authorMatt Barden <matt.barden@nexenta.com>2018-01-12 19:16:25 -0500
committerGordon Ross <gwr@nexenta.com>2019-10-25 10:36:03 -0400
commitb5c366f4aa9361f18dccd4d00380b3e2e36be40c (patch)
tree23c33c5a6d9d566947c45f280595d2ef282a674b
parent7284664a1faa361af4ff33ba5435d43d3ee07bf2 (diff)
11037 SMB File access audit logging (reserve IDs)
Reviewed by: Gordon Ross <gordon.ross@nexenta.com> Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com> Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com> Reviewed by: Rick McNeal <rick.mcneal@nexenta.com> Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com> Reviewed by: John Levon <john.levon@joyent.com>
-rw-r--r--usr/src/cmd/auditrecord/audit_record_attr.txt9
-rw-r--r--usr/src/cmd/auditreduce/auditrt.h3
-rw-r--r--usr/src/cmd/praudit/toktable.h3
-rw-r--r--usr/src/lib/libbsm/audit_class.txt5
-rw-r--r--usr/src/lib/libbsm/audit_event.txt2
-rw-r--r--usr/src/uts/common/c2/audit_kevents.h4
-rw-r--r--usr/src/uts/common/c2/audit_record.h8
7 files changed, 31 insertions, 3 deletions
diff --git a/usr/src/cmd/auditrecord/audit_record_attr.txt b/usr/src/cmd/auditrecord/audit_record_attr.txt
index 198d7fec0b..6284b554cf 100644
--- a/usr/src/cmd/auditrecord/audit_record_attr.txt
+++ b/usr/src/cmd/auditrecord/audit_record_attr.txt
@@ -3,6 +3,7 @@
# other comments are removed.
##
## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
+## Copyright 2018 Nexenta Systems, Inc. All rights reserved.
## Copyright 2019 Joyent, Inc.
##
## CDDL HEADER START
@@ -1485,6 +1486,14 @@ label=AUE_RFSSYS
label=AUE_RMDIR
format=path:[attr]
+label=AUE_SACL
+ title=File Access Audit
+ syscall=none
+ see=none
+ format=head:path:arg1:[text]2:subj
+ comment="access_mask":
+ comment="Windows SID"
+
label=AUE_SEMCTL
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
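Review bot: The `AUE_SACL` record is documented as `format=head:path:arg1:[text]2:subj`, so the access mask is an ordinary arg token and the Windows SID a text token, yet the same commit reserves dedicated `AUT_ACCESS_MASK` and `AUT_WSID` token IDs in audit_record.h. Anyone writing a parser or detection rule from this entry needs to know which encoding the records will actually carry. If the dedicated tokens are the intended final form, say so here; if arg/text is final, the reserved IDs deserve a comment explaining what they are for. The `"access_mask"` comment also omits the argument number and description that the neighbouring `comment=1, semaphore ID, "sem ID"` entry gives.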
diff --git a/usr/src/cmd/auditreduce/auditrt.h b/usr/src/cmd/auditreduce/auditrt.h
index 64d186d136..984d05825f 100644
--- a/usr/src/cmd/auditreduce/auditrt.h
+++ b/usr/src/cmd/auditreduce/auditrt.h
@@ -21,6 +21,8 @@
/*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
+ *
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _AUDITRT_H
@@ -155,6 +157,7 @@ typedef struct audit_pcb audit_pcb_t;
#define OBJ_SHMOWNER 0x10000 /* 'o' shared memory [c]owner */
#define OBJ_FMRI 0x20000 /* 'o' fmri object */
#define OBJ_USER 0x40000 /* 'o' user object */
+#define OBJ_WSID 0x80000 /* 'o' windows sid object */
#define SOCKFLG_MACHINE 0 /* search socket token by machine name */
#define SOCKFLG_PORT 1 /* search socket token by port number */
diff --git a/usr/src/cmd/praudit/toktable.h b/usr/src/cmd/praudit/toktable.h
index 77c11cf0ac..20428b521c 100644
--- a/usr/src/cmd/praudit/toktable.h
+++ b/usr/src/cmd/praudit/toktable.h
@@ -21,6 +21,8 @@
/*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
+ *
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _TOKTABLE_H
@@ -156,6 +158,7 @@ enum tagnum_t { TAG_INVALID = MAXTOKEN,
TAG_ACETYPE, /* with ace token */
TAG_ACEID, /* with ace token */
TAG_USERNAME, /* with user token */
+ TAG_WSID, /* with wsid token */
MAXTAG
};
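Review bot: `TAG_WSID` is added to `tagnum_t` just before `MAXTAG`, but the diffstat lists no change to the praudit source that holds the tag and token tables. If those tables are sized or indexed by this enum (not visible here), the new slot has no name or print handler, so a record carrying the wsid token would not be rendered and SACL audit events would be hard to review. Since this commit only reserves IDs, I would state that at the definition, e.g. `TAG_WSID, /* with wsid token (reserved; no table entry yet) */`, and add the table entry in the change that first emits the token. The enum starts above this hunk.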
diff --git a/usr/src/lib/libbsm/audit_class.txt b/usr/src/lib/libbsm/audit_class.txt
index ae51e5fb53..30b0d84716 100644
--- a/usr/src/lib/libbsm/audit_class.txt
+++ b/usr/src/lib/libbsm/audit_class.txt
@@ -2,6 +2,8 @@
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
+# Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
@@ -21,8 +23,6 @@
#
# CDDL HEADER END
#
-# ident "%Z%%M% %I% %E% SMI"
-#
# User Level Class Masks
#
# Developers: If you change this file you must also edit audit.h.
@@ -66,6 +66,7 @@
0x00800000:xc:X - object create/destroy
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
+0x02000000:sa:SACL-based File Access Auditing
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:other
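Review bot: The new `sa` class at `0x02000000` is added without the audit.h change that this file's own header requires (`If you change this file you must also edit audit.h`); audit.h is not among the seven files in the diffstat. If every class is expected to have a matching mask constant there, as that comment suggests, code that builds preselection masks from the header cannot name the class, and SACL file-access events could end up unselected without anyone noticing. Either add the constant in this commit or state in the commit message which change carries it.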
diff --git a/usr/src/lib/libbsm/audit_event.txt b/usr/src/lib/libbsm/audit_event.txt
index 242aab3703..393d98ab62 100644
--- a/usr/src/lib/libbsm/audit_event.txt
+++ b/usr/src/lib/libbsm/audit_event.txt
@@ -1,5 +1,6 @@
#
# Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright 2018 Nexenta Systems, Inc. All rights reserved.
#
#
# CDDL HEADER START
@@ -361,6 +362,7 @@
310:AUE_AUDITON_GETAMASK:auditon(2) - get default user preselection mask:aa
311:AUE_AUDITON_SETAMASK:auditon(2) - set default user preselection mask:as
312:AUE_PSECFLAGS:psecflags(2) - set process security flags:pm
+313:AUE_SACL:SACL-based File Access Auditing:sa
#
# user level audit events
# 2048 - 6143 Reserved
diff --git a/usr/src/uts/common/c2/audit_kevents.h b/usr/src/uts/common/c2/audit_kevents.h
index 212983ebce..ae6ee7351d 100644
--- a/usr/src/uts/common/c2/audit_kevents.h
+++ b/usr/src/uts/common/c2/audit_kevents.h
@@ -20,6 +20,7 @@
*/
/*
* Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _BSM_AUDIT_KEVENTS_H
@@ -348,9 +349,10 @@ extern "C" {
#define AUE_AUDITON_GETAMASK 310 /* =aa */
#define AUE_AUDITON_SETAMASK 311 /* =as */
#define AUE_PSECFLAGS 312 /* =pm psecflags */
+#define AUE_SACL 313 /* =sa SACL auditing */
/* NOTE: update MAX_KEVENTS below if events are added. */
-#define MAX_KEVENTS 312
+#define MAX_KEVENTS 313
#ifdef __cplusplus
}
diff --git a/usr/src/uts/common/c2/audit_record.h b/usr/src/uts/common/c2/audit_record.h
index 14a5003bd4..3a57c3b8e5 100644
--- a/usr/src/uts/common/c2/audit_record.h
+++ b/usr/src/uts/common/c2/audit_record.h
@@ -21,6 +21,8 @@
/*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
+ *
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _BSM_AUDIT_RECORD_H
@@ -189,6 +191,12 @@ extern "C" {
#define AUT_IN_ADDR_EX ((char)0x7e)
#define AUT_SOCKET_EX ((char)0x7f)
+/*
+ * Can't do >= 0x80 because these are chars. 0x16/0x17 seem to be free here,
+ * but who knows if they have historical uses
+ */
+#define AUT_ACCESS_MASK ((char)0x16)
+#define AUT_WSID ((char)0x17)
/*
* Audit print suggestion types.
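Review bot: The comment on `AUT_ACCESS_MASK`/`AUT_WSID` says `0x16`/`0x17` only "seem to be free", which is weak for values that audit-trail readers dispatch on byte for byte. A collision with an ID found in older trails or used by another consumer of this format would make those records parse as the wrong token. Once it has been verified, the comment should record what was checked, e.g. `/* 0x16/0x17: unused in this header and in the praudit/auditreduce token tables as of this change */`. The two defines also sit after `0x7f`, out of numeric order; placing them beside the other low-numbered token IDs (outside this hunk) would make a future clash easier to spot.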