#define DEBUG 0
#if DEBUG
#define DPRINT(x) { (void) fprintf x; }
#else
#define DPRINT(x)
#endif
#include <arpa/inet.h>
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <libintl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <pthread.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <bsm/audit.h>
#include <bsm/audit_record.h>
#include <security/auditd.h>
#include "toktable.h"
#include "sysplugin.h"
#include "systoken.h"
#include <audit_plugin.h>
#ifdef __lint
#define gettext(x) x
#endif
#if DEBUG
static FILE *dbfp;
#endif
extern void init_tokens();
extern int parse_token(parse_context_t *);
static au_mask_t mask;
static int initialized = 0;
static size_t maxavail;
static pthread_mutex_t log_mutex;
#define ELLIPSIS "..."
#define ELLIPSIS_SIZE (sizeof (ELLIPSIS) - 1)
typedef struct hashtable {
uint32_t ht_key;
uint32_t ht_type;
uint32_t ht_ip[4];
char *ht_value;
size_t ht_length;
} hashtable_t;
#define HOSTHASHSIZE 128
#define UIDHASHSIZE 128
#define GIDHASHSIZE 32
static hashtable_t uidhash[UIDHASHSIZE];
static hashtable_t gidhash[GIDHASHSIZE];
static hashtable_t hosthash[HOSTHASHSIZE];
#define STRCONSTARGS(s) (s), (sizeof (s) - 1)
#define HASH(s, r, m) {\
uint32_t _mush = 0;\
int _i;\
for (_i = 0; _i < 4; _i++) {\
_mush ^= *(s)++;\
}\
r = _mush % m;\
}
static auditd_rc_t
setmask(const char *flags)
{
au_mask_t tmask;
char *input, *ip, c;
auditd_rc_t rc = AUDITD_SUCCESS;
mask.am_success = 0x0;
mask.am_failure = 0x0;
if (flags != NULL) {
input = malloc(strlen(flags) + 1);
if (input == NULL)
return (AUDITD_NO_MEMORY);
ip = input;
for (; (c = *flags) != '\0'; flags++) {
if (c == ' ')
continue;
*ip++ = c;
}
*ip = '\0';
if (getauditflagsbin(input, &tmask) == 0) {
mask.am_success |= tmask.am_success;
mask.am_failure |= tmask.am_failure;
}
}
if ((mask.am_success | mask.am_failure) == 0) {
rc = AUDITD_INVALID;
__audit_syslog("audit_syslog.so", LOG_CONS | LOG_NDELAY,
LOG_DAEMON, LOG_ERR,
gettext("plugin is configured with empty class mask\n"));
}
free(input);
return (rc);
}
static int
tossit(au_event_t id, int passfail)
{
int rc;
int selFlag;
switch (passfail) {
case 1:
selFlag = AU_PRS_SUCCESS;
break;
case -1:
selFlag = AU_PRS_FAILURE;
break;
default:
selFlag = AU_PRS_BOTH;
break;
}
(void) pthread_mutex_lock(&log_mutex);
rc = au_preselect(id, &mask, selFlag, AU_PRS_USECACHE);
(void) pthread_mutex_unlock(&log_mutex);
return (rc == 0);
}
static size_t
fromleft(char *p, size_t avail, char *attrname, size_t attrlen, char *txt,
size_t txtlen)
{
size_t len;
if (avail < attrlen + ELLIPSIS_SIZE)
return (0);
(void) memcpy(p, attrname, attrlen);
p += attrlen;
avail -= attrlen;
if (txtlen > avail) {
(void) memcpy(p, ELLIPSIS, ELLIPSIS_SIZE);
txt += txtlen - (avail - ELLIPSIS_SIZE);
(void) memcpy(p + ELLIPSIS_SIZE, txt, avail - ELLIPSIS_SIZE);
len = attrlen + avail;
p += avail;
} else {
(void) memcpy(p, txt, txtlen);
len = attrlen + txtlen;
p += txtlen;
}
*p = '\0';
return (len);
}
static size_t
fromright(char *p, size_t avail, char *attrname, size_t attrlen, char *txt,
size_t txtlen)
{
size_t len;
if (avail < attrlen + ELLIPSIS_SIZE)
return (0);
(void) memcpy(p, attrname, attrlen);
p += attrlen;
avail -= attrlen;
if (txtlen > avail) {
(void) memcpy(p, txt, avail - ELLIPSIS_SIZE);
(void) memcpy(p + (avail - ELLIPSIS_SIZE),
ELLIPSIS, ELLIPSIS_SIZE);
len = attrlen + avail;
p += avail;
} else {
(void) memcpy(p, txt, txtlen);
p += txtlen;
len = attrlen + txtlen;
}
*p = '\0';
return (len);
}
static int
init_hash(hashtable_t *table, int bad_key, int table_length,
size_t max_value)
{
int i;
for (i = 0; i < table_length; i++) {
table[i].ht_value = malloc(max_value + 1);
table[i].ht_key = bad_key;
table[i].ht_length = 0;
if (table[i].ht_value == NULL) {
int j;
for (j = 0; j < i; j++)
free(table[j].ht_value);
return (-1);
}
*(table[i].ht_value) = '\0';
}
return (0);
}
static void
free_hash(hashtable_t *table, int table_length)
{
int i;
for (i = 0; i < table_length; i++) {
free(table[i].ht_value);
}
}
#define UNKNOWN "unknown"
#define UNKNOWN_LEN (sizeof (UNKNOWN))
static size_t
gethname(au_tid_addr_t *tid, char *p, size_t max, char *prefix,
size_t prefix_len)
{
size_t len, l;
struct hostent *host;
int rc;
int af;
int ix;
char *hash_key;
uint32_t key;
int match;
if (prefix_len > max)
return (0);
(void) memcpy(p, prefix, prefix_len);
p += prefix_len;
max -= prefix_len;
if (tid->at_type == AU_IPv6) {
key = tid->at_addr[0] ^
tid->at_addr[1] ^
tid->at_addr[2] ^
tid->at_addr[3];
} else
key = (tid->at_addr[0]);
hash_key = (char *)&key;
HASH(hash_key, ix, HOSTHASHSIZE);
match = 0;
if (key == 0) {
l = UNKNOWN_LEN;
if (l > max)
l = max;
len = prefix_len + strlcpy(p, UNKNOWN, l);
return (len);
}
if (tid->at_type == AU_IPv6) {
if ((key == hosthash[ix].ht_key) &&
(hosthash[ix].ht_type == tid->at_type)) {
int i;
match = 1;
for (i = 0; i < 4; i++) {
if (hosthash[ix].ht_ip[i] != tid->at_addr[i]) {
match = 0;
break;
}
}
}
} else if (key == hosthash[ix].ht_key) {
match = 1;
}
if (!match) {
hosthash[ix].ht_key = key;
hosthash[ix].ht_type = tid->at_type;
if (tid->at_type == AU_IPv4) {
hosthash[ix].ht_ip[0] = tid->at_addr[0];
af = AF_INET;
} else {
(void) memcpy((char *)hosthash[ix].ht_ip,
(char *)tid->at_addr, AU_IPv6);
af = AF_INET6;
}
host = getipnodebyaddr((const void *)tid->at_addr,
tid->at_type, af, &rc);
if (host == NULL) {
(void) inet_ntop(af, (void *)tid->at_addr,
hosthash[ix].ht_value, MAXHOSTNAMELEN);
hosthash[ix].ht_length = strlen(hosthash[ix].ht_value);
} else {
hosthash[ix].ht_length = strlcpy(hosthash[ix].ht_value,
host->h_name, MAXHOSTNAMELEN);
freehostent(host);
}
}
l = hosthash[ix].ht_length + 1;
if (l > max)
l = max;
len = prefix_len + strlcpy(p, hosthash[ix].ht_value, l);
return (len);
}
#define GETPWUID_BUFF_LEN 1024
#define USERNAMELEN 256
#define GIDNAMELEN 256
static size_t
getuname(uid_t uid, gid_t gid, char *p, size_t max, char *prefix,
size_t prefix_len)
{
struct passwd pw;
char pw_buf[GETPWUID_BUFF_LEN];
size_t len, l;
struct group gr;
int ix;
char *hash_key;
if (prefix_len > max)
return (0);
len = prefix_len;
(void) memcpy(p, prefix, len);
p += len;
max -= len;
hash_key = (char *)&uid;
HASH(hash_key, ix, UIDHASHSIZE);
if (uid != uidhash[ix].ht_key) {
uidhash[ix].ht_key = uid;
if ((getpwuid_r(uid, &pw, pw_buf, GETPWUID_BUFF_LEN)) == NULL)
l = snprintf(uidhash[ix].ht_value, USERNAMELEN,
"%d", uid);
else
l = strlcpy(uidhash[ix].ht_value, pw.pw_name,
USERNAMELEN);
uidhash[ix].ht_length = l;
}
l = uidhash[ix].ht_length + 1;
if (l > max)
l = max;
(void) memcpy(p, uidhash[ix].ht_value, l);
len += l - 1;
if (gid != (gid_t)-2) {
p += l - 1;
max -= l - 1;
if (max < 2)
return (len);
hash_key = (char *)&gid;
HASH(hash_key, ix, GIDHASHSIZE);
if (gid != gidhash[ix].ht_key) {
gidhash[ix].ht_key = gid;
if (getgrgid_r(gid, &gr, pw_buf, GETPWUID_BUFF_LEN) ==
NULL)
gidhash[ix].ht_length =
snprintf(gidhash[ix].ht_value, GIDNAMELEN,
"%d", gid);
else
gidhash[ix].ht_length =
strlcpy(gidhash[ix].ht_value,
gr.gr_name, GIDNAMELEN);
}
*p++ = ':';
len++;
max--;
l = gidhash[ix].ht_length + 1;
if (l > max)
l = max;
(void) memcpy(p, gidhash[ix].ht_value, l);
len += l - 1;
}
return (len);
}
#define EVENT_NAME_LEN 32
static auditd_rc_t
filter(const char *input, uint64_t sequence, char *output,
size_t in_len, size_t out_len)
{
parse_context_t ctx;
char *bp;
auditd_rc_t rc = AUDITD_SUCCESS;
auditd_rc_t rc_ret = AUDITD_SUCCESS;
size_t used, remaining;
char *last_adr;
int token_count = 0;
int parse_rc;
static parse_context_t initial_ctx;
static int first = 1;
if (first) {
first = 0;
initial_ctx.out.sf_eventid = 0;
initial_ctx.out.sf_reclen = 0;
initial_ctx.out.sf_pass = 0;
initial_ctx.out.sf_asid = 0;
initial_ctx.out.sf_auid = (uid_t)-2;
initial_ctx.out.sf_euid = (uid_t)-2;
initial_ctx.out.sf_egid = (gid_t)-2;
initial_ctx.out.sf_tid.at_type = 0;
initial_ctx.out.sf_pauid = (uid_t)-2;
initial_ctx.out.sf_peuid = (uid_t)-2;
initial_ctx.out.sf_uauthlen = 0;
initial_ctx.out.sf_uauth = NULL;
initial_ctx.out.sf_pathlen = 0;
initial_ctx.out.sf_path = NULL;
initial_ctx.out.sf_atpathlen = 0;
initial_ctx.out.sf_atpath = NULL;
initial_ctx.out.sf_textlen = 0;
initial_ctx.out.sf_text = NULL;
initial_ctx.out.sf_sequence = -1;
initial_ctx.out.sf_zonelen = 0;
initial_ctx.out.sf_zonename = NULL;
init_tokens();
}
(void) memcpy(&ctx, &initial_ctx, sizeof (parse_context_t));
ctx.id = sequence;
ctx.adr.adr_stream = (char *)input;
ctx.adr.adr_now = (char *)input;
last_adr = NULL;
while ((ctx.adr.adr_now - ctx.adr.adr_stream) < in_len) {
assert(last_adr != ctx.adr.adr_now);
token_count++;
last_adr = ctx.adr.adr_now;
if ((parse_rc = parse_token(&ctx)) != 0) {
char message[256];
au_event_ent_t *event;
char event_name[EVENT_NAME_LEN];
char sequence_str[EVENT_NAME_LEN];
if (cacheauevent(&event, ctx.out.sf_eventid) < 0)
(void) snprintf(event_name, EVENT_NAME_LEN,
"%hu", ctx.out.sf_eventid);
else
(void) strlcpy(event_name, event->ae_desc,
EVENT_NAME_LEN);
if (token_count < 2)
rc = AUDITD_INVALID;
if (ctx.out.sf_sequence != -1)
(void) snprintf(sequence_str, EVENT_NAME_LEN,
" (seq=%u) ", ctx.out.sf_sequence);
else
sequence_str[0] = '\0';
(void) snprintf(message, 256,
gettext("error before token %d (previous token=%d)"
" of record type %s%s\n"),
token_count, parse_rc, event_name, sequence_str);
#if DEBUG
(void) fprintf(dbfp, message);
#endif
__audit_syslog("audit_syslog.so",
LOG_PID | LOG_ODELAY | LOG_CONS,
LOG_DAEMON, LOG_ALERT, message);
break;
}
}
if (rc == AUDITD_SUCCESS) {
if (tossit(ctx.out.sf_eventid, ctx.out.sf_pass)) {
#if DEBUG
if (ctx.out.sf_sequence != -1)
(void) fprintf(dbfp,
"syslog tossed (event=%hu) record %u "
"/ buffer %llu\n",
ctx.out.sf_eventid, ctx.out.sf_sequence,
sequence);
else
(void) fprintf(dbfp,
"syslog tossed (event=%hu) buffer %llu\n",
ctx.out.sf_eventid, sequence);
#endif
if (ctx.out.sf_uauthlen > 0) {
free(ctx.out.sf_uauth);
ctx.out.sf_uauth = NULL;
ctx.out.sf_uauthlen = 0;
}
if (ctx.out.sf_pathlen > 0) {
free(ctx.out.sf_path);
ctx.out.sf_path = NULL;
ctx.out.sf_pathlen = 0;
}
if (ctx.out.sf_atpathlen > 0) {
free(ctx.out.sf_atpath);
ctx.out.sf_atpath = NULL;
ctx.out.sf_atpathlen = 0;
}
if (ctx.out.sf_textlen > 0) {
free(ctx.out.sf_text);
ctx.out.sf_text = NULL;
ctx.out.sf_textlen = 0;
}
if (ctx.out.sf_zonelen > 0) {
free(ctx.out.sf_zonename);
ctx.out.sf_zonename = NULL;
ctx.out.sf_zonelen = 0;
}
return (AUDITD_DISCARD);
}
bp = output;
remaining = out_len;
if (ctx.out.sf_eventid != 0) {
au_event_ent_t *event;
if (cacheauevent(&event, ctx.out.sf_eventid) < 0)
used = snprintf(bp, remaining, "%hu",
ctx.out.sf_eventid);
else
used = strlcpy(bp, event->ae_desc, remaining);
bp += used;
remaining -= used;
}
if (ctx.out.sf_pass != 0) {
if (ctx.out.sf_pass < 0)
used = strlcpy(bp, " failed", remaining);
else
used = strlcpy(bp, " ok", remaining);
bp += used;
remaining -= used;
}
if (ctx.out.sf_asid != 0) {
used = snprintf(bp, remaining, " session %u",
ctx.out.sf_asid);
remaining -= used;
bp += used;
}
if (ctx.out.sf_auid != (uid_t)-2) {
used = getuname(ctx.out.sf_auid, -2, bp, remaining,
STRCONSTARGS(" by "));
bp += used;
remaining -= used;
}
if (ctx.out.sf_euid != (uid_t)-2) {
used = getuname(ctx.out.sf_euid, ctx.out.sf_egid, bp,
remaining, STRCONSTARGS(" as "));
bp += used;
remaining -= used;
}
if (ctx.out.sf_zonename != NULL) {
used = fromright(bp, remaining,
STRCONSTARGS(" in "),
ctx.out.sf_zonename, ctx.out.sf_zonelen);
free(ctx.out.sf_zonename);
bp += used;
remaining -= used;
}
if (ctx.out.sf_tid.at_type != 0) {
used = gethname(&(ctx.out.sf_tid), bp, remaining,
STRCONSTARGS(" from "));
bp += used;
remaining -= used;
}
if (ctx.out.sf_pauid != (uid_t)-2) {
used = getuname(ctx.out.sf_pauid, -2, bp, remaining,
STRCONSTARGS(" proc_auid "));
bp += used;
remaining -= used;
}
if (ctx.out.sf_peuid != (uid_t)-2) {
used = getuname(ctx.out.sf_peuid, -2, bp, remaining,
STRCONSTARGS(" proc_uid "));
bp += used;
remaining -= used;
}
#if DEBUG
if (ctx.out.sf_sequence != -1) {
(void) fprintf(dbfp,
"syslog writing record %u / buffer %llu\n",
ctx.out.sf_sequence, sequence);
used = snprintf(bp, remaining, " seq %u",
ctx.out.sf_sequence, sequence);
remaining -= used;
bp += used;
} else
(void) fprintf(dbfp, "syslog writing buffer %llu\n",
sequence);
#endif
if (ctx.out.sf_path != NULL) {
used = fromleft(bp, remaining, STRCONSTARGS(" obj "),
ctx.out.sf_path, ctx.out.sf_pathlen);
free(ctx.out.sf_path);
bp += used;
remaining -= used;
}
if (ctx.out.sf_atpath != NULL) {
used = fromleft(bp, remaining,
STRCONSTARGS(" attr_obj "),
ctx.out.sf_atpath, ctx.out.sf_atpathlen);
free(ctx.out.sf_atpath);
bp += used;
remaining -= used;
}
if (ctx.out.sf_uauth != NULL) {
used = fromright(bp, remaining, STRCONSTARGS(" uauth "),
ctx.out.sf_uauth, ctx.out.sf_uauthlen);
free(ctx.out.sf_path);
bp += used;
remaining -= used;
}
if (ctx.out.sf_text != NULL) {
used = fromright(bp, remaining,
STRCONSTARGS(AU_TEXT_NAME),
ctx.out.sf_text, ctx.out.sf_textlen);
free(ctx.out.sf_text);
bp += used;
remaining -= used;
}
}
return (rc_ret);
}
#define OUTPUT_BUF_SIZE 1024 - 48
auditd_rc_t
auditd_plugin(const char *input, size_t in_len, uint64_t sequence, char **error)
{
char *outbuf;
auditd_rc_t rc = AUDITD_SUCCESS;
#if DEBUG
static uint64_t last_sequence = 0;
static uint64_t write_count = 0;
static uint64_t toss_count = 0;
if ((last_sequence > 0) && (sequence != last_sequence + 1))
(void) fprintf(dbfp,
"syslog: buffer sequence=%llu but prev=%llu\n",
sequence, last_sequence);
last_sequence = sequence;
#endif
*error = NULL;
outbuf = malloc(OUTPUT_BUF_SIZE);
if (outbuf == NULL) {
DPRINT((dbfp, "syslog: out of memory; seq=%llu\n",
sequence));
rc = AUDITD_NO_MEMORY;
*error = strdup(gettext("Can't allocate buffers"));
} else {
rc = filter(input, sequence, outbuf, in_len, maxavail);
if (rc == AUDITD_SUCCESS) {
__audit_syslog("audit", LOG_NDELAY,
LOG_AUDIT, LOG_NOTICE, outbuf);
DPRINT((dbfp, "syslog: write_count=%llu, "
"buffer=%llu, tossed=%llu\n",
++write_count, sequence, toss_count));
} else if (rc != AUDITD_DISCARD) {
DPRINT((dbfp, "syslog: parse failed for buffer %llu\n",
sequence));
*error = strdup(gettext(
"Unable to parse audit record"));
} else {
DPRINT((dbfp, "syslog: rc = %d (%d is discard), "
"sequence=%llu, toss_count=%llu\n",
rc, AUDITD_DISCARD, sequence, ++toss_count));
rc = AUDITD_SUCCESS;
}
free(outbuf);
}
return (rc);
}
auditd_rc_t
auditd_plugin_open(const kva_t *kvlist, char **ret_list, char **error)
{
char localname[MAXHOSTNAMELEN + 1];
auditd_rc_t rc;
char *value;
kva_t *kva = (kva_t *)kvlist;
*error = NULL;
*ret_list = NULL;
if ((kvlist == NULL) || ((value = kva_match(kva, "p_flags")) == NULL)) {
*error = strdup(gettext(
"The \"p_flags\" attribute is missing."));
return (AUDITD_INVALID);
}
if (!initialized) {
#if DEBUG
dbfp = __auditd_debug_file_open();
#endif
initialized = 1;
(void) pthread_mutex_init(&log_mutex, NULL);
(void) pthread_mutex_lock(&log_mutex);
if (gethostname(localname, MAXHOSTNAMELEN))
maxavail = OUTPUT_BUF_SIZE - 20;
else
maxavail = OUTPUT_BUF_SIZE - strlen(localname) - 2;
(void) pthread_mutex_unlock(&log_mutex);
if (init_hash(hosthash, 0, HOSTHASHSIZE, MAXHOSTNAMELEN))
return (AUDITD_NO_MEMORY);
if (init_hash(uidhash, -2, UIDHASHSIZE, USERNAMELEN))
return (AUDITD_NO_MEMORY);
if (init_hash(gidhash, -2, GIDHASHSIZE, GIDNAMELEN))
return (AUDITD_NO_MEMORY);
}
(void) pthread_mutex_lock(&log_mutex);
if ((rc = setmask(value)) != AUDITD_SUCCESS)
*error = strdup(gettext(
"incorrect p_flags setting; no records will be output"));
(void) pthread_mutex_unlock(&log_mutex);
return (rc);
}
auditd_rc_t
auditd_plugin_close(char **error)
{
*error = NULL;
if (initialized) {
(void) pthread_mutex_destroy(&log_mutex);
free_hash(hosthash, HOSTHASHSIZE);
free_hash(uidhash, UIDHASHSIZE);
free_hash(gidhash, GIDHASHSIZE);
}
initialized = 0;
return (AUDITD_SUCCESS);
}
