xref: /titanic_50/usr/src/lib/auditd_plugins/syslog/sysplugin.c (revision 0a1278f26ea4b7c8c0285d4f2d6c5b680904aa01)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * convert binary audit records to syslog messages and
26  * send them off to syslog
27  *
28  */
29 
30 /*
31  * auditd_plugin_open(), auditd_plugin() and auditd_plugin_close()
32  * implement a replacable library for use by auditd; they are a
33  * project private interface and may change without notice.
34  *
35  */
36 #define	DEBUG	0
37 #if DEBUG
38 #define	DPRINT(x) { (void) fprintf x; }
39 #else
40 #define	DPRINT(x)
41 #endif
42 
43 #include <arpa/inet.h>
44 #include <assert.h>
45 #include <errno.h>
46 #include <fcntl.h>
47 #include <grp.h>
48 #include <libintl.h>
49 #include <netdb.h>
50 #include <netinet/in.h>
51 #include <pthread.h>
52 #include <pwd.h>
53 #include <stdio.h>
54 #include <stdlib.h>
55 #include <string.h>
56 #include <time.h>
57 #include <syslog.h>
58 #include <sys/types.h>
59 #include <sys/socket.h>
60 #include <unistd.h>
61 
62 #include <bsm/audit.h>
63 #include <bsm/audit_record.h>
64 #include <security/auditd.h>
65 
66 #include "toktable.h"
67 #include "sysplugin.h"
68 #include "systoken.h"
69 #include <audit_plugin.h>
70 
71 /* gettext() obfuscation routine for lint */
72 #ifdef __lint
73 #define	gettext(x)	x
74 #endif
75 
76 #if DEBUG
77 static FILE	*dbfp;			/* debug file */
78 #endif
79 
80 extern void init_tokens();
81 extern int parse_token(parse_context_t *);
82 
83 static au_mask_t	mask;
84 static int		initialized = 0;
85 static size_t		maxavail;
86 static pthread_mutex_t	log_mutex;
87 
88 #define	ELLIPSIS	"..."
89 #define	ELLIPSIS_SIZE	(sizeof (ELLIPSIS) - 1)
90 
91 /*
92  * simple hashing for uid and hostname lookup
93  *
94  * performance tests showed that cacheing the hostname, uid, and gid
95  * make about a 40% difference for short audit records and regularly
96  * repeating hostname, uid, etc
97  *
98  * ht_type and ht_ip are only used for hostname lookup cacheing.
99  */
100 typedef struct hashtable {
101 	uint32_t	ht_key;
102 	uint32_t	ht_type;
103 	uint32_t	ht_ip[4];
104 	char		*ht_value;
105 	size_t		ht_length;
106 } hashtable_t;
107 #define	HOSTHASHSIZE	128
108 #define	UIDHASHSIZE	128
109 #define	GIDHASHSIZE	32
110 
111 static hashtable_t	uidhash[UIDHASHSIZE];
112 static hashtable_t	gidhash[GIDHASHSIZE];
113 static hashtable_t	hosthash[HOSTHASHSIZE];
114 
115 #define	STRCONSTARGS(s)	(s), (sizeof (s) - 1)
116 /*
117  * the hash "handles" collisions by overwriting the old
118  * hash entry with the new.  Perfection is not the goal.
119  *
120  * the key (s) is a 32 bit integer, handled here as
121  * four bytes.  If the hash size is increased beyond
122  * 256, this macro will need some work.
123  */
124 #define	HASH(s,  r, m)	{\
125 				uint32_t	_mush = 0;\
126 				int		_i;\
127 				for (_i = 0; _i < 4; _i++) {\
128 					_mush ^= *(s)++;\
129 				}\
130 				r = _mush % m;\
131 			}
132 
133 
134 /*
135  * The default mask for sysplugin is to reject all record types.
136  * The parameters input here select which classes to allow.
137  *
138  * getauditflgsbin() outputs error messages to syslog.
139  *
140  * caller must hold log_mutex
141  */
142 
143 static auditd_rc_t
144 setmask(const char *flags)
145 {
146 	au_mask_t tmask;
147 	char	*input, *ip, c;
148 	auditd_rc_t	rc = AUDITD_SUCCESS;
149 
150 	mask.am_success = 0x0;
151 	mask.am_failure = 0x0;
152 
153 	if (flags != NULL) {
154 		/*
155 		 * getauditflagsbin doesn't like blanks, but admins do
156 		 */
157 		input = malloc(strlen(flags) + 1);
158 		if (input == NULL)
159 			return (AUDITD_NO_MEMORY);
160 
161 		ip = input;
162 
163 		for (; (c = *flags) != '\0'; flags++) {
164 			if (c == ' ')
165 				continue;
166 			*ip++ = c;
167 		}
168 		*ip = '\0';
169 		if (getauditflagsbin(input, &tmask) == 0) {
170 			mask.am_success |= tmask.am_success;
171 			mask.am_failure |= tmask.am_failure;
172 		}
173 	}
174 	if ((mask.am_success | mask.am_failure) == 0) {
175 		rc = AUDITD_INVALID;
176 		__audit_syslog("audit_syslog.so", LOG_CONS | LOG_NDELAY,
177 		    LOG_DAEMON, LOG_ERR,
178 		    gettext("plugin is configured with empty class mask\n"));
179 	}
180 	free(input);
181 	return (rc);
182 }
183 
184 /*
185  * based on the current value of mask, either keep or toss the
186  * current audit record.  The input is 1 for success, -1 for
187  * failure.  0 means no exit or return token was seen.
188  *
189  * au_preselect returns 1 for keep it, 0 for delete it, and
190  * -1 for some sort of error.  Here, 1 and -1 are considered
191  * equivalent.  tossit() returns 1 for delete it and 0 for
192  * keep it.
193  */
194 
195 static int
196 tossit(au_event_t id, int passfail)
197 {
198 	int	rc;
199 	int	selFlag;
200 
201 	switch (passfail) {
202 	case 1:
203 		selFlag = AU_PRS_SUCCESS;
204 		break;
205 	case -1:
206 		selFlag = AU_PRS_FAILURE;
207 		break;
208 	default:		/* no exit or return token */
209 		selFlag = AU_PRS_BOTH;
210 		break;
211 	}
212 	(void) pthread_mutex_lock(&log_mutex);
213 	rc = au_preselect(id, &mask, selFlag, AU_PRS_USECACHE);
214 	(void) pthread_mutex_unlock(&log_mutex);
215 
216 	return (rc == 0);
217 }
218 
219 /*
220  * the three bytes for ellipsis could potentially be longer than the
221  * space available for text if maxavail is within two bytes of
222  * OUTPUT_BUF_SIZE, which can happen if the hostname is one or two
223  * characters long.  If there isn't room for ellipsis, there isn't
224  * room for the data, so it is simply dropped.
225  */
226 
227 static size_t
228 fromleft(char *p, size_t avail, char *attrname, size_t attrlen, char *txt,
229 	size_t txtlen)
230 {
231 	size_t	len;
232 
233 	if (avail < attrlen + ELLIPSIS_SIZE)
234 		return (0);
235 
236 	(void) memcpy(p, attrname, attrlen);
237 	p += attrlen;
238 	avail -= attrlen;
239 	if (txtlen > avail) {
240 		(void) memcpy(p, ELLIPSIS, ELLIPSIS_SIZE);
241 		txt += txtlen - (avail - ELLIPSIS_SIZE);
242 		(void) memcpy(p + ELLIPSIS_SIZE, txt, avail - ELLIPSIS_SIZE);
243 		len = attrlen + avail;
244 		p += avail;
245 	} else {
246 		(void) memcpy(p, txt, txtlen);
247 		len = attrlen + txtlen;
248 		p += txtlen;
249 	}
250 	*p = '\0';
251 	return (len);
252 }
253 
254 static size_t
255 fromright(char *p, size_t avail, char *attrname, size_t attrlen, char *txt,
256 	size_t txtlen)
257 {
258 	size_t	len;
259 
260 	if (avail < attrlen + ELLIPSIS_SIZE)
261 		return (0);
262 
263 	(void) memcpy(p, attrname, attrlen);
264 	p += attrlen;
265 	avail -= attrlen;
266 	if (txtlen > avail) {
267 		(void) memcpy(p, txt, avail - ELLIPSIS_SIZE);
268 		(void) memcpy(p + (avail - ELLIPSIS_SIZE),
269 		    ELLIPSIS, ELLIPSIS_SIZE);
270 		len = attrlen + avail;
271 		p += avail;
272 	} else {
273 		(void) memcpy(p, txt, txtlen);
274 		p += txtlen;
275 		len = attrlen + txtlen;
276 	}
277 	*p = '\0';
278 	return (len);
279 }
280 
281 static int
282 init_hash(hashtable_t *table, int bad_key, int table_length,
283     size_t max_value)
284 {
285 	int	i;
286 
287 	for (i = 0; i < table_length; i++) {
288 		table[i].ht_value = malloc(max_value + 1);
289 		table[i].ht_key = bad_key;
290 		table[i].ht_length = 0;
291 		if (table[i].ht_value == NULL) {
292 			int	j;
293 			for (j = 0; j < i; j++)
294 				free(table[j].ht_value);
295 			return (-1);
296 		}
297 		*(table[i].ht_value) = '\0';
298 	}
299 	return (0);
300 }
301 
302 static void
303 free_hash(hashtable_t *table, int table_length)
304 {
305 	int	i;
306 
307 	for (i = 0; i < table_length; i++) {
308 		free(table[i].ht_value);
309 	}
310 }
311 
312 
313 /*
314  * do IP -> hostname lookup
315  */
316 #define	UNKNOWN		"unknown"
317 #define	UNKNOWN_LEN	(sizeof (UNKNOWN))
318 
319 static size_t
320 gethname(au_tid_addr_t *tid, char *p, size_t max, char *prefix,
321     size_t prefix_len)
322 {
323 	size_t			len, l;
324 	struct hostent		*host;
325 	int			rc;
326 	int			af;
327 	int			ix;
328 	char			*hash_key;
329 	uint32_t		key;
330 	int			match;
331 
332 	if (prefix_len > max)
333 		return (0);
334 
335 	(void) memcpy(p, prefix, prefix_len);
336 	p += prefix_len;
337 	max -= prefix_len;
338 
339 	if (tid->at_type == AU_IPv6) {
340 		key = tid->at_addr[0] ^
341 		    tid->at_addr[1] ^
342 		    tid->at_addr[2] ^
343 		    tid->at_addr[3];
344 	} else
345 		key = (tid->at_addr[0]);
346 
347 	hash_key = (char *)&key;
348 
349 	HASH(hash_key, ix, HOSTHASHSIZE);
350 
351 	match = 0;
352 
353 	if (key == 0) {
354 		l = UNKNOWN_LEN;	/* includes end of string */
355 		if (l > max)
356 			l = max;
357 		len = prefix_len + strlcpy(p, UNKNOWN, l);
358 		return (len);
359 	}
360 
361 	if (tid->at_type == AU_IPv6) {
362 		if ((key == hosthash[ix].ht_key) &&
363 		    (hosthash[ix].ht_type == tid->at_type)) {
364 			int i;
365 			match = 1;
366 			for (i = 0; i < 4; i++) {
367 				if (hosthash[ix].ht_ip[i] != tid->at_addr[i]) {
368 					match = 0;
369 					break;
370 				}
371 			}
372 		}
373 	} else if (key == hosthash[ix].ht_key) {
374 		match = 1;
375 	}
376 	if (!match) {
377 		hosthash[ix].ht_key = key;
378 		hosthash[ix].ht_type = tid->at_type;
379 
380 		if (tid->at_type == AU_IPv4) {
381 			hosthash[ix].ht_ip[0] = tid->at_addr[0];
382 			af = AF_INET;
383 		} else {
384 			(void) memcpy((char *)hosthash[ix].ht_ip,
385 			    (char *)tid->at_addr, AU_IPv6);
386 			af = AF_INET6;
387 		}
388 		host = getipnodebyaddr((const void *)tid->at_addr,
389 		    tid->at_type, af, &rc);
390 
391 		if (host == NULL) {
392 			(void) inet_ntop(af, (void *)tid->at_addr,
393 			    hosthash[ix].ht_value, MAXHOSTNAMELEN);
394 			hosthash[ix].ht_length = strlen(hosthash[ix].ht_value);
395 		} else {
396 			hosthash[ix].ht_length = strlcpy(hosthash[ix].ht_value,
397 			    host->h_name,  MAXHOSTNAMELEN);
398 			freehostent(host);
399 		}
400 	}
401 	l = hosthash[ix].ht_length + 1;
402 	if (l > max)
403 		l = max;
404 
405 	len = prefix_len + strlcpy(p, hosthash[ix].ht_value, l);
406 
407 	return (len);
408 }
409 /*
410  * the appropriate buffer length for getpwuid_r() isn't documented;
411  * 1024 should be enough.
412  */
413 #define	GETPWUID_BUFF_LEN	1024
414 #define	USERNAMELEN		256
415 #define	GIDNAMELEN		256
416 
417 static size_t
418 getuname(uid_t uid, gid_t gid, char *p, size_t max, char *prefix,
419     size_t prefix_len)
420 {
421 	struct passwd		pw;
422 	char			pw_buf[GETPWUID_BUFF_LEN];
423 	size_t			len, l;
424 	struct group		gr;
425 	int			ix;
426 	char			*hash_key;
427 
428 	if (prefix_len > max)
429 		return (0);
430 
431 	len = prefix_len;
432 
433 	(void) memcpy(p, prefix, len);
434 	p += len;
435 	max -= len;
436 
437 	hash_key = (char *)&uid;
438 
439 	HASH(hash_key, ix, UIDHASHSIZE);
440 
441 	if (uid != uidhash[ix].ht_key) {
442 		uidhash[ix].ht_key = uid;
443 
444 		if ((getpwuid_r(uid, &pw, pw_buf, GETPWUID_BUFF_LEN)) == NULL)
445 			l = snprintf(uidhash[ix].ht_value, USERNAMELEN,
446 			    "%d", uid);
447 		else
448 			l = strlcpy(uidhash[ix].ht_value, pw.pw_name,
449 			    USERNAMELEN);
450 
451 		uidhash[ix].ht_length = l;
452 	}
453 	l = uidhash[ix].ht_length + 1;
454 	if (l > max)
455 		l = max;
456 	(void) memcpy(p, uidhash[ix].ht_value, l);
457 	len += l - 1;
458 
459 	if (gid != (gid_t)-2) {
460 		p += l - 1;
461 		max -= l - 1;
462 		if (max < 2)
463 			return (len);
464 
465 		hash_key = (char *)&gid;
466 		HASH(hash_key, ix, GIDHASHSIZE);
467 
468 		if (gid != gidhash[ix].ht_key) {
469 			gidhash[ix].ht_key = gid;
470 
471 			if (getgrgid_r(gid, &gr,  pw_buf, GETPWUID_BUFF_LEN) ==
472 			    NULL)
473 				gidhash[ix].ht_length =
474 				    snprintf(gidhash[ix].ht_value, GIDNAMELEN,
475 				    "%d", gid);
476 			else
477 				gidhash[ix].ht_length =
478 				    strlcpy(gidhash[ix].ht_value,
479 				    gr.gr_name, GIDNAMELEN);
480 		}
481 		*p++ = ':';
482 		len++;
483 		max--;
484 
485 		l = gidhash[ix].ht_length + 1;
486 		if (l > max)
487 			l = max;
488 		(void) memcpy(p, gidhash[ix].ht_value, l);
489 		len += l - 1;
490 	}
491 	return (len);
492 }
493 
494 /*
495  * filter() parse input; toss if not wanted.
496  *
497  * the input value sequence is a number generated when the buffer
498  * was queued.  ctx.out.sf_sequence, if not -1, is the sequence number
499  * generated in c2audit.  It is not part of the "official" syslog
500  * output but is included if DEBUG is on.
501  */
502 #define	EVENT_NAME_LEN	32
503 
504 static auditd_rc_t
505 filter(const char *input, uint64_t sequence, char *output,
506     size_t in_len, size_t out_len)
507 {
508 	parse_context_t		ctx;
509 	char			*bp;
510 	auditd_rc_t		rc = AUDITD_SUCCESS;
511 	auditd_rc_t		rc_ret = AUDITD_SUCCESS;
512 	size_t			used, remaining;
513 	char			*last_adr; /* infinite loop check */
514 	int			token_count = 0;
515 	int			parse_rc;
516 
517 	static parse_context_t	initial_ctx;
518 	static int		first = 1;
519 
520 	if (first) {
521 		first = 0;
522 
523 		/*
524 		 * Any member or submember of parse_context_t which utilizes
525 		 * allocated memory must free() the memory after calling
526 		 * parse_token() for both the preselected and non-preselected
527 		 * cases.
528 		 * New additions to parse_context_t or its submembers need to
529 		 * have this same treatment.
530 		 */
531 		initial_ctx.out.sf_eventid = 0;
532 		initial_ctx.out.sf_reclen = 0;
533 		initial_ctx.out.sf_pass = 0;
534 		initial_ctx.out.sf_asid = 0;
535 		initial_ctx.out.sf_auid = (uid_t)-2;
536 		initial_ctx.out.sf_euid = (uid_t)-2;
537 		initial_ctx.out.sf_egid = (gid_t)-2;
538 		initial_ctx.out.sf_tid.at_type = 0;
539 		initial_ctx.out.sf_pauid = (uid_t)-2;
540 		initial_ctx.out.sf_peuid = (uid_t)-2;
541 		initial_ctx.out.sf_uauthlen = 0;
542 		initial_ctx.out.sf_uauth = NULL;
543 		initial_ctx.out.sf_pathlen = 0;
544 		initial_ctx.out.sf_path = NULL;
545 		initial_ctx.out.sf_atpathlen = 0;
546 		initial_ctx.out.sf_atpath = NULL;
547 		initial_ctx.out.sf_textlen = 0;
548 		initial_ctx.out.sf_text = NULL;
549 		initial_ctx.out.sf_sequence = -1;
550 		initial_ctx.out.sf_zonelen = 0;
551 		initial_ctx.out.sf_zonename = NULL;
552 
553 		init_tokens();		/* cmd/praudit/toktable.c */
554 	}
555 	(void) memcpy(&ctx, &initial_ctx, sizeof (parse_context_t));
556 	ctx.id = sequence;
557 	ctx.adr.adr_stream = (char *)input;
558 	ctx.adr.adr_now = (char *)input;
559 
560 	last_adr = NULL;
561 	while ((ctx.adr.adr_now - ctx.adr.adr_stream) < in_len) {
562 		assert(last_adr != ctx.adr.adr_now);
563 		token_count++;
564 		last_adr = ctx.adr.adr_now;
565 		if ((parse_rc = parse_token(&ctx)) != 0) {
566 			char	message[256];
567 			au_event_ent_t	*event;
568 			char	event_name[EVENT_NAME_LEN];
569 			char	sequence_str[EVENT_NAME_LEN];
570 
571 			if (cacheauevent(&event, ctx.out.sf_eventid) < 0)
572 				(void) snprintf(event_name, EVENT_NAME_LEN,
573 				    "%hu", ctx.out.sf_eventid);
574 			else
575 				(void) strlcpy(event_name, event->ae_desc,
576 				    EVENT_NAME_LEN);
577 
578 			if (token_count < 2)
579 				/* leave rc_ret unchanged */
580 				rc = AUDITD_INVALID;
581 
582 			if (ctx.out.sf_sequence != -1)
583 				(void) snprintf(sequence_str, EVENT_NAME_LEN,
584 				    " (seq=%u) ", ctx.out.sf_sequence);
585 			else
586 				sequence_str[0] = '\0';
587 
588 			(void) snprintf(message, 256,
589 			    gettext("error before token %d (previous token=%d)"
590 			    " of record type %s%s\n"),
591 			    token_count, parse_rc, event_name, sequence_str);
592 
593 #if DEBUG
594 			/*LINTED*/
595 			(void) fprintf(dbfp, message);
596 #endif
597 
598 			__audit_syslog("audit_syslog.so",
599 			    LOG_PID | LOG_ODELAY | LOG_CONS,
600 			    LOG_DAEMON, LOG_ALERT, message);
601 			break;
602 		}
603 	}
604 	if (rc == AUDITD_SUCCESS) {
605 		if (tossit(ctx.out.sf_eventid, ctx.out.sf_pass)) {
606 #if DEBUG
607 			if (ctx.out.sf_sequence != -1)
608 				(void) fprintf(dbfp,
609 				    "syslog tossed (event=%hu) record %u "
610 				    "/ buffer %llu\n",
611 				    ctx.out.sf_eventid, ctx.out.sf_sequence,
612 				    sequence);
613 			else
614 				(void) fprintf(dbfp,
615 				    "syslog tossed (event=%hu) buffer %llu\n",
616 				    ctx.out.sf_eventid, sequence);
617 #endif
618 
619 			/*
620 			 * Members or submembers of parse_context_t which
621 			 * utilize allocated memory need to free() the memory
622 			 * here to handle the case of not being preselected as
623 			 * well as below for when the event is preselected.
624 			 * New additions to parse_context_t or any of its
625 			 * submembers need to get the same treatment.
626 			 */
627 			if (ctx.out.sf_uauthlen > 0) {
628 				free(ctx.out.sf_uauth);
629 				ctx.out.sf_uauth = NULL;
630 				ctx.out.sf_uauthlen = 0;
631 			}
632 			if (ctx.out.sf_pathlen > 0) {
633 				free(ctx.out.sf_path);
634 				ctx.out.sf_path = NULL;
635 				ctx.out.sf_pathlen = 0;
636 			}
637 			if (ctx.out.sf_atpathlen > 0) {
638 				free(ctx.out.sf_atpath);
639 				ctx.out.sf_atpath = NULL;
640 				ctx.out.sf_atpathlen = 0;
641 			}
642 			if (ctx.out.sf_textlen > 0) {
643 				free(ctx.out.sf_text);
644 				ctx.out.sf_text = NULL;
645 				ctx.out.sf_textlen = 0;
646 			}
647 			if (ctx.out.sf_zonelen > 0) {
648 				free(ctx.out.sf_zonename);
649 				ctx.out.sf_zonename = NULL;
650 				ctx.out.sf_zonelen = 0;
651 			}
652 
653 			return (-1);	/* tell caller it was tossed */
654 		}
655 		bp = output;
656 		remaining = out_len;
657 
658 		if (ctx.out.sf_eventid != 0) {
659 			au_event_ent_t	*event;
660 
661 			if (cacheauevent(&event, ctx.out.sf_eventid) < 0)
662 				used = snprintf(bp, remaining, "%hu",
663 				    ctx.out.sf_eventid);
664 			else
665 				used = strlcpy(bp, event->ae_desc, remaining);
666 			bp += used;
667 			remaining -= used;
668 		}
669 		if (ctx.out.sf_pass != 0) {
670 			if (ctx.out.sf_pass < 0)
671 				used = strlcpy(bp, " failed", remaining);
672 			else
673 				used = strlcpy(bp, " ok", remaining);
674 			bp += used;
675 			remaining -= used;
676 		}
677 		if (ctx.out.sf_asid != 0) {
678 			used = snprintf(bp, remaining, " session %u",
679 			    ctx.out.sf_asid);
680 			remaining -= used;
681 			bp += used;
682 		}
683 		if (ctx.out.sf_auid != (uid_t)-2) {
684 			used = getuname(ctx.out.sf_auid, -2, bp, remaining,
685 			    STRCONSTARGS(" by "));
686 			bp += used;
687 			remaining -= used;
688 		}
689 		if (ctx.out.sf_euid != (uid_t)-2) {
690 			/* 4 = strlen(" as ") */
691 			used = getuname(ctx.out.sf_euid, ctx.out.sf_egid, bp,
692 			    remaining, STRCONSTARGS(" as "));
693 			bp += used;
694 			remaining -= used;
695 		}
696 		if (ctx.out.sf_zonename != NULL) {
697 			used = fromright(bp, remaining,
698 			    STRCONSTARGS(" in "),
699 			    ctx.out.sf_zonename, ctx.out.sf_zonelen);
700 			free(ctx.out.sf_zonename);
701 			bp += used;
702 			remaining -= used;
703 		}
704 		if (ctx.out.sf_tid.at_type != 0) {
705 			/* 6 = strlen(" from ") */
706 			used = gethname(&(ctx.out.sf_tid), bp, remaining,
707 			    STRCONSTARGS(" from "));
708 			bp += used;
709 			remaining -= used;
710 		}
711 		if (ctx.out.sf_pauid != (uid_t)-2) {
712 			/* 11 = strlen(" proc_auid ") */
713 			used = getuname(ctx.out.sf_pauid, -2, bp, remaining,
714 			    STRCONSTARGS(" proc_auid "));
715 			bp += used;
716 			remaining -= used;
717 		}
718 		if (ctx.out.sf_peuid != (uid_t)-2) {
719 			used = getuname(ctx.out.sf_peuid, -2, bp, remaining,
720 			    STRCONSTARGS(" proc_uid "));
721 			bp += used;
722 			remaining -= used;
723 		}
724 #if DEBUG
725 		/*
726 		 * with performance testing, this has the effect of
727 		 * making that each message is unique, so syslogd
728 		 * won't collect a series of messages as "last message
729 		 * repeated n times," another reason why DEBUG 0
730 		 * should perform better than DEBUG 1.  However the
731 		 * intention is to help debug lost data problems
732 		 */
733 		if (ctx.out.sf_sequence != -1) {
734 			(void) fprintf(dbfp,
735 			    "syslog writing record %u / buffer %llu\n",
736 			    ctx.out.sf_sequence, sequence);
737 			used = snprintf(bp, remaining, "  seq %u",
738 			    ctx.out.sf_sequence, sequence);
739 			remaining -= used;
740 			bp += used;
741 		} else
742 			(void) fprintf(dbfp, "syslog writing buffer %llu\n",
743 			    sequence);
744 #endif
745 		/*
746 		 * Long fields that may need truncation go here in
747 		 * order of decreasing priority.  Paths are truncated
748 		 * from the left, text from the right.
749 		 */
750 		if (ctx.out.sf_path != NULL) {
751 			used = fromleft(bp, remaining, STRCONSTARGS(" obj "),
752 			    ctx.out.sf_path, ctx.out.sf_pathlen);
753 			free(ctx.out.sf_path);
754 			bp += used;
755 			remaining -= used;
756 		}
757 		if (ctx.out.sf_atpath != NULL) {
758 			used = fromleft(bp, remaining,
759 			    STRCONSTARGS(" attr_obj "),
760 			    ctx.out.sf_atpath, ctx.out.sf_atpathlen);
761 			free(ctx.out.sf_atpath);
762 			bp += used;
763 			remaining -= used;
764 		}
765 		if (ctx.out.sf_uauth != NULL) {
766 			used = fromright(bp, remaining, STRCONSTARGS(" uauth "),
767 			    ctx.out.sf_uauth, ctx.out.sf_uauthlen);
768 			free(ctx.out.sf_path);
769 			bp += used;
770 			remaining -= used;
771 		}
772 		if (ctx.out.sf_text != NULL) {
773 			used = fromright(bp, remaining,
774 			    STRCONSTARGS(AU_TEXT_NAME),
775 			    ctx.out.sf_text, ctx.out.sf_textlen);
776 			free(ctx.out.sf_text);
777 			bp += used;
778 			remaining -= used;
779 		}
780 	}
781 	return (rc_ret);
782 }
783 
784 /*
785  * 1024 is max syslog record size, 48 is minimum header length,
786  * assuming a hostname length of 0.  maxavail reduces use of the
787  * allocated space by the length of the hostname (see maxavail)
788  */
789 #define	OUTPUT_BUF_SIZE	1024 - 48
790 
791 /* ARGSUSED */
792 auditd_rc_t
793 auditd_plugin(const char *input, size_t in_len, uint64_t sequence, char **error)
794 {
795 	char		*outbuf;
796 	auditd_rc_t	rc = AUDITD_SUCCESS;
797 #if DEBUG
798 	static	uint64_t	last_sequence = 0;
799 	static	uint64_t	write_count = 0;
800 	static	uint64_t	toss_count = 0;
801 
802 	if ((last_sequence > 0) && (sequence != last_sequence + 1))
803 		(void) fprintf(dbfp,
804 		    "syslog: buffer sequence=%llu but prev=%llu\n",
805 		    sequence, last_sequence);
806 	last_sequence = sequence;
807 #endif
808 
809 	*error = NULL;
810 
811 	outbuf = malloc(OUTPUT_BUF_SIZE);
812 	if (outbuf == NULL) {
813 		DPRINT((dbfp, "syslog: out of memory; seq=%llu\n",
814 		    sequence));
815 		rc = AUDITD_NO_MEMORY;
816 		*error = strdup(gettext("Can't allocate buffers"));
817 	} else {
818 		rc = filter(input, sequence, outbuf, in_len, maxavail);
819 
820 		if (rc == AUDITD_SUCCESS) {
821 			__audit_syslog("audit", LOG_NDELAY,
822 			    LOG_AUDIT, LOG_NOTICE, outbuf);
823 			DPRINT((dbfp, "syslog: write_count=%llu, "
824 			    "buffer=%llu, tossed=%llu\n",
825 			    ++write_count, sequence, toss_count));
826 		} else if (rc > 0) {	/* -1 == discard it */
827 			DPRINT((dbfp, "syslog: parse failed for buffer %llu\n",
828 			    sequence));
829 			*error = strdup(gettext(
830 			    "Unable to parse audit record"));
831 		} else {
832 			DPRINT((dbfp, "syslog: rc = %d (-1 is discard), "
833 			    "sequence=%llu, toss_count=%llu\n",
834 			    rc, sequence, ++toss_count));
835 			rc = 0;
836 		}
837 		free(outbuf);
838 	}
839 	return (rc);
840 }
841 
842 auditd_rc_t
843 auditd_plugin_open(const kva_t *kvlist, char **ret_list, char **error)
844 {
845 	char		localname[MAXHOSTNAMELEN + 1];
846 	auditd_rc_t	rc;
847 	char		*value;
848 	/* kva_match doesn't do const, so copy the pointer */
849 	kva_t		*kva = (kva_t *)kvlist;
850 
851 	*error = NULL;
852 	*ret_list = NULL;
853 
854 	if ((kvlist == NULL) || ((value = kva_match(kva, "p_flags")) == NULL)) {
855 		*error = strdup(gettext(
856 		    "The \"p_flags\" attribute is missing."));
857 		return (AUDITD_INVALID);
858 	}
859 	if (!initialized) {
860 #if DEBUG
861 		dbfp = __auditd_debug_file_open();
862 #endif
863 		initialized = 1;
864 		(void) pthread_mutex_init(&log_mutex, NULL);
865 		/*
866 		 * calculate length of the local hostname for adjusting the
867 		 * estimate of how much space is taken by the syslog header.
868 		 * If the local hostname isn't available, leave some room
869 		 * anyway.  (The -2 is for the blanks on either side of the
870 		 * hostname in the syslog message.)
871 		 */
872 		(void) pthread_mutex_lock(&log_mutex);
873 		if (gethostname(localname, MAXHOSTNAMELEN))
874 			maxavail = OUTPUT_BUF_SIZE - 20;
875 		else
876 			maxavail = OUTPUT_BUF_SIZE - strlen(localname) - 2;
877 		(void) pthread_mutex_unlock(&log_mutex);
878 
879 		if (init_hash(hosthash, 0, HOSTHASHSIZE, MAXHOSTNAMELEN))
880 			return (AUDITD_NO_MEMORY);
881 
882 		if (init_hash(uidhash, -2, UIDHASHSIZE, USERNAMELEN))
883 			return (AUDITD_NO_MEMORY);
884 
885 		if (init_hash(gidhash, -2, GIDHASHSIZE, GIDNAMELEN))
886 			return (AUDITD_NO_MEMORY);
887 	}
888 	(void) pthread_mutex_lock(&log_mutex);
889 	if ((rc = setmask(value)) != AUDITD_SUCCESS)
890 		*error = strdup(gettext(
891 		    "incorrect p_flags setting; no records will be output"));
892 
893 	(void) pthread_mutex_unlock(&log_mutex);
894 
895 	return (rc);
896 }
897 
898 auditd_rc_t
899 auditd_plugin_close(char **error)
900 {
901 	*error = NULL;
902 
903 	if (initialized) {
904 		(void) pthread_mutex_destroy(&log_mutex);
905 
906 		free_hash(hosthash, HOSTHASHSIZE);
907 		free_hash(uidhash, UIDHASHSIZE);
908 		free_hash(gidhash, GIDHASHSIZE);
909 	}
910 	initialized = 0;
911 
912 	return (AUDITD_SUCCESS);
913 }
914