xref: /titanic_52/usr/src/lib/libbsm/common/audit_plugin.c (revision bdfc6d18da790deeec2e0eb09c625902defe2498)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  *
26  * private interfaces for auditd plugins and auditd.
27  */
28 #pragma ident	"%Z%%M%	%I%	%E% SMI"
29 
30 #include <bsm/audit.h>
31 #include <bsm/audit_record.h>
32 #include <bsm/audit_uevents.h>
33 #include <bsm/libbsm.h>
34 #include <errno.h>
35 #include <fcntl.h>
36 #include <libintl.h>
37 #include <pthread.h>
38 #include <stdio.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <sys/file.h>
42 #include <sys/stat.h>
43 #include <sys/types.h>
44 #include <syslog.h>
45 #include <unistd.h>
46 #include <wait.h>
47 #include "audit_plugin.h"
48 
49 static char	auditwarn[] = "/etc/security/audit_warn";
50 static pthread_mutex_t	syslog_lock;
51 
52 static void
53 init_syslog_mutex()
54 {
55 	(void) pthread_mutex_init(&syslog_lock, NULL);
56 }
57 
58 /*
59  * audit_syslog() -- generate syslog messages from threads that use
60  * different severity, facility code, and application names.
61  *
62  * The syslog() call does NOT use its format capability since the
63  * format string is used for generating the ID, and I want equal
64  * ID's to really be equal.
65  *
66  * syslog(3C) is thread safe, but the set openlog() / syslog() /
67  * closelog() is not.
68  *
69  * Assumption:  the app_name and facility code are paired, i.e.,
70  * if the facility code for this call is the same as for the
71  * the previous, the app_name hasn't changed.
72  */
73 void
74 __audit_syslog(
75 	const char *app_name,
76 	int flags,
77 	int facility,
78 	int severity,
79 	const char *message)
80 {
81 	pthread_once_t		once_control = PTHREAD_ONCE_INIT;
82 	static int		logopen = 0;
83 	static int		prev_facility = -1;
84 
85 	(void) pthread_once(&once_control, init_syslog_mutex);
86 
87 	(void) pthread_mutex_lock(&syslog_lock);
88 	if (prev_facility != facility) {
89 		if (logopen)
90 			closelog();
91 		openlog(app_name, flags, facility);
92 		syslog(severity, message);
93 		(void) pthread_mutex_unlock(&syslog_lock);
94 	} else {
95 		syslog(severity, message);
96 		(void) pthread_mutex_unlock(&syslog_lock);
97 	}
98 }
99 
100 /*
101  * __audit_dowarn - invoke the shell script auditwarn to notify the
102  *	adminstrator about a given problem.
103  * parameters -
104  *	option - what the problem is
105  *	text - when used with options soft and hard: which file was being
106  *		   used when the filesystem filled up
107  *	       when used with the plugin option:  error detail
108  *	count - used with various options: how many times auditwarn has
109  *		been called for this problem since it was last cleared.
110  */
111 void
112 __audit_dowarn(char *option, char *text, int count)
113 {
114 	pid_t		pid;
115 	int		st;
116 	char		countstr[5];
117 	char		warnstring[80];
118 	char		empty[1] = "";
119 
120 	if ((pid = fork1()) == -1) {
121 		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
122 		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
123 		return;
124 	}
125 	if (pid != 0) {
126 		(void) waitpid(pid, &st, 0);
127 		return;
128 	}
129 	(void) sprintf(countstr, "%d", count);
130 	if (text == NULL)
131 		text = empty;
132 
133 	if (strcmp(option, "soft") == 0 || strcmp(option, "hard") == 0)
134 		(void) execl(auditwarn, auditwarn, option, text, 0);
135 
136 	else if (strcmp(option, "allhard") == 0 ||
137 	    strcmp(option, "getacdir") == 0)
138 		(void) execl(auditwarn, auditwarn, option, countstr, 0);
139 	else if (strcmp(option, "plugin") == 0)
140 		(void) execl(auditwarn, auditwarn, option, text, countstr, 0);
141 	else
142 		(void) execl(auditwarn, auditwarn, option, 0);
143 	/*
144 	 * (execl failed)
145 	 */
146 	if (strcmp(option, "soft") == 0)
147 		(void) sprintf(warnstring,
148 		    gettext("soft limit in %s.\n"), text);
149 	else if (strcmp(option, "hard") == 0)
150 		(void) sprintf(warnstring,
151 		    gettext("hard limit in %s.\n"), text);
152 	else if (strcmp(option, "allhard") == 0)
153 		(void) sprintf(warnstring,
154 		    gettext("All audit filesystems are full.\n"));
155 	else if (strcmp(option, "getacmin") == 0)
156 		(void) sprintf(warnstring,
157 		    gettext("audit_control minfree error.\n"));
158 	else if (strcmp(option, "getacdir") == 0)
159 		(void) sprintf(warnstring,
160 		    gettext("audit_control directory error.\n"));
161 	else
162 		(void) sprintf(warnstring,
163 		    gettext("error %s.\n"), option);
164 
165 	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
166 	    LOG_ALERT, (const char *)warnstring);
167 
168 	exit(1);
169 }
170 
171 /*
172  * __audit_dowarn2 - invoke the shell script auditwarn to notify the
173  *	adminstrator about a given problem.
174  * parameters -
175  *	option - what the problem is
176  *	name - entity reporting the problem (ie, plugin name)
177  *	error - error string
178  *	text - when used with options soft and hard: which file was being
179  *		   used when the filesystem filled up
180  *	       when used with the plugin option:  error detail
181  *	count - used with various options: how many times auditwarn has
182  *		been called for this problem since it was last cleared.
183  */
184 void
185 __audit_dowarn2(char *option, char *name, char *error, char *text, int count)
186 {
187 	pid_t		pid;
188 	int		st;
189 	char		countstr[5];
190 	char		warnstring[80];
191 	char		empty[4] = "...";
192 	char		none[3] = "--";
193 
194 	if ((pid = fork()) == -1) {
195 		__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS,
196 		    LOG_DAEMON, LOG_ALERT, gettext("audit_warn fork failed\n"));
197 		return;
198 	}
199 	if (pid != 0) {
200 		(void) waitpid(pid, &st, 0);
201 		return;
202 	}
203 	(void) sprintf(countstr, "%d", count);
204 	if ((text == NULL) || (*text == '\0'))
205 		text = empty;
206 	if ((name == NULL) || (*name == '\0'))
207 		name = none;
208 
209 	(void) execl(auditwarn, auditwarn, option, name, error, text,
210 	    countstr, 0);
211 
212 	/*
213 	 * (execl failed)
214 	 */
215 	(void) sprintf(warnstring,
216 	    gettext("audit_control plugin error: %s\n"), text);
217 
218 	__audit_syslog("auditd", LOG_PID | LOG_ODELAY | LOG_CONS, LOG_AUTH,
219 	    LOG_ALERT, (const char *)warnstring);
220 
221 	exit(1);
222 }
223 
224 /*
225  * logpost - post the new audit log file name to audit_data.
226  *
227  * This is not re-entrant code; it is called from auditd.c when
228  * audit_binfile.so is not running and from binfile after auditd
229  * is done.
230  */
231 int
232 __logpost(char *name)
233 {
234 	char	buffer[MAXPATHLEN];
235 	char	empty[] = "";
236 
237 	static int	first = 1;
238 	static char	auditdata[] = AUDITDATAFILE;
239 	static int	audit_data_fd; /* file descriptor of audit_data */
240 
241 	if (first) {
242 		first = 0;
243 		/*
244 		 * Open the audit_data file. Use O_APPEND so that the contents
245 		 * are not destroyed if there is another auditd running.
246 		 */
247 		if ((audit_data_fd = open(auditdata,
248 			O_RDWR | O_APPEND | O_CREAT, 0660)) < 0) {
249 			__audit_dowarn("tmpfile", "", 0);
250 			return (1);
251 		}
252 	}
253 	if (name == NULL)
254 		name = empty;
255 
256 	(void) snprintf(buffer, sizeof (buffer), "%d:%s\n",
257 	    (int)getpid(), name);
258 
259 	(void) ftruncate(audit_data_fd, (off_t)0);
260 	(void) write(audit_data_fd, buffer, strlen(buffer));
261 	(void) fsync(audit_data_fd);
262 
263 	return (0);
264 }
265 
266 /*
267  * debug use - open a file for auditd and its plugins for debug
268  */
269 FILE *
270 __auditd_debug_file_open() {
271 	static FILE	*fp = NULL;
272 
273 	if (fp != NULL)
274 		return (fp);
275 	if ((fp = fopen("/var/audit/dump", "a")) == NULL)
276 		(void) fprintf(stderr, "failed to open debug file:  %s\n",
277 		    strerror(errno));
278 
279 	return (fp);
280 }
281