bsmconv

contrib/openbsm/bin/bsmconv/.gitignore

@@ -0,0 +1,3 @@
+*.o
+*.core
+*.out

contrib/openbsm/bin/bsmconv/.tests/unhandled/tabs.input

@@ -0,0 +1,3 @@
+type=TESTTYPE1 msg=audit(1464612294.816:250): name1=value1,	name2=value2
+type=TESTTYPE2 msg=audit(1464612294.816:250): name1=value1		  	name2=value2
+type=TESTTYPE2 msg=audit(1464612294.816:250): name1=value1	name2=value2	

contrib/openbsm/bin/bsmconv/README.md

@@ -0,0 +1,14 @@
+# Install dependencies
+
+Go to `lib/libbsm` and run:
+
+        make
+        sudo make install
+
+# Compile
+
+    ./fu m
+
+# Tests
+
+Run `./fu help` to get help on that.

contrib/openbsm/bin/bsmconv/STYLE

@@ -0,0 +1,61 @@
+See the "man: style(99)" file on the project's Wiki on GitHub.
+
+Assertions
+==========
+
+General Guidelines
+------------------
+
+Use assertions on a parameter of a function when:
+- The function is using the parameter directly (like passing the parameter
+to strcpy);
+- <strike>It calls a function which requires the parameter to be for example
+non-NULL.  It means that the assertions are supposed to fetch a possible error
+as soon as possible.</strike>
+
+`PJDLOG_ASSERT()` vs `PJDLOG_VERIFY()`
+--------------------------------------
+
+- Use `PJDLOG_ASSERT()` to check the return value of functions like `malloc()`,
+`sbuf_new_auto()` and `au_to_text()` because they fail rarely and there is no
+need to use `PJDLOG_VERIFY()` instead.
+
+Brackets
+========
+
+The if statements
+-----------------
+
+Use a little bit more strict rules in terms of using brackets around the if
+statements.  Here an example of the desired style:
+
+```c
+if (!fun_returning_bool) {
+	f();
+} else {
+	g();
+	h();
+}
+
+if (!fun_returning_bool) {
+	f();
+} else if (fun_returning_bool2) {
+	this_is_a_really_long_function_name(withsolongparameters,
+	    thatthelinehastobebroken);
+} else {
+	g();
+}
+
+if (f() == 0)
+	return (1);
+else
+	return (2);
+
+/* It is better to break on "&&" and "||" than on the function's "(". */
+if (!very_long_fun(aaa, bbb, ccc) &&
+    another_very_long_fun(xxx, yyy, zzz)
+	f();
+else if (this_breaking_style_is_not_that_good(xxx, yyy, zzz) && fun(
+    aaa, bbb, ccc)
+	f();
+```

contrib/openbsm/bin/bsmconv/TODO

@@ -0,0 +1,65 @@
+Conversion
+==========
+
+Validation
+----------
+
+- [ ] Improve the cwd field value validation. At the moment it checks if
+      the value is _encoded_.  Should it check if the path is actually a valid
+      path?
+- [ ] Regex fields validators should return only valid fields.
+
+Improvements
+------------
+
+- [x] Add the Linux Audit record id to a sequence token.
+- [ ] Improve the conversion of the LOGIN type record. See an example
+      in tests/fields.centos.v265/LOGIN.input.
+- [ ] Find out what does the _user_ thing mean in a Linux Audit record.  Does it
+      indicate that the user is the subject of the _action_?
+- [ ] Some fields like `ses` use the value of `-1` and some others like `auid`
+      use `?`. What's the rule?
+- [ ] Add the identifiers for Linux Audit events so that praudit can generate
+      meaningful output because of the Linux dedicated identifiers
+      in `/etc/security/audit_event`.
+
+FreeBSD Improvements
+====================
+
+- [ ] Update the `au_token(3)` man page since it is super outdated.
+    - `au_to_attr` has invalid arguements.
+    - `man au_to_attr` doesn't open `au_token(3)`. The same applies to
+      `au_to_attr32`.
+- [ ] Why isn't the pointer parameters of the au_to_* functions const? See
+      `sys/security/audit/bsm_token.c:au_to_exec_args` for example.  For example
+      `au_to_exec_args` does not modify the parameters; as the function uses
+      `memcpy(3)` it does not _consume_ the parameters.
+
+Maintainability
+===============
+
+- [ ] Add a script which validates that every lcrt_tokens list has
+      a termianting NULL.
+
+Style & Refactoring
+===================
+
+- [x] Refactor the while loop in process_events() in bsmconv.c.
+- [ ] Standardize the naming convention of static functions.
+    - May all the interface functions be prefixed with `linau_`.
+- [ ] Allign the protypes of static functions (as in style(9)).
+- [ ] Should I use protected names (see style(9))?
+- [ ] Find out if you should treat int* as an integer or as a pointer as you
+      sort the variable declarations in functions (see style(9)).
+- [ ] Unify the lctokens for the _res_ and _result_ fields.
+- [ ] Use pjdlog.h instead of `printf` in `linau_event_dump` (pjdlog.h is said
+      to cause problems when used together with `printf`).
+- [ ] Use pjdlog_set_prefix for pjdlog_debug messages.
+- [ ] Use `errx(EX_USAGE, "<usage>");` for usage.
+
+Tests
+=====
+
+- [ ] Test if the library properly converts pid fields and uid fields for edge
+      cases.
+- [ ] `argc="text"`

contrib/openbsm/bin/bsmconv/bsmconv.c

@@ -0,0 +1,110 @@
+/*-
+ * Copyright (c) 2016 Mateusz Piotrowski <[email protected]>
+ * All rights reserved.
+ *
+ * This software was developed by Mateusz Piotrowski during
+ * the Google Summer of Code 2016 under the mentorship of Konrad Witaszczyk.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/time.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <bsm/libbsm.h>
+
+#include "linau.h"
+#include "pjdlog.h"
+
+static void process_event(const struct linau_event *event);
+static void process_events(FILE *fp);
+
+static void
+process_event(const struct linau_event *event)
+{
+	size_t buflen;
+	u_char *buf;
+
+	buf = linau_event_process(event, &buflen);
+
+	if (pjdlog_debug_get() == 0)
+		write(1, buf, buflen);
+	else
+		linau_event_dump(event);
+
+	free(buf);
+}
+
+static void
+process_events(FILE *fp)
+{
+	struct linau_event *event;
+	struct linau_record *record;
+
+	event = linau_event_create();
+	PJDLOG_ASSERT(event != NULL);
+
+	/*
+	 * Style: Is this better than the previous while loop?
+	 */
+	for (;;) {
+		record = linau_record_fetch(fp);
+		if (record == NULL) {
+			process_event(event);
+			linau_event_destroy(event);
+			break;
+		}
+		else if (linau_event_compare_origin(event, record) != 0) {
+			process_event(event);
+			linau_event_clear(event);
+		}
+		linau_event_add_record(event, record);
+	}
+}
+
+int
+main(int argc, char **argv)
+{
+	int debuglevel;
+	int optchar;
+
+	pjdlog_init(PJDLOG_MODE_STD);
+
+	debuglevel = 0;
+	while ((optchar = getopt(argc, argv, "v")) != -1)
+		switch (optchar) {
+		case 'v':
+			debuglevel++;
+			break;
+		default:
+			PJDLOG_ABORT("Invalid command line options detected");
+		}
+
+	pjdlog_debug_set(debuglevel);
+
+	process_events(stdin);
+
+	return (0);
+}

contrib/openbsm/bin/bsmconv/docs/la-notes.yaml

@@ -0,0 +1,111 @@
+---
+fields:
+  audit_backlog_limit:
+    name: audit_backlog_limit
+    type: numeric
+    notes:
+      - |
+        What is it?
+
+        https://www.redhat.com/archives/rhl-beta-list/2007-December/msg00449.html
+  auid:
+    name: auid
+    type: numeric
+    notes:
+      - meaning: login user id
+  cmd:
+    name: cmd
+    type: encoded
+  cwd:
+    name: cwd
+    type: encoded
+    notes:
+      - meaning: The current working directory.
+  egid:
+    name: egid
+    type: numeric
+  euid:
+    name: euid
+    type: numeric
+  msg:
+    name: msg
+    type: alphanumeric
+    fields:
+      - cwd
+      - cmd
+      - terminal
+      - res
+  notes:
+    - meaning: The payload of the audit record.
+    - It seems to store additional fields inside its value.
+  op:
+    name: op
+    type: alphanumeric
+    notes:
+      - meaning: The operation being performed that is audited.
+    values:
+      - open
+  pid:
+    name: pid
+    type: numeric
+  res:
+    name: res
+    type: alphanumeric
+    values:
+      - success
+      - failed
+  notes:
+    - |
+      Inconsistency
+
+      According to what was posted on the linux-audit redhat com mailing
+      list the only valid values are success and fail.
+  ses:
+    name: ses
+    type: numeric
+  terminal:
+    name: terminal
+    type: alphanumeric
+recordTypes:
+  LOGIN:
+    examples:
+      - |
+        type=LOGIN msg=audit(1468853208.803:12): pid=1166 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
+    notes:
+      - |
+        This is somewhat weird to see the 'new' and the 'old' words between
+        fields.
+  USER_CMD:
+    obligatory_fields:
+      - auid
+      - egid
+      - euid
+      - pid
+      - ses
+  optional_fields:
+    tokens:
+      - function_name: au_to_process32
+  USER_AUTH:
+    obligatory_fields:
+      - auid
+      - msg
+      - pid
+      - ses
+      - subj:
+        example_values:
+          - text,subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
+      - uid
+    tokens:
+      - function_name: au_to_process32
+tokens:
+  process32:
+    function_name: au_to_process32
+    notes:
+      - |
+        The IP address and the port number of the Linux Audit should be
+        placed in this token.
+standard:
+  notes:
+    - |
+      According to Steve Grubb fields can be separated by only a comma or
+      a space. There should be no exceptions.