authorAlex Wilson <alex@uq.edu.au>2019-09-13 13:56:31 +1000
committerJohn Levon <john.levon@joyent.com>2019-10-29 16:17:30 +0000
commit241bfedfbd27da9d3f2aa7ffaafa5da978f23afe (patch)
treefd1524f0700d18b084563f82a561fc6cb2ac98ff
parent8675de3a4bb7d310dd672e8f2bf479154e07c678 (diff)
downloadillumos-joyent-241bfedfbd27da9d3f2aa7ffaafa5da978f23afe.tar.gz
11842 Want audit events for auditon(A_SETPMASK) and friends
Reviewed by: John Levon <john.levon@joyent.com> Reviewed by: Andy Fiddaman <andy@omniosce.org> Approved by: Robert Mustacchi <rm@fingolfin.org>
-rw-r--r--usr/src/cmd/auditrecord/audit_record_attr.txt30
-rw-r--r--usr/src/lib/libbsm/audit_class.txt2
-rw-r--r--usr/src/lib/libbsm/audit_event.txt5
-rw-r--r--usr/src/uts/common/c2/audit_event.c66
-rw-r--r--usr/src/uts/common/c2/audit_kevents.h9
5 files changed, 107 insertions, 5 deletions
diff --git a/usr/src/cmd/auditrecord/audit_record_attr.txt b/usr/src/cmd/auditrecord/audit_record_attr.txt
index 6284b554cf..fdc4fa46eb 100644
--- a/usr/src/cmd/auditrecord/audit_record_attr.txt
+++ b/usr/src/cmd/auditrecord/audit_record_attr.txt
@@ -459,6 +459,36 @@ label=AUE_AUDITON_SQCTRL
# return,failure: Not owner,-1
# trailer,176
+label=AUE_AUDITON_SETPMASK
+ format=[arg]1:[arg]2
+ comment=3, "setpmask&colon;pid", process
+ comment=3, "setpmask&colon;as_success", audit ID mask:
+ comment=3, "setpmask&colon;as_failure", audit ID mask
+ syscall=auditon: SETPMASK
+
+label=AUE_AUDITON_SETKAUDIT
+ format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
+ comment=1, audit user ID, "auid":
+ comment=1, terminal ID, "port":
+ comment=1, type, "type":
+ comment=1, terminal ID, "ip address":
+ comment=1, preselection mask, "as_success":
+ comment=1, preselection mask, "as_failure":
+ comment=1, audit session ID, "asid"
+ syscall=auditon: SETKAUDIT
+
+label=AUE_AUDITON_GETPINFO
+ format=kernel
+ syscall=auditon: GETPINFO
+
+label=AUE_AUDITON_GETKAUDIT
+ format=kernel
+ syscall=auditon: GETKAUDIT
+
+label=AUE_AUDITON_OTHER
+ format=kernel
+ syscall=auditon: OTHER
+
label=AUE_AUDITON_STERMID
skip=Not used.
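Review bot: The AUE_AUDITON_SETPMASK entry's `format=[arg]1:[arg]2` names two tokens, but the three comment lines under it describe three argument tokens, all numbered 3 — which matches the three `au_to_arg32(3, ...)` calls the kernel side of this commit emits for this event — so the format line and the comment numbering cannot both be right. The AUE_AUDITON_SETKAUDIT entry that follows lists all seven of its tokens explicitly and looks like the safer model; please verify the intended form against the file's format conventions. The line `comment=3, "setpmask&colon;pid", process` also lacks the trailing colon that the middle line and every non-final SETKAUDIT comment line carry; if that colon is a separator it should be `comment=3, "setpmask&colon;pid", process:`.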
diff --git a/usr/src/lib/libbsm/audit_class.txt b/usr/src/lib/libbsm/audit_class.txt
index 30b0d84716..da241cbe77 100644
--- a/usr/src/lib/libbsm/audit_class.txt
+++ b/usr/src/lib/libbsm/audit_class.txt
@@ -25,8 +25,6 @@
#
# User Level Class Masks
#
-# Developers: If you change this file you must also edit audit.h.
-#
# "Meta-classes" can be created; these are supersets composed of multiple base
# classes, and thus will have more than 1 bit in its mask. See "ad", "all",
# "am", and "pc" below for examples.
diff --git a/usr/src/lib/libbsm/audit_event.txt b/usr/src/lib/libbsm/audit_event.txt
index 393d98ab62..2db2fc017e 100644
--- a/usr/src/lib/libbsm/audit_event.txt
+++ b/usr/src/lib/libbsm/audit_event.txt
@@ -363,6 +363,11 @@
311:AUE_AUDITON_SETAMASK:auditon(2) - set default user preselection mask:as
312:AUE_PSECFLAGS:psecflags(2) - set process security flags:pm
313:AUE_SACL:SACL-based File Access Auditing:sa
+314:AUE_AUDITON_GETPINFO:auditon(2) - get process info:aa
+315:AUE_AUDITON_SETPMASK:auditon(2) - set process preselection mask:as
+316:AUE_AUDITON_GETKAUDIT:auditon(2) - get kernel audit characteristics:aa
+317:AUE_AUDITON_SETKAUDIT:auditon(2) - set kernel audit characteristics:as
+318:AUE_AUDITON_OTHER:auditon(2) - other event:aa
#
# user level audit events
# 2048 - 6143 Reserved
diff --git a/usr/src/uts/common/c2/audit_event.c b/usr/src/uts/common/c2/audit_event.c
index 1cb523121f..4d97735fac 100644
--- a/usr/src/uts/common/c2/audit_event.c
+++ b/usr/src/uts/common/c2/audit_event.c
@@ -3039,8 +3039,21 @@ aui_auditsys(au_event_t e)
case A_SETCLASS:
e = AUE_AUDITON_SETCLASS;
break;
+ case A_GETPINFO:
+ case A_GETPINFO_ADDR:
+ e = AUE_AUDITON_GETPINFO;
+ break;
+ case A_SETPMASK:
+ e = AUE_AUDITON_SETPMASK;
+ break;
+ case A_GETKAUDIT:
+ e = AUE_AUDITON_GETKAUDIT;
+ break;
+ case A_SETKAUDIT:
+ e = AUE_AUDITON_SETKAUDIT;
+ break;
default:
- e = AUE_NULL;
+ e = AUE_AUDITON_OTHER;
break;
}
break;
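Review bot: The new default arm changes behaviour for every auditon(2) command not listed in the switch, including any the syscall itself rejects: previously such calls mapped to AUE_NULL and produced no record, now each produces an AUE_AUDITON_OTHER record. That is a defensible choice for visibility, but it deserves a comment at the default arm, e.g. `/* Any unlisted (or invalid) auditon command still gets a generic record. */`, since a reader will otherwise assume the arm is unreachable. aui_auditsys and its outer switch begin and end outside the hunk.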
@@ -3061,6 +3074,7 @@ aus_auditsys(struct t_audit_data *tad)
uintptr_t a1, a2;
STRUCT_DECL(auditinfo, ainfo);
STRUCT_DECL(auditinfo_addr, ainfo_addr);
+ STRUCT_DECL(auditpinfo, apinfo);
au_evclass_map_t event;
au_mask_t mask;
int auditstate, policy;
@@ -3238,6 +3252,53 @@ aus_auditsys(struct t_audit_data *tad)
au_uwrite(au_to_arg32(
3, "setclass:ec_class", (uint32_t)event.ec_class));
break;
+ case AUE_AUDITON_SETPMASK:
+ STRUCT_INIT(apinfo, get_udatamodel());
+ if (copyin((caddr_t)uap->a2, STRUCT_BUF(apinfo),
+ STRUCT_SIZE(apinfo))) {
+ return;
+ }
+ au_uwrite(au_to_arg32(3, "setpmask:pid",
+ (uint32_t)STRUCT_FGET(apinfo, ap_pid)));
+ au_uwrite(au_to_arg32(3, "setpmask:as_success",
+ (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_success)));
+ au_uwrite(au_to_arg32(3, "setpmask:as_failure",
+ (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_failure)));
+ break;
+ case AUE_AUDITON_SETKAUDIT:
+ STRUCT_INIT(ainfo_addr, get_udatamodel());
+ if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
+ STRUCT_SIZE(ainfo_addr))) {
+ return;
+ }
+ au_uwrite(au_to_arg32((char)1, "auid",
+ (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
+#ifdef _LP64
+ au_uwrite(au_to_arg64((char)1, "port",
+ (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
+#else
+ au_uwrite(au_to_arg32((char)1, "port",
+ (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
+#endif
+ au_uwrite(au_to_arg32((char)1, "type",
+ (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
+ if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
+ AU_IPv4) {
+ au_uwrite(au_to_in_addr(
+ (struct in_addr *)STRUCT_FGETP(ainfo_addr,
+ ai_termid.at_addr)));
+ } else {
+ au_uwrite(au_to_in_addr_ex(
+ (int32_t *)STRUCT_FGETP(ainfo_addr,
+ ai_termid.at_addr)));
+ }
+ au_uwrite(au_to_arg32((char)1, "as_success",
+ (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
+ au_uwrite(au_to_arg32((char)1, "as_failure",
+ (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
+ au_uwrite(au_to_arg32((char)1, "asid",
+ (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
+ break;
case AUE_GETAUID:
case AUE_GETAUDIT:
case AUE_GETAUDIT_ADDR:
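Review bot: The AUE_AUDITON_SETKAUDIT case copies its auditinfo_addr from `(caddr_t)a1`, whereas the AUE_AUDITON_SETPMASK case just above copies its auditpinfo from `(caddr_t)uap->a2`; both are auditon(2) subcommands whose user buffer arrives in the same argument slot, so one of the two reads the wrong slot. If a1 holds the auditon command word, as the SETPMASK case suggests, the copyin fails and the early `return` emits an AUE_AUDITON_SETKAUDIT record with no argument tokens and no sign that the attributes were dropped; `if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo_addr),` would match the sibling case. Where a1 is assigned lies outside the hunk, so please confirm against that assignment. aus_auditsys starts and ends outside this hunk.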
@@ -3252,6 +3313,9 @@ aus_auditsys(struct t_audit_data *tad)
case AUE_AUDITON_SETSTAT:
case AUE_AUDITON_GETCOND:
case AUE_AUDITON_GETCLASS:
+ case AUE_AUDITON_GETPINFO:
+ case AUE_AUDITON_GETKAUDIT:
+ case AUE_AUDITON_OTHER:
break;
default:
break;
diff --git a/usr/src/uts/common/c2/audit_kevents.h b/usr/src/uts/common/c2/audit_kevents.h
index ae6ee7351d..9cd650c858 100644
--- a/usr/src/uts/common/c2/audit_kevents.h
+++ b/usr/src/uts/common/c2/audit_kevents.h
@@ -349,10 +349,15 @@ extern "C" {
#define AUE_AUDITON_GETAMASK 310 /* =aa */
#define AUE_AUDITON_SETAMASK 311 /* =as */
#define AUE_PSECFLAGS 312 /* =pm psecflags */
-#define AUE_SACL 313 /* =sa SACL auditing */
+#define AUE_SACL 313 /* =sa SACL auditing (reserved) */
+#define AUE_AUDITON_GETPINFO 314 /* =aa */
+#define AUE_AUDITON_SETPMASK 315 /* =as */
+#define AUE_AUDITON_GETKAUDIT 316 /* =aa */
+#define AUE_AUDITON_SETKAUDIT 317 /* =as */
+#define AUE_AUDITON_OTHER 318 /* =aa */
/* NOTE: update MAX_KEVENTS below if events are added. */
-#define MAX_KEVENTS 313
+#define MAX_KEVENTS 318
#ifdef __cplusplus
}