open a file for auditd and its plugins for debug
 */
FILE *
__auditd_debug_file_open() {
	static FILE	*fp = NULL;

	if (fp != NULL)
		return (fp);
	if ((fp = fopen("/var/audit/dump", "a")) == NULL)
		(void) fprintf(stderr, "failed to open debug file:  %s\n",
		    strerror(errno));

	return (fp);
}