Print this page
NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/auditreduce/auditrt.h
+++ new/usr/src/cmd/auditreduce/auditrt.h
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 + *
25 + * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
24 26 */
25 27
26 28 #ifndef _AUDITRT_H
27 29 #define _AUDITRT_H
28 30
29 31 #ifdef __cplusplus
30 32 extern "C" {
31 33 #endif
32 34
33 35 /*
34 36 * Auditreduce data structures.
35 37 */
36 38
37 39 /*
38 40 * File Control Block
39 41 * Controls a single file.
40 42 * These are held by the pcb's in audit_pcbs[] in a linked list.
41 43 * There is one fcb for each file controlled by the pcb,
42 44 * and all of the files in a list have the same suffix in their names.
43 45 */
44 46 struct audit_fcb {
45 47 struct audit_fcb *fcb_next; /* ptr to next fcb in list */
46 48 int fcb_flags; /* flags - see below */
47 49 time_t fcb_start; /* start time from filename */
48 50 time_t fcb_end; /* end time from filename */
49 51 char *fcb_suffix; /* ptr to suffix in fcb_file */
50 52 char *fcb_name; /* ptr to name in fcb_file */
51 53 char fcb_file[1]; /* full path and name string */
52 54 };
53 55
54 56 typedef struct audit_fcb audit_fcb_t;
55 57
56 58 /*
57 59 * Flags for fcb_flags.
58 60 */
59 61 #define FF_NOTTERM 0x01 /* file is "not_terminated" */
60 62 #define FF_DELETE 0x02 /* we may delete this file if requested */
61 63
62 64 /*
63 65 * Process Control Block
64 66 * A pcb comes in two types:
65 67 * It controls either:
66 68 *
67 69 * 1. A single group of pcbs (processes that are lower on the process tree).
68 70 * These are the pcb's that the process tree is built from.
69 71 * These are allocated as needed while the process tree is being built.
70 72 *
71 73 * 2. A single group of files (fcbs).
72 74 * All of the files in one pcb have the same suffix in their filename.
73 75 * They are controlled by the leaf nodes of the process tree.
74 76 * They are found in audit_pcbs[].
75 77 * They are initially setup by process_fileopt() when the files to be
76 78 * processes are gathered together. Then they are parsed out to
77 79 * the leaf nodes by mfork().
78 80 * A particular leaf node's range of audit_pcbs[] is determined
79 81 * in the call to mfork() by the lo and hi paramters.
80 82 */
81 83 struct audit_pcb {
82 84 struct audit_pcb *pcb_below; /* ptr to group of pcb's */
83 85 struct audit_pcb *pcb_next; /* ptr to next - for list in mproc() */
84 86 int pcb_procno; /* subprocess # */
85 87 int pcb_nrecs; /* how many records read (current pcb/file) */
86 88 int pcb_nprecs; /* how many records put (current pcb/file) */
87 89 int pcb_flags; /* flags - see below */
88 90 int pcb_count; /* count of active pcb's */
89 91 int pcb_lo; /* low index for pcb's */
90 92 int pcb_hi; /* hi index for pcb's */
91 93 int pcb_size; /* size of current record buffer */
92 94 time_t pcb_time; /* time of current record */
93 95 time_t pcb_otime; /* time of previous record */
94 96 char *pcb_rec; /* ptr to current record buffer */
95 97 char *pcb_suffix; /* ptr to suffix name (string) */
96 98 audit_fcb_t *pcb_first; /* ptr to first fcb_ */
97 99 audit_fcb_t *pcb_last; /* ptr to last fcb_ */
98 100 audit_fcb_t *pcb_cur; /* ptr to current fcb_ */
99 101 audit_fcb_t *pcb_dfirst; /* ptr to first fcb_ for deleting */
100 102 audit_fcb_t *pcb_dlast; /* ptr to last fcb_ for deleting */
101 103 FILE *pcb_fpr; /* read stream */
102 104 FILE *pcb_fpw; /* write stream */
103 105 };
104 106
105 107 typedef struct audit_pcb audit_pcb_t;
106 108
107 109 /*
108 110 * Flags for pcb_flags
109 111 */
110 112 #define PF_ROOT 0x01 /* current pcb is the root of process tree */
111 113 #define PF_LEAF 0x02 /* current pcb is a leaf of process tree */
112 114 #define PF_USEFILE 0x04 /* current pcb uses files as input, not pipes */
113 115
114 116 /*
115 117 * Message selection options
116 118 */
117 119 #define M_AFTER 0x0001 /* 'a' after a time */
118 120 #define M_BEFORE 0x0002 /* 'b' before a time */
119 121 #define M_CLASS 0x0004 /* 'c' event class */
120 122 #define M_GROUPE 0x0008 /* 'f' effective group-id */
121 123 #define M_GROUPR 0x0010 /* 'g' real group-id */
122 124 #define M_OBJECT 0x0020 /* 'o' object */
123 125 #define M_SUBJECT 0x0040 /* 'j' subject */
124 126 #define M_TYPE 0x0080 /* 'm' event type */
125 127 #define M_USERA 0x0100 /* 'u' audit user */
126 128 #define M_USERE 0x0200 /* 'e' effective user */
127 129 #define M_USERR 0x0400 /* 'r' real user */
128 130 #define M_LABEL 0x0800 /* 'l' mandatory label range */
129 131 #define M_ZONENAME 0x1000 /* 'z' zone name */
130 132 #define M_SID 0x2000 /* 's' session ID */
131 133 #define M_SORF 0x4000 /* success or failure of event */
132 134 #define M_TID 0x8000 /* 't' terminal ID */
133 135 /*
134 136 * object types
135 137 */
136 138
137 139 /* XXX Why is this a bit map? There can be only one M_OBJECT. */
138 140
139 141 #define OBJ_LP 0x00001 /* 'o' lp object */
140 142 #define OBJ_MSG 0x00002 /* 'o' msgq object */
141 143 #define OBJ_PATH 0x00004 /* 'o' file system object */
142 144 #define OBJ_PROC 0x00008 /* 'o' process object */
143 145 #define OBJ_SEM 0x00010 /* 'o' semaphore object */
144 146 #define OBJ_SHM 0x00020 /* 'o' shared memory object */
145 147 #define OBJ_SOCK 0x00040 /* 'o' socket object */
146 148 #define OBJ_FGROUP 0x00080 /* 'o' file group */
147 149 #define OBJ_FOWNER 0x00100 /* 'o' file owner */
|
↓ open down ↓ |
114 lines elided |
↑ open up ↑ |
148 150 #define OBJ_MSGGROUP 0x00200 /* 'o' msgq [c]group */
149 151 #define OBJ_MSGOWNER 0x00400 /* 'o' msgq [c]owner */
150 152 #define OBJ_PGROUP 0x00800 /* 'o' process [e]group */
151 153 #define OBJ_POWNER 0x01000 /* 'o' process [e]owner */
152 154 #define OBJ_SEMGROUP 0x02000 /* 'o' semaphore [c]group */
153 155 #define OBJ_SEMOWNER 0x04000 /* 'o' semaphore [c]owner */
154 156 #define OBJ_SHMGROUP 0x08000 /* 'o' shared memory [c]group */
155 157 #define OBJ_SHMOWNER 0x10000 /* 'o' shared memory [c]owner */
156 158 #define OBJ_FMRI 0x20000 /* 'o' fmri object */
157 159 #define OBJ_USER 0x40000 /* 'o' user object */
160 +#define OBJ_WSID 0x80000 /* 'o' windows sid object */
158 161
159 162 #define SOCKFLG_MACHINE 0 /* search socket token by machine name */
160 163 #define SOCKFLG_PORT 1 /* search socket token by port number */
161 164
162 165 /*
163 166 * Global variables
164 167 */
165 168 extern unsigned short m_type; /* 'm' message type */
166 169 extern gid_t m_groupr; /* 'g' real group-id */
167 170 extern gid_t m_groupe; /* 'f' effective group-id */
168 171 extern uid_t m_usera; /* 'u' audit user */
169 172 extern uid_t m_userr; /* 'r' real user */
170 173 extern uid_t m_usere; /* 'f' effective user */
171 174 extern au_asid_t m_sid; /* 's' session-id */
172 175 extern time_t m_after; /* 'a' after a time */
173 176 extern time_t m_before; /* 'b' before a time */
174 177 extern audit_state_t mask; /* used with m_class */
175 178 extern char *zonename; /* 'z' zonename */
176 179
177 180 extern m_range_t *m_label; /* 'l' mandatory label range */
178 181 extern int flags;
179 182 extern int checkflags;
180 183 extern int socket_flag;
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
181 184 extern int ip_type;
182 185 extern uchar_t ip_ipv6[16]; /* ip ipv6 object identifier */
183 186 extern int obj_flag; /* 'o' object type */
184 187 extern int obj_id; /* object identifier */
185 188 extern gid_t obj_group; /* object group */
186 189 extern uid_t obj_owner; /* object owner */
187 190 extern int subj_id; /* subject identifier */
188 191 extern char ipc_type; /* 'o' object type - tell what type of IPC */
189 192 extern scf_pattern_t fmri; /* 'o' fmri value */
190 193 extern uid_t obj_user; /* 'o' user value */
194 +extern char *wsid; /* 'o' wsid value */
191 195
192 196 /*
193 197 * File selection options
194 198 */
195 199 extern char *f_machine; /* 'M' machine (suffix) type */
196 200 extern char *f_root; /* 'R' audit root */
197 201 extern char *f_server; /* 'S' server */
198 202 extern char *f_outfile; /* 'W' output file */
199 203 extern int f_all; /* 'A' all records from a file */
200 204 extern int f_complete; /* 'C' only completed files */
201 205 extern int f_delete; /* 'D' delete when done */
202 206 extern int f_quiet; /* 'Q' sshhhh! */
203 207 extern int f_verbose; /* 'V' verbose */
204 208 extern int f_stdin; /* '-' read from stdin */
|
↓ open down ↓ |
4 lines elided |
↑ open up ↑ |
205 209 extern int f_cmdline; /* files specified on the command line */
206 210 extern int new_mode; /* 'N' new object selection mode */
207 211
208 212 /*
209 213 * Error reporting
210 214 * Error_str is set whenever an error occurs to point to a string describing
211 215 * the error. When the error message is printed error_str is also
212 216 * printed to describe exactly what went wrong.
213 217 * Errbuf is used to build messages with variables in them.
214 218 */
219 +#define ERRBUF_SZ 256
215 220 extern char *error_str; /* current error message */
216 221 extern char errbuf[]; /* buffer for building error message */
217 222 extern char *ar; /* => "auditreduce:" */
218 223
219 224 /*
220 225 * Control blocks
221 226 * Audit_pcbs[] is an array of pcbs that control files directly.
222 227 * In the program's initialization phase it will gather all of the input
223 228 * files it needs to process. Each file will have one fcb allocated for it,
224 229 * and each fcb will belong to one pcb from audit_pcbs[]. All of the files
225 230 * in a single pcb will have the same suffix in their filenames. If the
226 231 * number of active pcbs in audit_pcbs[] is greater that the number of open
227 232 * files a single process can have then the program will need to fork
228 233 * subprocesses to handle all of the files.
229 234 */
230 235 extern audit_pcb_t *audit_pcbs; /* file-holding pcb's */
231 236 extern int pcbsize; /* current size of audit_pcbs[] */
232 237 extern int pcbnum; /* total # of active pcbs in audit_pcbs[] */
233 238
234 239 /*
235 240 * Time values
236 241 */
237 242 extern time_t f_start; /* time of start rec for outfile */
238 243 extern time_t f_end; /* time of end rec for outfile */
239 244 extern time_t time_now; /* time program began */
240 245
241 246 /*
242 247 * Counting vars
243 248 */
244 249 extern int filenum; /* number of files total */
245 250
246 251 /*
247 252 * Global variable, class of current record being processed.
248 253 */
249 254 extern int global_class;
250 255
251 256 #ifdef __cplusplus
252 257 }
253 258 #endif
254 259
255 260 #endif /* _AUDITRT_H */
|
↓ open down ↓ |
31 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX