Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both

contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).

OpenBSM history for imported revision below for reference.

MFC after:      1 month
Sponsored by:   Apple, Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 beta 1

- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
  Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
  For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added.  It is configured in
  audit_control(5) with the expire-after parameter.  If there is no
  expire-after parameter in audit_control(5), the default, then the audit
  trail files are not expired and removed.  See audit_control(5) for
  more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
  partitions, rotate automatically at 2mb, and set the default policy to
  cnt,argv rather than cnt so that execve(2) arguments are captured if
  AUE_EXECVE events are audited.  These may provide more usable defaults for
  many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
  au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.

contrib/openbsm/CREDITS

@@ -27,6 +27,7 @@ the development of OpenBSM:
     Eric Hall
     Xin LI
     Stacey Son
+    Todd Heberlein
 
 In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
 Software's FlexeLint tool were used to identify a number of bugs in the

contrib/openbsm/NEWS

@@ -1,5 +1,24 @@
 OpenBSM Version History
 
+OpenBSM 1.1 beta 1
+
+- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
+  Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
+  For legacy support no suffix defaults to bytes.
+- Audit trail log expiration support added.  It is configured in
+  audit_control(5) with the expire-after parameter.  If there is no 
+  expire-after parameter in audit_control(5), the default, then the audit
+  trail files are not expired and removed.  See audit_control(5) for
+  more information.
+- Change defaults in audit_control: warn at 5% rather than 20% free for audit
+  partitions, rotate automatically at 2mb, and set the default policy to
+  cnt,argv rather than cnt so that execve(2) arguments are captured if
+  AUE_EXECVE events are audited.  These may provide more usable defaults for
+  many users.
+- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
+  au_to_socket_ex(3) arguments to BSM format.
+- Fix error encoding AUT_IPC_PERM tokens.
+
 OpenBSM 1.1 alpha 5
 
 - Stub libauditd(3) man page added.
@@ -412,4 +431,4 @@ OpenBSM 1.0 alpha 1
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#27 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#32 $

contrib/openbsm/README

@@ -1,4 +1,4 @@
-OpenBSM 1.1 alpha 4
+OpenBSM 1.1 beta 1
 
   Introduction
 
@@ -56,4 +56,4 @@ Information on TrustedBSD may be found on the TrustedBSD home page:
 
     http://www.TrustedBSD.org/
 
-$P4: //depot/projects/trustedbsd/openbsm/README#34 $
+$P4: //depot/projects/trustedbsd/openbsm/README#35 $

contrib/openbsm/VERSION

@@ -1 +1 @@
-OPENBSM_1_1_ALPHA_5
+OPENBSM_1_1_BETA_1

contrib/openbsm/bin/audit/audit.8

@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Inc.
+.\" Copyright (c) 2004-2009 Apple Inc.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -25,24 +25,28 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#15 $
 .\"
-.Dd December 11, 2008
+.Dd January 29, 2009
 .Dt AUDIT 8
 .Os
 .Sh NAME
 .Nm audit
 .Nd audit management utility
 .Sh SYNOPSIS
 .Nm
-.Fl i | n | s | t
+.Fl e | i | n | s | t
 .Sh DESCRIPTION
 The
 .Nm
 utility controls the state of the audit system.
 One of the following flags is required as an argument to
 .Nm :
 .Bl -tag -width indent
+.It Fl e
+Forces the audit system to immediately remove audit log files that
+meet the expiration criteria specified in the audit control file without
+doing a log rotation. 
 .It Fl i
 Initializes and starts auditing.
 This option is currently for Mac OS X only
@@ -53,6 +57,8 @@ to be configured to run under
 .It Fl n
 Forces the audit system to close the existing audit log file and rotate to
 a new log file in a location specified in the audit control file.
+Also, audit log files that meet the expiration criteria specified in the 
+audit control file will be removed.
 .It Fl s
 Specifies that the audit system should [re]synchronize its
 configuration from the audit control file.

contrib/openbsm/bin/audit/audit.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005-2008 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#13 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#14 $
  */
 /*
  * Program to trigger the audit daemon with a message that is either:
@@ -68,12 +68,15 @@ static int send_trigger(unsigned int);
 #include "auditd_control.h"
 
 /* 
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
  * audit.h header. 
  */
 #ifndef AUDIT_TRIGGER_INITIALIZE
 #define	AUDIT_TRIGGER_INITIALIZE	7
 #endif
+#ifndef AUDIT_TRIGGER_EXPIRE_TRAILS
+#define	AUDIT_TRIGGER_EXPIRE_TRAILS	8
+#endif
 
 static int
 send_trigger(unsigned int trigger)
@@ -125,7 +128,7 @@ static void
 usage(void)
 {
 
-	(void)fprintf(stderr, "Usage: audit -i | -n | -s | -t \n");
+	(void)fprintf(stderr, "Usage: audit -e | -i | -n | -s | -t \n");
 	exit(-1);
 }
 
@@ -141,9 +144,13 @@ main(int argc, char **argv)
 	if (argc != 2)
 		usage();
 
-	while ((ch = getopt(argc, argv, "inst")) != -1) {
+	while ((ch = getopt(argc, argv, "einst")) != -1) {
 		switch(ch) {
 
+		case 'e':
+			trigger = AUDIT_TRIGGER_EXPIRE_TRAILS;
+			break;
+
 		case 'i':
 			trigger = AUDIT_TRIGGER_INITIALIZE;
 			break;

contrib/openbsm/bin/auditd/audit_warn.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
  */
 
 #include <sys/types.h>
@@ -236,3 +236,18 @@ audit_warn_tmpfile(void)
 
 	return (auditwarnlog(args));
 }
+
+/*
+ * Indicates that this trail file has expired and was removed.
+ */
+int
+audit_warn_expired(char *filename)
+{
+	char *args[3];
+
+	args[0] = EXPIRED_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}

contrib/openbsm/bin/auditd/auditd.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#43 $
  */
 
 #include <sys/types.h>
@@ -67,12 +67,16 @@
 #endif
 
 /*
- * XXX the following is temporary until this can be added to the kernel
+ * XXX The following are temporary until these can be added to the kernel
  * audit.h header.
  */
 #ifndef	AUDIT_TRIGGER_INITIALIZE
 #define	AUDIT_TRIGGER_INITIALIZE	7
 #endif
+#ifndef	AUDIT_TRIGGER_EXPIRE_TRAILS
+#define	AUDIT_TRIGGER_EXPIRE_TRAILS	8
+#endif
+
 
 /*
  * LaunchD flag (Mac OS X and, maybe, FreeBSD only.)  See launchd(8) and 
@@ -166,7 +170,7 @@ close_lastfile(char *TS)
 
 		/* Rename the last file -- append timestamp. */
 		if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
-			strlcpy(ptr, TS, TIMESTAMP_LEN);
+			memcpy(ptr, TS, POSTFIX_LEN);
 			if (rename(oldname, lastfile) != 0)
 				auditd_log_err(
 				    "Could not rename %s to %s: %m", oldname,
@@ -275,6 +279,14 @@ do_trail_file(void)
 		return (-1);
 	}
 
+	/*
+	 * Finally, see if there are any trail files to expire.
+	 */
+	err = auditd_expire_trails(audit_warn_expired);
+	if (err)
+		auditd_log_err("auditd_expire_trails(): %s",
+		    auditd_strerror(err));
+
 	return (0);
 }
 
@@ -550,6 +562,14 @@ auditd_handle_trigger(int trigger)
 			audit_setup();
 		break;
 
+	case AUDIT_TRIGGER_EXPIRE_TRAILS:
+		auditd_log_info("Got audit expire trails trigger");
+		err = auditd_expire_trails(audit_warn_expired);
+		if (err)
+			auditd_log_err("auditd_expire_trails(): %s",
+		    	    auditd_strerror(err));
+		break;
+
 	default:
 		auditd_log_err("Got unknown trigger %d", trigger);
 		break;
@@ -669,13 +689,18 @@ auditd_config_controls(void)
 	 */
 	err = auditd_set_host();
 	if (err) {
-		auditd_log_err("auditd_set_host() %s: %m",
-		    auditd_strerror(err));
-		ret = -1;
+		if (err == ADE_PARSE) {
+			auditd_log_notice(
+			    "audit_control(5) may be missing 'host:' field");
+		} else {
+			auditd_log_err("auditd_set_host() %s: %m",
+			    auditd_strerror(err));
+			ret = -1;
+		}
 	} else
 		auditd_log_debug(
 		    "Set audit host address information in kernel.");
-	
+
 	return (ret);
 }
 

contrib/openbsm/bin/auditd/auditd.h

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
  */
 
 #ifndef _AUDITD_H_
@@ -57,6 +57,7 @@
 #define	POSTSIGTERM_WARN	"postsigterm"
 #define	SOFTLIM_WARN		"soft"
 #define	TMPFILE_WARN		"tmpfile"
+#define	EXPIRED_WARN		"expired"
 
 #define	AUDITWARN_SCRIPT	"/etc/security/audit_warn"
 #define	AUDITD_PIDFILE		"/var/run/auditd.pid"
@@ -76,6 +77,7 @@ int	audit_warn_nostart(void);
 int	audit_warn_postsigterm(void);
 int	audit_warn_soft(char *filename);
 int	audit_warn_tmpfile(void);
+int	audit_warn_expired(char *filename);
 
 void	auditd_openlog(int debug, gid_t gid);
 void	auditd_log_err(const char *fmt, ...);

contrib/openbsm/bsm/auditd_lib.h

@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#3 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $
  */
 
 #ifndef _BSM_AUDITD_LIB_H_
@@ -81,12 +81,14 @@
 #define	ADE_INVAL	-16	/* Invalid argument. */
 #define	ADE_GETADDR	-17	/* Error resolving address from hostname. */
 #define	ADE_ADDRFAM	-18	/* Address family not supported. */
+#define	ADE_EXPIRE	-19	/* Error expiring audit trail files. */
 
 /*
  * auditd_lib functions.
  */
 const char *auditd_strerror(int errcode);
 int auditd_set_minfree(void);
+int auditd_expire_trails(int (*warn_expired)(char *));
 int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
 void auditd_close_dirs(void);
 int auditd_set_evcmap(void);

contrib/openbsm/bsm/libbsm.h

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#42 $
  */
 
 #ifndef _LIBBSM_H_
@@ -76,13 +76,14 @@
 #define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
 #define	AUDIT_USER_FILE		"/etc/security/audit_user"
 
-#define	DIR_CONTROL_ENTRY	"dir"
-#define	MINFREE_CONTROL_ENTRY	"minfree"
-#define	FILESZ_CONTROL_ENTRY	"filesz"
-#define	FLAGS_CONTROL_ENTRY	"flags"
-#define	NA_CONTROL_ENTRY	"naflags"
-#define	POLICY_CONTROL_ENTRY	"policy"
+#define	DIR_CONTROL_ENTRY		"dir"
+#define	MINFREE_CONTROL_ENTRY		"minfree"
+#define	FILESZ_CONTROL_ENTRY		"filesz"
+#define	FLAGS_CONTROL_ENTRY		"flags"
+#define	NA_CONTROL_ENTRY		"naflags"
+#define	POLICY_CONTROL_ENTRY		"policy"
 #define	AUDIT_HOST_CONTROL_ENTRY	"host"
+#define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"
 
 #define	AU_CLASS_NAME_MAX	8
 #define	AU_CLASS_DESC_MAX	72
@@ -766,6 +767,7 @@ int			 getacflg(char *auditstr, int len);
 int			 getacna(char *auditstr, int len);
 int			 getacpol(char *auditstr, size_t len);
 int			 getachost(char *auditstr, size_t len);
+int			 getacexpire(int *andflg, time_t *age, size_t *size);
 int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
 int			 getauditflagschar(char *auditstr, au_mask_t *masks,
 			    int verbose);