2 * Copyright 2008-2012 Red Hat Inc., Durham, North Carolina.
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Steve Grubb <sgrubb@redhat.com>
36 #include <sys/select.h>
38 #include <sys/socket.h>
41 #include <netinet/in.h>
42 #include <netinet/tcp.h>
44 #include <gssapi/gssapi.h>
45 #include <gssapi/gssapi_generic.h>
53 #include "remote-config.h"
55 #include "remote-fgets.h"
57 #define CONFIG_FILE "/etc/audisp/audisp-remote.conf"
60 /* MAX_AUDIT_MESSAGE_LENGTH, aligned to 4 KB so that an average q_append() only
61 writes to two disk disk blocks (1 aligned data block, 1 header block). */
62 #define QUEUE_ENTRY_SIZE (3*4096)
66 #define ET_PERMANENT -1
67 #define ET_TEMPORARY -2
70 static volatile int stop = 0;
71 static volatile int hup = 0;
72 static volatile int suspend = 0;
73 static volatile int dump = 0;
74 static volatile int transport_ok = 0;
75 static volatile int sock=-1;
76 static volatile int remote_ended = 0, quiet = 0;
81 static const char *SINGLE = "1";
82 static const char *HALT = "0";
83 static const char *INIT_PGM = "/sbin/init";
84 static const char *SPOOL_FILE = "/var/spool/audit/remote.log";
86 /* Local function declarations */
87 static int check_message(void);
88 static int relay_event(const char *s, size_t len);
89 static int init_transport(void);
90 static int stop_transport(void);
91 static int ar_read (int, void *, int);
92 static int ar_write (int, const void *, int);
95 /* We only ever talk to one server, so we don't need per-connection
96 credentials. These are the ones we talk to the server with. */
97 gss_ctx_id_t my_context;
99 #define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
100 #define USE_GSS (config.enable_krb5)
103 /* Compile-time expression verification */
104 #define verify(E) do { \
105 char verify__[(E) ? 1 : -1]; \
112 static void term_handler( int sig )
118 * SIGHUP handler: re-read config
120 static void hup_handler( int sig )
125 static void reload_config(void)
127 stop_transport(); // FIXME: We should only stop transport if necessary
132 * SIGSUR1 handler: dump stats
134 static void user1_handler( int sig )
139 static void dump_stats(struct queue *queue)
141 syslog(LOG_INFO, "suspend=%s, transport_ok=%s, queue_size=%zu",
142 suspend ? "yes" : "no",
143 transport_ok ? "yes" : "no",
144 q_queue_length(queue));
149 * SIGSUR2 handler: resume logging
151 static void user2_handler( int sig )
157 * SIGCHLD handler: reap exiting processes
159 static void child_handler(int sig)
161 while (waitpid(-1, NULL, WNOHANG) > 0)
166 * Handlers for various events coming back from the remote server.
167 * Return -1 if the remote dispatcher should exit.
170 /* Loss of sync - got an invalid response. */
171 static int sync_error_handler (const char *why)
173 /* "why" has human-readable details on why we've lost (or will
174 be losing) sync. Sync errors are transient - if a retry
175 doesn't fix it, we eventually call network_failure_handler
176 which has all the user-tweakable actions. */
177 syslog (LOG_ERR, "lost/losing sync, %s", why);
181 static void change_runlevel(const char *level)
189 "audisp-remote failed to fork switching runlevels");
192 if (pid) /* Parent */
196 argv[0] = (char *)INIT_PGM;
197 argv[1] = (char *)level;
199 execve(INIT_PGM, argv, NULL);
200 syslog(LOG_ALERT, "audisp-remote failed to exec %s", INIT_PGM);
204 static void safe_exec(const char *exe, const char *message)
211 "Safe_exec passed NULL for program to execute");
218 "audisp-remote failed to fork doing safe_exec");
221 if (pid) /* Parent */
225 argv[0] = (char *)exe;
226 argv[1] = (char *)message;
228 execve(exe, argv, NULL);
229 syslog(LOG_ALERT, "audisp-remote failed to exec %s", exe);
233 static int do_action (const char *desc, const char *message,
235 failure_action_t action, const char *exe)
242 syslog (log_level, "%s, %s", desc, message);
245 safe_exec (exe, message);
249 "suspending remote logging due to %s", desc);
254 "remote logging disconnected due to %s, will attempt reconnection",
259 "remote logging is switching system to single user mode due to %s",
261 change_runlevel(SINGLE);
265 "remote logging halting system due to %s", desc);
266 change_runlevel(HALT);
269 syslog (log_level, "remote logging stopping due to %s, %s",
274 syslog (log_level, "unhandled action %d for %s", action, desc);
278 static int network_failure_handler (const char *message)
280 return do_action ("network failure", message,
282 config.network_failure_action,
283 config.network_failure_exe);
286 static int remote_disk_low_handler (const char *message)
288 return do_action ("remote server is low on disk space", message,
290 config.disk_low_action, config.disk_low_exe);
293 static int remote_disk_full_handler (const char *message)
295 return do_action ("remote server's disk is full", message,
297 config.disk_full_action, config.disk_full_exe);
300 static int remote_disk_error_handler (const char *message)
302 return do_action ("remote server has a disk error", message,
304 config.disk_error_action, config.disk_error_exe);
307 static int remote_server_ending_handler (const char *message)
311 return do_action ("remote server is going down", message,
313 config.remote_ending_action,
314 config.remote_ending_exe);
317 static int generic_remote_error_handler (const char *message)
319 return do_action ("unrecognized remote error", message,
320 LOG_ERR, config.generic_error_action,
321 config.generic_error_exe);
324 static int generic_remote_warning_handler (const char *message)
326 return do_action ("unrecognized remote warning", message,
328 config.generic_warning_action,
329 config.generic_warning_exe);
332 /* Report and handle a queue error, using errno. */
333 static void queue_error(void)
337 errno_str = strerror(errno);
338 do_action("queue error", errno_str, LOG_ERR, config.queue_error_action,
339 config.queue_error_exe);
342 static void send_heartbeat (void)
344 relay_event (NULL, 0);
347 static void do_overflow_action(void)
349 switch (config.overflow_action)
354 syslog(LOG_ERR, "queue is full - dropping event");
358 "Audisp-remote is suspending event processing due to overflowing its queue.");
363 "Audisp-remote is now changing the system to single user mode due to overflowing its queue");
364 change_runlevel(SINGLE);
368 "Audisp-remote is now halting the system due to overflowing its queue");
369 change_runlevel(HALT);
372 syslog(LOG_ALERT, "Unknown overflow action requested");
377 /* Initialize and return a queue depending on user's configuration.
378 On error return NULL and set errno. */
379 static struct queue *init_queue(void)
384 if (config.queue_file != NULL)
385 path = config.queue_file;
388 q_flags = Q_IN_MEMORY;
389 if (config.mode == M_STORE_AND_FORWARD)
390 /* FIXME: let user control Q_SYNC? */
391 q_flags |= Q_IN_FILE | Q_CREAT | Q_RESIZE;
392 verify(QUEUE_ENTRY_SIZE >= MAX_AUDIT_MESSAGE_LENGTH);
393 return q_open(q_flags, path, config.queue_depth, QUEUE_ENTRY_SIZE);
396 /* Send a record from QUEUE to the remote system */
397 static void send_one(struct queue *queue)
399 char event[MAX_AUDIT_MESSAGE_LENGTH];
402 if (suspend || !transport_ok)
405 len = q_peek(queue, event, sizeof(event));
413 /* We send len -1 to remove trailing \n */
414 if (relay_event(event, len-1) < 0)
417 if (q_drop_head(queue) != 0)
421 int main(int argc, char *argv[])
428 /* Register sighandlers */
430 sigemptyset(&sa.sa_mask);
431 /* Set handler for the ones we care about */
432 sa.sa_handler = term_handler;
433 sigaction(SIGTERM, &sa, NULL);
434 sa.sa_handler = hup_handler;
435 sigaction(SIGHUP, &sa, NULL);
436 sa.sa_handler = user1_handler;
437 sigaction(SIGUSR1, &sa, NULL);
438 sa.sa_handler = user2_handler;
439 sigaction(SIGUSR2, &sa, NULL);
440 sa.sa_handler = child_handler;
441 sigaction(SIGCHLD, &sa, NULL);
442 if (load_config(&config, CONFIG_FILE))
445 // ifd = open("test.log", O_RDONLY);
447 fcntl(ifd, F_SETFL, O_NONBLOCK);
449 /* We fail here if the transport can't be initialized because of some
450 * permanent (i.e. operator) problem, such as misspelled host name. */
451 rc = init_transport();
452 if (rc == ET_PERMANENT)
454 queue = init_queue();
456 syslog(LOG_ERR, "Error initializing audit record queue: %m");
460 #ifdef HAVE_LIBCAP_NG
462 capng_clear(CAPNG_SELECT_BOTH);
463 if (config.local_port && config.local_port < 1024)
464 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
465 CAP_NET_BIND_SERVICE);
466 capng_apply(CAPNG_SELECT_BOTH);
468 syslog(LOG_NOTICE, "Audisp-remote started with queue_size: %zu",
469 q_queue_length(queue));
471 while (stop == 0) { //FIXME break out when socket is closed
474 char event[MAX_AUDIT_MESSAGE_LENGTH];
475 int n, fds = ifd + 1;
477 /* Load configuration */
484 /* Setup select flags */
486 FD_SET(ifd, &rfd); // input fd
489 // Setup socket to read acks from server
490 FD_SET(sock, &rfd); // remote socket
493 // If we have anything in the queue,
494 // find out if we can send it
495 if (q_queue_length(queue) && !suspend && transport_ok)
499 if (config.heartbeat_timeout > 0) {
500 tv.tv_sec = config.heartbeat_timeout;
502 n = select(fds, &rfd, &wfd, NULL, &tv);
504 n = select(fds, &rfd, &wfd, NULL, NULL);
506 continue; // If here, we had some kind of problem
508 if ((config.heartbeat_timeout > 0) && n == 0 && !remote_ended) {
509 /* We attempt a hearbeat if select fails, which
510 * may give us more heartbeats than we need. This
511 * is safer than too few heartbeats. */
518 // See if we got a shutdown message from the server
519 if (sock > 0 && FD_ISSET(sock, &rfd))
522 // If we broke out due to one of these, cycle to start
523 if (hup != 0 || stop != 0)
526 // See if input fd is also set
527 if (FD_ISSET(ifd, &rfd)) {
529 if (remote_fgets(event, sizeof(event), ifd)) {
530 if (!transport_ok && remote_ended &&
531 config.remote_ending_action ==
534 if (init_transport() ==
539 /* Strip out EOE records */
545 char *ptr = strchr(event, ' ');
553 continue; //malformed
555 if (q_append(queue, event) != 0) {
557 do_overflow_action();
561 } else if (remote_fgets_eof())
563 } while (remote_fgets_more(sizeof(event)));
565 // See if output fd is also set
566 if (sock > 0 && FD_ISSET(sock, &wfd)) {
567 // If so, try to drain backlog
568 while (q_queue_length(queue) && !suspend &&
569 !stop && transport_ok)
574 shutdown(sock, SHUT_RDWR);
577 free_config(&config);
578 q_len = q_queue_length(queue);
581 syslog(LOG_NOTICE, "audisp-remote is exiting on stop request, queue_size: %zu", q_len);
583 return q_len ? 1 : 0;
588 /* Communications under GSS is done by token exchanges. Each "token" may
589 contain a message, perhaps signed, perhaps encrypted. The messages within
590 are what we're interested in, but the network sees the tokens. The
591 protocol we use for transferring tokens is to send the length first,
592 four bytes MSB first, then the token data. We return nonzero on error. */
593 static int recv_token(int s, gss_buffer_t tok)
596 unsigned char lenbuf[4];
599 ret = ar_read(s, (char *) lenbuf, 4);
601 syslog(LOG_ERR, "GSS-API error reading token length");
605 } else if (ret != 4) {
606 syslog(LOG_ERR, "GSS-API error reading token length");
610 len = ( ((uint32_t)(lenbuf[0] & 0xFF) << 24)
611 | ((uint32_t)(lenbuf[1] & 0xFF) << 16)
612 | ((uint32_t)(lenbuf[2] & 0xFF) << 8)
613 | (uint32_t)(lenbuf[3] & 0xFF));
615 if (len > MAX_AUDIT_MESSAGE_LENGTH) {
617 "GSS-API error: event length excedes MAX_AUDIT_LENGTH");
621 tok->value = (char *) malloc(tok->length ? tok->length : 1);
622 if (tok->length && tok->value == NULL) {
623 syslog(LOG_ERR, "Out of memory allocating token data %zd %zx",
624 tok->length, tok->length);
628 ret = ar_read(s, (char *) tok->value, tok->length);
630 syslog(LOG_ERR, "GSS-API error reading token data");
633 } else if (ret != (int) tok->length) {
634 syslog(LOG_ERR, "GSS-API error reading token data");
643 int send_token(int s, gss_buffer_t tok)
646 unsigned char lenbuf[4];
649 if (tok->length > 0xffffffffUL)
653 lenbuf[0] = (len >> 24) & 0xff;
654 lenbuf[1] = (len >> 16) & 0xff;
655 lenbuf[2] = (len >> 8) & 0xff;
656 lenbuf[3] = len & 0xff;
658 ret = ar_write(s, (char *) lenbuf, 4);
660 syslog(LOG_ERR, "GSS-API error sending token length");
662 } else if (ret != 4) {
663 syslog(LOG_ERR, "GSS-API error sending token length");
667 ret = ar_write(s, tok->value, tok->length);
669 syslog(LOG_ERR, "GSS-API error sending token data");
671 } else if (ret != (int) tok->length) {
672 syslog(LOG_ERR, "GSS-API error sending token data");
679 static void gss_failure_2 (const char *msg, int status, int type)
681 OM_uint32 message_context = 0;
682 OM_uint32 min_status = 0;
683 gss_buffer_desc status_string;
686 gss_display_status (&min_status,
693 syslog (LOG_ERR, "GSS error: %s: %s",
694 msg, (char *)status_string.value);
696 gss_release_buffer(&min_status, &status_string);
697 } while (message_context != 0);
700 static void gss_failure (const char *msg, int major_status, int minor_status)
702 gss_failure_2 (msg, major_status, GSS_C_GSS_CODE);
704 gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE);
707 #define KCHECK(x,f) if (x) { \
708 syslog (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \
711 #define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
712 #define CCACHE_NAME "MEMORY:audisp-remote"
714 /* Each time we connect to the server, we negotiate a set of credentials and
715 a security context. To do this, we need our own credentials first. For
716 other Kerberos applications, the user will have called kinit (or otherwise
717 authenticated) first, but we don't have that luxury. So, we implement part
718 of kinit here. When our tickets expire, the usual close/open/retry logic
719 has us calling here again, where we re-init and get new tickets. */
720 static int negotiate_credentials (void)
722 gss_buffer_desc empty_token_buf = { 0, (void *) "" };
723 gss_buffer_t empty_token = &empty_token_buf;
724 gss_buffer_desc send_tok, recv_tok, *token_ptr;
725 gss_ctx_id_t *gss_context = &my_context;
726 gss_buffer_desc name_buf;
727 gss_name_t service_name_e;
728 OM_uint32 major_status, minor_status, init_sec_min_stat;
731 /* Getting an initial ticket is outside the scope of GSS, so
732 we use Kerberos calls here. */
735 krb5_context kcontext = NULL;
737 krb5_principal audit_princ;
738 krb5_ccache ccache = NULL;
740 krb5_get_init_creds_opt options;
741 krb5_keytab keytab = NULL;
742 const char *krb5_client_name;
746 const char *key_file;
748 token_ptr = GSS_C_NO_BUFFER;
749 *gss_context = GSS_C_NO_CONTEXT;
750 recv_tok.value = NULL;
752 krberr = krb5_init_context (&kcontext);
753 KCHECK (krberr, "krb5_init_context");
755 if (config.krb5_key_file)
756 key_file = config.krb5_key_file;
758 key_file = KEYTAB_NAME;
759 unsetenv ("KRB5_KTNAME");
760 setenv ("KRB5_KTNAME", key_file, 1);
762 if (stat (key_file, &st) == 0) {
763 if ((st.st_mode & 07777) != 0400) {
766 "%s is not mode 0400 (it's %#o) - compromised key?",
767 key_file, st.st_mode & 07777);
770 if (st.st_uid != 0) {
773 "%s is not owned by root (it's %d) - compromised key?",
774 key_file, st.st_uid);
779 /* This looks up the default real (*our* realm) from
780 /etc/krb5.conf (or wherever) */
781 krberr = krb5_get_default_realm (kcontext, &realm_name);
782 KCHECK (krberr, "krb5_get_default_realm");
784 krb5_client_name = config.krb5_client_name ?
785 config.krb5_client_name : "auditd";
786 if (gethostname(host_name, sizeof(host_name)) != 0) {
789 "gethostname: host name longer than %ld characters?",
794 syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n",
795 krb5_client_name, host_name, realm_name);
796 /* Encode our own "name" as auditd/remote@EXAMPLE.COM. */
797 krberr = krb5_build_principal (kcontext, &audit_princ,
798 strlen(realm_name), realm_name,
799 krb5_client_name, host_name, NULL);
800 KCHECK (krberr, "krb5_build_principal");
802 /* Locate our machine's key table, where our private key is
804 krberr = krb5_kt_resolve (kcontext, key_file, &keytab);
805 KCHECK (krberr, "krb5_kt_resolve");
807 /* Identify a cache to hold the key in. The GSS wrappers look
808 up our credentials here. */
809 krberr = krb5_cc_resolve (kcontext, CCACHE_NAME, &ccache);
810 KCHECK (krberr, "krb5_cc_resolve");
812 setenv("KRB5CCNAME", CCACHE_NAME, 1);
814 memset(&my_creds, 0, sizeof(my_creds));
815 memset(&options, 0, sizeof(options));
816 krb5_get_init_creds_opt_set_address_list(&options, NULL);
817 krb5_get_init_creds_opt_set_forwardable(&options, 0);
818 krb5_get_init_creds_opt_set_proxiable(&options, 0);
819 krb5_get_init_creds_opt_set_tkt_life(&options, 24*60*60);
821 /* Load our credentials from the key table. */
822 krberr = krb5_get_init_creds_keytab(kcontext, &my_creds, audit_princ,
825 KCHECK (krberr, "krb5_get_init_creds_keytab");
827 /* Create the cache... */
828 krberr = krb5_cc_initialize(kcontext, ccache, audit_princ);
829 KCHECK (krberr, "krb5_cc_initialize");
831 /* ...and store our credentials in it. */
832 krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds);
833 KCHECK (krberr, "krb5_cc_store_cred");
835 /* The GSS code now has a set of credentials for this program.
836 I.e. we know who "we" are. Now we talk to the server to
837 get its credentials and set up a security context for encryption. */
838 if (config.krb5_principal == NULL) {
839 const char *name = config.krb5_client_name ?
840 config.krb5_client_name : "auditd";
841 config.krb5_principal = (char *) malloc (strlen (name) + 1
842 + strlen (config.remote_server) + 1);
843 sprintf((char *)config.krb5_principal, "%s@%s",
844 name, config.remote_server);
846 slashptr = strchr (config.krb5_principal, '/');
850 name_buf.value = (char *)config.krb5_principal;
851 name_buf.length = strlen(name_buf.value) + 1;
852 major_status = gss_import_name(&minor_status, &name_buf,
853 (gss_OID) gss_nt_service_name, &service_name_e);
854 if (major_status != GSS_S_COMPLETE) {
855 gss_failure("importing name", major_status, minor_status);
859 /* Someone has to go first. In this case, it's us. */
860 if (send_token(sock, empty_token) < 0) {
861 (void) gss_release_name(&minor_status, &service_name_e);
865 /* The server starts this loop with the token we just sent
866 (the empty one). We start this loop with "no token". */
867 token_ptr = GSS_C_NO_BUFFER;
868 *gss_context = GSS_C_NO_CONTEXT;
871 /* Give GSS a chance to digest what we have so far. */
872 major_status = gss_init_sec_context(&init_sec_min_stat,
873 GSS_C_NO_CREDENTIAL, gss_context,
874 service_name_e, NULL, REQ_FLAGS, 0,
875 NULL, /* no channel bindings */
876 token_ptr, NULL, /* ignore mech type */
877 &send_tok, &ret_flags, NULL); /* ignore time_rec */
879 if (token_ptr != GSS_C_NO_BUFFER)
880 free(recv_tok.value);
882 /* Send the server any tokens requested of us. */
883 if (send_tok.length != 0) {
884 if (send_token(sock, &send_tok) < 0) {
885 (void) gss_release_buffer(&minor_status,
887 (void) gss_release_name(&minor_status,
892 (void) gss_release_buffer(&minor_status, &send_tok);
894 if (major_status != GSS_S_COMPLETE
895 && major_status != GSS_S_CONTINUE_NEEDED) {
896 gss_failure("initializing context", major_status,
898 (void) gss_release_name(&minor_status, &service_name_e);
899 if (*gss_context != GSS_C_NO_CONTEXT)
900 gss_delete_sec_context(&minor_status,
901 gss_context, GSS_C_NO_BUFFER);
905 /* Now get any tokens the sever sends back. We use
906 these back at the top of the loop. */
907 if (major_status == GSS_S_CONTINUE_NEEDED) {
908 if (recv_token(sock, &recv_tok) < 0) {
909 (void) gss_release_name(&minor_status,
913 token_ptr = &recv_tok;
915 } while (major_status == GSS_S_CONTINUE_NEEDED);
917 (void) gss_release_name(&minor_status, &service_name_e);
920 major_status = gss_inquire_context (&minor_status, &my_context, NULL,
921 &service_name_e, NULL, NULL,
923 if (major_status != GSS_S_COMPLETE) {
924 gss_failure("inquiring target name", major_status, minor_status);
927 major_status = gss_display_name(&minor_status, service_name_e,
929 gss_release_name(&minor_status, &service_name_e);
930 if (major_status != GSS_S_COMPLETE) {
931 gss_failure("displaying name", major_status, minor_status);
934 syslog(LOG_INFO, "GSS-API Connected to: %s",
935 (char *)recv_tok.value);
941 static int stop_sock(void)
944 shutdown(sock, SHUT_RDWR);
953 static int stop_transport(void)
957 switch (config.transport)
969 static int init_sock(void)
973 struct addrinfo hints;
974 char remote[BUF_SIZE];
978 syslog(LOG_NOTICE, "socket already setup");
982 memset(&hints, '\0', sizeof(hints));
983 hints.ai_flags = AI_ADDRCONFIG|AI_NUMERICSERV;
984 hints.ai_socktype = SOCK_STREAM;
985 snprintf(remote, BUF_SIZE, "%u", config.port);
986 rc = getaddrinfo(config.remote_server, remote, &hints, &ai);
990 "Error looking up remote host: %s - exiting",
992 if (rc == EAI_NONAME || rc == EAI_NODATA)
997 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
1000 syslog(LOG_ERR, "Error creating socket: %s",
1003 return ET_TEMPORARY;
1006 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int));
1008 if (config.local_port != 0) {
1009 struct sockaddr_in address;
1011 memset (&address, 0, sizeof(address));
1012 address.sin_family = AF_INET;
1013 address.sin_port = htons(config.local_port);
1014 address.sin_addr.s_addr = htonl(INADDR_ANY);
1016 if (bind(sock, (struct sockaddr *)&address, sizeof(address))) {
1019 "Cannot bind local socket to port %d",
1022 return ET_TEMPORARY;
1026 if (connect(sock, ai->ai_addr, ai->ai_addrlen)) {
1028 syslog(LOG_ERR, "Error connecting to %s: %s",
1029 config.remote_server, strerror(errno));
1032 return ET_TEMPORARY;
1036 setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (char *)&one, sizeof (int));
1038 /* The idea here is to minimize the time between the message
1039 and the ACK, assuming that individual messages are
1040 infrequent enough that we can ignore the inefficiency of
1041 sending the header and message in separate packets. */
1042 if (config.format == F_MANAGED)
1043 setsockopt(sock, IPPROTO_TCP, TCP_NODELAY,
1044 (char *)&one, sizeof (int));
1048 if (negotiate_credentials ())
1049 return ET_PERMANENT;
1054 syslog(LOG_NOTICE, "Connected to %s", config.remote_server);
1058 static int init_transport(void)
1062 switch (config.transport)
1066 // We set this so that it will retry the connection
1067 if (rc == ET_TEMPORARY)
1077 static int ar_write (int sk, const void *buf, int len)
1082 r = write(sk, buf, len);
1083 } while (r < 0 && errno == EINTR);
1092 buf = (void *)((char *)buf + r);
1098 static int ar_read (int sk, void *buf, int len)
1100 int rc = 0, r, timeout = config.max_time_per_record * 1000;
1104 pfd.events=POLLIN | POLLPRI | POLLHUP | POLLERR | POLLNVAL;
1107 // reads can hang if cable is disconnected
1108 int prc = poll(&pfd, (nfds_t) 1, timeout);
1111 r = read(sk, buf, len);
1112 } while (r < 0 && errno == EINTR);
1121 buf = (void *)((char *)buf + r);
1127 static int relay_sock_ascii(const char *s, size_t len)
1134 if (!transport_ok) {
1135 if (init_transport ())
1139 rc = ar_write(sock, s, len);
1142 syslog(LOG_ERR,"Connection to %s closed unexpectedly - exiting",
1143 config.remote_server);
1152 /* Sending an encrypted message is pretty simple - wrap the message in
1153 a token, and send the token. The server unwraps it to get the
1154 original message. */
1155 static int send_msg_gss (unsigned char *header, const char *msg, uint32_t mlen)
1157 OM_uint32 major_status, minor_status;
1158 gss_buffer_desc utok, etok;
1161 utok.length = AUDIT_RMW_HEADER_SIZE + mlen;
1162 utok.value = malloc (utok.length);
1164 memcpy (utok.value, header, AUDIT_RMW_HEADER_SIZE);
1166 if (msg != NULL && mlen > 0)
1167 memcpy (utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen);
1169 major_status = gss_wrap (&minor_status,
1176 if (major_status != GSS_S_COMPLETE) {
1177 gss_failure("encrypting message", major_status, minor_status);
1181 rc = send_token (sock, &etok);
1183 (void) gss_release_buffer(&minor_status, &etok);
1188 /* Likewise here. */
1189 static int recv_msg_gss (unsigned char *header, char *msg, uint32_t *mlen)
1191 OM_uint32 major_status, minor_status;
1192 gss_buffer_desc utok, etok;
1194 uint32_t type, rlen, seq;
1196 rc = recv_token (sock, &etok);
1200 major_status = gss_unwrap (&minor_status, my_context, &etok,
1202 if (major_status != GSS_S_COMPLETE) {
1203 gss_failure("decrypting message", major_status, minor_status);
1208 if (utok.length < AUDIT_RMW_HEADER_SIZE) {
1209 sync_error_handler ("message too short");
1212 memcpy (header, utok.value, AUDIT_RMW_HEADER_SIZE);
1214 if (! AUDIT_RMW_IS_MAGIC (header, AUDIT_RMW_HEADER_SIZE)) {
1215 sync_error_handler ("bad magic number");
1219 AUDIT_RMW_UNPACK_HEADER (header, hver, mver, type, rlen, seq);
1221 if (rlen > MAX_AUDIT_MESSAGE_LENGTH) {
1222 sync_error_handler ("message too long");
1226 memcpy (msg, utok.value+AUDIT_RMW_HEADER_SIZE, rlen);
1234 static int send_msg_tcp (unsigned char *header, const char *msg, uint32_t mlen)
1238 rc = ar_write(sock, header, AUDIT_RMW_HEADER_SIZE);
1240 syslog(LOG_ERR, "send to %s failed", config.remote_server);
1244 if (msg != NULL && mlen > 0) {
1245 rc = ar_write(sock, msg, mlen);
1247 syslog(LOG_ERR, "send to %s failed",
1248 config.remote_server);
1255 static int recv_msg_tcp (unsigned char *header, char *msg, uint32_t *mlen)
1258 uint32_t type, rlen, seq;
1260 rc = ar_read (sock, header, AUDIT_RMW_HEADER_SIZE);
1262 syslog(LOG_ERR, "read from %s failed", config.remote_server);
1266 if (! AUDIT_RMW_IS_MAGIC (header, AUDIT_RMW_HEADER_SIZE)) {
1267 /* FIXME: the right thing to do here is close the socket
1268 * and start a new one. */
1269 sync_error_handler ("bad magic number");
1273 AUDIT_RMW_UNPACK_HEADER (header, hver, mver, type, rlen, seq);
1275 if (rlen > MAX_AUDIT_MESSAGE_LENGTH) {
1276 sync_error_handler ("message too long");
1280 if (rlen > 0 && ar_read (sock, msg, rlen) < rlen) {
1281 sync_error_handler ("ran out of data reading reply");
1287 static int check_message_managed(void)
1289 unsigned char header[AUDIT_RMW_HEADER_SIZE];
1291 uint32_t type, rlen, seq;
1292 char msg[MAX_AUDIT_MESSAGE_LENGTH+1];
1296 if (recv_msg_gss (header, msg, &rlen)) {
1302 if (recv_msg_tcp(header, msg, &rlen)) {
1307 AUDIT_RMW_UNPACK_HEADER(header, hver, mver, type, rlen, seq);
1310 if (type == AUDIT_RMW_TYPE_ENDING)
1311 return remote_server_ending_handler(msg);
1312 if (type == AUDIT_RMW_TYPE_DISKLOW)
1313 return remote_disk_low_handler(msg);
1314 if (type == AUDIT_RMW_TYPE_DISKFULL)
1315 return remote_disk_full_handler(msg);
1316 if (type == AUDIT_RMW_TYPE_DISKERROR)
1317 return remote_disk_error_handler(msg);
1321 /* This is to check for async notification like server is shutting down */
1322 static int check_message(void)
1326 switch (config.format)
1329 rc = check_message_managed();
1332 rc = check_message_ascii();
1342 static int relay_sock_managed(const char *s, size_t len)
1344 static int sequence_id = 1;
1345 unsigned char header[AUDIT_RMW_HEADER_SIZE];
1347 uint32_t type, rlen, seq;
1348 char msg[MAX_AUDIT_MESSAGE_LENGTH+1];
1349 int n_tries_this_message = 0;
1350 time_t now, then = 0;
1359 /* We want the first retry to be quick, in case the network
1360 failed for some fail-once reason. In this case, it goes
1361 "failure - reconnect - send". Only if this quick retry
1362 fails do we start pausing between retries to prevent
1363 swamping the local computer and the network. */
1364 if (n_tries_this_message > 1)
1365 sleep (config.network_retry_time);
1367 if (n_tries_this_message > config.max_tries_per_record) {
1368 network_failure_handler ("max retries exhausted");
1371 if ((now - then) > config.max_time_per_record) {
1372 network_failure_handler ("max retry time exhausted");
1376 n_tries_this_message ++;
1378 if (!transport_ok) {
1379 if (init_transport ())
1383 type = (s != NULL) ? AUDIT_RMW_TYPE_MESSAGE : AUDIT_RMW_TYPE_HEARTBEAT;
1384 AUDIT_RMW_PACK_HEADER (header, 0, type, len, sequence_id);
1388 if (send_msg_gss (header, s, len)) {
1394 if (send_msg_tcp (header, s, len)) {
1401 if (recv_msg_gss (header, msg, &rlen)) {
1407 if (recv_msg_tcp (header, msg, &rlen)) {
1412 AUDIT_RMW_UNPACK_HEADER (header, hver, mver, type, rlen, seq);
1415 /* Handle this first. It doesn't matter if seq compares or not
1416 * since the other end is going down...deal with it. */
1417 if (type == AUDIT_RMW_TYPE_ENDING)
1418 return remote_server_ending_handler (msg);
1420 if (seq != sequence_id) {
1421 /* FIXME: should we read another header and
1422 see if it matches? If so, we need to deal
1424 if (sync_error_handler ("mismatched response"))
1430 /* Specific errors we know how to deal with. */
1431 if (type == AUDIT_RMW_TYPE_DISKLOW)
1432 return remote_disk_low_handler (msg);
1433 if (type == AUDIT_RMW_TYPE_DISKFULL)
1434 return remote_disk_full_handler (msg);
1435 if (type == AUDIT_RMW_TYPE_DISKERROR)
1436 return remote_disk_error_handler (msg);
1438 /* Generic errors. */
1439 if (type & AUDIT_RMW_TYPE_FATALMASK)
1440 return generic_remote_error_handler (msg);
1441 if (type & AUDIT_RMW_TYPE_WARNMASK)
1442 return generic_remote_warning_handler (msg);
1447 static int relay_sock(const char *s, size_t len)
1451 switch (config.format)
1454 rc = relay_sock_managed (s, len);
1457 rc = relay_sock_ascii (s, len);
1467 /* Send audit event to remote system */
1468 static int relay_event(const char *s, size_t len)
1472 switch (config.transport)
1475 rc = relay_sock(s, len);