NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
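--- a/usr/src/cmd/praudit/toktable.c
+++ b/usr/src/cmd/praudit/toktable.c
@@ -1,310 +1,318 @@
 /*
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
  * Common Development and Distribution License (the "License").
  * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
  * See the License for the specific language governing permissions
  * and limitations under the License.
  *
  * When distributing Covered Code, include this CDDL HEADER in each
  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  * If applicable, add the following below this CDDL HEADER, with the
  * fields enclosed by brackets "[]" replaced with your own identifying
  * information: Portions Copyright [yyyy] [name of copyright owner]
  *
  * CDDL HEADER END
  */
 /*
  * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
  * Use is subject to license terms.
+ *
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
  */
 
 /*
  * Solaris Audit Token Table.
  */
 
 #include <locale.h>
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <bsm/audit.h>
 #include <bsm/audit_record.h>
 #include <bsm/libbsm.h>
 
 #include "praudit.h"
 #include "toktable.h"
 
 token_desc_t tokentable[MAXTAG + 1];
 
 #define table_init(i, n, f, t) \
 	tokentable[(int)(i)].t_name = (n); \
 	tokentable[(int)(i)].t_tagname = (n); \
 	tokentable[(int)(i)].func = (f); \
 	tokentable[(int)(i)].t_type = (t);
 
 /* table_initx is for entries which need name different from tagname */
 #define table_initx(i, n, tn, f, t) \
 	tokentable[(int)(i)].t_name = (n); \
 	tokentable[(int)(i)].t_tagname = (tn); \
 	tokentable[(int)(i)].func = (f); \
 	tokentable[(int)(i)].t_type = (t);
 
 /*
  * Initialize the table of tokens & other tags.
  */
 void
 init_tokens(void)
 {
 	/*
 	 * TRANSLATION_NOTE
 	 * These names refer to different type of audit tokens.
 	 * To gain a better understanding of each token, read
 	 * System Administration Guide: Security Services >> Solaris Auditing
 	 * at http://docs.sun.com.
 	 */
 
 	(void) gettext("file"); /* to force out the translation note */
 
 	/*
 	 * Control token types
 	 */
 
 	table_init(AUT_INVALID, (char *)0, NOFUNC, T_UNKNOWN);
 	table_init(AUT_OTHER_FILE32, "file", file_token, T_EXTENDED);
 	table_init(AUT_OHEADER, "old_header", NOFUNC, T_EXTENDED);
 	table_init(AUT_TRAILER, "trailer", trailer_token, T_UNKNOWN);
 	table_initx(AUT_HEADER32, "header", "record",
 	    header_token, T_EXTENDED);
 	table_initx(AUT_HEADER32_EX, "header", "record",
 	    header32_ex_token, T_EXTENDED);
 
 	/*
 	 * Data token types
 	 */
 
 	table_init(AUT_DATA, "arbitrary", arbitrary_data_token, T_EXTENDED);
 	table_init(AUT_FMRI, "fmri", fmri_token, T_ELEMENT);
 	table_init(AUT_IPC, "IPC", s5_IPC_token, T_ENCLOSED);
 	table_init(AUT_PATH, "path", path_token, T_ELEMENT);
 	table_init(AUT_XATPATH, "path_attr", path_attr_token, T_ELEMENT);
 	table_init(AUT_SUBJECT32, "subject", subject32_token, T_ENCLOSED);
 	table_init(AUT_PROCESS32, "process", process32_token, T_ENCLOSED);
 	table_init(AUT_RETURN32, "return", return_value32_token, T_ENCLOSED);
 	table_init(AUT_TEXT, "text", text_token, T_ELEMENT);
 	table_init(AUT_OPAQUE, "opaque", opaque_token, T_ELEMENT);
 	table_initx(AUT_IN_ADDR, "ip address", "ip_address",
 	    ip_addr_token, T_ELEMENT);
 	table_init(AUT_IP, "ip", ip_token, T_ENCLOSED);
 	table_initx(AUT_IPORT, "ip port", "ip_port",
 	    iport_token, T_ELEMENT);
 	table_init(AUT_ARG32, "argument", argument32_token, T_ENCLOSED);
 	table_initx(AUT_SOCKET, "socket", "old_socket",
 	    socket_token, T_ENCLOSED);
 	table_init(AUT_SEQ, "sequence", sequence_token, T_ENCLOSED);
 
 	/*
 	 * Modifier token types
 	 */
 
 	table_init(AUT_ACL, "acl", acl_token, T_ENCLOSED);
 	table_init(AUT_ACE, "acl", ace_token, T_ENCLOSED);
 	table_init(AUT_ATTR, "attribute", attribute_token, T_ENCLOSED);
 	table_init(AUT_IPC_PERM, "IPC_perm", s5_IPC_perm_token, T_ENCLOSED);
 	table_init(AUT_GROUPS, "group", group_token, T_ELEMENT);
 	table_initx(AUT_LABEL, "sensitivity label", "sensitivity_label",
 	    label_token, T_ELEMENT);
 	table_init(AUT_PRIV, "privilege", privilege_token, T_EXTENDED);
 	table_init(AUT_SECFLAGS, "secflags", secflags_token, T_EXTENDED);
 	table_initx(AUT_UPRIV, "use of privilege", "use_of_privilege",
 	    useofpriv_token, T_EXTENDED);
 	table_init(AUT_LIAISON, "liaison", liaison_token, T_ELEMENT);
 	table_init(AUT_NEWGROUPS, "group", newgroup_token, T_ELEMENT);
 	table_init(AUT_EXEC_ARGS, "exec_args", exec_args_token, T_ELEMENT);
 	table_init(AUT_EXEC_ENV, "exec_env", exec_env_token, T_ELEMENT);
 	table_init(AUT_ATTR32, "attribute", attribute32_token, T_ENCLOSED);
 	table_initx(AUT_UAUTH, "use of authorization",
 	    "use_of_authorization", useofauth_token, T_ELEMENT);
 	table_init(AUT_USER, "user", user_token, T_ENCLOSED);
 	table_init(AUT_ZONENAME, "zone", zonename_token, T_ENCLOSED);
 
 	/*
 	 * X windows token types
 	 */
 	table_initx(AUT_XATOM, "X atom", "X_atom", xatom_token, T_ELEMENT);
 	table_initx(AUT_XOBJ, "X object", "X_object", NOFUNC, T_UNKNOWN);
 	table_initx(AUT_XPROTO, "X protocol", "X_protocol", NOFUNC, T_UNKNOWN);
 	table_initx(AUT_XSELECT, "X selection", "X_selection",
 	    xselect_token, T_ELEMENT);
 	table_initx(AUT_XCOLORMAP, "X color map", "X_color_map",
 	    xcolormap_token, T_ENCLOSED);
 	table_initx(AUT_XCURSOR, "X cursor", "X_cursor",
 	    xcursor_token, T_ENCLOSED);
 	table_initx(AUT_XFONT, "X font", "X_font", xfont_token, T_ENCLOSED);
 	table_initx(AUT_XGC, "X graphic context", "X_graphic_context",
 	    xgc_token, T_ENCLOSED);
 	table_initx(AUT_XPIXMAP, "X pixmap", "X_pixmap",
 	    xpixmap_token, T_ENCLOSED);
 	table_initx(AUT_XPROPERTY, "X property", "X_property",
 	    xproperty_token, T_EXTENDED);
 	table_initx(AUT_XWINDOW, "X window", "X_window",
 	    xwindow_token, T_ENCLOSED);
 	table_initx(AUT_XCLIENT, "X client", "X_client",
 	    xclient_token, T_ELEMENT);
 
 	/*
 	 * Command token types
 	 */
 
 	table_init(AUT_CMD, "cmd", cmd_token, T_ELEMENT);
 	table_init(AUT_EXIT, "exit", exit_token, T_ENCLOSED);
 
 	/*
 	 * Miscellaneous token types
 	 */
 
 	table_init(AUT_HOST, "host", host_token, T_ELEMENT);
 
 	/*
 	 * Solaris64 token types
 	 */
 
 	table_init(AUT_ARG64, "argument", argument64_token, T_ENCLOSED);
 	table_init(AUT_RETURN64, "return", return_value64_token, T_ENCLOSED);
 	table_init(AUT_ATTR64, "attribute", attribute64_token, T_ENCLOSED);
 	table_initx(AUT_HEADER64, "header", "record",
 	    header64_token, T_EXTENDED);
 	table_init(AUT_SUBJECT64, "subject", subject64_token, T_ENCLOSED);
 	table_init(AUT_PROCESS64, "process", process64_token, T_ENCLOSED);
 	table_init(AUT_OTHER_FILE64, "file", file64_token, T_EXTENDED);
 
 	/*
 	 * Extended network address token types
 	 */
 
 	table_initx(AUT_HEADER64_EX, "header", "record",
 	    header64_ex_token, T_EXTENDED);
 	table_init(AUT_SUBJECT32_EX, "subject", subject32_ex_token, T_ENCLOSED);
 	table_init(AUT_PROCESS32_EX, "process", process32_ex_token, T_ENCLOSED);
 	table_init(AUT_SUBJECT64_EX, "subject", subject64_ex_token, T_ENCLOSED);
 	table_init(AUT_PROCESS64_EX, "process", process64_ex_token, T_ENCLOSED);
 	table_initx(AUT_IN_ADDR_EX, "ip address", "ip_address",
 	    ip_addr_ex_token, T_ELEMENT);
 	table_init(AUT_SOCKET_EX, "socket", socket_ex_token, T_ENCLOSED);
 	table_init(AUT_TID, "tid", tid_token, T_EXTENDED);
 
+	table_init(AUT_ACCESS_MASK, "access mask", access_mask_token,
+	    T_ELEMENT);
+	table_init(AUT_WSID, "Windows SID", wsid_token, T_ELEMENT);
+
 #ifdef _PRAUDIT
 	/*
 	 * Done with tokens above here. Now do remaining tags.
 	 */
 	table_init(TAG_AUID, "audit-uid", pa_pw_uid, T_ATTRIBUTE);
 	table_init(TAG_UID, "uid", pa_pw_uid, T_ATTRIBUTE);
 	table_init(TAG_GID, "gid", pa_gr_uid, T_ATTRIBUTE);
 	table_init(TAG_RUID, "ruid", pa_pw_uid, T_ATTRIBUTE);
 	table_init(TAG_RGID, "rgid", pa_gr_uid, T_ATTRIBUTE);
 
 	table_init(TAG_PID, "pid", pa_adr_u_int32, T_ATTRIBUTE);
 	table_init(TAG_SID, "sid", pa_adr_u_int32, T_ATTRIBUTE);
 
 	table_init(TAG_TID32, "tid", pa_tid32, T_ATTRIBUTE);
 	table_init(TAG_TID64, "tid", pa_tid64, T_ATTRIBUTE);
 	table_init(TAG_TID32_EX, "tid", pa_tid32_ex, T_ATTRIBUTE);
 	table_init(TAG_TID64_EX, "tid", pa_tid64_ex, T_ATTRIBUTE);
 	table_init(TAG_TID_TYPE, "type", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_IP, "ipadr", NOFUNC, T_ENCLOSED);
 	table_init(TAG_IP_LOCAL, "local-port", pa_adr_u_short, T_ATTRIBUTE);
 	table_init(TAG_IP_REMOTE, "remote-port", pa_adr_u_short, T_ATTRIBUTE);
 	table_init(TAG_IP_ADR, "host", pa_ip_addr, T_ATTRIBUTE);
 
 	table_initx(TAG_EVMOD, "event-modifier", "modifier",
 	    pa_event_modifier, T_ATTRIBUTE);
 	table_initx(TAG_EVTYPE, "event-type", "event",
 	    pa_event_type, T_ATTRIBUTE);
 	table_initx(TAG_TOKVERS, "token-version", "version",
 	    pa_adr_byte, T_ATTRIBUTE);
 
 	table_init(TAG_ISO, "iso8601", NOFUNC, T_ATTRIBUTE);
 
 	table_init(TAG_ERRVAL, "errval", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_RETVAL, "retval", pa_adr_int32, T_ATTRIBUTE);
 
 	table_init(TAG_SETTYPE, "set-type", pa_adr_string, T_ATTRIBUTE);
 	/* Sub-element of groups & newgroups token: */
 	table_init(TAG_GROUPID, "gid", pa_gr_uid, T_ELEMENT);
 
 	table_init(TAG_XID, "xid", pa_xid, T_ATTRIBUTE);
 	table_init(TAG_XCUID, "xcreator-uid", pa_pw_uid, T_ATTRIBUTE);
 
 	table_init(TAG_XSELTEXT, "x_sel_text", pa_adr_string, T_ELEMENT);
 	table_init(TAG_XSELTYPE, "x_sel_type", pa_adr_string, T_ELEMENT);
 	table_init(TAG_XSELDATA, "x_sel_data", pa_adr_string, T_ELEMENT);
 
 	table_init(TAG_ARGNUM, "arg-num", pa_adr_byte, T_ATTRIBUTE);
 	table_init(TAG_ARGVAL32, "value", pa_adr_int32hex, T_ATTRIBUTE);
 	table_init(TAG_ARGVAL64, "value", pa_adr_int64hex, T_ATTRIBUTE);
 	table_init(TAG_ARGDESC, "desc", pa_adr_string, T_ATTRIBUTE);
 
 	table_init(TAG_MODE, "mode", pa_mode, T_ATTRIBUTE);
 	table_init(TAG_FSID, "fsid", pa_adr_int32, T_ATTRIBUTE);
 	table_init(TAG_NODEID32, "nodeid", pa_adr_int32, T_ATTRIBUTE);
 	table_init(TAG_NODEID64, "nodeid", pa_adr_int64, T_ATTRIBUTE);
 	table_init(TAG_DEVICE32, "device", pa_adr_u_int32, T_ATTRIBUTE);
 	table_init(TAG_DEVICE64, "device", pa_adr_u_int64, T_ATTRIBUTE);
 
 	table_init(TAG_SEQNUM, "seq-num", pa_adr_u_int32, T_ATTRIBUTE);
 	table_init(TAG_ZONENAME, "name", pa_adr_string, T_ATTRIBUTE);
 	table_init(TAG_ARGV, "argv", pa_cmd, T_ELEMENT);
 	table_init(TAG_ARGE, "arge", pa_cmd, T_ELEMENT);
 	table_init(TAG_ARG, "arg", pa_string, T_ELEMENT);
 	table_init(TAG_ENV, "env", pa_string, T_ELEMENT);
 	table_init(TAG_XAT, "xattr", pa_string, T_ELEMENT);
 
 	table_init(TAG_RESULT, "result", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_CUID, "creator-uid", pa_pw_uid, T_ATTRIBUTE);
 	table_init(TAG_CGID, "creator-gid", pa_gr_uid, T_ATTRIBUTE);
 	table_init(TAG_SEQ, "seq", pa_adr_u_int32, T_ATTRIBUTE);
 	table_init(TAG_KEY, "key", pa_adr_int32hex, T_ATTRIBUTE);
 
 	table_init(TAG_IPVERS, "version", pa_adr_charhex, T_ATTRIBUTE);
 	table_init(TAG_IPSERV, "service_type", pa_adr_charhex, T_ATTRIBUTE);
 	table_init(TAG_IPLEN, "len", pa_adr_short, T_ATTRIBUTE);
 	table_init(TAG_IPID, "id", pa_adr_u_short, T_ATTRIBUTE);
 	table_init(TAG_IPOFFS, "offset", pa_adr_u_short, T_ATTRIBUTE);
 	table_init(TAG_IPTTL, "time_to_live", pa_adr_charhex, T_ATTRIBUTE);
 	table_init(TAG_IPPROTO, "protocol", pa_adr_charhex, T_ATTRIBUTE);
 	table_init(TAG_IPCKSUM, "cksum", pa_adr_u_short, T_ATTRIBUTE);
 	table_init(TAG_IPSRC, "src_addr", pa_adr_int32hex, T_ATTRIBUTE);
 	table_init(TAG_IPDEST, "dest_addr", pa_adr_int32hex, T_ATTRIBUTE);
 
 	table_init(TAG_ACLTYPE, "type", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_ACLVAL, "value", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_ACEMASK, "access_mask", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_ACEFLAGS, "flags", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_ACETYPE, "type", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_ACEID, "id", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_SOCKTYPE, "type", pa_adr_shorthex, T_ATTRIBUTE);
 	table_init(TAG_SOCKPORT, "port", pa_adr_shorthex, T_ATTRIBUTE);
 	table_init(TAG_SOCKADDR, "addr", NOFUNC, T_ATTRIBUTE);
 
 	table_init(TAG_SOCKEXDOM, "sock_domain", pa_adr_shorthex, T_ATTRIBUTE);
 	table_init(TAG_SOCKEXTYPE, "sock_type", pa_adr_shorthex, T_ATTRIBUTE);
 	table_init(TAG_SOCKEXLPORT, "lport", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_SOCKEXLADDR, "laddr", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_SOCKEXFPORT, "fport", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_SOCKEXFADDR, "faddr", NOFUNC, T_ATTRIBUTE);
 
 	table_init(TAG_IPCTYPE, "ipc-type", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_IPCID, "ipc-id", pa_adr_int32, T_ATTRIBUTE);
 
 	table_init(TAG_ARBPRINT, "print", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_ARBTYPE, "type", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_ARBCOUNT, "count", NOFUNC, T_ATTRIBUTE);
 
 	table_init(TAG_HOSTID, "host", NOFUNC, T_ATTRIBUTE);
 	table_init(TAG_USERNAME, "username", pa_adr_string, T_ATTRIBUTE);
+	table_init(TAG_WSID, "wsid", NOFUNC, T_ATTRIBUTE);
+
 #endif /* _PRAUDIT */
 }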
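Review bot: The two new token entries at new lines 202–204 use `table_init`, which copies t_name into t_tagname, so the tagnames become `"access mask"` and `"Windows SID"` with an embedded space. Every other entry in this table whose display name contains a space goes through `table_initx` with an underscore-separated tagname (`"ip address"`/`"ip_address"`, `"X atom"`/`"X_atom"`, `"sensitivity label"`/`"sensitivity_label"`), and if t_tagname is what the XML output mode emits as the element name, as that convention suggests, a space there yields malformed XML for records carrying these tokens. Suggest `table_initx(AUT_ACCESS_MASK, "access mask", "access_mask", access_mask_token, T_ELEMENT);` and `table_initx(AUT_WSID, "Windows SID", "windows_sid", wsid_token, T_ELEMENT);`. The new TAG_WSID entry at new line 315 already follows the underscore-free single-word style and needs no change.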