From 5069c697c706c1b93b6c4881f07f5995a6c0d5d1 Mon Sep 17 00:00:00 2001 From: Cheyenne Wills Date: Fri, 4 Dec 2020 10:16:57 -0700 Subject: [PATCH] Add command line support for multiple audit logs Gerrits #13774 (audit: Support multiple audit interfaces and interface options) and #13775 (audit: Add cmd helper for processing audit options) added support in the audit facility for multiple audit logs. Add command line support to use multiple audit logs for daemons that use libcmd for command line processing: bosserver, buserver, butc, fileserver, volserver, ptserver, and vlserver. Update the daemons to add a call to audit_open, and where possible add a call to audit_close when shutting down the daemon. Update help message and manpage entries for -auditlog and -audit-interface Change-Id: I4356e1aa84f580897a0e788e2a2829685be891aa Reviewed-on: https://gerrit.openafs.org/13776 Tested-by: BuildBot Reviewed-by: Benjamin Kaduk --- doc/man-pages/pod8/bosserver.pod | 16 +++--- doc/man-pages/pod8/buserver.pod | 16 +++--- doc/man-pages/pod8/butc.pod | 17 +++--- .../pod8/fragments/dafileserver-synopsis.pod | 4 +- .../pod8/fragments/davolserver-synopsis.pod | 2 +- .../pod8/fragments/fileserver-options.pod | 56 ++++++++++++++++--- .../pod8/fragments/fileserver-synopsis.pod | 4 +- .../pod8/fragments/volserver-options.pod | 12 ++-- .../pod8/fragments/volserver-synopsis.pod | 4 +- doc/man-pages/pod8/ptserver.pod | 16 +++--- doc/man-pages/pod8/vlserver.pod | 16 +++--- src/bozo/bosserver.c | 29 +++++----- src/budb/server.c | 36 ++++++------ src/butc/tcmain.c | 28 +++++----- src/ptserver/ptserver.c | 33 +++++------ src/viced/viced.c | 33 ++++++----- src/vlserver/vlserver.c | 30 +++++----- src/volser/volmain.c | 37 ++++++------ 18 files changed, 214 insertions(+), 175 deletions(-) diff --git a/doc/man-pages/pod8/bosserver.pod b/doc/man-pages/pod8/bosserver.pod index c865e0ba30..fbeeee49ac 100644 --- a/doc/man-pages/pod8/bosserver.pod +++ b/doc/man-pages/pod8/bosserver.pod 
@@ -11,8 +11,8 @@ B S<<< [B<-noauth>] >>> S<<< [B<-log>] >>> S<<< [B<-enable_peer_stats>] >>> - S<<< [B<-auditlog> >] >>> - S<<< [B<-audit-interface> ( file | sysvmq )] >>> + S<<< [B<-auditlog> [>:]>[:>]] >>> + S<<< [B<-audit-interface> >>] >>> S<<< [B<-enable_process_stats>] >>> S<<< [B<-allow-dotted-principals>] >>> S<<< [B<-cores>[=none|>]] >>> @@ -136,18 +136,20 @@ listed in the F file). The argument none turns off core file generation. Otherwise, the argument is a path where core files will be stored. -=item B<-auditlog> > +=item B<-auditlog> [>:]>[:>] Turns on audit logging, and sets the path for the audit log. The audit log records information about RPC calls, including the name of the RPC call, the host that submitted the call, the authenticated entity (user) that issued the call, the parameters for the call, and if the call -succeeded or failed. +succeeded or failed. See L for an explanation of the audit +facility. -=item B<-audit-interface> (file | sysvmq) +=item B<-audit-interface> > -Specifies what audit interface to use. Defaults to C. See -L for an explanation of each interface. +Sets the default audit interface used by the B<-auditlog> option. The +initial default is the C interface. See L for +an explanation of each interface. =item B<-enable_peer_stats> diff --git a/doc/man-pages/pod8/buserver.pod b/doc/man-pages/pod8/buserver.pod index 793c842c6a..127cfd2cc6 100644 --- a/doc/man-pages/pod8/buserver.pod +++ b/doc/man-pages/pod8/buserver.pod @@ -8,8 +8,8 @@ buserver - Initializes the Backup Server
B S<<< [B<-database> >] >>> - S<<< [B<-auditlog> >] >>> - S<<< [B<-audit-interface> (file | sysvmq)] >>> + S<<< [B<-auditlog> [>:]>[:>]] >>> + S<<< [B<-audit-interface> >] >>> S<<< [B<-cellservdb> >] >>> [B<-resetdb>] [B<-noauth>] [B<-smallht>] S<<< [B<-servers> >+] >>> @@ -63,18 +63,20 @@ Specifies the pathname of an alternate directory for the Backup Database files, ending in a final slash (C). If this argument is not provided, the default is the F directory. -=item B<-auditlog> > +=item B<-auditlog> [>:]>[:>] Turns on audit logging, and sets the path for the audit log. The audit log records information about RPC calls, including the name of the RPC call, the host that submitted the call, the authenticated entity (user) that issued the call, the parameters for the call, and if the call -succeeded or failed. +succeeded or failed. See L for an explanation of the audit +facility. -=item B<-audit-interface> (file | sysvmq) +=item B<-audit-interface> > -Specifies what audit interface to use. Defaults to C. See -L for an explanation of each interface. +Sets the default audit interface used by the B<-auditlog> option. The +initial default is the C interface. See L for +an explanation of each interface. =item B<-cellservdb> > diff --git a/doc/man-pages/pod8/butc.pod b/doc/man-pages/pod8/butc.pod index 42c72daf25..9b74c14fb0 100644 --- a/doc/man-pages/pod8/butc.pod +++ b/doc/man-pages/pod8/butc.pod @@ -9,12 +9,13 @@ butc - Initializes the Tape Coordinator process B S<<< [B<-port> >] >>> S<<< [B<-debuglevel> (0 | 1 | 2)] >>> S<<< [B<-cell> >] >>> [B<-noautoquery>] [B<-rxbind>] [B<-localauth>] - [B<-auditlog> > [B<-audit-interface> >]] + [B<-auditlog> [>:]>[:>]] + [B<-audit-interface> >> [B<-allow_unauthenticated>] [B<-help>] B S<<< [B<-p> >] >>> S<<< [B<-d> (0 | 1 | 2)] >>> S<<< [B<-c> >] >>> [B<-n>] [B<-r>] [B<-l>] - [B<-auditl> > [-B<-audit-i> >]] + [B<-auditl> [>:]>[:>]] [B<-al>] [B<-h>] =for html 
@@ -190,18 +191,20 @@ logged on to a server machine as the local superuser C; client machines do not have F or F files. -=item B<-auditlog> > +=item B<-auditlog> [>:]>[:>] Turns on audit logging, and sets the path for the audit log. The audit log records information about RPC calls, including the name of the RPC call, the host that submitted the call, the authenticated entity (user) that issued the call, the parameters for the call, and if the call -succeeded or failed. +succeeded or failed. See L for an explanation of the audit +facility. -=item B<-audit-interface> <(file | sysvmq)> +=item B<-audit-interface> > -Specifies what audit interface to use. Defaults to C. See -L for an explanation of each interface. +Sets the default audit interface used by the B<-auditlog> option. The +initial default is the C interface. See L for +an explanation of each interface. =item B<-allow_unauthenticated> diff --git a/doc/man-pages/pod8/fragments/dafileserver-synopsis.pod b/doc/man-pages/pod8/fragments/dafileserver-synopsis.pod index 1e74123c9b..59afc9b1c1 100644 --- a/doc/man-pages/pod8/fragments/dafileserver-synopsis.pod +++ b/doc/man-pages/pod8/fragments/dafileserver-synopsis.pod @@ -1,6 +1,6 @@ B - S<<< [B<-auditlog> >] >>> - S<<< [B<-audit-interface> (file | sysvmq)] >>> + S<<< [B<-auditlog> [>:]>[:>]] >>> + S<<< [B<-audit-interface> ] >>> S<<< [B<-d> >] >>> S<<< [B<-p> >] >>> S<<< [B<-spare> >] >>> diff --git a/doc/man-pages/pod8/fragments/davolserver-synopsis.pod b/doc/man-pages/pod8/fragments/davolserver-synopsis.pod index 05aec874fc..48454c5aad 100644 --- a/doc/man-pages/pod8/fragments/davolserver-synopsis.pod +++ b/doc/man-pages/pod8/fragments/davolserver-synopsis.pod @@ -1,6 +1,6 @@ B [B<-log>] S<<< [B<-p> >] >>> - S<<< [B<-auditlog> >] >>> [B<-audit-interface> (file | sysvmq)] + S<<< [B<-auditlog> [>:]>[:>]] >>> [B<-audit-interface> >] S<<< [B<-udpsize> >] >>> S<<< [B<-d> >] >>> [B<-nojumbo>] [B<-jumbo>] 
diff --git a/doc/man-pages/pod8/fragments/fileserver-options.pod b/doc/man-pages/pod8/fragments/fileserver-options.pod index 1652303609..62735f0de9 100644 --- a/doc/man-pages/pod8/fragments/fileserver-options.pod +++ b/doc/man-pages/pod8/fragments/fileserver-options.pod @@ -1,6 +1,6 @@ =over 4 -=item B<-auditlog> > +=item B<-auditlog> [>:]>[:>] Turns on audit logging, and sets the path for the audit log. The audit log records information about RPC calls, including the name of the RPC 
@@ -8,16 +8,54 @@ call, the host that submitted the call, the authenticated entity (user) that issued the call, the parameters for the call, and if the call succeeded or failed. -=item B<-audit-interface> (file | sysvmq) +The parameter to B<-auditlog> contains three parts separated by a colon +(see examples below). -Specifies what audit interface to use. The C interface writes audit -messages to the file passed to B<-auditlog>. The C interface -writes audit messages to a SYSV message (see L and -L). The message queue the C interface writes to has the -key C, where C is the path specified in the -B<-auditlog> option. +The first part is the optional interface name. The default audit +interface is C and can be changed by the B<-audit-interface> option. -Defaults to C. +The second part is the path to the log file and is required. Note the path +to the file cannot itself contain a colon. + +The third part are parameters that will be passed to the audit interface. +The parameters are optional and the value and format is specific to the +audit interface. + +The audit interfaces are: + +=over 4 + +=item B + +The C interface writes audit messages to the specified file. +There are no optional parameters to the file interface. This is the default +interface unless changed by the B<-audit-interface> option. + +=item B + +The C interface writes audit messages to a SYSV message (see L +and L). The C interface writes to the key C, +where C is specified by the I parameter. There are no +optional parameters to the sysvmq interface. + +=back + +Multiple audit logs can be set up with different interfaces or different +I. + +Examples: + + -auditlog /path/to/file + -auditlog file:/path/to/file + -auditlog sysvmq:/path/to/sysvmq + -auditlog /path/to/file -auditlog /path/to/file2 + +=item B<-audit-interface> > + +Sets the default audit interface used by the B<-auditlog> option. The +initial default is the C interface. + +See B<-auditlog> for information on the different audit interfaces. 
=item B<-d> > diff --git a/doc/man-pages/pod8/fragments/fileserver-synopsis.pod b/doc/man-pages/pod8/fragments/fileserver-synopsis.pod index 203d7a36b8..214f0689b4 100644 --- a/doc/man-pages/pod8/fragments/fileserver-synopsis.pod +++ b/doc/man-pages/pod8/fragments/fileserver-synopsis.pod @@ -1,6 +1,6 @@ B - S<<< [B<-auditlog> >] >>> - S<<< [B<-audit-interface> (file | sysvmq)] >>> + S<<< [B<-auditlog> [>:]>[>]] >>> + S<<< [B<-audit-interface> >] >>> S<<< [B<-d> >] >>> S<<< [B<-p> >] >>> S<<< [B<-spare> >] >>> diff --git a/doc/man-pages/pod8/fragments/volserver-options.pod b/doc/man-pages/pod8/fragments/volserver-options.pod index 87e5aae386..f422105daa 100644 --- a/doc/man-pages/pod8/fragments/volserver-options.pod +++ b/doc/man-pages/pod8/fragments/volserver-options.pod @@ -25,18 +25,20 @@ restarted. This option is provided for compatibility with older versions. Sets the number of server lightweight processes (LWPs) to run. Provide an integer between C<4> and C<16>. The default is C<9>. -=item B<-auditlog> > +=item B<-auditlog> [>:]>[:>] Turns on audit logging, and sets the path for the audit log. The audit log records information about RPC calls, including the name of the RPC call, the host that submitted the call, the authenticated entity (user) that issued the call, the parameters for the call, and if the call -succeeded or failed. +succeeded or failed. See L for an explanation of the audit +facility. -=item B<-audit-interface> (file | sysvmq) +=item B<-audit-interface> > -Specifies what audit interface to use. Defaults to C. See -L for an explanation of each interface. +Sets the default audit interface used by the B<-auditlog> option. The +initial default is the C interface. See L for +an explanation of each interface. =item B<-udpsize> > diff --git a/doc/man-pages/pod8/fragments/volserver-synopsis.pod b/doc/man-pages/pod8/fragments/volserver-synopsis.pod index 53655b6728..d9a2467b06 100644 --- a/doc/man-pages/pod8/fragments/volserver-synopsis.pod 
+++ b/doc/man-pages/pod8/fragments/volserver-synopsis.pod @@ -1,7 +1,7 @@ B [B<-log>] S<<< [B<-p> >] >>> - S<<< [B<-auditlog> >] >>> - S<<< [B<-audit-interface> (file | sysvmq)] >>> + S<<< [B<-auditlog> [>:]>[:>]] >>> + S<<< [B<-audit-interface> >] >>> S<<< [B<-logfile >] >>> S<<< [B<-config> >] >>> S<<< [B<-udpsize> >] >>> S<<< [B<-d> >] >>> diff --git a/doc/man-pages/pod8/ptserver.pod b/doc/man-pages/pod8/ptserver.pod index 31c5086dac..ad1b9773f3 100644 --- a/doc/man-pages/pod8/ptserver.pod +++ b/doc/man-pages/pod8/ptserver.pod @@ -14,8 +14,8 @@ ptserver S<<< [B<-database> | B<-db> >] >>> S<<< [B<-default_access> > >] >>> [B<-restricted>] [B<-restrict_anonymous>] [B<-enable_peer_stats>] [B<-enable_process_stats>] [B<-allow-dotted-principals>] - [B<-rxbind>] S<<< [B<-auditlog> >] >>> - S<<< [B<-audit-interface> (file | sysvmq)] >>> + [B<-rxbind>] S<<< [B<-auditlog> [>:]>[:>]] >>> + S<<< [B<-audit-interface> >] >>> S<<< [B<-syslog>[=>]] >>> S<<< [B<-logfile> >] >>> [B<-transarc-logs>] @@ -178,18 +178,20 @@ service. In a typical configuration this will be F - this option allows the use of alternative configuration locations for testing purposes. -=item B<-auditlog> > +=item B<-auditlog> [>:]>:>] Turns on audit logging, and sets the path for the audit log. The audit log records information about RPC calls, including the name of the RPC call, the host that submitted the call, the authenticated entity (user) that issued the call, the parameters for the call, and if the call -succeeded or failed. +succeeded or failed. See L for an explanation of the audit +facility. -=item B<-audit-interface> (file | sysvmq) +=item B<-audit-interface> > -Specifies what audit interface to use. Defaults to C. See -L for an explanation of each interface. +Sets the default audit interface used by the B<-auditlog> option. The +initial default is the C interface. See L for +an explanation of each interface. =item B<-rxmaxmtu> 
> diff --git a/doc/man-pages/pod8/vlserver.pod b/doc/man-pages/pod8/vlserver.pod index 485d772e7d..f50e4310ee 100644 --- a/doc/man-pages/pod8/vlserver.pod +++ b/doc/man-pages/pod8/vlserver.pod @@ -20,8 +20,8 @@ vlserver [B<-noauth>] [B<-smallmem>] S<<< [B<-config> >] >>> S<<< [B<-syslog>[=>]>] >>> [B<-enable_peer_stats>] [B<-enable_process_stats>] - S<<< [B<-auditlog> >] >>> - S<<< [B<-audit-interface> (file | sysvmq)] >>> + S<<< [B<-auditlog> [>:]>[:>]] >>> + S<<< [B<-audit-interface> >] >>> S<<< [B<-restricted_query> (anyuser | admin)] >>> S<< [B<-s2scrypt> (rxgk-crypt | never)] >> [B<-help>] @@ -119,18 +119,20 @@ user.admin PTS entry. Sites whose Kerberos realms don't have these collisions between principal names may disable this check by starting the server with this option. -=item B<-auditlog> > +=item B<-auditlog> [>:]>[:>] Turns on audit logging, and sets the path for the audit log. The audit log records information about RPC calls, including the name of the RPC call, the host that submitted the call, the authenticated entity (user) that issued the call, the parameters for the call, and if the call -succeeded or failed. +succeeded or failed. See L for an explanation of the audit +facility. -=item B<-audit-interface> (file | sysvmq) +=item B<-audit-interface> > -Specifies what audit interface to use. Defaults to C. See -L for an explanation of each interface. +Sets the default audit interface used by the B<-auditlog> option. The +initial default is the C interface. See L for +an explanation of each interface. =item B<-rxbind> diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c index 1befdc972c..f470e60dc0 100644 --- a/src/bozo/bosserver.c +++ b/src/bozo/bosserver.c 
@@ -877,7 +877,7 @@ main(int argc, char **argv, char **envp) int rxMaxMTU = -1; afs_uint32 host = htonl(INADDR_ANY); char *auditIface = NULL; - char *auditFileName = NULL; + struct cmd_item *auditLogList = NULL; struct rx_securityClass **securityClasses; afs_int32 numClasses; int DoPeerRPCStats = 0; @@ -985,9 +985,9 @@ main(int argc, char **argv, char **envp) /* general server options */ cmd_AddParmAtOffset(opts, OPT_auditinterface, "-audit-interface", CMD_SINGLE, - CMD_OPTIONAL, "audit interface (file or sysvmq)"); + CMD_OPTIONAL, "default interface"); cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_SINGLE, - CMD_OPTIONAL, "audit log path"); + CMD_OPTIONAL, "[interface:]path[:options]"); cmd_AddParmAtOffset(opts, OPT_transarc_logs, "-transarc-logs", CMD_FLAG, CMD_OPTIONAL, "enable Transarc style logging"); @@ -1043,16 +1043,8 @@ main(int argc, char **argv, char **envp) #endif /* general server options */ - cmd_OptionAsString(opts, OPT_auditlog, &auditFileName); - - if (cmd_OptionAsString(opts, OPT_auditinterface, &auditIface) == 0) { - if (osi_audit_interface(auditIface)) { - printf("Invalid audit interface '%s'\n", auditIface); - free(auditIface); - exit(1); - } - free(auditIface); - } + cmd_OptionAsString(opts, OPT_auditinterface, &auditIface); + cmd_OptionAsList(opts, OPT_auditlog, &auditLogList); cmd_OptionAsFlag(opts, OPT_transarc_logs, &DoTransarcLogs); @@ -1138,8 +1130,12 @@ main(int argc, char **argv, char **envp) exit(1); } - if (auditFileName != NULL) - osi_audit_file(auditFileName); + /* Process the audit related options now that the directory checks are + * done. */ + code = osi_audit_cmd_Options(auditIface, auditLogList); + free(auditIface); + if (code) + exit(1); /* try to read the key from the config file */ tdir = afsconf_Open(AFSDIR_SERVER_ETC_DIRPATH); 
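Review bot: In the @@ -985 hunk the `-auditlog` registration keeps `CMD_SINGLE` (only the help string changes), yet the value is later read with `cmd_OptionAsList(opts, OPT_auditlog, &auditLogList)`. Every other daemon in this patch changes the parameter to `CMD_LIST`, so bosserver will presumably still refuse a second audit log, contrary to the commit message. Suggest `cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_LIST,` here as well. main() extends beyond the hunk.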
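Review bot: In the @@ -1138 hunk a non-zero result from `osi_audit_cmd_Options(auditIface, auditLogList)` goes straight to `exit(1)` with nothing printed, whereas the removed code reported `Invalid audit interface '%s'`. Unless the helper reports the failing option itself (not visible here), a mistyped audit option stops the daemon with no explanation. Suggest `if (code) { printf("Error processing -audit-interface or -auditlog options\n"); exit(1); }`. The same silent pattern appears in budb/server.c (`BUDB_EXIT(-1)`), ptserver.c (`PT_EXIT(1)`), and viced.c, vlserver.c and volmain.c (`return -1`); only butc logs a message.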
@@ -1230,6 +1226,9 @@ main(int argc, char **argv, char **envp) /* initialize audit user check */ osi_audit_set_user_check(bozo_confdir, bozo_IsLocalRealmMatch); + /* Finish audit initialization */ + osi_audit_open(); + bozo_CreateRxBindFile(host); /* for local scripts */ /* allow super users to manage RX statistics */ diff --git a/src/budb/server.c b/src/budb/server.c index f35f47fe2f..97a700c5ba 100644 --- a/src/budb/server.c +++ b/src/budb/server.c @@ -163,8 +163,8 @@ initializeArgHandler(void) cmd_AddParm(cptr, "-ubikbuffers", CMD_SINGLE, CMD_OPTIONAL, "the number of ubik buffers"); - cmd_AddParm(cptr, "-auditlog", CMD_SINGLE, CMD_OPTIONAL, - "audit log path"); + cmd_AddParm(cptr, "-auditlog", CMD_LIST, CMD_OPTIONAL, + "[interface:]path[:options]"); cmd_AddParm(cptr, "-p", CMD_SINGLE, CMD_OPTIONAL, "number of processes"); @@ -173,7 +173,7 @@ initializeArgHandler(void) "bind the Rx socket (primary interface only)"); cmd_AddParm(cptr, "-audit-interface", CMD_SINGLE, CMD_OPTIONAL, - "audit interface (file or sysvmq)"); + "default interface"); cmd_AddParm(cptr, "-transarc-logs", CMD_FLAG, CMD_OPTIONAL, "enable Transarc style logging"); @@ -183,6 +183,8 @@ int argHandler(struct cmd_syndesc *as, void *arock) { + char *auditIface = NULL; + /* globalConfPtr provides the handle for the configuration information */ /* database directory */ 
@@ -245,30 +247,23 @@ argHandler(struct cmd_syndesc *as, void *arock) rxBind = 1; } - /* -audit-interface */ - if (as->parms[10].items != 0) { - char *interface = as->parms[10].items->data; + /* -audit-interface and -auditlog */ + if (as->parms[10].items != 0) + auditIface = as->parms[10].items->data; - if (osi_audit_interface(interface)) { - printf("Invalid audit interface '%s'\n", interface); + if (as->parms[7].items != 0) { + int code; + code = osi_audit_cmd_Options(auditIface, as->parms[7].items); + if (code) BUDB_EXIT(-1); - } } + /* -transarc-logs */ if (as->parms[11].items != 0) { logopts.lopt_rotateOnOpen = 1; logopts.lopt_rotateStyle = logRotate_old; } - /* -auditlog */ - /* needs to be after -audit-interface, so we osi_audit_interface - * before we osi_audit_file */ - if (as->parms[7].items != 0) { - char *fileName = as->parms[7].items->data; - - osi_audit_file(fileName); - } - return 0; } @@ -415,7 +410,6 @@ main(int argc, char **argv) logopts.lopt_filename = AFSDIR_SERVER_BUDBLOG_FILEPATH; osi_audit_init(); - osi_audit(BUDB_StartEvent, 0, AUD_END); initialize_BUDB_error_table(); initializeArgHandler(); @@ -455,6 +449,10 @@ main(int argc, char **argv) if (helpOption) BUDB_EXIT(0); + /* Start auditing */ + osi_audit_open(); + osi_audit(BUDB_StartEvent, 0, AUD_END); + /* open the log file */ OpenLog(&logopts); diff --git a/src/butc/tcmain.c b/src/butc/tcmain.c index 84029639f0..d151fbd87e 100644 --- a/src/butc/tcmain.c +++ b/src/butc/tcmain.c @@ -844,8 +844,7 @@ WorkerBee(struct cmd_syndesc *as, void *arock) #endif char hoststr[16]; afs_uint32 host = htonl(INADDR_ANY); - char *auditFileName = NULL; - char *auditInterface = NULL; + char *auditIface = NULL; debugLevel = 0; 
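Review bot: In argHandler() (@@ -245) `osi_audit_cmd_Options()` is only reached when `as->parms[7].items` (-auditlog) is set, so a `-audit-interface` value given on its own is no longer validated; the removed code rejected it with `Invalid audit interface '%s'`. bosserver, ptserver, fileserver, vlserver and volserver call the helper unconditionally with a possibly NULL list, which suggests it tolerates that. Dropping the guard, `code = osi_audit_cmd_Options(auditIface, as->parms[7].items); if (code) BUDB_EXIT(-1);`, would keep a mistyped interface name from being silently ignored. The same guard is in butc's WorkerBee() (tcmain.c @@ -1006, `as->parms[9].items`).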
@@ -1006,18 +1005,20 @@ WorkerBee(struct cmd_syndesc *as, void *arock) /* Start auditing */ osi_audit_init(); - if (as->parms[9].items) { - auditFileName = as->parms[9].items->data; - } - if (auditFileName != NULL) - osi_audit_file(auditFileName); - if (as->parms[10].items) { - auditInterface = as->parms[10].items->data; - if (osi_audit_interface(auditInterface)) { - TLog(0, "Invalid audit interface '%s'\n", auditInterface); + /* Process -audit-interface and -auditlog */ + if (as->parms[10].items != NULL) + auditIface = as->parms[10].items->data; + + if (as->parms[9].items != NULL) { + int code; + code = osi_audit_cmd_Options(auditIface, as->parms[9].items); + if (code) { + TLog(0, "Error processing -audit-interface or -auditlog parameters"); exit(1); } } + + osi_audit_open(); osi_audit(TC_StartEvent, 0, AUD_END); osi_audit_set_user_check(butc_confdir, tc_IsLocalRealmMatch); @@ -1258,9 +1259,10 @@ main(int argc, char **argv) "Force multiple XBSA server support"); cmd_AddParm(ts, "-rxbind", CMD_FLAG, CMD_OPTIONAL, "bind Rx socket"); - cmd_AddParm(ts, "-auditlog", CMD_SINGLE, CMD_OPTIONAL, "location of audit log"); + cmd_AddParm(ts, "-auditlog", CMD_LIST, CMD_OPTIONAL, + "[interface:]path[:options]"); cmd_AddParm(ts, "-audit-interface", CMD_SINGLE, CMD_OPTIONAL, - "interface to use for audit logging"); + "default interface"); cmd_AddParm(ts, "-allow_unauthenticated", CMD_FLAG, CMD_OPTIONAL, "allow unauthenticated inbound RPCs (requires firewalling)"); diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c index c718eceae0..d90a319269 100644 --- a/src/ptserver/ptserver.c +++ b/src/ptserver/ptserver.c @@ -260,8 +260,8 @@ main(int argc, char **argv) struct logOptions logopts; char *whoami = "ptserver"; - char *auditFileName = NULL; - char *interface = NULL; + char *auditIface = NULL; + struct cmd_item *auditLogList = NULL; char *s2s_crypt_behavior = NULL; #ifdef AFS_AIX32_ENV 
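Review bot: The new `TLog(0, "Error processing -audit-interface or -auditlog parameters");` in WorkerBee() (@@ -1006) has no trailing newline, while the message it replaces ended in `\n`. The process exits right after, so the line may run into the next log entry or look truncated. Suggest `TLog(0, "Error processing -audit-interface or -auditlog parameters\n");`. WorkerBee() starts and ends outside the hunk.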
@@ -280,7 +280,6 @@ main(int argc, char **argv) sigaction(SIGSEGV, &nsa, NULL); #endif osi_audit_init(); - osi_audit(PTS_StartEvent, 0, AUD_END); /* Initialize dirpaths */ if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) { @@ -332,10 +331,10 @@ main(int argc, char **argv) CMD_FLAG, CMD_OPTIONAL, "enable restricted anonymous mode"); /* general server options */ - cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_SINGLE, - CMD_OPTIONAL, "location of audit log"); + cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_LIST, + CMD_OPTIONAL, "[interface:]path[:options]"); cmd_AddParmAtOffset(opts, OPT_auditiface, "-audit-interface", CMD_SINGLE, - CMD_OPTIONAL, "interface to use for audit logging"); + CMD_OPTIONAL, "default interface"); cmd_AddParmAtOffset(opts, OPT_config, "-config", CMD_SINGLE, CMD_OPTIONAL, "configuration location"); cmd_AddParmAtOffset(opts, OPT_debug, "-d", CMD_SINGLE, @@ -400,15 +399,9 @@ main(int argc, char **argv) cmd_OptionAsFlag(opts, OPT_restrict_anonymous, &restrict_anonymous); /* general server options */ - cmd_OptionAsString(opts, OPT_auditlog, &auditFileName); - if (cmd_OptionAsString(opts, OPT_auditiface, &interface) == 0) { - if (osi_audit_interface(interface)) { - printf("Invalid audit interface '%s'\n", interface); - PT_EXIT(1); - } - free(interface); - } + cmd_OptionAsString(opts, OPT_auditiface, &auditIface); + cmd_OptionAsList(opts, OPT_auditlog, &auditLogList); cmd_OptionAsString(opts, OPT_database, &pr_dbaseName); @@ -481,12 +474,15 @@ main(int argc, char **argv) s2s_crypt_behavior = NULL; } + code = osi_audit_cmd_Options(auditIface, auditLogList); + free(auditIface); + if (code) + PT_EXIT(1); + cmd_FreeOptions(&opts); - if (auditFileName) { - osi_audit_file(auditFileName); - osi_audit(PTS_StartEvent, 0, AUD_END); - } + osi_audit_open(); + osi_audit(PTS_StartEvent, 0, AUD_END); OpenLog(&logopts); #ifdef AFS_PTHREAD_ENV 
@@ -652,5 +648,6 @@ main(int argc, char **argv) rx_StartServer(1); osi_audit(PTS_FinishEvent, -1, AUD_END); + osi_audit_close(); exit(0); } diff --git a/src/viced/viced.c b/src/viced/viced.c index 6d29129284..5326a53ffc 100644 --- a/src/viced/viced.c +++ b/src/viced/viced.c @@ -735,6 +735,8 @@ ShutDownAndCore(int dopanic) if (!dopanic) PrintCounters(); + /* allow audit interfaces to shutdown */ + osi_audit_close(); /* shut down volume package */ VShutdown(); @@ -958,7 +960,8 @@ ParseArgs(int argc, char *argv[]) struct cmd_syndesc *opts; int lwps_max; - char *auditFileName = NULL; + char *auditIface = NULL; + struct cmd_item *auditLogList = NULL; char *sync_behavior = NULL; #if defined(AFS_AIX32_ENV) @@ -1078,10 +1081,10 @@ ParseArgs(int argc, char *argv[]) "disable callback breaks on reattach"); /* general options */ - cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_SINGLE, - CMD_OPTIONAL, "location of audit log"); + cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_LIST, + CMD_OPTIONAL, "[interface:]path[:options]"); cmd_AddParmAtOffset(opts, OPT_auditiface, "-audit-interface", CMD_SINGLE, - CMD_OPTIONAL, "interface to use for audit logging"); + CMD_OPTIONAL, "default interface"); cmd_AddParmAtOffset(opts, OPT_debug, "-d", CMD_SINGLE, CMD_OPTIONAL, "debug level"); cmd_AddParmAtOffset(opts, OPT_mrafslogs, "-mrafslogs", CMD_FLAG, 
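Review bot: In ShutDownAndCore() (viced.c @@ -735) `osi_audit_close()` runs unconditionally, so it also runs when `dopanic` is set, and it runs before `VShutdown()`. If closing an interface can block, or if anything later in shutdown still calls `osi_audit()`, the crash path could stall or the last events be dropped; neither is visible from this hunk. Consider extending the comment to say so, e.g. `/* allow audit interfaces to shutdown; safe on the panic path, no audit events are emitted after this point */`, or moving the call after `VShutdown()` if that does not hold. The function body extends beyond the hunk.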
@@ -1315,16 +1318,8 @@ ParseArgs(int argc, char *argv[]) cmd_OptionAsFlag(opts, OPT_novbc, &novbc); /* general server options */ - cmd_OptionAsString(opts, OPT_auditlog, &auditFileName); - - if (cmd_OptionAsString(opts, OPT_auditiface, &optstring) == 0) { - if (osi_audit_interface(optstring)) { - printf("Invalid audit interface '%s'\n", optstring); - return -1; - } - free(optstring); - optstring = NULL; - } + cmd_OptionAsString(opts, OPT_auditiface, &auditIface); + cmd_OptionAsList(opts, OPT_auditlog, &auditLogList); if (cmd_OptionAsInt(opts, OPT_threads, &lwps) == 0) { lwps_max = max_fileserver_thread() - FILESERVER_HELPER_THREADS; @@ -1433,9 +1428,10 @@ ParseArgs(int argc, char *argv[]) cmd_OptionAsString(opts, OPT_config, &FS_configPath); - - if (auditFileName) - osi_audit_file(auditFileName); + code = osi_audit_cmd_Options(auditIface, auditLogList); + free(auditIface); + if (code) + return -1; if (lwps > 64) { host_thread_quota = 5; @@ -1917,6 +1913,9 @@ main(int argc, char *argv[]) opr_softsig_Register(SIGTERM, CheckDescriptors_Signal); #endif + /* finish audit interface initalization */ + osi_audit_open(); + #if defined(AFS_SGI_ENV) /* give this guy a non-degrading priority so help busy servers */ schedctl(NDPRI, 0, NDPNORMMAX); diff --git a/src/vlserver/vlserver.c b/src/vlserver/vlserver.c index 36e02a8c51..f7f80e1d59 100644 --- a/src/vlserver/vlserver.c +++ b/src/vlserver/vlserver.c @@ -185,8 +185,8 @@ main(int argc, char **argv) char *vl_dbaseName; char *configDir; - char *auditFileName = NULL; - char *interface = NULL; + struct cmd_item *auditLogList = NULL; + char *auditIface = NULL; char *optstring = NULL; char *s2s_crypt_behavior = NULL; 
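Review bot: The comment added in main() (viced.c @@ -1917) misspells "initialization": `/* finish audit interface initalization */`. Suggest `/* finish audit interface initialization */`.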
@@ -236,10 +236,10 @@ main(int argc, char **argv) CMD_OPTIONAL, "optimise for small memory systems"); /* general server options */ - cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_SINGLE, - CMD_OPTIONAL, "location of audit log"); + cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_LIST, + CMD_OPTIONAL, "[interface:]path[:options]"); cmd_AddParmAtOffset(opts, OPT_auditiface, "-audit-interface", CMD_SINGLE, - CMD_OPTIONAL, "interface to use for audit logging"); + CMD_OPTIONAL, "default interface"); cmd_AddParmAtOffset(opts, OPT_config, "-config", CMD_SINGLE, CMD_OPTIONAL, "configuration location"); cmd_AddParmAtOffset(opts, OPT_debug, "-d", CMD_SINGLE, @@ -311,15 +311,8 @@ main(int argc, char **argv) /* general server options */ - cmd_OptionAsString(opts, OPT_auditlog, &auditFileName); - - if (cmd_OptionAsString(opts, OPT_auditiface, &interface) == 0) { - if (osi_audit_interface(interface)) { - printf("Invalid audit interface '%s'\n", interface); - return -1; - } - free(interface); - } + cmd_OptionAsString(opts, OPT_auditiface, &auditIface); + cmd_OptionAsList(opts, OPT_auditlog, &auditLogList); cmd_OptionAsString(opts, OPT_database, &vl_dbaseName); @@ -408,9 +401,10 @@ main(int argc, char **argv) s2s_crypt_behavior = NULL; } - if (auditFileName) { - osi_audit_file(auditFileName); - } + code = osi_audit_cmd_Options(auditIface, auditLogList); + free(auditIface); + if (code) + return -1; OpenLog(&logopts); #ifdef AFS_PTHREAD_ENV @@ -420,6 +414,8 @@ main(int argc, char **argv) SetupLogSignals(); #endif + osi_audit_open(); + tdir = afsconf_Open(configDir); if (!tdir) { VLog(0, diff --git a/src/volser/volmain.c b/src/volser/volmain.c index 22e3e155ad..68db1fbb20 100644 --- a/src/volser/volmain.c +++ b/src/volser/volmain.c 
@@ -78,7 +78,8 @@ int rxkadDisableDotCheck = 0; int DoPreserveVolumeStats = 1; int rxJumbograms = 0; /* default is to not send and receive jumbograms. */ int rxMaxMTU = -1; -char *auditFileName = NULL; +static char *auditIface = NULL; +static struct cmd_item *auditLogList = NULL; static struct logOptions logopts; char *configDir = NULL; @@ -259,7 +260,6 @@ static int ParseArgs(int argc, char **argv) { int code; int optval; - char *optstring = NULL; struct cmd_syndesc *opts; char *sleepSpec = NULL; char *sync_behavior = NULL; @@ -277,10 +277,10 @@ ParseArgs(int argc, char **argv) { "debug level"); cmd_AddParmAtOffset(opts, OPT_threads, "-p", CMD_SINGLE, CMD_OPTIONAL, "number of threads"); - cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_SINGLE, - CMD_OPTIONAL, "location of audit log"); + cmd_AddParmAtOffset(opts, OPT_auditlog, "-auditlog", CMD_LIST, + CMD_OPTIONAL, "[interface:]path[:options]"); cmd_AddParmAtOffset(opts, OPT_audit_interface, "-audit-interface", - CMD_SINGLE, CMD_OPTIONAL, "interface to use for audit logging"); + CMD_SINGLE, CMD_OPTIONAL, "default interface"); cmd_AddParmAtOffset(opts, OPT_nojumbo, "-nojumbo", CMD_FLAG, CMD_OPTIONAL, "disable jumbograms"); cmd_AddParmAtOffset(opts, OPT_jumbo, "-jumbo", CMD_FLAG, CMD_OPTIONAL, @@ -376,16 +376,10 @@ ParseArgs(int argc, char **argv) { } else udpBufSize = optval; } - cmd_OptionAsString(opts, OPT_auditlog, &auditFileName); - if (cmd_OptionAsString(opts, OPT_audit_interface, &optstring) == 0) { - if (osi_audit_interface(optstring)) { - printf("Invalid audit interface '%s'\n", optstring); - return -1; - } - free(optstring); - optstring = NULL; - } + cmd_OptionAsString(opts, OPT_audit_interface, &auditIface); + cmd_OptionAsList(opts, OPT_auditlog, &auditLogList); + if (cmd_OptionAsInt(opts, OPT_threads, &lwps) == 0) { if (lwps > MAXLWP) { printf("Warning: '-p %d' is too big; using %d instead\n", lwps, MAXLWP); 
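Review bot: In ParseArgs() (@@ -376) `cmd_OptionAsList(opts, OPT_auditlog, &auditLogList)` stores its result in a file-scope static that main() consumes later, and the list lifetime is not documented. If the list points into `opts` rather than being a copy, as the other daemons' ordering suggests (ptserver calls `osi_audit_cmd_Options()` before `cmd_FreeOptions(&opts)`), this is only safe while ParseArgs() never frees `opts`. That part of the function is outside the hunk. Suggest a comment on the static, e.g. `/* borrowed from the cmd_syndesc in ParseArgs(); opts must outlive osi_audit_cmd_Options() */`, or calling `osi_audit_cmd_Options()` inside ParseArgs() as viced.c does.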
@@ -478,13 +472,15 @@ main(int argc, char **argv) exit(1); } - if (auditFileName) { - if (osi_audit_file(auditFileName)) { - fprintf(stderr, "error from opening auditlog %s\n", auditFileName); - exit(1); - } - } + code = osi_audit_cmd_Options(auditIface, auditLogList); + free(auditIface); + auditIface = NULL; + if (code) + return -1; + + osi_audit_open(); osi_audit(VS_StartEvent, 0, AUD_END); + #ifdef AFS_SGI_VNODE_GLUE if (afs_init_kernel_config(-1) < 0) { printf @@ -654,6 +650,7 @@ main(int argc, char **argv) rx_StartServer(1); /* Donate this process to the server process pool */ osi_audit(VS_FinishEvent, (-1), AUD_END); + osi_audit_close(); Abort("StartServer returned?"); AFS_UNREACHED(return 0); }
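Review bot: The removed code in main() (@@ -478) stopped volserver when the audit log could not be opened (`error from opening auditlog %s`, then `exit(1)`), but the new sequence calls `osi_audit_open();` without checking any result. If the actual open now happens there, which the hunk does not show, a requested but unopenable audit log would leave the server running unaudited. If `osi_audit_open()` returns a status, check it and exit with a message on failure; if not, add a comment saying where open failures are reported. Separately, `return -1` replaces the earlier `exit(1)`, which changes the process exit status seen by bosserver or an init script.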