#include <roken.h>
-#include <fcntl.h>
-#include <stdarg.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#ifndef AFS_NT40_ENV
-#include <unistd.h>
-#endif
#ifdef AFS_AIX32_ENV
#include <sys/audit.h>
#else
#define AUDIT_FAIL_ACCESS 3
#define AUDIT_FAIL_PRIV 4
#endif /* AFS_AIX32_ENV */
-#include <errno.h>
+#include <afs/opr.h>
#include "afs/afsint.h"
+#include "afs/butc.h"
#include <rx/rx.h>
#include <rx/rxkad.h>
#include "audit.h"
#include "audit-api.h"
#include "lock.h"
-#ifdef AFS_AIX32_ENV
-#include <sys/audit.h>
-#endif
-#include <afs/afsutil.h>
-/* C99 requires va_copy. Older versions of GCC provide __va_copy. Per t
- Autoconf manual, memcpy is a generally portable fallback. */
-#ifndef va_copy
-# ifdef __va_copy
-# define va_copy(d, s) __va_copy((d), (s))
-# else
-# define va_copy(d, s) memcpy(&(d), &(s), sizeof(va_list))
-# endif
-#endif
+#include <afs/afsutil.h>
extern struct osi_audit_ops audit_file_ops;
#ifdef HAVE_SYS_IPC_H
#endif
static struct {
+ void *rock;
+ int (*islocal)(void *rock, char *name, char *inst, char *cell);
+} audit_user_check = { NULL, NULL };
+
+static struct {
const char *name;
const struct osi_audit_ops *ops;
} audit_interfaces[] = {
bufferPtr += sizeof(struct AFSFid);
break;
}
+ /* butc tape label */
+ case AUD_TLBL:
+ {
+ struct tc_tapeLabel *label;
+
+ label = (struct tc_tapeLabel *)va_arg(vaList,
+ struct tc_tapeLabel *);
+ if (label)
+ memcpy(bufferPtr, label, sizeof(*label));
+ else
+ memset(bufferPtr, 0, sizeof(*label));
+ bufferPtr += sizeof(label);
+ break;
+ }
+ /* butc dump interface */
+ case AUD_TDI:
+ {
+ struct tc_dumpInterface *di;
+
+ di = (struct tc_dumpInterface *)
+ va_arg(vaList, struct tc_dumpInterface *);
+ if (di)
+ memcpy(bufferPtr, di, sizeof(*di));
+ else
+ memset(bufferPtr, 0, sizeof(*di));
+ bufferPtr += sizeof(*di);
+ break;
+ }
+ /*
+ * butc dump array
+ * An array of dump descriptions, but the AIX audit package assumes fixed
+ * length, so we can only do the first one for now.
+ */
+ case AUD_TDA:
+ {
+ struct tc_dumpArray *da;
+
+ da = (struct tc_dumpArray *)
+ va_arg(vaList, struct tc_dumpArray *);
+ if (da && da->tc_dumpArray_len) {
+ memcpy(bufferPtr, &da->tc_dumpArray_len, sizeof(u_int));
+ bufferPtr += sizeof(u_int);
+ memcpy(bufferPtr, da->tc_dumpArray_val,
+ sizeof(da->tc_dumpArray_val[0]));
+ } else {
+ memset(bufferPtr, 0, sizeof(u_int));
+ bufferPtr += sizeof(u_int);
+ memset(bufferPtr, 0, sizeof(da->tc_dumpArray_val[0]));
+ }
+ bufferPtr += sizeof(da->tc_dumpArray_val[0]);
+ break;
+ }
+ /*
+ * butc restore array
+ * An array of restore descriptions, but the AIX audit package assumes
+ * fixed length, so we can only do the first one for now.
+ */
+ case AUD_TRA:
+ {
+ struct tc_restoreArray *ra;
+
+ ra = (struct tc_restoreArray *)
+ va_arg(vaList, struct tc_restoreArray *);
+ if (ra && ra->tc_restoreArray_len) {
+ memcpy(bufferPtr, &ra->tc_restoreArray_len, sizeof(u_int));
+ bufferPtr += sizeof(u_int);
+ memcpy(bufferPtr, ra->tc_restoreArray_val,
+ sizeof(ra->tc_restoreArray_val[0]));
+ } else {
+ memset(bufferPtr, 0, sizeof(u_int));
+ bufferPtr += sizeof(u_int);
+ memset(bufferPtr, 0, sizeof(ra->tc_restoreArray_val[0]));
+ }
+ bufferPtr += sizeof(ra->tc_restoreArray_val[0]);
+ break;
+ }
+ /* butc tape controller status */
+ {
+ struct tciStatusS *status;
+
+ status = (struct tciStatusS *)va_arg(vaList,
+ struct tciStatusS *);
+ if (status)
+ memcpy(bufferPtr, status, sizeof(*status));
+ else
+ memset(bufferPtr, 0, sizeof(*status));
+ bufferPtr += sizeof(*status);
+ break;
+ }
default:
#ifdef AFS_AIX32_ENV
code =
char *vaStr;
struct AFSFid *vaFid;
struct AFSCBFids *vaFids;
+ struct tc_tapeLabel *vaLabel;
+ struct tc_dumpInterface *vaDI;
+ struct tc_dumpArray *vaDA;
+ struct tc_restoreArray *vaRA;
+ struct tciStatusS *vaTCstatus;
int num = LogThreadNum();
struct in_addr hostAddr;
time_t currenttime;
- char *timeStamp;
char tbuffer[26];
+ struct tm tm;
/* Don't print the timestamp or thread id if we recursed */
if (rec == 0) {
currenttime = time(0);
- timeStamp = afs_ctime(¤ttime, tbuffer,
- sizeof(tbuffer));
- timeStamp[24] = ' '; /* ts[24] is the newline, 25 is the null */
- audit_ops->append_msg(timeStamp);
+ if (strftime(tbuffer, sizeof(tbuffer), "%a %b %d %H:%M:%S %Y ",
+ localtime_r(¤ttime, &tm)) !=0)
+ audit_ops->append_msg(tbuffer);
if (num > -1)
audit_ops->append_msg("[%d] ", num);
vaFid = vaFids->AFSCBFids_val;
if (vaFid) {
- audit_ops->append_msg("FIDS %u FID %u:%u:%u ", vaFids->AFSCBFids_len, vaFid->Volume,
- vaFid->Vnode, vaFid->Unique);
- for ( i = 1; i < vaFids->AFSCBFids_len; i++, vaFid++ )
+ audit_ops->append_msg("FIDS %u ", vaFids->AFSCBFids_len);
+ for ( i = 1; i <= vaFids->AFSCBFids_len; i++, vaFid++ )
audit_ops->append_msg("FID %u:%u:%u ", vaFid->Volume,
vaFid->Vnode, vaFid->Unique);
} else
}
break;
+ case AUD_TLBL: /* butc tape label */
+ vaLabel = va_arg(vaList, struct tc_tapeLabel *);
+
+ if (vaLabel) {
+ audit_ops->append_msg("TAPELABEL %d:%.*s:%.*s:%u ",
+ vaLabel->size,
+ TC_MAXTAPELEN, vaLabel->afsname,
+ TC_MAXTAPELEN, vaLabel->pname,
+ vaLabel->tapeId);
+ } else {
+ audit_ops->append_msg("TAPELABEL <null>");
+ }
+ break;
+ case AUD_TDI:
+ vaDI = va_arg(vaList, struct tc_dumpInterface *);
+
+ if (vaDI) {
+ audit_ops->append_msg(
+ "TCDUMPINTERFACE %.*s:%.*s:%.*s:%d:%d:%d:%d:%.*s:%.*s:%d:%d:%d:%d:%d ",
+ TC_MAXDUMPPATH, vaDI->dumpPath, TC_MAXNAMELEN, vaDI->volumeSetName,
+ TC_MAXNAMELEN, vaDI->dumpName, vaDI->parentDumpId, vaDI->dumpLevel,
+ vaDI->doAppend,
+ vaDI->tapeSet.id, TC_MAXHOSTLEN, vaDI->tapeSet.tapeServer,
+ TC_MAXFORMATLEN, vaDI->tapeSet.format, vaDI->tapeSet.maxTapes,
+ vaDI->tapeSet.a, vaDI->tapeSet.b, vaDI->tapeSet.expDate,
+ vaDI->tapeSet.expType);
+ } else {
+ audit_ops->append_msg("TCDUMPINTERFACE <null>");
+ }
+ break;
+ case AUD_TDA:
+ vaDA = va_arg(vaList, struct tc_dumpArray *);
+
+ if (vaDA) {
+ u_int i;
+ struct tc_dumpDesc *desc;
+ struct in_addr hostAddr;
+
+ desc = vaDA->tc_dumpArray_val;
+ if (desc) {
+ audit_ops->append_msg("DUMPS %d ", vaDA->tc_dumpArray_len);
+ for (i = 0; i < vaDA->tc_dumpArray_len; i++, desc++) {
+ hostAddr.s_addr = desc->hostAddr;
+ audit_ops->append_msg("DUMP %d:%d:%.*s:%d:%d:%d:%s ",
+ desc->vid, desc->vtype, TC_MAXNAMELEN, desc->name,
+ desc->partition, desc->date, desc->cloneDate,
+ inet_ntoa(hostAddr));
+ }
+ } else {
+ audit_ops->append_msg("DUMPS 0 DUMP 0:0::0:0:0:0.0.0.0");
+ }
+ }
+ break;
+ case AUD_TRA:
+ vaRA = va_arg(vaList, struct tc_restoreArray *);
+
+ if (vaRA) {
+ u_int i;
+ struct tc_restoreDesc *desc;
+ struct in_addr hostAddr;
+
+ desc = vaRA->tc_restoreArray_val;
+ if (desc) {
+ audit_ops->append_msg("RESTORES %d ",
+ vaRA->tc_restoreArray_len);
+ for(i = 0; i < vaRA->tc_restoreArray_len; i++, desc++) {
+ hostAddr.s_addr = desc->hostAddr;
+ audit_ops->append_msg(
+ "RESTORE %d:%.*s:%d:%d:%d:%d:%d:%d:%d:%s:%.*s:%.*s ",
+ desc->flags, TC_MAXTAPELEN, desc->tapeName,
+ desc->dbDumpId, desc->initialDumpId,
+ desc->position, desc->origVid, desc->vid,
+ desc->partition, desc->dumpLevel,
+ inet_ntoa(hostAddr), TC_MAXNAMELEN,
+ desc->oldName, TC_MAXNAMELEN, desc->newName);
+ }
+ } else {
+ audit_ops->append_msg(
+ "RESTORES 0 RESTORE 0::0:0:0:0:0:0:0:0.0.0.0::: ");
+ }
+ }
+ break;
+ case AUD_TSTT:
+ vaTCstatus = va_arg(vaList, struct tciStatusS *);
+
+ if (vaTCstatus)
+ audit_ops->append_msg("TCSTATUS %.*s:%d:%d:%d:%d:%.*s:%d:%d ",
+ TC_MAXNAMELEN, vaTCstatus->taskName,
+ vaTCstatus->taskId, vaTCstatus->flags,
+ vaTCstatus->dbDumpId, vaTCstatus->nKBytes,
+ TC_MAXNAMELEN, vaTCstatus->volumeName,
+ vaTCstatus->volsFailed,
+ vaTCstatus->lastPolled);
+ else
+ audit_ops->append_msg("TCSTATUS <null>");
+ break;
default:
audit_ops->append_msg("--badval-- ");
break;
/* i'm pretty sure all the server apps now call osi_audit_init(),
* but to be extra careful we'll leave this assert in here for a
* while to make sure */
- osi_Assert(audit_lock_initialized);
+ opr_Assert(audit_lock_initialized);
#endif /* AFS_PTHREAD_ENV */
if ((osi_audit_all < 0) || (osi_echo_trail < 0))
struct rx_peer *peer;
afs_int32 secClass;
afs_int32 code;
- char afsName[MAXKTCNAMELEN];
+ char afsName[MAXKTCNAMELEN + MAXKTCNAMELEN + MAXKTCREALMLEN + 3];
afs_int32 hostId;
va_list vaList;
conn = rx_ConnectionOf(call); /* call -> conn) */
if (conn) {
secClass = rx_SecurityClassOf(conn); /* conn -> securityIndex */
- if (secClass == 0) { /* unauthenticated */
+ if (secClass == RX_SECIDX_NULL) { /* unauthenticated */
osi_audit("AFS_Aud_Unauth", (-1), AUD_STR, audEvent, AUD_END);
strcpy(afsName, "--UnAuth--");
- } else if (secClass == 2) { /* authenticated */
+ } else if (secClass == RX_SECIDX_KAD || secClass == RX_SECIDX_KAE) {
+ /* authenticated with rxkad */
char tcell[MAXKTCREALMLEN];
char name[MAXKTCNAMELEN];
char inst[MAXKTCNAMELEN];
- char vname[256];
- int ilen, clen;
code =
rxkad_GetServerInfo(conn, NULL, NULL, name, inst, tcell,
osi_audit("AFS_Aud_NoAFSId", (-1), AUD_STR, audEvent, AUD_END);
strcpy(afsName, "--NoName--");
} else {
- strncpy(vname, name, sizeof(vname));
- if ((ilen = strlen(inst))) {
- if (strlen(vname) + 1 + ilen >= sizeof(vname))
- goto done;
- strcat(vname, ".");
- strcat(vname, inst);
- }
- if ((clen = strlen(tcell))) {
-#if defined(AFS_ATHENA_STDENV) || defined(AFS_KERBREALM_ENV)
- static char local_realms[AFS_NUM_LREALMS][AFS_REALM_SZ];
- static int num_lrealms = -1;
- int i, lrealm_match;
-
- if (num_lrealms == -1) {
- for (i = 0; i < AFS_NUM_LREALMS; i++) {
- if (afs_krb_get_lrealm(local_realms[i], i) != 0 /*KSUCCESS*/)
- break;
- }
-
- if (i == 0)
- strncpy(local_realms[0], "UNKNOWN.LOCAL.REALM", AFS_REALM_SZ);
- num_lrealms = i;
- }
-
- /* Check to see if the ticket cell matches one of the local realms */
- lrealm_match = 0;
- for (i = 0; i < num_lrealms ; i++ ) {
- if (!strcasecmp(local_realms[i], tcell)) {
- lrealm_match = 1;
- break;
- }
- }
- /* If yes, then make sure that the name is not present in
- * an exclusion list */
- if (lrealm_match) {
- char uname[256];
- if (inst[0])
- snprintf(uname,sizeof(uname),"%s.%s@%s",name,inst,tcell);
- else
- snprintf(uname,sizeof(uname),"%s@%s",name,tcell);
-
- if (afs_krb_exclusion(uname))
- lrealm_match = 0;
- }
-
- if (!lrealm_match) {
- if (strlen(vname) + 1 + clen >= sizeof(vname))
- goto done;
- strcat(vname, "@");
- strcat(vname, tcell);
- }
-#endif
- }
- strcpy(afsName, vname);
- }
- } else { /* Unauthenticated & unknown */
+ afs_int32 islocal = 0;
+ if (audit_user_check.islocal) {
+ islocal =
+ audit_user_check.islocal(audit_user_check.rock,
+ name, inst, tcell);
+ }
+ strlcpy(afsName, name, sizeof(afsName));
+ if (inst[0]) {
+ strlcat(afsName, ".", sizeof(afsName));
+ strlcat(afsName, inst, sizeof(afsName));
+ }
+ if (tcell[0] && !islocal) {
+ strlcat(afsName, "@", sizeof(afsName));
+ strlcat(afsName, tcell, sizeof(afsName));
+ }
+ }
+ } else { /* Unauthenticated and/or unknown */
osi_audit("AFS_Aud_UnknSec", (-1), AUD_STR, audEvent, AUD_END);
strcpy(afsName, "--Unknown--");
}
- done:
peer = rx_PeerOf(conn); /* conn -> peer */
if (peer)
hostId = rx_HostOf(peer); /* peer -> host */
}
void
+osi_audit_set_user_check(void *rock,
+ int (*islocal) (void *rock, char *name, char *inst,
+ char *cell))
+{
+ audit_user_check.rock = rock;
+ audit_user_check.islocal = islocal;
+}
+
+void
audit_PrintStats(FILE *out)
{
audit_ops->print_interface_stats(out);