kauth: Add support for updated audit facility

New functionality was added to the audit facility that allows multiple
audit logs. The updated audit interfaces require a specific calling
sequence even if multiple audit logs are not used.

Support for multiple auditlogs is not supported for kauth. Since kauth
does not use libcmd for processing the command line, and adding support
for multiple audit log instances requires additional effort, that is not
warranted.

Update kauth to follow the proper calling sequences for the audit
facility.

Update help message and manpage entries for -auditlog and
-audit-interface.  Make note that multiple -auditlogs are not supported.

Change-Id: I98111b1e399e6687fde235bc2eadf0a28fa8acf4
Reviewed-on: https://gerrit.openafs.org/13782
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

diff --git a/doc/man-pages/pod8/kaserver.pod b/doc/man-pages/pod8/kaserver.pod
index 77f641a..dbd5ebf 100644 (file)
--- a/doc/man-pages/pod8/kaserver.pod
+++ b/doc/man-pages/pod8/kaserver.pod
@@ -8,8 +8,8 @@ kaserver - Initializes the Authentication Server
 <div class="synopsis">
 
 B<kaserver> [B<-noAuth>] [B<-database> <I<dbpath>>]
-    S<<< [B<-auditlog> <I<log path>>] >>>
-    S<<< [B<-audit-interface> (file | sysvmq)] >>>
+    S<<< [B<-auditlog> [<I<interface name>>:]<I<path to log file>>[:<I<parameters to interface>>]] >>>
+    S<<< [B<-audit-interface> <I<interface name>>] >>>
     S<<< [B<-localfiles> <I<lclpath>>] >>> S<<< [B<-minhours> <I<n>>] >>>
     S<<< [B<-servers> <I<serverlist>>] >>> [B<-enable_peer_stats>]
     [B<-enable_process_stats>] [B<-rxbind>] [B<-crossrealm>] [B<-help>]
@@ -109,18 +109,22 @@ Provide the B<-localfiles> argument along with this one; otherwise, the
 B<-localfiles> argument is also set to the value of this argument, which
 is probably inappropriate.
 
-=item B<-auditlog> <I<log path>>
+=item B<-auditlog> [<I<interface name>>:]<I<path to log file>>[:<I<parameters to interface>>]
 
 Turns on audit logging, and sets the path for the audit log.  The audit
 log records information about RPC calls, including the name of the RPC
 call, the host that submitted the call, the authenticated entity (user)
 that issued the call, the parameters for the call, and if the call
-succeeded or failed.
+succeeded or failed.  See L<fileserver(8)> for an explanation of the audit
+facility.
 
-=item B<-audit-interface> (file | sysvmq)
+Note: kaserver supports only a single -auditlog.
 
-Specifies what audit interface to use. Defaults to C<file>. See
-L<fileserver(8)> for an explanation of each interface.
+=item B<-audit-interface> <I<interface name>>
+
+Sets the default audit interface used by the B<-auditlog> option.  The
+initial default is the C<file> interface. See L<fileserver(8)> for
+an explanation of each interface.
 
 =item B<-localfiles> <I<lclpath>>
 

diff --git a/src/kauth/kaserver.c b/src/kauth/kaserver.c
index 584b611..14f793a 100644 (file)
--- a/src/kauth/kaserver.c
+++ b/src/kauth/kaserver.c
@@ -171,6 +171,7 @@ main(int argc, char *argv[])
     char clones[MAXHOSTSPERCELL];
     char hoststr[16];
     afs_uint32 host = ntohl(INADDR_ANY);
+    char *auditIFace = NULL;
     char *auditFileName = NULL;
     struct logOptions logopts;
 
@@ -202,7 +203,8 @@ main(int argc, char *argv[])
     if (argc == 0) {
       usage:
        printf("Usage: kaserver [-noAuth] [-database <dbpath>] "
-              "[-auditlog <log path>] [-audit-interface <file|sysvmq>] "
+              "[-auditlog [<interface>:]<path>[:<options>]] "
+              "[-audit-interface <default interface>] "
               "[-rxbind] [-localfiles <lclpath>] [-minhours <n>] "
               "[-servers <serverlist>] [-crossrealm] "
               "[-enable_peer_stats] [-enable_process_stats] "
@@ -252,15 +254,18 @@ main(int argc, char *argv[])
                lclpath = dbpath;
        }
        else if (strncmp(arg, "-auditlog", arglen) == 0) {
+           if (a + 1 >= argc) {
+               fprintf(stderr, "missing argument for -auditlog\n");
+               exit(2);
+           }
            auditFileName = argv[++a];
 
        } else if (strncmp(arg, "-audit-interface", arglen) == 0) {
-           char *interface = argv[++a];
-
-           if (osi_audit_interface(interface)) {
-               printf("Invalid audit interface '%s'\n", interface);
-               exit(1);
+           if (a + 1 >= argc) {
+               fprintf(stderr, "missing argument for -audit-interface\n");
+               exit(2);
            }
+           auditIFace = argv[++a];
 
        } else if (strcmp(arg, "-localfiles") == 0)
            lclpath = argv[++a];
@@ -304,10 +309,18 @@ main(int argc, char *argv[])
        }
     }
 
+    if (auditIFace) {
+       if (osi_audit_interface(auditIFace)) {
+           fprintf(stderr, "Invalid audit-interface '%s'\n", auditIFace);
+           exit(1);
+       }
+    }
     if (auditFileName) {
        osi_audit_file(auditFileName);
     }
 
+    osi_audit_open();
+
     if ((code = ka_CellConfig(cellservdb)))
        goto abort;
     cell = ka_LocalCell();