History log of /freebsd-head/contrib/openbsm/bin/auditd/audit_warn.c
Revision Date Author Comments
00d578928eca75be320b36d37543a7e2a4f9fbdb 27-May-2016 grehan <grehan@FreeBSD.org> Create branch for bhyve graphics import.
144eea387465dd3aebdc4046e8e6d172c51f17bc 04-Jan-2016 brueffer <brueffer@FreeBSD.org> MFH: 292432,r292433,r292434

- Merge OpenBSM 1.2 alpha 4.
- Regenerate config.h for OpenBSM 1.2 alpha 4.
- Add au_notify.2 and MLINKs (added in OpenBSM 1.2 alpha 4).

Relnotes: yes
eb1a5f8de9f7ea602c373a710f531abbf81141c4 21-Feb-2014 gjb <gjb@FreeBSD.org> Move ^/user/gjb/hacking/release-embedded up one directory, and remove
^/user/gjb/hacking since this is likely to be merged to head/ soon.

Sponsored by: The FreeBSD Foundation
6b01bbf146ab195243a8e7d43bb11f8835c76af8 27-Dec-2013 gjb <gjb@FreeBSD.org> Copy head@r259933 -> user/gjb/hacking/release-embedded for initial
inclusion of (at least) arm builds with the release.

Sponsored by: The FreeBSD Foundation
09f9c897d33c41618ada06fbbcf1a9b3812dee53 19-Oct-2010 jamie <jamie@FreeBSD.org> A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.
f1216d1f0ade038907195fc114b7e630623b402c 19-Mar-2010 delphij <delphij@FreeBSD.org> Create a custom branch where I will be able to do the merge.
ee5318d5431890ccd7baeb15560b4bebe982525b 02-Mar-2009 rwatson <rwatson@FreeBSD.org> Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).

OpenBSM history for imported revision below for reference.

MFC after: 1 month
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project

OpenBSM 1.1 beta 1

- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
19b6af98ec71398e77874582eb84ec5310c7156f 22-Nov-2008 dfr <dfr@FreeBSD.org> Clone Kip's Xen on stable/6 tree so that I can work on improving FreeBSD/amd64
performance in Xen's HVM mode.
2bd138f9edd4a43ef97291f03523af35e1ae18f8 12-Nov-2008 rwatson <rwatson@FreeBSD.org> Flatten OpenBSM vendor tree in preparation for new OpenBSM vendor
import.
cf5320822f93810742e3d4a1ac8202db8482e633 19-Oct-2008 lulf <lulf@FreeBSD.org> - Import the HEAD csup code which is the basis for the cvsmode work.
57455eb63bea05e01f345dcac98bb0296423a63f 15-Nov-2007 rwatson <rwatson@FreeBSD.org> Merge OpenBSM 1.0 from HEAD to RELENG_6:

OpenBSM 1.0

- Fix bug in auditreduce(8) which resulted in a memory fault/crash when
the user specified an event name with -m.
- Remove AU_.* hard-coded audit class constants, as udit classes are now
entirely dynamically configured using /etc/security/audit_class.

OpenBSM 1.0 alpha 15

- Fix bug when processing in_addr_ex tokens.
- Restore the behavior of printing the string/text specified while
auditing arg32 tokens.
- Synchronized audit event list to Solaris, picking up the *at(2) system call
definitions, now required for FreeBSD and Linux. Added additional events
for *at(2) system calls not present in Solaris.
- Bugs in auditreduce(8) fixed allowing partial date strings to be used in
filtering events.

OpenBSM 1.0 alpha 14

- Fix endian issues when processing IPv6 addresses for extended subject
and process tokens.
- gcc41 warnings clean.
- Teach audit_submit(3) about getaudit_addr(2).
- Add support for zonename tokens.

OpenBSM 1.0 alpha 13

- compat/clock_gettime.h now provides a compatibility implementation of
clock_gettime(), which fixes building on Mac OS X.
- Countless man page improvements, markup fixes, content fixs, etc.
- XML printing support via "praudit -x".
- audit.log.5 expanded to include additional BSM token types.
- Added encoding and decoding routines for process64_ex, process32_ex,
subject32_ex, header64, and attr64 tokens.
- Additional audit event identifiers for listen, mlockall/munlockall,
getpath, POSIX message queues, and mandatory access control.
2f3a6f61b35551e267159ec9175942da9175bbde 22-Jul-2007 rwatson <rwatson@FreeBSD.org> Vendor import TrustedBSD OpenBSM 1.0 alpha 15, with the following change
history since the last import:

OpenBSM 1.0 alpha 15

- Fix bug when processing in_addr_ex tokens.
- Restore the behavior of printing the string/text specified while
auditing arg32 tokens.
- Synchronized audit event list to Solaris, picking up the *at(2) system call
definitions, now required for FreeBSD and Linux. Added additional events
for *at(2) system calls not present in Solaris.
- Bugs in auditreduce(8) fixed allowing partial date strings to be used in
filtering events.

Approved by: re (hrs)
MFC after: 3 weeks
Obtained from: TrustedBSD Project
dfe8f4529b48619441e85cc8b3b1491060d23230 29-Sep-2006 rwatson <rwatson@FreeBSD.org> Merge OpenBSM 1.0 alpha 12 from HEAD to RELENG_6, which includes a broad
range of bug fixes made as a result of reports on 6.x, as well as some
minor enhancements:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working
correctly when the user specifies to process successful or failed events.
The problem stemmed from not having access to the return token at the time
the initial preselection occurred, but now a second preselection process
occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
line; this was the documented behavior previously, but it was not
implemented. Be more specific in auditreduce(1)'s examples section about
what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
termination of an audit trail file. For example, this might be used to
compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
now supply one or more (comma delimited) regular expressions for searching
the pathnames. If one of the regular expressions is prefixed with a tilde
(~), and a path matches, it will be excluded from the search results.

OpenBSM 1.0 alpha 11

- Reclassify certain read/write operations as having no class rather than the
fr/fw class; our default classes audit intent (open) not operations (read,
write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
and writes of sysctls as separate events. Add additional kernel
environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
(issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
a dropped request, the log file will otherwise grow indefinitely if the
trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
representations of audit_control policy flags and the flags passed to
auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
extension to the Solaris file format to allow specification of policy
persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
policy to match it when configuring/reconfiguring. Remove the -s and -h
arguments as these policies are now set via the configuration file. If a
policy line is not found in the configuration file, continue with the
current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.

Approved by: re (kensmith)
6b46b736cc84f6697b21608e304026e847ac155d 25-Sep-2006 rwatson <rwatson@FreeBSD.org> Vendor import TrustedBSD OpenBSM 1.0 alpha 12, with the following change
history notes since the last import:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working
correctly when the user specifies to process successful or failed events.
The problem stemmed from not having access to the return token at the time
the initial preselection occurred, but now a second preselection process
occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
line; this was the documented behavior previously, but it was not
implemented. Be more specific in auditreduce(1)'s examples section about
what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
termination of an audit trail file. For example, this might be used to
compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
now supply one or more (comma delimited) regular expressions for searching
the pathnames. If one of the regular expressions is prefixed with a tilde
(~), and a path matches, it will be excluded from the search results.

MFC after: 3 days
Obtained from: TrustedBSD Project
9cb23632cc4fa7ad27aa1dd05858b54a5bc21e15 08-Mar-2006 cvs2svn <cvs2svn@FreeBSD.org> This commit was manufactured by cvs2svn to create branch 'RELENG_6'.
ab71945909ae42af4e5fa0802d62298315b31281 04-Mar-2006 rwatson <rwatson@FreeBSD.org> Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 5:

- Update install notes to indicate /etc files are to be installed manually.
- On systems without LOG_SECURITY, use LOG_AUTH.
- Convert to autoconf/automake in order to move to a more portable (not
BSD-specific) build infrastructure, and more easy conditional building of
components. Currently, the primary feature loss is that automake does
not have native support for manual symlinks. This will be addressed in a
future OpenBSM release.
- Add compat/queue.h, to be used on systems dated BSD queue macro libraries
(as found on Linux).
- Rename CHANGELOG to HISTORY, as our change log doesn't follow some of the
existing conventions for a CHANGELOG.
- Some private data structures moved from audit.h to audit_internal.h to
prevent inappropriate use by applications and name space pollution.
- Improved detection and use of endian macros using autoconf.
- Avoid non-portable use of struct in6_addr, which is largely opaque.
- Avoid leaking BSD kernel socket related token code to user space in
bsm_token.c.
- Teach System V IPC calls to look for Linux naming variations for certain
struct ipc_perm fields.
- Test for audit system calls, and if not present, don't build
bsm_wrappers.c, bsm_notify.c, audit(8), and auditd(8), which rely on
those system calls.
- au_close() is not implemented on systems that don't have audit system
calls, but au_close_buffer() is.
- Work around missing BSDisms in bsm_wrapper.c.
- Fix nested includes so including libbsm.h in an application on Linux
picks up the necessary definitions.

Obtained from: TrustedBSD Project
3fdf6fa244dacc3457a4a9e0e97f27ef50422fe1 31-Jan-2006 rwatson <rwatson@FreeBSD.org> Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.

This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.

This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.

Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project