1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * auditconfig - set and display audit parameters
27 */
28
29 #include <locale.h>
30 #include <sys/types.h>
31 #include <ctype.h>
32 #include <stdlib.h>
33 #include <stdarg.h>
34 #include <unistd.h>
35 #include <errno.h>
36 #include <sys/param.h>
37 #include <stdio.h>
38 #include <string.h>
39 #include <strings.h>
40 #include <nlist.h>
41 #include <fcntl.h>
42 #include <sys/socket.h>
43 #include <netdb.h>
44 #include <netinet/in.h>
45 #include <arpa/inet.h>
46 #include <sys/mkdev.h>
47 #include <sys/param.h>
48 #include <pwd.h>
49 #include <libintl.h>
50 #include <zone.h>
51 #include <libscf_priv.h>
52 #include <tsol/label.h>
53 #include <bsm/libbsm.h>
54 #include <audit_policy.h>
55 #include <audit_scf.h>
56
57 enum commands {
58 AC_ARG_ACONF,
59 AC_ARG_AUDIT,
60 AC_ARG_CHKACONF,
61 AC_ARG_CHKCONF,
62 AC_ARG_CONF,
63 AC_ARG_GETASID,
64 AC_ARG_GETAUDIT,
65 AC_ARG_GETAUID,
66 AC_ARG_GETCAR,
67 AC_ARG_GETCLASS,
68 AC_ARG_GETCOND,
69 AC_ARG_GETCWD,
70 AC_ARG_GETESTATE,
71 AC_ARG_GETFLAGS,
72 AC_ARG_GETKAUDIT,
73 AC_ARG_GETKMASK,
74 AC_ARG_GETNAFLAGS,
75 AC_ARG_GETPINFO,
76 AC_ARG_GETPLUGIN,
77 AC_ARG_GETPOLICY,
78 AC_ARG_GETQBUFSZ,
79 AC_ARG_GETQCTRL,
80 AC_ARG_GETQDELAY,
81 AC_ARG_GETQHIWATER,
82 AC_ARG_GETQLOWATER,
83 AC_ARG_GETSTAT,
84 AC_ARG_GETTERMID,
85 AC_ARG_LSEVENT,
86 AC_ARG_LSPOLICY,
87 AC_ARG_SETASID,
88 AC_ARG_SETAUDIT,
89 AC_ARG_SETAUID,
90 AC_ARG_SETCLASS,
91 AC_ARG_SETFLAGS,
92 AC_ARG_SETKAUDIT,
93 AC_ARG_SETKMASK,
94 AC_ARG_SETNAFLAGS,
95 AC_ARG_SETPLUGIN,
96 AC_ARG_SETPMASK,
97 AC_ARG_SETPOLICY,
98 AC_ARG_SETQBUFSZ,
99 AC_ARG_SETQCTRL,
100 AC_ARG_SETQDELAY,
101 AC_ARG_SETQHIWATER,
102 AC_ARG_SETQLOWATER,
103 AC_ARG_SETSMASK,
104 AC_ARG_SETSTAT,
105 AC_ARG_SETUMASK,
106 AC_ARG_SET_TEMPORARY
107 };
108
109 #define AC_KERN_EVENT 0
110 #define AC_USER_EVENT 1
111
112 #define NONE(s) (!strlen(s) ? gettext("none") : s)
113
114 #define ONEK 1024
115
116 /*
117 * remove this after the audit.h is fixed
118 */
119 struct arg_entry {
120 char *arg_str;
121 char *arg_opts;
122 enum commands auditconfig_cmd;
123 boolean_t temporary_allowed; /* -t allowed for the option */
124 };
125 typedef struct arg_entry arg_entry_t;
126
127 /* arg_table - command option and usage message table */
128 static arg_entry_t arg_table[] = {
129 { "-aconf", "", AC_ARG_ACONF, B_FALSE},
130 { "-audit", " event sorf retval string", AC_ARG_AUDIT, B_FALSE},
131 { "-chkaconf", "", AC_ARG_CHKACONF, B_FALSE},
132 { "-chkconf", "", AC_ARG_CHKCONF, B_FALSE},
133 { "-conf", "", AC_ARG_CONF, B_FALSE},
134 { "-getasid", "", AC_ARG_GETASID, B_FALSE},
135 { "-getaudit", "", AC_ARG_GETAUDIT, B_FALSE},
136 { "-getauid", "", AC_ARG_GETAUID, B_FALSE},
137 { "-getcar", "", AC_ARG_GETCAR, B_FALSE},
138 { "-getclass", " event", AC_ARG_GETCLASS, B_FALSE},
139 { "-getcond", "", AC_ARG_GETCOND, B_FALSE},
140 { "-getcwd", "", AC_ARG_GETCWD, B_FALSE},
141 { "-getestate", " event", AC_ARG_GETESTATE, B_FALSE},
142 { "-getflags", "", AC_ARG_GETFLAGS, B_FALSE},
143 { "-getkaudit", "", AC_ARG_GETKAUDIT, B_FALSE},
144 { "-getkmask", "", AC_ARG_GETKMASK, B_FALSE},
145 { "-getnaflags", "", AC_ARG_GETNAFLAGS, B_FALSE},
146 { "-getpinfo", " pid", AC_ARG_GETPINFO, B_FALSE},
147 { "-getplugin", " [plugin]", AC_ARG_GETPLUGIN, B_FALSE},
148 { "-getpolicy", "", AC_ARG_GETPOLICY, B_TRUE},
149 { "-getqbufsz", "", AC_ARG_GETQBUFSZ, B_TRUE},
150 { "-getqctrl", "", AC_ARG_GETQCTRL, B_TRUE},
151 { "-getqdelay", "", AC_ARG_GETQDELAY, B_TRUE},
152 { "-getqhiwater", "", AC_ARG_GETQHIWATER, B_TRUE},
153 { "-getqlowater", "", AC_ARG_GETQLOWATER, B_TRUE},
154 { "-getstat", "", AC_ARG_GETSTAT, B_FALSE},
155 { "-gettid", "", AC_ARG_GETTERMID, B_FALSE},
156 { "-lsevent", "", AC_ARG_LSEVENT, B_FALSE},
157 { "-lspolicy", "", AC_ARG_LSPOLICY, B_FALSE},
158 { "-setasid", " asid [cmd]", AC_ARG_SETASID, B_FALSE},
159 { "-setaudit", " auid audit_flags termid asid [cmd]",
160 AC_ARG_SETAUDIT, B_FALSE},
161 { "-setauid", " auid [cmd]", AC_ARG_SETAUID, B_FALSE},
162 { "-setclass", " event audit_flags", AC_ARG_SETCLASS, B_FALSE},
163 { "-setflags", " audit_flags", AC_ARG_SETFLAGS, B_FALSE},
164 { "-setkaudit", " type IP_address", AC_ARG_SETKAUDIT, B_FALSE},
165 { "-setkmask", " audit_flags", AC_ARG_SETKMASK, B_FALSE},
166 { "-setnaflags", " audit_naflags", AC_ARG_SETNAFLAGS, B_FALSE},
167 { "-setplugin", " name active|inactive [attributes [qsize]]",
168 AC_ARG_SETPLUGIN, B_FALSE},
169 { "-setpmask", " pid audit_flags", AC_ARG_SETPMASK, B_FALSE},
170 { "-setpolicy", " [+|-]policy_flags", AC_ARG_SETPOLICY, B_TRUE},
171 { "-setqbufsz", " bufsz", AC_ARG_SETQBUFSZ, B_TRUE},
172 { "-setqctrl", " hiwater lowater bufsz delay",
173 AC_ARG_SETQCTRL, B_TRUE},
174 { "-setqdelay", " delay", AC_ARG_SETQDELAY, B_TRUE},
175 { "-setqhiwater", " hiwater", AC_ARG_SETQHIWATER, B_TRUE},
176 { "-setqlowater", " lowater", AC_ARG_SETQLOWATER, B_TRUE},
177 { "-setsmask", " asid audit_flags", AC_ARG_SETSMASK, B_FALSE},
178 { "-setstat", "", AC_ARG_SETSTAT, B_FALSE},
179 { "-setumask", " user audit_flags", AC_ARG_SETUMASK, B_FALSE},
180 { "-t", "", AC_ARG_SET_TEMPORARY, B_FALSE},
181 };
182
183 #define ARG_TBL_SZ (sizeof (arg_table) / sizeof (arg_entry_t))
184
185 char *progname = "auditconfig";
186
187 /*
188 * temporary_set true to get/set only kernel settings,
189 * false to get/set kernel settings and service properties
190 */
191 static boolean_t temporary_set = B_FALSE;
192
193 static au_event_ent_t *egetauevnam(char *event_name);
194 static au_event_ent_t *egetauevnum(au_event_t event_number);
195 static int arg_ent_compare(const void *aep1, const void *aep2);
196 static char *cond2str(void);
197 static int policy2str(uint32_t policy, char *policy_str, size_t len);
198 static int str2type(char *s, uint_t *type);
199 static int str2policy(char *policy_str, uint32_t *policy_mask);
200 static int str2ipaddr(char *s, uint32_t *addr, uint32_t type);
201 static int strisipaddr(char *s);
202 static int strisnum(char *s);
203 static arg_entry_t *get_arg_ent(char *arg_str);
204 static uid_t get_user_id(char *user);
205 static void chk_arg_len(char *argv, uint_t len);
206 static void chk_event_num(int etype, au_event_t event);
207 static void chk_event_str(int etype, char *event_str);
208 static void chk_known_plugin(char *plugin_str);
209 static void chk_retval(char *retval_str);
210 static void chk_sorf(char *sorf_str);
211 static void do_aconf(void);
212 static void do_args(char **argv, au_mask_t *mask);
213 static void do_audit(char *, char, int, char *);
214 static void do_chkaconf(void);
215 static void do_chkconf(void);
216 static void do_conf(void);
217 static void do_getasid(void);
218 static void do_getaudit(void);
219 static void do_getkaudit(void);
220 static void do_setkaudit(char *t, char *s);
221 static void do_getauid(void);
222 static void do_getcar(void);
223 static void do_getclass(char *event_str);
224 static void do_getcond(void);
225 static void do_getcwd(void);
226 static void do_getflags(void);
227 static void do_getkmask(void);
228 static void do_getnaflags(void);
229 static void do_getpinfo(char *pid_str);
230 static void do_getplugin(char *plugin_str);
231 static void do_getpolicy(void);
232 static void do_getqbufsz(void);
233 static void do_getqctrl(void);
234 static void do_getqdelay(void);
235 static void do_getqhiwater(void);
236 static void do_getqlowater(void);
237 static void do_getstat(void);
238 static void do_gettermid(void);
239 static void do_lsevent(void);
240 static void do_lspolicy(void);
241 static void do_setasid(char *sid_str, char **argv);
242 static void do_setaudit(char *user_str, char *mask_str, char *tid_str,
243 char *sid_str, char **argv);
244 static void do_setauid(char *user, char **argv);
245 static void do_setclass(char *event_str, au_mask_t *mask);
246 static void do_setflags(char *audit_flags, au_mask_t *amask);
247 static void do_setkmask(au_mask_t *pmask);
248 static void do_setnaflags(char *audit_naflags, au_mask_t *namask);
249 static void do_setpmask(char *pid_str, au_mask_t *mask);
250 static void do_setsmask(char *asid_str, au_mask_t *mask);
251 static void do_setumask(char *auid_str, au_mask_t *mask);
252 static void do_setplugin(char *plugin_str, boolean_t plugin_state,
253 char *plugin_attr, int plugin_qsize);
254 static void do_setpolicy(char *policy_str);
255 static void do_setqbufsz(char *bufsz);
256 static void do_setqctrl(char *hiwater, char *lowater, char *bufsz, char *delay);
257 static void do_setqdelay(char *delay);
258 static void do_setqhiwater(char *hiwater);
259 static void do_setqlowater(char *lowater);
260 static void do_setstat(void);
261 static void str2tid(char *tid_str, au_tid_addr_t *tp);
262
263 static void eauditon(int cmd, caddr_t data, int length);
264 static void echkflags(char *auditflags, au_mask_t *mask);
265 static void egetaudit(auditinfo_addr_t *ai, int size);
266 static void egetauditflagsbin(char *auditflags, au_mask_t *pmask);
267 static void egetauid(au_id_t *auid);
268 static void egetkaudit(auditinfo_addr_t *ai, int size);
269 static void esetaudit(auditinfo_addr_t *ai, int size);
270 static void esetauid(au_id_t *auid);
271 static void esetkaudit(auditinfo_addr_t *ai, int size);
272 static void execit(char **argv);
273 static void exit_error(char *fmt, ...);
274 static void exit_usage(int status);
275 static void parse_args(int argc, char **argv, au_mask_t *mask);
276 static void print_asid(au_asid_t asid);
277 static void print_auid(au_id_t auid);
278 static void print_mask(char *desc, au_mask_t *pmp);
279 static void print_plugin(char *plugin_name, kva_t *plugin_kva);
280 static void print_tid_ex(au_tid_addr_t *tidp);
281
282 #if !defined(TEXT_DOMAIN)
283 #define TEXT_DOMAIN "SUNW_OST_OSCMD"
284 #endif
285
286 int
287 main(int argc, char **argv)
288 {
289 au_mask_t mask; /* for options manipulating flags */
290
291 (void) setlocale(LC_ALL, "");
292 (void) textdomain(TEXT_DOMAIN);
293
294 if (argc == 1) {
295 exit_usage(0);
296 }
297
298 if (argc == 2 &&
299 (argv[1][0] == '?' ||
300 strcmp(argv[1], "-h") == 0 ||
301 strcmp(argv[1], "-?") == 0)) {
302 exit_usage(0);
303 }
304
305 parse_args(argc, argv, &mask);
306 do_args(argv, &mask);
307
308 return (0);
309 }
310
311 /*
312 * parse_args()
313 * Desc: Checks command line argument syntax.
314 * Inputs: Command line argv;
315 * Returns: If a syntax error is detected, a usage message is printed
316 * and exit() is called. If a syntax error is not detected,
317 * parse_args() returns without a value.
318 */
319 static void
320 parse_args(int argc, char **argv, au_mask_t *mask)
321 {
322 arg_entry_t *ae;
323
324 uint_t type;
325 uint_t addr[4];
326
327 for (++argv; *argv; argv++) {
328 if ((ae = get_arg_ent(*argv)) == NULL) {
329 exit_usage(1);
330 }
331
332 switch (ae->auditconfig_cmd) {
333
334 case AC_ARG_AUDIT:
335 ++argv;
336 if (!*argv)
337 exit_usage(1);
338 if (strisnum(*argv)) {
339 chk_event_num(AC_USER_EVENT,
340 (au_event_t)atol(*argv));
341 } else {
342 chk_event_str(AC_USER_EVENT, *argv);
343 }
344 ++argv;
345 if (!*argv)
346 exit_usage(1);
347 chk_sorf(*argv);
348 ++argv;
349 if (!*argv)
350 exit_usage(1);
351 chk_retval(*argv);
352 ++argv;
353 if (!*argv)
354 exit_usage(1);
355 break;
356
357 case AC_ARG_CHKCONF:
358 case AC_ARG_CONF:
359 case AC_ARG_ACONF:
360 case AC_ARG_CHKACONF:
361 case AC_ARG_GETASID:
362 case AC_ARG_GETAUID:
363 case AC_ARG_GETAUDIT:
364 case AC_ARG_GETKAUDIT:
365 break;
366
367 case AC_ARG_GETCLASS:
368 case AC_ARG_GETESTATE:
369 ++argv;
370 if (!*argv)
371 exit_usage(1);
372 if (strisnum(*argv)) {
373 chk_event_num(AC_KERN_EVENT,
374 (au_event_t)atol(*argv));
375 } else {
376 chk_event_str(AC_KERN_EVENT, *argv);
377 }
378 break;
379
380 case AC_ARG_GETCAR:
381 case AC_ARG_GETCOND:
382 case AC_ARG_GETCWD:
383 case AC_ARG_GETFLAGS:
384 case AC_ARG_GETKMASK:
385 case AC_ARG_GETNAFLAGS:
386 break;
387
388 case AC_ARG_GETPLUGIN:
389 if (*++argv == NULL) {
390 --argv;
391 break;
392 }
393 if (get_arg_ent(*argv) != NULL) {
394 --argv;
395 } else {
396 chk_arg_len(*argv, PLUGIN_MAXBUF);
397 chk_known_plugin(*argv);
398 }
399 break;
400
401 case AC_ARG_GETPOLICY:
402 case AC_ARG_GETQBUFSZ:
403 case AC_ARG_GETQCTRL:
404 case AC_ARG_GETQDELAY:
405 case AC_ARG_GETQHIWATER:
406 case AC_ARG_GETQLOWATER:
407 case AC_ARG_GETSTAT:
408 case AC_ARG_GETTERMID:
409 case AC_ARG_LSEVENT:
410 case AC_ARG_LSPOLICY:
411 break;
412
413 case AC_ARG_SETASID:
414 case AC_ARG_SETAUID:
415 case AC_ARG_SETAUDIT:
416 ++argv;
417 if (!*argv)
418 exit_usage(1);
419
420 while (*argv)
421 ++argv;
422 --argv;
423
424 break;
425
426 case AC_ARG_SETKAUDIT:
427 ++argv;
428 if (!*argv)
429 exit_usage(1);
430 if (str2type (*argv, &type))
431 exit_error(gettext(
432 "Invalid IP address type specified."));
433 ++argv;
434 if (!*argv)
435 exit_usage(1);
436
437 if (str2ipaddr(*argv, addr, type))
438 exit_error(
439 gettext("Invalid IP address specified."));
440 break;
441
442 case AC_ARG_SETCLASS:
443 ++argv;
444 if (!*argv)
445 exit_usage(1);
446 if (strisnum(*argv))
447 chk_event_num(AC_KERN_EVENT,
448 (au_event_t)atol(*argv));
449 else
450 chk_event_str(AC_KERN_EVENT, *argv);
451 ++argv;
452 if (!*argv)
453 exit_usage(1);
454 echkflags(*argv, mask);
455 break;
456
457 case AC_ARG_SETFLAGS:
458 ++argv;
459 if (!*argv)
460 exit_usage(1);
461 chk_arg_len(*argv, PRESELECTION_MAXBUF);
462 echkflags(*argv, mask);
463 break;
464
465 case AC_ARG_SETKMASK:
466 ++argv;
467 if (!*argv)
468 exit_usage(1);
469 echkflags(*argv, mask);
470 break;
471
472 case AC_ARG_SETNAFLAGS:
473 ++argv;
474 if (!*argv)
475 exit_usage(1);
476 chk_arg_len(*argv, PRESELECTION_MAXBUF);
477 echkflags(*argv, mask);
478 break;
479
480 case AC_ARG_SETPLUGIN:
481 if (*++argv == NULL || get_arg_ent(*argv) != NULL) {
482 exit_usage(1);
483 }
484 chk_known_plugin(*argv);
485 chk_arg_len(*argv, PLUGIN_MAXBUF);
486 if (*++argv == NULL || strcmp(*argv, "active") != 0 &&
487 strcmp(*argv, "inactive") != 0) {
488 exit_usage(1);
489 }
490 if (*++argv == NULL || get_arg_ent(*argv) != NULL) {
491 --argv;
492 break;
493 }
494 chk_arg_len(*argv, PLUGIN_MAXATT);
495 if (*++argv == NULL || get_arg_ent(*argv) != NULL) {
496 --argv;
497 break;
498 }
499 if (atoi(*argv) < 0) {
500 exit_error(gettext("Incorrect qsize specified "
501 "(%s)."), *argv);
502 }
503 break;
504
505 case AC_ARG_SETPOLICY:
506 ++argv;
507 if (!*argv)
508 exit_usage(1);
509 break;
510
511 case AC_ARG_SETSTAT:
512 break;
513
514 case AC_ARG_GETPINFO:
515 ++argv;
516 if (!*argv)
517 exit_usage(1);
518 break;
519
520 case AC_ARG_SETPMASK:
521 ++argv;
522 if (!*argv)
523 exit_usage(1);
524 ++argv;
525 if (!*argv)
526 exit_usage(1);
527 echkflags(*argv, mask);
528 break;
529
530 case AC_ARG_SETQBUFSZ:
531 ++argv;
532 if (!*argv)
533 exit_usage(1);
534 if (!strisnum(*argv))
535 exit_error(gettext("Invalid bufsz specified."));
536 break;
537
538 case AC_ARG_SETQCTRL:
539 ++argv;
540 if (!*argv)
541 exit_usage(1);
542 if (!strisnum(*argv))
543 exit_error(
544 gettext("Invalid hiwater specified."));
545 ++argv;
546 if (!*argv)
547 exit_usage(1);
548 if (!strisnum(*argv))
549 exit_error(
550 gettext("Invalid lowater specified."));
551 ++argv;
552 if (!*argv)
553 exit_usage(1);
554 if (!strisnum(*argv))
555 exit_error(gettext("Invalid bufsz specified."));
556 ++argv;
557 if (!*argv)
558 exit_usage(1);
559 if (!strisnum(*argv))
560 exit_error(gettext("Invalid delay specified."));
561 break;
562
563 case AC_ARG_SETQDELAY:
564 ++argv;
565 if (!*argv)
566 exit_usage(1);
567 if (!strisnum(*argv))
568 exit_error(gettext("Invalid delay specified."));
569 break;
570
571 case AC_ARG_SETQHIWATER:
572 ++argv;
573 if (!*argv)
574 exit_usage(1);
575 if (!strisnum(*argv)) {
576 exit_error(
577 gettext("Invalid hiwater specified."));
578 }
579 break;
580
581 case AC_ARG_SETQLOWATER:
582 ++argv;
583 if (!*argv)
584 exit_usage(1);
585 if (!strisnum(*argv)) {
586 exit_error(
587 gettext("Invalid lowater specified."));
588 }
589 break;
590
591 case AC_ARG_SETSMASK:
592 case AC_ARG_SETUMASK:
593 ++argv;
594 if (!*argv)
595 exit_usage(1);
596 ++argv;
597 if (!*argv)
598 exit_usage(1);
599 echkflags(*argv, mask);
600 break;
601
602 case AC_ARG_SET_TEMPORARY:
603 /* Do not accept single -t option. */
604 if (argc == 2) {
605 exit_error(
606 gettext("Only the -t option specified "
607 "(it is not a standalone option)."));
608 }
609 temporary_set = B_TRUE;
610 break;
611
612 default:
613 exit_error(gettext("Internal error #1."));
614 break;
615 }
616 }
617 }
618
619
620 /*
621 * do_args() - do command line arguments in the order in which they appear.
622 * Function return values returned by the underlying functions; the semantics
623 * they should follow is to return B_TRUE on successful execution, B_FALSE
624 * otherwise.
625 */
626 static void
627 do_args(char **argv, au_mask_t *mask)
628 {
629 arg_entry_t *ae;
630
631 for (++argv; *argv; argv++) {
632 ae = get_arg_ent(*argv);
633
634 switch (ae->auditconfig_cmd) {
635
636 case AC_ARG_AUDIT:
637 {
638 char sorf;
639 int retval;
640 char *event_name;
641 char *audit_str;
642
643 ++argv;
644 event_name = *argv;
645 ++argv;
646 sorf = (char)atoi(*argv);
647 ++argv;
648 retval = atoi(*argv);
649 ++argv;
650 audit_str = *argv;
651 do_audit(event_name, sorf, retval, audit_str);
652 }
653 break;
654
655 case AC_ARG_CHKCONF:
656 do_chkconf();
657 break;
658
659 case AC_ARG_CONF:
660 do_conf();
661 break;
662
663 case AC_ARG_CHKACONF:
664 do_chkaconf();
665 break;
666
667 case AC_ARG_ACONF:
668 do_aconf();
669 break;
670
671 case AC_ARG_GETASID:
672 do_getasid();
673 break;
674
675 case AC_ARG_GETAUID:
676 do_getauid();
677 break;
678
679 case AC_ARG_GETAUDIT:
680 do_getaudit();
681 break;
682
683 case AC_ARG_GETKAUDIT:
684 do_getkaudit();
685 break;
686
687 case AC_ARG_GETCLASS:
688 case AC_ARG_GETESTATE:
689 ++argv;
690 do_getclass(*argv);
691 break;
692
693 case AC_ARG_GETCAR:
694 do_getcar();
695 break;
696
697 case AC_ARG_GETCOND:
698 do_getcond();
699 break;
700
701 case AC_ARG_GETCWD:
702 do_getcwd();
703 break;
704
705 case AC_ARG_GETFLAGS:
706 do_getflags();
707 break;
708
709 case AC_ARG_GETKMASK:
710 do_getkmask();
711 break;
712
713 case AC_ARG_GETNAFLAGS:
714 do_getnaflags();
715 break;
716
717 case AC_ARG_GETPLUGIN:
718 {
719 char *plugin_str = NULL;
720
721 ++argv;
722 if (*argv != NULL) {
723 if (get_arg_ent(*argv) != NULL) {
724 --argv;
725 } else {
726 plugin_str = *argv;
727 }
728 } else {
729 --argv;
730 }
731
732 do_getplugin(plugin_str);
733 }
734 break;
735
736 case AC_ARG_GETPOLICY:
737 do_getpolicy();
738 break;
739
740 case AC_ARG_GETQBUFSZ:
741 do_getqbufsz();
742 break;
743
744 case AC_ARG_GETQCTRL:
745 do_getqctrl();
746 break;
747
748 case AC_ARG_GETQDELAY:
749 do_getqdelay();
750 break;
751
752 case AC_ARG_GETQHIWATER:
753 do_getqhiwater();
754 break;
755
756 case AC_ARG_GETQLOWATER:
757 do_getqlowater();
758 break;
759
760 case AC_ARG_GETSTAT:
761 do_getstat();
762 break;
763
764 case AC_ARG_GETTERMID:
765 do_gettermid();
766 break;
767
768 case AC_ARG_LSEVENT:
769 do_lsevent();
770 break;
771
772 case AC_ARG_LSPOLICY:
773 do_lspolicy();
774 break;
775
776 case AC_ARG_SETASID:
777 {
778 char *sid_str;
779
780 ++argv;
781 sid_str = *argv;
782 ++argv;
783 do_setasid(sid_str, argv);
784 }
785 break;
786
787 case AC_ARG_SETAUID:
788 {
789 char *user;
790
791 ++argv;
792 user = *argv;
793 ++argv;
794 do_setauid(user, argv);
795 }
796 break;
797
798 case AC_ARG_SETAUDIT:
799 {
800 char *user_str;
801 char *mask_str;
802 char *tid_str;
803 char *sid_str;
804
805 ++argv;
806 user_str = *argv;
807 ++argv;
808 mask_str = *argv;
809 ++argv;
810 tid_str = *argv;
811 ++argv;
812 sid_str = *argv;
813 ++argv;
814 do_setaudit(user_str, mask_str, tid_str,
815 sid_str, argv);
816 }
817 break;
818
819 case AC_ARG_SETKAUDIT:
820 {
821 char *address_type, *address;
822
823 ++argv; address_type = *argv;
824 ++argv; address = *argv;
825 do_setkaudit(address_type, address);
826 }
827 break;
828
829 case AC_ARG_SETCLASS:
830 {
831 char *event_str;
832
833 ++argv;
834 event_str = *argv;
835 do_setclass(event_str, mask);
836
837 ++argv;
838 }
839 break;
840
841 case AC_ARG_SETFLAGS:
842 ++argv;
843 do_setflags(*argv, mask);
844 break;
845
846 case AC_ARG_SETKMASK:
847 ++argv;
848 do_setkmask(mask);
849 break;
850
851 case AC_ARG_SETNAFLAGS:
852 ++argv;
853 do_setnaflags(*argv, mask);
854 break;
855
856 case AC_ARG_SETPLUGIN:
857 {
858 char *plugin_str = NULL;
859 boolean_t plugin_state = B_FALSE;
860 char *plugin_att = NULL;
861 int plugin_qsize = -1;
862
863 plugin_str = *++argv;
864 if (strcmp(*++argv, "active") == 0) {
865 plugin_state = B_TRUE;
866 }
867 if (*++argv != NULL &&
868 get_arg_ent(*argv) == NULL) {
869 plugin_att = *argv;
870 if (*++argv != NULL &&
871 get_arg_ent(*argv) == NULL) {
872 plugin_qsize = atoi(*argv);
873 } else {
874 --argv;
875 }
876 } else {
877 --argv;
878 }
879
880 do_setplugin(plugin_str, plugin_state,
881 plugin_att, plugin_qsize);
882 }
883 break;
884
885 case AC_ARG_SETPOLICY:
886 ++argv;
887 do_setpolicy(*argv);
888 break;
889
890 case AC_ARG_GETPINFO:
891 {
892 char *pid_str;
893
894 ++argv;
895 pid_str = *argv;
896 do_getpinfo(pid_str);
897 }
898 break;
899
900 case AC_ARG_SETPMASK:
901 {
902 char *pid_str;
903
904 ++argv;
905 pid_str = *argv;
906 do_setpmask(pid_str, mask);
907
908 ++argv;
909 }
910 break;
911
912 case AC_ARG_SETSTAT:
913 do_setstat();
914 break;
915
916 case AC_ARG_SETQBUFSZ:
917 ++argv;
918 do_setqbufsz(*argv);
919 break;
920
921 case AC_ARG_SETQCTRL:
922 {
923 char *hiwater, *lowater, *bufsz, *delay;
924
925 ++argv; hiwater = *argv;
926 ++argv; lowater = *argv;
927 ++argv; bufsz = *argv;
928 ++argv; delay = *argv;
929 do_setqctrl(hiwater, lowater, bufsz, delay);
930 }
931 break;
932 case AC_ARG_SETQDELAY:
933 ++argv;
934 do_setqdelay(*argv);
935 break;
936
937 case AC_ARG_SETQHIWATER:
938 ++argv;
939 do_setqhiwater(*argv);
940 break;
941
942 case AC_ARG_SETQLOWATER:
943 ++argv;
944 do_setqlowater(*argv);
945 break;
946
947 case AC_ARG_SETSMASK:
948 {
949 char *asid_str;
950
951 ++argv;
952 asid_str = *argv;
953 do_setsmask(asid_str, mask);
954
955 ++argv;
956 }
957 break;
958 case AC_ARG_SETUMASK:
959 {
960 char *auid_str;
961
962 ++argv;
963 auid_str = *argv;
964 do_setumask(auid_str, mask);
965
966 ++argv;
967 }
968 break;
969 case AC_ARG_SET_TEMPORARY:
970 break;
971
972 default:
973 exit_error(gettext("Internal error #2."));
974 break;
975 }
976 }
977 }
978
979 /*
980 * do_chkconf() - the returned value is for the global zone unless AUDIT_PERZONE
981 * is set.
982 */
983 static void
984 do_chkconf(void)
985 {
986 register au_event_ent_t *evp;
987 au_mask_t pmask;
988 char conf_aflags[256];
989 char run_aflags[256];
990 au_stat_t as;
991 int class;
992 int len;
993 struct au_evclass_map cmap;
994
995 pmask.am_success = pmask.am_failure = 0;
996 eauditon(A_GETSTAT, (caddr_t)&as, 0);
997
998 setauevent();
999 if (getauevent() == NULL) {
1000 exit_error(gettext("NO AUDIT EVENTS: Could not read %s\n."),
1001 AUDITEVENTFILE);
1002 }
1003
1004 setauevent();
1005 while ((evp = getauevent()) != NULL) {
1006 cmap.ec_number = evp->ae_number;
1007 len = sizeof (struct au_evclass_map);
1008 if (evp->ae_number <= as.as_numevent) {
1009 if (auditon(A_GETCLASS, (caddr_t)&cmap, len) == -1) {
1010 (void) printf("%s(%hu):%s",
1011 evp->ae_name, evp->ae_number,
1012 gettext("UNKNOWN EVENT: Could not get "
1013 "class for event. Configuration may "
1014 "be bad.\n"));
1015 } else {
1016 class = cmap.ec_class;
1017 if (class != evp->ae_class) {
1018 conf_aflags[0] = run_aflags[0] = '\0';
1019 pmask.am_success = class;
1020 pmask.am_failure = class;
1021 (void) getauditflagschar(run_aflags,
1022 &pmask, 0);
1023 pmask.am_success = evp->ae_class;
1024 pmask.am_failure = evp->ae_class;
1025 (void) getauditflagschar(conf_aflags,
1026 &pmask, 0);
1027
1028 (void) printf(gettext(
1029 "%s(%hu): CLASS MISMATCH: "
1030 "runtime class (%s) != "
1031 "configured class (%s)\n"),
1032 evp->ae_name, evp->ae_number,
1033 NONE(run_aflags),
1034 NONE(conf_aflags));
1035 }
1036 }
1037 }
1038 }
1039 endauevent();
1040 }
1041
1042 /*
1043 * do_conf() - configure the kernel events. The value returned to the user is
1044 * for the global zone unless AUDIT_PERZONE is set.
1045 */
1046 static void
1047 do_conf(void)
1048 {
1049 register au_event_ent_t *evp;
1050 register int i;
1051 au_evclass_map_t ec;
1052 au_stat_t as;
1053
1054 eauditon(A_GETSTAT, (caddr_t)&as, 0);
1055
1056 i = 0;
1057 setauevent();
1058 while ((evp = getauevent()) != NULL) {
1059 if (evp->ae_number <= as.as_numevent) {
1060 ++i;
1061 ec.ec_number = evp->ae_number;
1062 ec.ec_class = evp->ae_class;
1063 eauditon(A_SETCLASS, (caddr_t)&ec, sizeof (ec));
1064 }
1065 }
1066 endauevent();
1067 (void) printf(gettext("Configured %d kernel events.\n"), i);
1068
1069 }
1070
1071 /*
1072 * do_chkaconf() - report a mismatch if the runtime class mask of a kernel audit
1073 * event does not match the configured class mask. The value returned to the
1074 * user is for the global zone unless AUDIT_PERZONE is set.
1075 */
1076 static void
1077 do_chkaconf(void)
1078 {
1079 char *namask_cfg;
1080 au_mask_t pmask, kmask;
1081
1082 if (!do_getnaflags_scf(&namask_cfg) || namask_cfg == NULL) {
1083 exit_error(gettext("Could not get configured value."));
1084 }
1085 egetauditflagsbin(namask_cfg, &pmask);
1086
1087 eauditon(A_GETKMASK, (caddr_t)&kmask, sizeof (kmask));
1088
1089 if ((pmask.am_success != kmask.am_success) ||
1090 (pmask.am_failure != kmask.am_failure)) {
1091 char kbuf[2048];
1092 if (getauditflagschar(kbuf, &kmask, 0) < 0) {
1093 free(namask_cfg);
1094 (void) fprintf(stderr,
1095 gettext("bad kernel non-attributable mask\n"));
1096 exit(1);
1097 }
1098 (void) printf(
1099 gettext("non-attributable event flags mismatch:\n"));
1100 (void) printf(gettext("active non-attributable audit flags "
1101 "= %s\n"), kbuf);
1102 (void) printf(gettext("configured non-attributable audit flags "
1103 "= %s\n"), namask_cfg);
1104 }
1105 free(namask_cfg);
1106 }
1107
1108 /*
1109 * do_aconf - configures the non-attributable events. The value returned to the
1110 * user is for the global zone unless AUDIT_PERZONE is set.
1111 */
1112 static void
1113 do_aconf(void)
1114 {
1115 au_mask_t namask;
1116 char *namask_cfg;
1117
1118 if (!do_getnaflags_scf(&namask_cfg) || namask_cfg == NULL) {
1119 exit_error(gettext("Could not get configured value."));
1120 }
1121 egetauditflagsbin(namask_cfg, &namask);
1122 free(namask_cfg);
1123
1124 eauditon(A_SETKMASK, (caddr_t)&namask, sizeof (namask));
1125 (void) printf(gettext("Configured non-attributable event mask.\n"));
1126 }
1127
1128 /*
1129 * do_audit() - construct an audit record for audit event event using the
1130 * process's audit characteristics containing a text token string audit_str. The
1131 * return token is constructed from the success/failure flag sort. Returned
1132 * value retval is an errno value.
1133 */
1134 static void
1135 do_audit(char *event, char sorf, int retval, char *audit_str)
1136 {
1137 int rtn;
1138 int rd;
1139 au_event_t event_num;
1140 au_event_ent_t *evp;
1141 auditinfo_addr_t ai;
1142 token_t *tokp;
1143
1144 egetaudit(&ai, sizeof (ai));
1145
1146 if (strisnum(event)) {
1147 event_num = (au_event_t)atoi(event);
1148 evp = egetauevnum(event_num);
1149 } else {
1150 evp = egetauevnam(event);
1151 }
1152
1153 rtn = au_preselect(evp->ae_number, &ai.ai_mask, (int)sorf,
1154 AU_PRS_USECACHE);
1155
1156 if (rtn == -1) {
1157 exit_error("%s\n%s %hu\n",
1158 gettext("Check audit event configuration."),
1159 gettext("Could not get audit class for event number"),
1160 evp->ae_number);
1161 }
1162
1163 /* record is preselected */
1164 if (rtn == 1) {
1165 if ((rd = au_open()) == -1) {
1166 exit_error(gettext(
1167 "Could not get and audit record descriptor\n"));
1168 }
1169 if ((tokp = au_to_me()) == NULL) {
1170 exit_error(
1171 gettext("Could not allocate subject token\n"));
1172 }
1173 if (au_write(rd, tokp) == -1) {
1174 exit_error(gettext("Could not construct subject token "
1175 "of audit record\n"));
1176 }
1177 if (is_system_labeled()) {
1178 if ((tokp = au_to_mylabel()) == NULL) {
1179 exit_error(gettext(
1180 "Could not allocate label token\n"));
1181 }
1182 if (au_write(rd, tokp) == -1) {
1183 exit_error(gettext("Could not "
1184 "construct label token of audit record\n"));
1185 }
1186 }
1187
1188 if ((tokp = au_to_text(audit_str)) == NULL)
1189 exit_error(gettext("Could not allocate text token\n"));
1190 if (au_write(rd, tokp) == -1)
1191 exit_error(gettext("Could not construct text token of "
1192 "audit record\n"));
1193 #ifdef _LP64
1194 if ((tokp = au_to_return64(sorf, retval)) == NULL)
1195 #else
1196 if ((tokp = au_to_return32(sorf, retval)) == NULL)
1197 #endif
1198 exit_error(
1199 gettext("Could not allocate return token\n"));
1200 if (au_write(rd, tokp) == -1) {
1201 exit_error(gettext("Could not construct return token "
1202 "of audit record\n"));
1203 }
1204 if (au_close(rd, 1, evp->ae_number) == -1) {
1205 exit_error(
1206 gettext("Could not write audit record: %s\n"),
1207 strerror(errno));
1208 }
1209 }
1210 }
1211
1212 /*
1213 * do_getauid() - print the audit id of the current process.
1214 */
1215 static void
1216 do_getauid(void)
1217 {
1218 au_id_t auid;
1219
1220 egetauid(&auid);
1221 print_auid(auid);
1222 }
1223
1224 /*
1225 * do_getaudit() - print the audit characteristics of the current process.
1226 */
1227 static void
1228 do_getaudit(void)
1229 {
1230 auditinfo_addr_t ai;
1231
1232 egetaudit(&ai, sizeof (ai));
1233 print_auid(ai.ai_auid);
1234 print_mask(gettext("process preselection mask"), &ai.ai_mask);
1235 print_tid_ex(&ai.ai_termid);
1236 print_asid(ai.ai_asid);
1237 }
1238
1239 /*
1240 * do_getkaudit() - print the audit characteristics of the current zone.
1241 */
1242 static void
1243 do_getkaudit(void)
1244 {
1245 auditinfo_addr_t ai;
1246
1247 egetkaudit(&ai, sizeof (ai));
1248 print_auid(ai.ai_auid);
1249 print_mask(gettext("process preselection mask"), &ai.ai_mask);
1250 print_tid_ex(&ai.ai_termid);
1251 print_asid(ai.ai_asid);
1252 }
1253
1254 /*
1255 * do_setkaudit() - set IP address_type/address of machine to specified values;
1256 * valid per zone if AUDIT_PERZONE is set, else only in global zone.
1257 */
1258 static void
1259 do_setkaudit(char *t, char *s)
1260 {
1261 uint_t type;
1262 auditinfo_addr_t ai;
1263
1264 egetkaudit(&ai, sizeof (ai));
1265 (void) str2type(t, &type);
1266 (void) str2ipaddr(s, &ai.ai_termid.at_addr[0], type);
1267 ai.ai_termid.at_type = type;
1268 esetkaudit(&ai, sizeof (ai));
1269 }
1270
1271 /*
1272 * do_getcar() - print the zone-relative root
1273 */
1274 static void
1275 do_getcar(void)
1276 {
1277 char path[MAXPATHLEN];
1278
1279 eauditon(A_GETCAR, (caddr_t)path, sizeof (path));
1280 (void) printf(gettext("current active root = %s\n"), path);
1281 }
1282
1283 /*
1284 * do_getclass() - print the preselection mask associated with the specified
1285 * kernel audit event. The displayed value is for the global zone unless
1286 * AUDIT_PERZONE is set.
1287 */
1288 static void
1289 do_getclass(char *event_str)
1290 {
1291 au_evclass_map_t ec;
1292 au_event_ent_t *evp;
1293 au_event_t event_number;
1294 char *event_name;
1295
1296 if (strisnum(event_str)) {
1297 event_number = atol(event_str);
1298 if ((evp = egetauevnum(event_number)) != NULL) {
1299 event_number = evp->ae_number;
1300 event_name = evp->ae_name;
1301 } else {
1302 event_name = gettext("unknown");
1303 }
1304 } else {
1305 event_name = event_str;
1306 if ((evp = egetauevnam(event_str)) != NULL) {
1307 event_number = evp->ae_number;
1308 }
1309 }
1310
1311 ec.ec_number = event_number;
1312 eauditon(A_GETCLASS, (caddr_t)&ec, 0);
1313
1314 (void) printf(gettext("audit class mask for event %s(%hu) = 0x%x\n"),
1315 event_name, event_number, ec.ec_class);
1316 }
1317
1318 /*
1319 * do_getcond() - the printed value is for the global zone unless
1320 * AUDIT_PERZONE is set. (AUC_DISABLED is always global, the other states are
1321 * per zone if AUDIT_PERZONE is set)
1322 */
1323 static void
1324 do_getcond(void)
1325 {
1326 (void) printf(gettext("audit condition = %s\n"), cond2str());
1327 }
1328
1329 /*
1330 * do_getcwd() - the printed path is relative to the current zone root
1331 */
1332 static void
1333 do_getcwd(void)
1334 {
1335 char path[MAXPATHLEN];
1336
1337 eauditon(A_GETCWD, (caddr_t)path, sizeof (path));
1338 (void) printf(gettext("current working directory = %s\n"), path);
1339 }
1340
1341 /*
1342 * do_getflags() - the printed value is for the global zone unless AUDIT_PERZONE
1343 * is set.
1344 */
1345 static void
1346 do_getflags(void)
1347 {
1348 au_mask_t amask;
1349 char *amask_cfg;
1350
1351 eauditon(A_GETAMASK, (caddr_t)&amask, sizeof (amask));
1352 print_mask(gettext("active user default audit flags"), &amask);
1353
1354 if (!do_getflags_scf(&amask_cfg) || amask_cfg == NULL) {
1355 exit_error(gettext("Could not get configured value."));
1356 }
1357 egetauditflagsbin(amask_cfg, &amask);
1358 print_mask(gettext("configured user default audit flags"), &amask);
1359 free(amask_cfg);
1360 }
1361
1362 /*
1363 * do_getkmask() - the printed value is for the global zone unless AUDIT_PERZONE
1364 * is set.
1365 */
1366 static void
1367 do_getkmask(void)
1368 {
1369 au_mask_t pmask;
1370
1371 eauditon(A_GETKMASK, (caddr_t)&pmask, sizeof (pmask));
1372 print_mask(gettext("active non-attributable audit flags"), &pmask);
1373 }
1374
1375 /*
1376 * do_getnaflags() - the printed value is for the global zone unless
1377 * AUDIT_PERZONE is set.
1378 */
1379 static void
1380 do_getnaflags(void)
1381 {
1382 au_mask_t namask;
1383 char *namask_cfg;
1384
1385 eauditon(A_GETKMASK, (caddr_t)&namask, sizeof (namask));
1386 print_mask(gettext("active non-attributable audit flags"), &namask);
1387
1388 if (!do_getnaflags_scf(&namask_cfg) || namask_cfg == NULL) {
1389 exit_error(gettext("Could not get configured value."));
1390 }
1391 egetauditflagsbin(namask_cfg, &namask);
1392 print_mask(gettext("configured non-attributable audit flags"), &namask);
1393 free(namask_cfg);
1394 }
1395
1396 /*
1397 * do_getpolicy() - print active and configured kernel audit policy relative to
1398 * the current zone.
1399 */
1400 static void
1401 do_getpolicy(void)
1402 {
1403 char policy_str[1024];
1404 uint32_t policy;
1405
1406 if (!temporary_set) {
1407 if (!do_getpolicy_scf(&policy)) {
1408 exit_error(gettext("Could not get configured values."));
1409 }
1410 (void) policy2str(policy, policy_str, sizeof (policy_str));
1411 (void) printf(gettext("configured audit policies = %s\n"),
1412 policy_str);
1413 }
1414
1415 eauditon(A_GETPOLICY, (caddr_t)&policy, 0);
1416 (void) policy2str(policy, policy_str, sizeof (policy_str));
1417 (void) printf(gettext("active audit policies = %s\n"), policy_str);
1418 }
1419
1420
1421 /*
1422 * do_getpinfo() - print the audit ID, preselection mask, terminal ID, and
1423 * audit session ID for the specified process.
1424 */
1425 static void
1426 do_getpinfo(char *pid_str)
1427 {
1428 struct auditpinfo_addr ap;
1429
1430 if (strisnum(pid_str))
1431 ap.ap_pid = (pid_t)atoi(pid_str);
1432 else
1433 exit_usage(1);
1434
1435 eauditon(A_GETPINFO_ADDR, (caddr_t)&ap, sizeof (ap));
1436
1437 print_auid(ap.ap_auid);
1438 print_mask(gettext("process preselection mask"), &(ap.ap_mask));
1439 print_tid_ex(&(ap.ap_termid));
1440 print_asid(ap.ap_asid);
1441 }
1442
1443 /*
1444 * do_getplugin() - print plugin configuration.
1445 */
1446 static void
1447 do_getplugin(char *plugin_str)
1448 {
1449 scf_plugin_kva_node_t *plugin_kva_ll;
1450 scf_plugin_kva_node_t *plugin_kva_ll_head;
1451
1452 if (!do_getpluginconfig_scf(plugin_str, &plugin_kva_ll)) {
1453 exit_error(gettext("Could not get plugin configuration."));
1454 }
1455
1456 plugin_kva_ll_head = plugin_kva_ll;
1457
1458 while (plugin_kva_ll != NULL) {
1459 print_plugin(plugin_kva_ll->plugin_name,
1460 plugin_kva_ll->plugin_kva);
1461 plugin_kva_ll = plugin_kva_ll->next;
1462 if (plugin_kva_ll != NULL) {
1463 (void) printf("\n");
1464 }
1465 }
1466 plugin_kva_ll_free(plugin_kva_ll_head);
1467 }
1468
1469 /*
1470 * do_getqbufsz() - print the active and configured audit queue write buffer
1471 * size relative to the current zone.
1472 */
1473 static void
1474 do_getqbufsz(void)
1475 {
1476 struct au_qctrl qctrl;
1477
1478 if (!temporary_set) {
1479 if (!do_getqbufsz_scf(&qctrl.aq_bufsz)) {
1480 exit_error(gettext("Could not get configured value."));
1481 }
1482
1483 if (qctrl.aq_bufsz == 0) {
1484 (void) printf(gettext(
1485 "no configured audit queue buffer size\n"));
1486 } else {
1487 (void) printf(gettext("configured audit queue "
1488 "buffer size (bytes) = %d\n"), qctrl.aq_bufsz);
1489 }
1490 }
1491
1492 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
1493 (void) printf(gettext("active audit queue buffer size (bytes) = %d\n"),
1494 qctrl.aq_bufsz);
1495 }
1496
1497 /*
1498 * do_getqctrl() - print the configured and active audit queue write buffer
1499 * size, audit queue hiwater mark, audit queue lowater mark, audit queue prod
1500 * interval (ticks) relative to the current zone.
1501 */
1502 static void
1503 do_getqctrl(void)
1504 {
1505 struct au_qctrl qctrl;
1506
1507 if (!temporary_set) {
1508 if (!do_getqctrl_scf(&qctrl)) {
1509 exit_error(gettext("Could not get configured values."));
1510 }
1511
1512 if (qctrl.aq_hiwater == 0) {
1513 (void) printf(gettext(
1514 "no configured audit queue hiwater mark\n"));
1515 } else {
1516 (void) printf(gettext("configured audit queue "
1517 "hiwater mark (records) = %d\n"), qctrl.aq_hiwater);
1518 }
1519 if (qctrl.aq_lowater == 0) {
1520 (void) printf(gettext(
1521 "no configured audit queue lowater mark\n"));
1522 } else {
1523 (void) printf(gettext("configured audit queue "
1524 "lowater mark (records) = %d\n"), qctrl.aq_lowater);
1525 }
1526 if (qctrl.aq_bufsz == 0) {
1527 (void) printf(gettext(
1528 "no configured audit queue buffer size\n"));
1529 } else {
1530 (void) printf(gettext("configured audit queue "
1531 "buffer size (bytes) = %d\n"), qctrl.aq_bufsz);
1532 }
1533 if (qctrl.aq_delay == 0) {
1534 (void) printf(gettext(
1535 "no configured audit queue delay\n"));
1536 } else {
1537 (void) printf(gettext("configured audit queue "
1538 "delay (ticks) = %ld\n"), qctrl.aq_delay);
1539 }
1540 }
1541
1542 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
1543 (void) printf(gettext("active audit queue hiwater mark "
1544 "(records) = %d\n"), qctrl.aq_hiwater);
1545 (void) printf(gettext("active audit queue lowater mark "
1546 "(records) = %d\n"), qctrl.aq_lowater);
1547 (void) printf(gettext("active audit queue buffer size (bytes) = %d\n"),
1548 qctrl.aq_bufsz);
1549 (void) printf(gettext("active audit queue delay (ticks) = %ld\n"),
1550 qctrl.aq_delay);
1551 }
1552
1553 /*
1554 * do_getqdelay() - print, relative to the current zone, the configured and
1555 * active interval at which audit queue is prodded to start output.
1556 */
1557 static void
1558 do_getqdelay(void)
1559 {
1560 struct au_qctrl qctrl;
1561
1562 if (!temporary_set) {
1563 if (!do_getqdelay_scf(&qctrl.aq_delay)) {
1564 exit_error(gettext("Could not get configured value."));
1565 }
1566
1567 if (qctrl.aq_delay == 0) {
1568 (void) printf(gettext(
1569 "no configured audit queue delay\n"));
1570 } else {
1571 (void) printf(gettext("configured audit queue "
1572 "delay (ticks) = %ld\n"), qctrl.aq_delay);
1573 }
1574 }
1575
1576 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
1577 (void) printf(gettext("active audit queue delay (ticks) = %ld\n"),
1578 qctrl.aq_delay);
1579 }
1580
1581 /*
1582 * do_getqhiwater() - print, relative to the current zone, the high water
1583 * point in undelivered audit records when audit generation will block.
1584 */
1585 static void
1586 do_getqhiwater(void)
1587 {
1588 struct au_qctrl qctrl;
1589
1590 if (!temporary_set) {
1591 if (!do_getqhiwater_scf(&qctrl.aq_hiwater)) {
1592 exit_error(gettext("Could not get configured value."));
1593 }
1594
1595 if (qctrl.aq_hiwater == 0) {
1596 (void) printf(gettext(
1597 "no configured audit queue hiwater mark\n"));
1598 } else {
1599 (void) printf(gettext("configured audit queue "
1600 "hiwater mark (records) = %d\n"), qctrl.aq_hiwater);
1601 }
1602 }
1603
1604 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
1605 (void) printf(gettext("active audit queue hiwater mark "
1606 "(records) = %d\n"), qctrl.aq_hiwater);
1607 }
1608
1609 /*
1610 * do_getqlowater() - print, relative to the current zone, the low water point
1611 * in undelivered audit records where blocked processes will resume.
1612 */
1613 static void
1614 do_getqlowater(void)
1615 {
1616 struct au_qctrl qctrl;
1617
1618 if (!temporary_set) {
1619 if (!do_getqlowater_scf(&qctrl.aq_lowater)) {
1620 exit_error(gettext("Could not get configured value."));
1621 }
1622
1623 if (qctrl.aq_lowater == 0) {
1624 (void) printf(gettext(
1625 "no configured audit queue lowater mark\n"));
1626 } else {
1627 (void) printf(gettext("configured audit queue "
1628 "lowater mark (records) = %d\n"), qctrl.aq_lowater);
1629 }
1630 }
1631
1632 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
1633 (void) printf(gettext("active audit queue lowater mark "
1634 "(records) = %d\n"), qctrl.aq_lowater);
1635 }
1636
1637 /*
1638 * do_getasid() - print out the audit session-ID.
1639 */
1640 static void
1641 do_getasid(void)
1642 {
1643 auditinfo_addr_t ai;
1644
1645 if (getaudit_addr(&ai, sizeof (ai))) {
1646 exit_error(gettext("getaudit_addr(2) failed"));
1647 }
1648 print_asid(ai.ai_asid);
1649 }
1650
1651 /*
1652 * do_getstat() - the printed statistics are for the entire system unless
1653 * AUDIT_PERZONE is set.
1654 */
1655 static void
1656 do_getstat(void)
1657 {
1658 au_stat_t as;
1659 int offset[12]; /* used to line the header up correctly */
1660 char buf[512];
1661
1662 eauditon(A_GETSTAT, (caddr_t)&as, 0);
1663 (void) sprintf(buf, "%4lu %n%4lu %n%4lu %n%4lu %n%4lu %n%4lu %n%4lu "
1664 "%n%4lu %n%4lu %n%4lu %n%4lu %n%4lu%n",
1665 (ulong_t)as.as_generated, &(offset[0]),
1666 (ulong_t)as.as_nonattrib, &(offset[1]),
1667 (ulong_t)as.as_kernel, &(offset[2]),
1668 (ulong_t)as.as_audit, &(offset[3]),
1669 (ulong_t)as.as_auditctl, &(offset[4]),
1670 (ulong_t)as.as_enqueue, &(offset[5]),
1671 (ulong_t)as.as_written, &(offset[6]),
1672 (ulong_t)as.as_wblocked, &(offset[7]),
1673 (ulong_t)as.as_rblocked, &(offset[8]),
1674 (ulong_t)as.as_dropped, &(offset[9]),
1675 (ulong_t)as.as_totalsize / ONEK, &(offset[10]),
1676 (ulong_t)as.as_memused / ONEK, &(offset[11]));
1677
1678 /*
1679 * TRANSLATION_NOTE
1680 * Print a properly aligned header.
1681 */
1682 (void) printf("%*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %*s\n",
1683 offset[0] - 1, gettext("gen"),
1684 offset[1] - offset[0] -1, gettext("nona"),
1685 offset[2] - offset[1] -1, gettext("kern"),
1686 offset[3] - offset[2] -1, gettext("aud"),
1687 offset[4] - offset[3] -1, gettext("ctl"),
1688 offset[5] - offset[4] -1, gettext("enq"),
1689 offset[6] - offset[5] -1, gettext("wrtn"),
1690 offset[7] - offset[6] -1, gettext("wblk"),
1691 offset[8] - offset[7] -1, gettext("rblk"),
1692 offset[9] - offset[8] -1, gettext("drop"),
1693 offset[10] - offset[9] -1, gettext("tot"),
1694 offset[11] - offset[10], gettext("mem"));
1695
1696 (void) printf("%s\n", buf);
1697 }
1698
1699 /*
1700 * do_gettermid() - print audit terminal ID for current process.
1701 */
1702 static void
1703 do_gettermid(void)
1704 {
1705 auditinfo_addr_t ai;
1706
1707 if (getaudit_addr(&ai, sizeof (ai))) {
1708 exit_error(gettext("getaudit_addr(2) failed"));
1709 }
1710 print_tid_ex(&ai.ai_termid);
1711 }
1712
1713 /*
1714 * do_lsevent() - display the active kernel and user level audit event
1715 * information. The printed events are for the global zone unless AUDIT_PERZONE
1716 * is set.
1717 */
1718 static void
1719 do_lsevent(void)
1720 {
1721 register au_event_ent_t *evp;
1722 au_mask_t pmask;
1723 char auflags[256];
1724
1725 setauevent();
1726 if (getauevent() == NULL) {
1727 exit_error(gettext("NO AUDIT EVENTS: Could not read %s\n."),
1728 AUDITEVENTFILE);
1729 }
1730
1731 setauevent();
1732 while ((evp = getauevent()) != NULL) {
1733 pmask.am_success = pmask.am_failure = evp->ae_class;
1734 if (getauditflagschar(auflags, &pmask, 0) == -1)
1735 (void) strcpy(auflags, "unknown");
1736 (void) printf("%-30s %5hu %s %s\n",
1737 evp->ae_name, evp->ae_number, auflags, evp->ae_desc);
1738 }
1739 endauevent();
1740 }
1741
1742 /*
1743 * do_lspolicy() - display the kernel audit policies with a description of each
1744 * policy. The printed value is for the global zone unless AUDIT_PERZONE is set.
1745 */
1746 static void
1747 do_lspolicy(void)
1748 {
1749 int i;
1750
1751 /*
1752 * TRANSLATION_NOTE
1753 * Print a properly aligned header.
1754 */
1755 (void) printf(gettext("policy string description:\n"));
1756 for (i = 0; i < POLICY_TBL_SZ; i++) {
1757 (void) printf("%-17s%s\n", policy_table[i].policy_str,
1758 gettext(policy_table[i].policy_desc));
1759 }
1760 }
1761
1762 /*
1763 * do_setasid() - execute shell or cmd with specified session-ID.
1764 */
1765 static void
1766 do_setasid(char *sid_str, char **argv)
1767 {
1768 struct auditinfo_addr ai;
1769
1770 if (getaudit_addr(&ai, sizeof (ai))) {
1771 exit_error(gettext("getaudit_addr(2) failed"));
1772 }
1773 ai.ai_asid = (au_asid_t)atol(sid_str);
1774 if (setaudit_addr(&ai, sizeof (ai))) {
1775 exit_error(gettext("setaudit_addr(2) failed"));
1776 }
1777 execit(argv);
1778 }
1779
1780 /*
1781 * do_setaudit() - execute shell or cmd with specified audit characteristics.
1782 */
1783 static void
1784 do_setaudit(char *user_str, char *mask_str, char *tid_str, char *sid_str,
1785 char **argv)
1786 {
1787 auditinfo_addr_t ai;
1788
1789 ai.ai_auid = (au_id_t)get_user_id(user_str);
1790 egetauditflagsbin(mask_str, &ai.ai_mask),
1791 str2tid(tid_str, &ai.ai_termid);
1792 ai.ai_asid = (au_asid_t)atol(sid_str);
1793
1794 esetaudit(&ai, sizeof (ai));
1795 execit(argv);
1796 }
1797
1798 /*
1799 * do_setauid() - execute shell or cmd with specified audit-ID.
1800 */
1801 static void
1802 do_setauid(char *user, char **argv)
1803 {
1804 au_id_t auid;
1805
1806 auid = get_user_id(user);
1807 esetauid(&auid);
1808 execit(argv);
1809 }
1810
1811 /*
1812 * do_setpmask() - set the preselection mask of the specified process; valid
1813 * per zone if AUDIT_PERZONE is set, else only in global zone.
1814 */
1815 static void
1816 do_setpmask(char *pid_str, au_mask_t *mask)
1817 {
1818 struct auditpinfo ap;
1819
1820 if (strisnum(pid_str)) {
1821 ap.ap_pid = (pid_t)atoi(pid_str);
1822 } else {
1823 exit_usage(1);
1824 }
1825
1826 ap.ap_mask.am_success = mask->am_success;
1827 ap.ap_mask.am_failure = mask->am_failure;
1828
1829 eauditon(A_SETPMASK, (caddr_t)&ap, sizeof (ap));
1830 }
1831
1832 /*
1833 * do_setsmask() - set the preselection mask of all processes with the specified
1834 * audit session-ID; valid per zone if AUDIT_PERZONE is set, else only in global
1835 * zone.
1836 */
1837 static void
1838 do_setsmask(char *asid_str, au_mask_t *mask)
1839 {
1840 struct auditinfo ainfo;
1841
1842 if (strisnum(asid_str)) {
1843 ainfo.ai_asid = (au_asid_t)atoi(asid_str);
1844 } else {
1845 exit_usage(1);
1846 }
1847
1848 ainfo.ai_mask.am_success = mask->am_success;
1849 ainfo.ai_mask.am_failure = mask->am_failure;
1850
1851 eauditon(A_SETSMASK, (caddr_t)&ainfo, sizeof (ainfo));
1852 }
1853
1854 /*
1855 * do_setumask() - set the preselection mask of all processes with the
1856 * specified audit-ID; valid per zone if AUDIT_PERZONE is set, else only in
1857 * global zone.
1858 */
1859 static void
1860 do_setumask(char *auid_str, au_mask_t *mask)
1861 {
1862 struct auditinfo ainfo;
1863
1864 if (strisnum(auid_str)) {
1865 ainfo.ai_auid = (au_id_t)atoi(auid_str);
1866 } else {
1867 exit_usage(1);
1868 }
1869
1870 ainfo.ai_mask.am_success = mask->am_success;
1871 ainfo.ai_mask.am_failure = mask->am_failure;
1872
1873 eauditon(A_SETUMASK, (caddr_t)&ainfo, sizeof (ainfo));
1874 }
1875
1876 /*
1877 * do_setstat() - reset audit statistics counters; local zone use is valid if
1878 * AUDIT_PERZONE is set, otherwise the syscall returns EPERM.
1879 */
1880 static void
1881 do_setstat(void)
1882 {
1883 au_stat_t as;
1884
1885 as.as_audit = (uint_t)-1;
1886 as.as_auditctl = (uint_t)-1;
1887 as.as_dropped = (uint_t)-1;
1888 as.as_enqueue = (uint_t)-1;
1889 as.as_generated = (uint_t)-1;
1890 as.as_kernel = (uint_t)-1;
1891 as.as_nonattrib = (uint_t)-1;
1892 as.as_rblocked = (uint_t)-1;
1893 as.as_totalsize = (uint_t)-1;
1894 as.as_wblocked = (uint_t)-1;
1895 as.as_written = (uint_t)-1;
1896
1897 eauditon(A_SETSTAT, (caddr_t)&as, sizeof (as));
1898 (void) printf("%s\n", gettext("audit stats reset"));
1899 }
1900
1901 /*
1902 * do_setclass() - map the kernel event event_str to the classes specified by
1903 * audit flags (mask); valid per zone if AUDIT_PERZONE is set, else only in
1904 * global zone.
1905 */
1906 static void
1907 do_setclass(char *event_str, au_mask_t *mask)
1908 {
1909 au_event_t event;
1910 au_evclass_map_t ec;
1911 au_event_ent_t *evp;
1912
1913 if (strisnum(event_str)) {
1914 event = (uint_t)atol(event_str);
1915 } else {
1916 if ((evp = egetauevnam(event_str)) != NULL) {
1917 event = evp->ae_number;
1918 }
1919 }
1920
1921 ec.ec_number = event;
1922 ec.ec_class = (mask->am_success | mask->am_failure);
1923
1924 eauditon(A_SETCLASS, (caddr_t)&ec, sizeof (ec));
1925 }
1926
1927 /*
1928 * do_setflags() - set configured and active default user preselection masks;
1929 * valid per zone if AUDIT_PERZONE is set, else only in global zone.
1930 */
1931 static void
1932 do_setflags(char *audit_flags, au_mask_t *amask)
1933 {
1934 eauditon(A_SETAMASK, (caddr_t)amask, sizeof (*amask));
1935
1936 if (!do_setflags_scf(audit_flags)) {
1937 print_mask(gettext("active user default audit flags"), amask);
1938 exit_error(gettext("Could not store configuration value."));
1939 }
1940 print_mask(gettext("user default audit flags"), amask);
1941 }
1942
1943 /*
1944 * do_setkmask() - set non-attributable audit flags of machine; valid per zone
1945 * if AUDIT_PERZONE is set, else only in global zone.
1946 */
1947 static void
1948 do_setkmask(au_mask_t *pmask)
1949 {
1950 eauditon(A_SETKMASK, (caddr_t)pmask, sizeof (*pmask));
1951 print_mask(gettext("active non-attributable audit flags"), pmask);
1952 }
1953
1954 /*
1955 * do_setnaflags() - set configured and active non-attributable selection flags
1956 * of machine; valid per zone if AUDIT_PERZONE is set, else only in global zone.
1957 */
1958 static void
1959 do_setnaflags(char *audit_naflags, au_mask_t *namask)
1960 {
1961 eauditon(A_SETKMASK, (caddr_t)namask, sizeof (*namask));
1962
1963 if (!do_setnaflags_scf(audit_naflags)) {
1964 print_mask(
1965 gettext("active non-attributable audit flags"), namask);
1966 exit_error(gettext("Could not store configuration value."));
1967 }
1968 print_mask(gettext("non-attributable audit flags"), namask);
1969 }
1970
1971 /*
1972 * do_setplugin() - set the given plugin plugin_str configuration values.
1973 */
1974 static void
1975 do_setplugin(char *plugin_str, boolean_t plugin_state, char *plugin_attr,
1976 int plugin_qsize)
1977 {
1978 if (!do_setpluginconfig_scf(plugin_str, plugin_state, plugin_attr,
1979 plugin_qsize)) {
1980 exit_error(gettext("Could not set plugin configuration."));
1981 }
1982 }
1983
1984 /*
1985 * do_setpolicy() - set the active and configured kernel audit policy; active
1986 * values can be changed per zone if AUDIT_PERZONE is set, else only in global
1987 * zone.
1988 *
1989 * ahlt and perzone are global zone only. The kernel ensures that a local zone
1990 * can't change ahlt and perzone (EINVAL).
1991 */
1992 static void
1993 do_setpolicy(char *policy_str)
1994 {
1995 uint32_t policy = 0;
1996
1997 switch (str2policy(policy_str, &policy)) {
1998 case 0:
1999 if (!temporary_set) {
2000 if (!do_getpolicy_scf(&policy)) {
2001 exit_error(gettext("Unable to get current "
2002 "policy values from the SMF repository"));
2003 }
2004 (void) str2policy(policy_str, &policy);
2005
2006 if (!do_setpolicy_scf(policy)) {
2007 exit_error(gettext("Could not store "
2008 "configuration values."));
2009 }
2010 }
2011 eauditon(A_SETPOLICY, (caddr_t)&policy, 0);
2012 break;
2013 case 2:
2014 exit_error(gettext("policy (%s) invalid in a local zone."),
2015 policy_str);
2016 break;
2017 default:
2018 exit_error(gettext("Invalid policy (%s) specified."),
2019 policy_str);
2020 break;
2021 }
2022 }
2023
2024 /*
2025 * do_setqbufsz() - set the active and configured audit queue write buffer size
2026 * (bytes); active values can be changed per zone if AUDIT_PERZONE is set, else
2027 * only in global zone.
2028 */
2029 static void
2030 do_setqbufsz(char *bufsz)
2031 {
2032 struct au_qctrl qctrl;
2033
2034 if (!temporary_set) {
2035 qctrl.aq_bufsz = (size_t)atol(bufsz);
2036 if (!do_setqbufsz_scf(&qctrl.aq_bufsz)) {
2037 exit_error(gettext(
2038 "Could not store configuration value."));
2039 }
2040 if (qctrl.aq_bufsz == 0) {
2041 return;
2042 }
2043 }
2044
2045 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
2046 qctrl.aq_bufsz = (size_t)atol(bufsz);
2047 eauditon(A_SETQCTRL, (caddr_t)&qctrl, 0);
2048 }
2049
2050 /*
2051 * do_setqctrl() - set the active and configured audit queue write buffer size
2052 * (bytes), hiwater audit record count, lowater audit record count, and wakeup
2053 * interval (ticks); active values can be changed per zone if AUDIT_PERZONE is
2054 * set, else only in global zone.
2055 */
2056 static void
2057 do_setqctrl(char *hiwater, char *lowater, char *bufsz, char *delay)
2058 {
2059 struct au_qctrl qctrl;
2060
2061 qctrl.aq_hiwater = (size_t)atol(hiwater);
2062 qctrl.aq_lowater = (size_t)atol(lowater);
2063 qctrl.aq_bufsz = (size_t)atol(bufsz);
2064 qctrl.aq_delay = (clock_t)atol(delay);
2065
2066 if (!temporary_set) {
2067 struct au_qctrl qctrl_act;
2068
2069 if (!do_setqctrl_scf(&qctrl)) {
2070 exit_error(gettext(
2071 "Could not store configuration values."));
2072 }
2073
2074 eauditon(A_GETQCTRL, (caddr_t)&qctrl_act, 0);
2075 if (qctrl.aq_hiwater == 0) {
2076 qctrl.aq_hiwater = qctrl_act.aq_hiwater;
2077 }
2078 if (qctrl.aq_lowater == 0) {
2079 qctrl.aq_lowater = qctrl_act.aq_lowater;
2080 }
2081 if (qctrl.aq_bufsz == 0) {
2082 qctrl.aq_bufsz = qctrl_act.aq_bufsz;
2083 }
2084 if (qctrl.aq_delay == 0) {
2085 qctrl.aq_delay = qctrl_act.aq_delay;
2086 }
2087 }
2088
2089 eauditon(A_SETQCTRL, (caddr_t)&qctrl, 0);
2090 }
2091
2092 /*
2093 * do_setqdelay() - set the active and configured audit queue wakeup interval
2094 * (ticks); active values can be changed per zone if AUDIT_PERZONE is set, else
2095 * only in global zone.
2096 */
2097 static void
2098 do_setqdelay(char *delay)
2099 {
2100 struct au_qctrl qctrl;
2101
2102 if (!temporary_set) {
2103 qctrl.aq_delay = (clock_t)atol(delay);
2104 if (!do_setqdelay_scf(&qctrl.aq_delay)) {
2105 exit_error(gettext(
2106 "Could not store configuration value."));
2107 }
2108 if (qctrl.aq_delay == 0) {
2109 return;
2110 }
2111 }
2112
2113 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
2114 qctrl.aq_delay = (clock_t)atol(delay);
2115 eauditon(A_SETQCTRL, (caddr_t)&qctrl, 0);
2116 }
2117
2118 /*
2119 * do_setqhiwater() - sets the active and configured number of undelivered audit
2120 * records in the audit queue at which audit record generation blocks; active
2121 * values can be changed per zone if AUDIT_PERZONE is set, else only in global
2122 * zone.
2123 */
2124 static void
2125 do_setqhiwater(char *hiwater)
2126 {
2127 struct au_qctrl qctrl;
2128
2129 if (!temporary_set) {
2130 qctrl.aq_hiwater = (size_t)atol(hiwater);
2131 if (!do_setqhiwater_scf(&qctrl.aq_hiwater)) {
2132 exit_error(gettext(
2133 "Could not store configuration value."));
2134 }
2135 if (qctrl.aq_hiwater == 0) {
2136 return;
2137 }
2138 }
2139
2140 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
2141 qctrl.aq_hiwater = (size_t)atol(hiwater);
2142 eauditon(A_SETQCTRL, (caddr_t)&qctrl, 0);
2143 }
2144
2145 /*
2146 * do_setqlowater() - set the active and configured number of undelivered audit
2147 * records in the audit queue at which blocked auditing processes unblock;
2148 * active values can be changed per zone if AUDIT_PERZONE is set, else only in
2149 * global zone.
2150 */
2151 static void
2152 do_setqlowater(char *lowater)
2153 {
2154 struct au_qctrl qctrl;
2155
2156 if (!temporary_set) {
2157 qctrl.aq_lowater = (size_t)atol(lowater);
2158 if (!do_setqlowater_scf(&qctrl.aq_lowater)) {
2159 exit_error(gettext(
2160 "Could not store configuration value."));
2161 }
2162 if (qctrl.aq_lowater == 0) {
2163 return;
2164 }
2165 }
2166
2167 eauditon(A_GETQCTRL, (caddr_t)&qctrl, 0);
2168 qctrl.aq_lowater = (size_t)atol(lowater);
2169 eauditon(A_SETQCTRL, (caddr_t)&qctrl, 0);
2170 }
2171
2172 static void
2173 eauditon(int cmd, caddr_t data, int length)
2174 {
2175 if (auditon(cmd, data, length) == -1)
2176 exit_error(gettext("auditon(2) failed."));
2177 }
2178
2179 static void
2180 egetauid(au_id_t *auid)
2181 {
2182 if (getauid(auid) == -1)
2183 exit_error(gettext("getauid(2) failed."));
2184 }
2185
2186 static void
2187 egetaudit(auditinfo_addr_t *ai, int size)
2188 {
2189 if (getaudit_addr(ai, size) == -1)
2190 exit_error(gettext("getaudit_addr(2) failed."));
2191 }
2192
2193 static void
2194 egetkaudit(auditinfo_addr_t *ai, int size)
2195 {
2196 if (auditon(A_GETKAUDIT, (char *)ai, size) < 0)
2197 exit_error(gettext("auditon: A_GETKAUDIT failed."));
2198 }
2199
2200 static void
2201 esetkaudit(auditinfo_addr_t *ai, int size)
2202 {
2203 if (auditon(A_SETKAUDIT, (char *)ai, size) < 0)
2204 exit_error(gettext("auditon: A_SETKAUDIT failed."));
2205 }
2206
2207 static void
2208 egetauditflagsbin(char *auditflags, au_mask_t *pmask)
2209 {
2210 if (strcmp(auditflags, "none") == 0) {
2211 pmask->am_success = pmask->am_failure = 0;
2212 return;
2213 }
2214
2215 if (getauditflagsbin(auditflags, pmask) < 0) {
2216 exit_error(gettext("Could not get audit flags (%s)"),
2217 auditflags);
2218 }
2219 }
2220
2221 static void
2222 echkflags(char *auditflags, au_mask_t *mask)
2223 {
2224 char *err = "";
2225 char *err_ptr;
2226
2227 if (!__chkflags(auditflags, mask, B_FALSE, &err)) {
2228 err_ptr = err;
2229 while (*err_ptr != ',' && *err_ptr != '\0') {
2230 err_ptr++;
2231 }
2232 *err_ptr = '\0';
2233 exit_error(gettext("Unknown audit flags and/or prefixes "
2234 "encountered: %s"), err);
2235 }
2236 }
2237
2238 static au_event_ent_t *
2239 egetauevnum(au_event_t event_number)
2240 {
2241 au_event_ent_t *evp;
2242
2243 if ((evp = getauevnum(event_number)) == NULL) {
2244 exit_error(gettext("Could not get audit event %hu"),
2245 event_number);
2246 }
2247
2248 return (evp);
2249 }
2250
2251 static au_event_ent_t *
2252 egetauevnam(char *event_name)
2253 {
2254 register au_event_ent_t *evp;
2255
2256 if ((evp = getauevnam(event_name)) == NULL)
2257 exit_error(gettext("Could not get audit event %s"), event_name);
2258
2259 return (evp);
2260 }
2261
2262 static void
2263 esetauid(au_id_t *auid)
2264 {
2265 if (setauid(auid) == -1)
2266 exit_error(gettext("setauid(2) failed."));
2267 }
2268
2269 static void
2270 esetaudit(auditinfo_addr_t *ai, int size)
2271 {
2272 if (setaudit_addr(ai, size) == -1)
2273 exit_error(gettext("setaudit_addr(2) failed."));
2274 }
2275
2276 static uid_t
2277 get_user_id(char *user)
2278 {
2279 struct passwd *pwd;
2280 uid_t uid;
2281
2282 if (isdigit(*user)) {
2283 uid = atoi(user);
2284 if ((pwd = getpwuid(uid)) == NULL) {
2285 exit_error(gettext("Invalid user: %s"), user);
2286 }
2287 } else {
2288 if ((pwd = getpwnam(user)) == NULL) {
2289 exit_error(gettext("Invalid user: %s"), user);
2290 }
2291 }
2292
2293 return (pwd->pw_uid);
2294 }
2295
2296 /*
2297 * get_arg_ent()
2298 * Inputs: command line argument string
2299 * Returns ptr to struct arg_entry if found; null, if not found
2300 */
2301 static arg_entry_t *
2302 get_arg_ent(char *arg_str)
2303 {
2304 arg_entry_t key;
2305
2306 key.arg_str = arg_str;
2307
2308 return ((arg_entry_t *)bsearch((char *)&key, (char *)arg_table,
2309 ARG_TBL_SZ, sizeof (arg_entry_t), arg_ent_compare));
2310 }
2311
2312 /*
2313 * arg_ent_compare()
2314 * Compares two command line arguments to determine which is
2315 * lexicographically greater.
2316 * Inputs: two argument map table entry pointers
2317 * Returns: > 1: aep1->arg_str > aep2->arg_str
2318 * < 1: aep1->arg_str < aep2->arg_str
2319 * 0: aep1->arg_str = aep->arg_str2
2320 */
2321 static int
2322 arg_ent_compare(const void *aep1, const void *aep2)
2323 {
2324 return (strcmp(((arg_entry_t *)aep1)->arg_str,
2325 ((arg_entry_t *)aep2)->arg_str));
2326 }
2327
2328 /*
2329 * tid_str is major,minor,host -- host is a name or an ip address
2330 */
2331 static void
2332 str2tid(char *tid_str, au_tid_addr_t *tp)
2333 {
2334 char *major_str;
2335 char *minor_str;
2336 char *host_str = NULL;
2337 major_t major = 0;
2338 major_t minor = 0;
2339 dev_t dev = 0;
2340 struct hostent *phe;
2341 int err;
2342 uint32_t ibuf;
2343 uint32_t ibuf6[4];
2344
2345 tp->at_port = 0;
2346 tp->at_type = 0;
2347 bzero(tp->at_addr, 16);
2348
2349 major_str = tid_str;
2350 if ((minor_str = strchr(tid_str, ',')) != NULL) {
2351 *minor_str = '\0';
2352 minor_str++;
2353 }
2354
2355 if (minor_str) {
2356 if ((host_str = strchr(minor_str, ',')) != NULL) {
2357 *host_str = '\0';
2358 host_str++;
2359 }
2360 }
2361
2362 if (major_str)
2363 major = (major_t)atoi(major_str);
2364
2365 if (minor_str)
2366 minor = (minor_t)atoi(minor_str);
2367
2368 if ((dev = makedev(major, minor)) != NODEV)
2369 tp->at_port = dev;
2370
2371 if (host_str) {
2372 if (strisipaddr(host_str)) {
2373 if (inet_pton(AF_INET, host_str, &ibuf)) {
2374 tp->at_addr[0] = ibuf;
2375 tp->at_type = AU_IPv4;
2376 } else if (inet_pton(AF_INET6, host_str, ibuf6)) {
2377 tp->at_addr[0] = ibuf6[0];
2378 tp->at_addr[1] = ibuf6[1];
2379 tp->at_addr[2] = ibuf6[2];
2380 tp->at_addr[3] = ibuf6[3];
2381 tp->at_type = AU_IPv6;
2382 }
2383 } else {
2384 phe = getipnodebyname((const void *)host_str,
2385 AF_INET, 0, &err);
2386 if (phe == 0) {
2387 phe = getipnodebyname((const void *)host_str,
2388 AF_INET6, 0, &err);
2389 }
2390
2391 if (phe != NULL) {
2392 if (phe->h_addrtype == AF_INET6) {
2393 /* address is IPv6 (128 bits) */
2394 (void) memcpy(&tp->at_addr[0],
2395 phe->h_addr_list[0], 16);
2396 tp->at_type = AU_IPv6;
2397 } else {
2398 /* address is IPv4 (32 bits) */
2399 (void) memcpy(&tp->at_addr[0],
2400 phe->h_addr_list[0], 4);
2401 tp->at_type = AU_IPv4;
2402 }
2403 freehostent(phe);
2404 }
2405 }
2406 }
2407 }
2408
2409 static char *
2410 cond2str(void)
2411 {
2412 uint_t cond;
2413
2414 eauditon(A_GETCOND, (caddr_t)&cond, sizeof (cond));
2415
2416 switch (cond) {
2417
2418 case AUC_AUDITING:
2419 return ("auditing");
2420
2421 case AUC_NOAUDIT:
2422 case AUC_INIT_AUDIT:
2423 return ("noaudit");
2424
2425 case AUC_UNSET:
2426 return ("unset");
2427
2428 case AUC_NOSPACE:
2429 return ("nospace");
2430
2431 default:
2432 return ("");
2433 }
2434 }
2435
2436 /*
2437 * exit = 0, success
2438 * 1, error
2439 * 2, bad zone
2440 */
2441 static int
2442 str2policy(char *policy_str, uint32_t *policy_mask)
2443 {
2444 char *buf;
2445 char *tok;
2446 char pfix;
2447 boolean_t is_all = B_FALSE;
2448 uint32_t pm = 0;
2449 uint32_t curp;
2450
2451 pfix = *policy_str;
2452
2453 if (pfix == '-' || pfix == '+' || pfix == '=')
2454 ++policy_str;
2455
2456 if ((buf = strdup(policy_str)) == NULL)
2457 return (1);
2458
2459 for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
2460 uint32_t tok_pm;
2461 if (((tok_pm = get_policy(tok)) == 0) &&
2462 ((strcasecmp(tok, "none") != 0))) {
2463 free(buf);
2464 return (1);
2465 } else {
2466 pm |= tok_pm;
2467 if (tok_pm == ALL_POLICIES) {
2468 is_all = B_TRUE;
2469 }
2470 }
2471 }
2472 free(buf);
2473
2474 /* reuse policy mask if already set to some value */
2475 if (*policy_mask != 0) {
2476 curp = *policy_mask;
2477 } else {
2478 (void) auditon(A_GETPOLICY, (caddr_t)&curp, 0);
2479 }
2480
2481 if (pfix == '-') {
2482 if (!is_all &&
2483 (getzoneid() != GLOBAL_ZONEID) &&
2484 (pm & ~AUDIT_LOCAL)) {
2485 return (2);
2486 }
2487
2488 if (getzoneid() != GLOBAL_ZONEID)
2489 curp &= AUDIT_LOCAL;
2490 *policy_mask = curp & ~pm;
2491
2492 } else if (pfix == '+') {
2493 /*
2494 * In a local zone, accept specifying "all", but not
2495 * individually specifying global-zone only policies.
2496 * Limit to all locally allowed, so system call doesn't
2497 * fail.
2498 */
2499 if (!is_all &&
2500 (getzoneid() != GLOBAL_ZONEID) &&
2501 (pm & ~AUDIT_LOCAL)) {
2502 return (2);
2503 }
2504
2505 if (getzoneid() != GLOBAL_ZONEID) {
2506 curp &= AUDIT_LOCAL;
2507 if (is_all) {
2508 pm &= AUDIT_LOCAL;
2509 }
2510 }
2511 *policy_mask = curp | pm;
2512
2513 } else {
2514 /*
2515 * In a local zone, accept specifying "all", but not
2516 * individually specifying global-zone only policies.
2517 * Limit to all locally allowed, so system call doesn't
2518 * fail.
2519 */
2520 if (!is_all &&
2521 (getzoneid() != GLOBAL_ZONEID) &&
2522 (pm & ~AUDIT_LOCAL)) {
2523 return (2);
2524 }
2525
2526 if (is_all && (getzoneid() != GLOBAL_ZONEID)) {
2527 pm &= AUDIT_LOCAL;
2528 }
2529 *policy_mask = pm;
2530 }
2531 return (0);
2532 }
2533
2534 static int
2535 policy2str(uint32_t policy, char *policy_str, size_t len)
2536 {
2537 int i, j;
2538
2539 if (policy == ALL_POLICIES) {
2540 (void) strcpy(policy_str, "all");
2541 return (1);
2542 }
2543
2544 if (policy == NO_POLICIES) {
2545 (void) strcpy(policy_str, "none");
2546 return (1);
2547 }
2548
2549 *policy_str = '\0';
2550
2551 for (i = 0, j = 0; i < POLICY_TBL_SZ; i++) {
2552 if (policy & policy_table[i].policy_mask &&
2553 policy_table[i].policy_mask != ALL_POLICIES) {
2554 if (j++) {
2555 (void) strcat(policy_str, ",");
2556 }
2557 (void) strlcat(policy_str, policy_table[i].policy_str,
2558 len);
2559 }
2560 }
2561
2562 if (*policy_str)
2563 return (0);
2564
2565 return (1);
2566 }
2567
2568
2569 static int
2570 strisnum(char *s)
2571 {
2572 if (s == NULL || !*s)
2573 return (0);
2574
2575 for (; *s == '-' || *s == '+'; s++)
2576
2577 if (!*s)
2578 return (0);
2579
2580 for (; *s; s++)
2581 if (!isdigit(*s))
2582 return (0);
2583
2584 return (1);
2585 }
2586
2587 static int
2588 strisipaddr(char *s)
2589 {
2590 int dot = 0;
2591 int colon = 0;
2592
2593 /* no string */
2594 if ((s == NULL) || (!*s))
2595 return (0);
2596
2597 for (; *s; s++) {
2598 if (!(isxdigit(*s) || *s != '.' || *s != ':'))
2599 return (0);
2600 if (*s == '.')
2601 dot++;
2602 if (*s == ':')
2603 colon++;
2604 }
2605
2606 if (dot && colon)
2607 return (0);
2608
2609 if (!dot && !colon)
2610 return (0);
2611
2612 return (1);
2613 }
2614
2615 static void
2616 chk_arg_len(char *argv, uint_t len)
2617 {
2618 if ((strlen(argv) + 1) > len) {
2619 *(argv + len - 1) = '\0';
2620 exit_error(gettext("Argument too long (%s..)."), argv);
2621 }
2622 }
2623
2624 static void
2625 chk_event_num(int etype, au_event_t event)
2626 {
2627 au_stat_t as;
2628
2629 eauditon(A_GETSTAT, (caddr_t)&as, 0);
2630
2631 if (etype == AC_KERN_EVENT) {
2632 if (event > as.as_numevent) {
2633 exit_error(gettext(
2634 "Invalid kernel audit event number specified.\n"
2635 "\t%hu is outside allowable range 0-%d."),
2636 event, as.as_numevent);
2637 }
2638 } else {
2639 /* user event */
2640 if (event <= as.as_numevent) {
2641 exit_error(gettext("Invalid user level audit event "
2642 "number specified %hu."), event);
2643 }
2644 }
2645 }
2646
2647 static void
2648 chk_event_str(int etype, char *event_str)
2649 {
2650 au_event_ent_t *evp;
2651 au_stat_t as;
2652
2653 eauditon(A_GETSTAT, (caddr_t)&as, 0);
2654
2655 evp = egetauevnam(event_str);
2656 if (etype == AC_KERN_EVENT && (evp->ae_number > as.as_numevent)) {
2657 exit_error(gettext(
2658 "Invalid kernel audit event string specified.\n"
2659 "\t\"%s\" appears to be a user level event. "
2660 "Check configuration."), event_str);
2661 } else if (etype == AC_USER_EVENT &&
2662 (evp->ae_number < as.as_numevent)) {
2663 exit_error(gettext(
2664 "Invalid user audit event string specified.\n"
2665 "\t\"%s\" appears to be a kernel event. "
2666 "Check configuration."), event_str);
2667 }
2668 }
2669
2670 static void
2671 chk_known_plugin(char *plugin_str)
2672 {
2673 if ((strlen(plugin_str) + 1) > PLUGIN_MAXBUF) {
2674 exit_error(gettext("Plugin name too long.\n"));
2675 }
2676
2677 if (!plugin_avail_scf(plugin_str)) {
2678 exit_error(gettext("No such plugin configured: %s"),
2679 plugin_str);
2680 }
2681 }
2682
2683 static void
2684 chk_sorf(char *sorf_str)
2685 {
2686 if (!strisnum(sorf_str))
2687 exit_error(gettext("Invalid sorf specified: %s"), sorf_str);
2688 }
2689
2690 static void
2691 chk_retval(char *retval_str)
2692 {
2693 if (!strisnum(retval_str))
2694 exit_error(gettext("Invalid retval specified: %s"), retval_str);
2695 }
2696
2697 static void
2698 execit(char **argv)
2699 {
2700 char *args, *args_pos;
2701 size_t len = 0;
2702 size_t n = 0;
2703 char **argv_pos;
2704
2705 if (*argv) {
2706 /* concatenate argument array to be passed to sh -c "..." */
2707 for (argv_pos = argv; *argv_pos; argv_pos++)
2708 len += strlen(*argv_pos) + 1;
2709
2710 if ((args = malloc(len + 1)) == NULL)
2711 exit_error(
2712 gettext("Allocation for command/arguments failed"));
2713
2714 args_pos = args;
2715 for (argv_pos = argv; *argv_pos; argv_pos++) {
2716 n += snprintf(args_pos, len - n, "%s ", *argv_pos);
2717 args_pos = args + n;
2718 }
2719 /* strip the last space */
2720 args[strlen(args)] = '\0';
2721
2722 (void) execl("/bin/sh", "sh", "-c", args, NULL);
2723 } else {
2724 (void) execl("/bin/sh", "sh", NULL);
2725 }
2726
2727 exit_error(gettext("exec(2) failed"));
2728 }
2729
2730 static void
2731 exit_usage(int status)
2732 {
2733 FILE *fp;
2734 int i;
2735
2736 fp = (status ? stderr : stdout);
2737 (void) fprintf(fp, gettext("usage: %s option ...\n"), progname);
2738
2739 for (i = 0; i < ARG_TBL_SZ; i++) {
2740 /* skip the -t option; it's not a standalone option */
2741 if (arg_table[i].auditconfig_cmd == AC_ARG_SET_TEMPORARY) {
2742 continue;
2743 }
2744
2745 (void) fprintf(fp, " %s%s%s\n",
2746 arg_table[i].arg_str, arg_table[i].arg_opts,
2747 (arg_table[i].temporary_allowed ? " [-t]" : ""));
2748 }
2749
2750 exit(status);
2751 }
2752
2753 static void
2754 print_asid(au_asid_t asid)
2755 {
2756 (void) printf(gettext("audit session id = %u\n"), asid);
2757 }
2758
2759 static void
2760 print_auid(au_id_t auid)
2761 {
2762 struct passwd *pwd;
2763 char *username;
2764
2765 if ((pwd = getpwuid((uid_t)auid)) != NULL)
2766 username = pwd->pw_name;
2767 else
2768 username = gettext("unknown");
2769
2770 (void) printf(gettext("audit id = %s(%d)\n"), username, auid);
2771 }
2772
2773 static void
2774 print_mask(char *desc, au_mask_t *pmp)
2775 {
2776 char auflags[512];
2777
2778 if (getauditflagschar(auflags, pmp, 0) < 0)
2779 (void) strlcpy(auflags, gettext("unknown"), sizeof (auflags));
2780
2781 (void) printf("%s = %s(0x%x,0x%x)\n",
2782 desc, auflags, pmp->am_success, pmp->am_failure);
2783 }
2784
2785 static void
2786 print_plugin(char *plugin_name, kva_t *plugin_kva)
2787 {
2788 char att_str[PLUGIN_MAXATT];
2789 boolean_t plugin_active;
2790 char *active_str;
2791 char *qsize_ptr;
2792 int qsize;
2793
2794 if ((active_str = kva_match(plugin_kva, "active")) == NULL) {
2795 (void) printf(gettext("Audit service configuration error: "
2796 "\"active\" property not found\n"));
2797 return;
2798 }
2799
2800 plugin_active = (boolean_t)atoi(active_str);
2801 qsize_ptr = kva_match(plugin_kva, "qsize");
2802 qsize = atoi(qsize_ptr == NULL ? "-1" : qsize_ptr);
2803
2804 (void) printf(gettext("Plugin: %s (%s)\n"), plugin_name,
2805 plugin_active ? "active" : "inactive");
2806
2807 free_static_att_kva(plugin_kva);
2808
2809 switch (_kva2str(plugin_kva, att_str, PLUGIN_MAXATT, "=", ";")) {
2810 case 0:
2811 (void) printf(gettext("\tAttributes: %s\n"), att_str);
2812 break;
2813 case 1:
2814 exit_error(gettext("Internal error - buffer size too small."));
2815 break;
2816 default:
2817 exit_error(gettext("Internal error."));
2818 break;
2819 }
2820
2821 if (qsize != 0) {
2822 (void) printf(gettext("\tQueue size: %d %s\n"), qsize,
2823 qsize == -1 ? "(internal error: value not available)" : "");
2824 }
2825 }
2826
2827 static void
2828 print_tid_ex(au_tid_addr_t *tidp)
2829 {
2830 struct hostent *phe;
2831 char *hostname;
2832 struct in_addr ia;
2833 uint32_t *addr;
2834 int err;
2835 char buf[INET6_ADDRSTRLEN];
2836 char *bufp;
2837
2838
2839 /* IPV6 or IPV4 address */
2840 if (tidp->at_type == AU_IPv4) {
2841 if ((phe = gethostbyaddr((char *)&tidp->at_addr[0],
2842 sizeof (tidp->at_addr[0]), AF_INET)) != NULL) {
2843 hostname = phe->h_name;
2844 } else {
2845 hostname = gettext("unknown");
2846 }
2847
2848 ia.s_addr = tidp->at_addr[0];
2849
2850 (void) printf(gettext(
2851 "terminal id (maj,min,host) = %lu,%lu,%s(%s)\n"),
2852 major(tidp->at_port), minor(tidp->at_port),
2853 hostname, inet_ntoa(ia));
2854 } else {
2855 addr = &tidp->at_addr[0];
2856 phe = getipnodebyaddr((const void *)addr, 16, AF_INET6, &err);
2857
2858 bzero(buf, sizeof (buf));
2859
2860 (void) inet_ntop(AF_INET6, (void *)addr, buf, sizeof (buf));
2861 if (phe == NULL) {
2862 bufp = gettext("unknown");
2863 } else {
2864 bufp = phe->h_name;
2865 }
2866
2867 (void) printf(gettext(
2868 "terminal id (maj,min,host) = %lu,%lu,%s(%s)\n"),
2869 major(tidp->at_port), minor(tidp->at_port),
2870 bufp, buf);
2871 if (phe) {
2872 freehostent(phe);
2873 }
2874 }
2875 }
2876
2877 static int
2878 str2ipaddr(char *s, uint32_t *addr, uint32_t type)
2879 {
2880 int j, sl;
2881 char *ss;
2882 unsigned int v;
2883
2884 bzero(addr, 16);
2885 if (strisipaddr(s)) {
2886 if (type == AU_IPv4) {
2887 if (inet_pton(AF_INET, s, addr)) {
2888 return (0);
2889 }
2890 return (1);
2891 } else if (type == AU_IPv6) {
2892 if (inet_pton(AF_INET6, s, addr))
2893 return (0);
2894 return (1);
2895 }
2896 return (1);
2897 } else {
2898 if (type == AU_IPv4) {
2899 (void) sscanf(s, "%x", &addr[0]);
2900 return (0);
2901 } else if (type == AU_IPv6) {
2902 sl = strlen(s);
2903 ss = s;
2904 for (j = 3; j >= 0; j--) {
2905 if ((sl - 8) <= 0) {
2906 (void) sscanf(s, "%x", &v);
2907 addr[j] = v;
2908 return (0);
2909 }
2910 ss = &s[sl-8];
2911 (void) sscanf(ss, "%x", &v);
2912 addr[j] = v;
2913 sl -= 8;
2914 *ss = '\0';
2915 }
2916 }
2917 return (0);
2918 }
2919 }
2920
2921 static int
2922 str2type(char *s, uint_t *type)
2923 {
2924 if (strcmp(s, "ipv6") == 0) {
2925 *type = AU_IPv6;
2926 return (0);
2927 }
2928 if (strcmp(s, "ipv4") == 0) {
2929 *type = AU_IPv4;
2930 return (0);
2931 }
2932
2933 return (1);
2934 }
2935
2936 /*
2937 * exit_error() - print an error message along with corresponding system error
2938 * number and error message, then exit. Inputs - program error format and
2939 * message.
2940 */
2941 /*PRINTFLIKE1*/
2942 static void
2943 exit_error(char *fmt, ...)
2944 {
2945 va_list args;
2946
2947 va_start(args, fmt);
2948 prt_error_va(fmt, args);
2949 va_end(args);
2950
2951 exit(1);
2952 }