kauth: Add support for updated audit facility

New functionality was added to the audit facility that allows multiple audit logs. The updated audit interfaces require a specific calling sequence even if multiple audit logs are not used. Support for multiple auditlogs is not supported for kauth. Since kauth does not use libcmd for processing the command line, and adding support for multiple audit log instances requires additional effort, that is not warranted. Update kauth to follow the proper calling sequences for the audit facility. Update help message and manpage entries for -auditlog and -audit-interface. Make note that multiple -auditlogs are not supported. Change-Id: I98111b1e399e6687fde235bc2eadf0a28fa8acf4 Reviewed-on: https://gerrit.openafs.org/13782 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
2025-01-18 06:50:12 +00:00 · 2019-09-25 13:39:40 -06:00 · 2019-09-25 13:39:40 -06:00 · 611507d8b5
commit 611507d8b5
parent 5069c697c7
2 changed files with 30 additions and 13 deletions
--- a/doc/man-pages/pod8/kaserver.pod
+++ b/doc/man-pages/pod8/kaserver.pod
@ -8,8 +8,8 @@ kaserver - Initializes the Authentication Server
 <div class="synopsis">

 B<kaserver> [B<-noAuth>] [B<-database> <I<dbpath>>]
-    S<<< [B<-auditlog> <I<log path>>] >>>
-    S<<< [B<-audit-interface> (file | sysvmq)] >>>
+    S<<< [B<-auditlog> [<I<interface name>>:]<I<path to log file>>[:<I<parameters to interface>>]] >>>
+    S<<< [B<-audit-interface> <I<interface name>>] >>>
    S<<< [B<-localfiles> <I<lclpath>>] >>> S<<< [B<-minhours> <I<n>>] >>>
    S<<< [B<-servers> <I<serverlist>>] >>> [B<-enable_peer_stats>]
    [B<-enable_process_stats>] [B<-rxbind>] [B<-crossrealm>] [B<-help>]
@ -109,18 +109,22 @@ Provide the B<-localfiles> argument along with this one; otherwise, the
 B<-localfiles> argument is also set to the value of this argument, which
 is probably inappropriate.

-=item B<-auditlog> <I<log path>>
+=item B<-auditlog> [<I<interface name>>:]<I<path to log file>>[:<I<parameters to interface>>]

 Turns on audit logging, and sets the path for the audit log.  The audit
 log records information about RPC calls, including the name of the RPC
 call, the host that submitted the call, the authenticated entity (user)
 that issued the call, the parameters for the call, and if the call
-succeeded or failed.
+succeeded or failed.  See L<fileserver(8)> for an explanation of the audit
+facility.

-=item B<-audit-interface> (file | sysvmq)
+Note: kaserver supports only a single -auditlog.

-Specifies what audit interface to use. Defaults to C<file>. See
-L<fileserver(8)> for an explanation of each interface.
+=item B<-audit-interface> <I<interface name>>
+
+Sets the default audit interface used by the B<-auditlog> option.  The
+initial default is the C<file> interface. See L<fileserver(8)> for
+an explanation of each interface.

 =item B<-localfiles> <I<lclpath>>

--- a/src/kauth/kaserver.c
+++ b/src/kauth/kaserver.c
@ -171,6 +171,7 @@ main(int argc, char *argv[])
    char clones[MAXHOSTSPERCELL];
    char hoststr[16];
    afs_uint32 host = ntohl(INADDR_ANY);
+    char *auditIFace = NULL;
    char *auditFileName = NULL;
    struct logOptions logopts;

@ -202,7 +203,8 @@ main(int argc, char *argv[])
    if (argc == 0) {
      usage:
 	printf("Usage: kaserver [-noAuth] [-database <dbpath>] "
-	       "[-auditlog <log path>] [-audit-interface <file|sysvmq>] "
+	       "[-auditlog [<interface>:]<path>[:<options>]] "
+	       "[-audit-interface <default interface>] "
 	       "[-rxbind] [-localfiles <lclpath>] [-minhours <n>] "
 	       "[-servers <serverlist>] [-crossrealm] "
 	       "[-enable_peer_stats] [-enable_process_stats] "
@ -252,15 +254,18 @@ main(int argc, char *argv[])
 		lclpath = dbpath;
 	}
 	else if (strncmp(arg, "-auditlog", arglen) == 0) {
+	    if (a + 1 >= argc) {
+		fprintf(stderr, "missing argument for -auditlog\n");
+		exit(2);
+	    }
 	    auditFileName = argv[++a];

 	} else if (strncmp(arg, "-audit-interface", arglen) == 0) {
-	    char *interface = argv[++a];
-
-	    if (osi_audit_interface(interface)) {
-		printf("Invalid audit interface '%s'\n", interface);
-		exit(1);
+	    if (a + 1 >= argc) {
+		fprintf(stderr, "missing argument for -audit-interface\n");
+		exit(2);
 	    }
+	    auditIFace = argv[++a];

 	} else if (strcmp(arg, "-localfiles") == 0)
 	    lclpath = argv[++a];
@ -304,10 +309,18 @@ main(int argc, char *argv[])
 	}
    }

+    if (auditIFace) {
+	if (osi_audit_interface(auditIFace)) {
+	    fprintf(stderr, "Invalid audit-interface '%s'\n", auditIFace);
+	    exit(1);
+	}
+    }
    if (auditFileName) {
 	osi_audit_file(auditFileName);
    }

+    osi_audit_open();
+
    if ((code = ka_CellConfig(cellservdb)))
 	goto abort;
    cell = ka_LocalCell();