xref: /illumos-gate/usr/src/lib/libbsm/common/audit_plugin.c (revision 9a016c63ca347047a236dff12f0da83aac8981d1)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * private interfaces for auditd plugins and auditd.
26  */
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <bsm/audit.h>
30 #include <bsm/audit_record.h>
31 #include <bsm/audit_uevents.h>
32 #include <bsm/libbsm.h>
33 #include <errno.h>
34 #include <fcntl.h>
35 #include <libintl.h>
36 #include <pthread.h>
37 #include <stdio.h>
38 #include <stdlib.h>
39 #include <string.h>
40 #include <sys/file.h>
41 #include <sys/stat.h>
42 #include <sys/types.h>
43 #include <syslog.h>
44 #include <unistd.h>
45 #include <wait.h>
46 #include "audit_plugin.h"
47 
48 static char	auditwarn[] = "/etc/security/audit_warn";
49 static pthread_mutex_t	syslog_lock;
50 
51 static void
52 init_syslog_mutex()
53 {
54 	(void) pthread_mutex_init(&syslog_lock, NULL);
55 }
56 
57 /*
58  * audit_syslog() -- generate syslog messages from threads that use
59  * different severity, facility code, and application names.
60  *
61  * The syslog() call does NOT use its format capability since the
62  * format string is used for generating the ID, and I want equal
63  * ID's to really be equal.
64  *
65  * syslog(3C) is thread safe, but the set openlog() / syslog() /
66  * closelog() is not.
67  *
68  * Assumption:  the app_name and facility code are paired, i.e.,
69  * if the facility code for this call is the same as for the
70  * the previous, the app_name hasn't changed.
71  */
72 void
73 __audit_syslog(
74 	const char *app_name,
75 	int flags,
76 	int facility,
77 	int severity,
78 	const char *message)
79 {
80 	pthread_once_t		once_control = PTHREAD_ONCE_INIT;
81 	static int		logopen = 0;
82 	static int		prev_facility = -1;
83 
84 	(void) pthread_once(&once_control, init_syslog_mutex);
85 
86 	(void) pthread_mutex_lock(&syslog_lock);
87 	if (prev_facility != facility) {
88 		if (logopen)
89 			closelog();
90 		openlog(app_name, flags, facility);
91 		syslog(severity, message);
92 		(void) pthread_mutex_unlock(&syslog_lock);
93 	} else {
94 		syslog(severity, message);
95 		(void) pthread_mutex_unlock(&syslog_lock);
96 	}
97 }
98 
99 /*
100  * __audit_dowarn - invoke the shell script auditwarn to notify the
101  *	adminstrator about a given problem.
102  * parameters -
103  *	option - what the problem is
104  *	text - when used with options soft and hard: which file was being
105  *		   used when the filesystem filled up
106  *	       when used with the plugin option:  error detail
107  *	count - used with various options: how many times auditwarn has
108  *		been called for this problem since it was last cleared.
109  */
110 void
111 __audit_dowarn(char *option, char *text, int count)
112 {
113 	pid_t		pid;
114 	int		st;
115 	char		countstr[5];
116 	char		warnstring[80];
117 	char		empty[1] = "";
118 
119 	if ((pid = fork1()) == -1) {
120 		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
121 		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
122 		return;
123 	}
124 	if (pid != 0) {
125 		(void) waitpid(pid, &st, 0);
126 		return;
127 	}
128 	(void) sprintf(countstr, "%d", count);
129 	if (text == NULL)
130 		text = empty;
131 
132 	if (strcmp(option, "soft") == 0 || strcmp(option, "hard") == 0)
133 		(void) execl(auditwarn, auditwarn, option, text, 0);
134 
135 	else if (strcmp(option, "allhard") == 0 ||
136 	    strcmp(option, "getacdir") == 0)
137 		(void) execl(auditwarn, auditwarn, option, countstr, 0);
138 	else if (strcmp(option, "plugin") == 0)
139 		(void) execl(auditwarn, auditwarn, option, text, countstr, 0);
140 	else
141 		(void) execl(auditwarn, auditwarn, option, 0);
142 	/*
143 	 * (execl failed)
144 	 */
145 	if (strcmp(option, "soft") == 0)
146 		(void) sprintf(warnstring,
147 		    gettext("soft limit in %s.\n"), text);
148 	else if (strcmp(option, "hard") == 0)
149 		(void) sprintf(warnstring,
150 		    gettext("hard limit in %s.\n"), text);
151 	else if (strcmp(option, "allhard") == 0)
152 		(void) sprintf(warnstring,
153 		    gettext("All audit filesystems are full.\n"));
154 	else if (strcmp(option, "getacmin") == 0)
155 		(void) sprintf(warnstring,
156 		    gettext("audit_control minfree error.\n"));
157 	else if (strcmp(option, "getacdir") == 0)
158 		(void) sprintf(warnstring,
159 		    gettext("audit_control directory error.\n"));
160 	else
161 		(void) sprintf(warnstring,
162 		    gettext("error %s.\n"), option);
163 
164 	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
165 	    LOG_ALERT, (const char *)warnstring);
166 
167 	exit(1);
168 }
169 
170 /*
171  * __audit_dowarn2 - invoke the shell script auditwarn to notify the
172  *	adminstrator about a given problem.
173  * parameters -
174  *	option - what the problem is
175  *	name - entity reporting the problem (ie, plugin name)
176  *	error - error string
177  *	text - when used with options soft and hard: which file was being
178  *		   used when the filesystem filled up
179  *	       when used with the plugin option:  error detail
180  *	count - used with various options: how many times auditwarn has
181  *		been called for this problem since it was last cleared.
182  */
183 void
184 __audit_dowarn2(char *option, char *name, char *error, char *text, int count)
185 {
186 	pid_t		pid;
187 	int		st;
188 	char		countstr[5];
189 	char		warnstring[80];
190 	char		empty[4] = "...";
191 	char		none[3] = "--";
192 
193 	if ((pid = fork()) == -1) {
194 		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
195 		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
196 		return;
197 	}
198 	if (pid != 0) {
199 		(void) waitpid(pid, &st, 0);
200 		return;
201 	}
202 	(void) sprintf(countstr, "%d", count);
203 	if ((text == NULL) || (*text == '\0'))
204 		text = empty;
205 	if ((name == NULL) || (*name == '\0'))
206 		name = none;
207 
208 	(void) execl(auditwarn, auditwarn, option, name, error, text,
209 	    countstr, 0);
210 
211 	/*
212 	 * (execl failed)
213 	 */
214 	(void) sprintf(warnstring,
215 	    gettext("audit_control plugin error: %s\n"), text);
216 
217 	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
218 	    LOG_ALERT, (const char *)warnstring);
219 
220 	exit(1);
221 }
222 
223 /*
224  * logpost - post the new audit log file name to audit_data.
225  *
226  * This is not re-entrant code; it is called from auditd.c when
227  * audit_binfile.so is not running and from binfile after auditd
228  * is done.
229  */
230 int
231 __logpost(char *name)
232 {
233 	char	buffer[MAXPATHLEN];
234 	char	empty[] = "";
235 
236 	static int	first = 1;
237 	static char	auditdata[] = AUDITDATAFILE;
238 	static int	audit_data_fd; /* file descriptor of audit_data */
239 
240 	if (first) {
241 		first = 0;
242 		/*
243 		 * Open the audit_data file. Use O_APPEND so that the contents
244 		 * are not destroyed if there is another auditd running.
245 		 */
246 		if ((audit_data_fd = open(auditdata,
247 			O_RDWR | O_APPEND | O_CREAT, 0660)) < 0) {
248 			__audit_dowarn("tmpfile", "", 0);
249 			return (1);
250 		}
251 	}
252 	if (name == NULL)
253 		name = empty;
254 
255 	(void) snprintf(buffer, sizeof (buffer), "%d:%s\n",
256 	    (int)getpid(), name);
257 
258 	(void) ftruncate(audit_data_fd, (off_t)0);
259 	(void) write(audit_data_fd, buffer, strlen(buffer));
260 	(void) fsync(audit_data_fd);
261 
262 	return (0);
263 }
264 
265 /*
266  * debug use - open a file for auditd and its plugins for debug
267  */
268 FILE *
269 __auditd_debug_file_open() {
270 	static FILE	*fp = NULL;
271 
272 	if (fp != NULL)
273 		return (fp);
274 	if ((fp = fopen("/var/audit/dump", "aF")) == NULL)
275 		(void) fprintf(stderr, "failed to open debug file:  %s\n",
276 		    strerror(errno));
277 
278 	return (fp);
279 }
280