RIACS Auditing Package

Author:
	Matt Bishop
Author's current address:
	Department of Mathematics and Computer Science, Dartmouth College,
	Hanover, NH  03755
Send e-mail to:
	Matt.Bishop@dartmouth.edu
	...!decvax!dartvax!Matt.Bishop
Note:  much of the work on this package was done at:
	RIACS, MS 230-5, NASA Ames Research Center, Moffett Field, CA  94035

This is the RIACS Auditing Package -- really, a sophisticated file scanning
system.  Print and read the file install.ms to see how to get the package up
and running.  The change log comes at the end of the file; look for the line
containing "***** CHANGE LOG *****" and read from the paragraph above it to
the end of the file.

The individual files in this directory are:
	Environ.enc	Sample Environ file with end-to-end encryption
	Environ.pla	Sample Environ file without end-to-end encryption
	Make.bsd4	Makefile for 4.? BSD based systems
	Make.sysv	Makefile for System V Revision ? based systems
	README		this file
	RMake		remote installation Makefile for remote systems
	audit.8.man	skeleton for the manual page to audit.sh
	audit.sh	script to do the actual auditing
	auditcomm.8	manual page for auditcomm.c
	auditcomm.c	comm(8) with wild cards in tab-delimited fields
	auditfmt.8	manual page for auditfmt.c
	auditfmt.c	program to format output from audit
	auditgrep.8	manual page for auditgrep.c
	auditgrep.c	grep(8) for password files
	auditls.8	manual page for auditls.sh
	auditls.sh	program to log current state of file tree
	auditmail.8	manual page for auditmail.sh
	auditmail.sh	program to mail (or print) results of audit
	auditmerge.8	manual page for auditmerge.c
	auditmerge.c	program to merge wild cards with new master log
	auditpnm.8	manual page for auditpnm.c
	auditpnm.c	auditcomm(8) with patterns in first field
	auditscan.8	manual page for auditscan.c
	auditscan.c	find(1) modified for audit function
	cdes.1		manual page for cdes.c
	cdes.c		encryption/decryption/cryptographic checksumming
			program
	edprot.1	manual page for edprot.c
	edprot.c	program to protect ed(1) metacharacters
	gettype.8	manual page for gettype.sh
	gettype.sh	script to determine volume type file tree is mounted on
	install.ms	"Installing the RIACS File Scanning Subsystem"
	rinstall.8.man	skeleton for manual page for rinstall.sh
	rinstall.sh	script to install and compile logging programs on
			remote host to be audited
	runaudit.8.man	skeleton for manual page to runaudit.sh
	runaudit.sh	user interface to the package
	runaudit1.sh	lower-level user interface to the package
	timeout.1	manual page for timeout.c
	timeout.c	program to time out a command executed over a network
			connection

The Makefile has several options.  They are:
	make all
		to make everything but not install anything
	make clean
		delete all .o files
	make clobber
		delete all executables and .o files (essentially, restore it
		to the state where everything must be regenerated)
	make install
		to make and install all software locally, and to set up the
		remote installation software
	make man
		generate the man pages
	make print_install_doc
		print the installation document
	make print_man
		generate and print the manual pages
	make version
		change the current version number
The following are used internally, but you can use them if you care:
	make audit.8
	make rinstall.8
	make runaudit.8
		make a specific manual page
	make audit
	make auditcomm
	make auditfmt
	make auditgrep
	make auditls
	make auditmail
	make auditmerge
	make auditscan
	make edprot
	make gettype
	make rinstall
	make runaudit
	make runaudit1
	make timeout
		make a program

**************************** CHANGE LOG *********************************

>>>>>>>>>>>>>
> RIACS Audit Package version 2.0.0 Mon Jan  9 08:52:21 EST 1989 (bishop@bear)
>>>>>>>>>>>>>

If the -ga option was specified and there was not an existing master file,
you would get two error messages, one saying that the -ga was changed to
-g and the master file was being generated, and the second saying no changes
have been made.  Now you just get the first message.

First released version.  Still no cryptographic checksumming or
pattern ignore files (maybe soon ...)

>>>>>>>>>>>>>
> RIACS Audit Package version 2.1.0 Fri Mar 17 16:34:35 EST 1989 (Matt.Bishop@dartmouth.edu)
>>>>>>>>>>>>>

Changed lstat.c to use S_IFLNK, S_IFIFO, and S_IFSOCK in the conditional
compilation code for file types, rather than BSD4 and SYSV; the IRIS, which
is SYSV, supports symbolic links and so has S_IFLNK defined.  (see lstat.c;
changed lines 154, 169, and 272 BSD4 to S_IFLNK, added lines 276-277 to break
the test for S_IFSOCK out of one for S_IFLNK, and line 282 SYSV to S_IFIFO)

Added an explanation so when you get the error message
	egrep: regular expression too long
or any of a host of errors from sed, you also get some useful suggestions
about how to solve the problem, such as
	This error means one of the regular expressions
	in the ignore file <file name>
	is too long, or you have too many patterns in
	that file.  Try to consolidate patterns and
	shorten the longest one(s).
(see audit.sh, lines 532-541, added the "if test $? -eq 2" statement;
replaced line 619 with 627-637, the "if test $? -ne 0" statement;
replaced line 625 with 643-652, the "if test $? -ne 0" statement)

Added an error check so that if you try to access or create a master file
for the host "xxx", and there is no directory in the directory structure
for that host, you get an error message and that file system audit is
aborted cleanly, instead of getting error messages like:
		audit: <file name>: No such file or directory
		wc: <file name>: No such file or directory
		expr: syntax error
		audit: test: unknown operator 0
where <file name> is an internal temporary file. (see runaudit1.c,
lines 312-319; added the "if test ! -d ..." statement)

Altered a test in auditmerge.c which stopped building the merged line when
either the new or old lines ended; this caused master files with truncated
lines never to be fixed.  Now the merged line will be built until BOTH lines
end.  (see auditmerge.c, line 252; changed the "&&" to an "||")

Increased the buffer size (to 2 * BUFSIZ) of auditgrep.c to prevent really
bizarre input from overflowing it. (see auditgrep.c, line 49; added "2*")

Modified audit.sh and auditls.sh to pass to find(1) in auditls.sh any
(legal) options of the form "scan file systems mounted on this type of volume"
or "don't scan file systems mounted on this type of volume".  The user has
to put a line in the appropriate Environ file as follows:
find-fsskip	-fstype %s -prune	don't audit files mounted on volume
find-fsscan	! -fstype %s -prune	only audit files mounted on volume
The %s is replaced with one argument to the -o (using find-fsscan) or -n
(using find-fsskip) options. So if you want to look at files not on nfs or
rfs systems, and
	-fstype nfs -prune
is the argument to find that will prevent it from going down the hierarchy of
any directory on an nfs mounted volume, just put the first line
(find-fsskip... in the above) in the appropriate Environ file, and give the
options "-nnfs -nrfs" to runaudit; it is passed to auditls and used to do
the following find:
	find . \( -fstype nfs -prune -o -fstype rfs -prune \) -o -print
(see audit.sh; lines 127-132, 150, 393-394, 450-459, and 520-531 added;
lines 152 and 534 changed to include $FINDOPTS; and auditls.sh, lines 24-41,
48-51, and 53 added.)
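As an added example (not the package's own code), the following shell function builds the find(1) expression exactly as described above from a find-fsskip or find-fsscan Environ line and the volume types given with -n or -o; the Environ contents, file name and function names are constructed here.

```sh
#!/bin/sh
# Added example (not the package's own code): build the find(1) expression
# the README describes for find-fsskip / find-fsscan Environ lines.
# The Environ contents, file name and function names here are constructed.

envfile=$(mktemp)
trap 'rm -f "$envfile"' EXIT
# Environ lines are tab-delimited: keyword, find template, comment.
printf 'find-fsskip\t-fstype %%s -prune\tdo not audit files mounted on volume\n' > "$envfile"
printf 'find-fsscan\t! -fstype %%s -prune\tonly audit files mounted on volume\n' >> "$envfile"

# environ_template KEYWORD ENVFILE: print the find template (field 2) for KEYWORD.
environ_template() {
    awk -F '\t' -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# build_findopts KEYWORD ENVFILE TYPE...: substitute each volume type for %s,
# join the pieces with -o and wrap them as \( ... \) -o -print, so that
# "build_findopts find-fsskip Environ nfs rfs" yields the README's find line.
# Volume types are assumed to be plain words (no sed-special characters).
build_findopts() {
    key=$1; env=$2; shift 2
    tmpl=$(environ_template "$key" "$env")
    if [ -z "$tmpl" ]; then
        echo "build_findopts: no $key line in $env" >&2
        return 1
    fi
    fexpr=""
    for vt in "$@"; do
        piece=$(printf '%s\n' "$tmpl" | sed "s/%s/$vt/g")
        if [ -z "$fexpr" ]; then fexpr=$piece; else fexpr="$fexpr -o $piece"; fi
    done
    if [ -z "$fexpr" ]; then
        echo "build_findopts: no volume types given" >&2
        return 1
    fi
    printf '\\( %s \\) -o -print\n' "$fexpr"
}

# Caveat: with find-fsscan and more than one type, the OR of "! -fstype X -prune"
# tests prunes every directory, because any volume fails at least one of them.

# Stand-alone demonstration; mirrors "runaudit -nnfs -nrfs".
build_findopts find-fsskip "$envfile" nfs rfs
```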

In debug mode, requesting that a specific type of file volume be skipped or
only a specific type of file volume be audited caused the shell to try to
execute the remote mount(1) program with the -x flag set; if the remote mount
program were a binary, *splat*.  The code to add an "sh -$DEBUG" was moved
after the use of the mount program to avoid this (see audit.sh, lines 507-514
which used to come before the file volume analysis code.)

>>>>>>>>>>>>>
> RIACS Audit Package version 2.2.0 Wed May 17 12:15:25 EDT 1989 (Matt.Bishop@dartmouth.edu)
>>>>>>>>>>>>>

Fixed bug in auditmerge.c that caused seven tabs to be added after the
name of the file; replaced the "while" loop at 625 with a "do..while" loop
and broke the "getfield" calls into two lines, and tested the result (the
bug was that the second call was not made until the first line was read).

>>>>>>>>>>>>>
> RIACS Audit Package version 3.0.0 Tue Jul 11 15:52:29 PDT 1989 (Matt.Bishop@dartmouth.edu)
>>>>>>>>>>>>>

Added end-to-end encryption, redid remote file scanning so as not to use
find; general cleanup

Second released distribution.

>>>>>>>>>>>>>
> RIACS Audit Package version 3.0.1 Wed Sep  6 08:23:51 PDT 1989 (Matt.Bishop@dartmouth.edu)
>>>>>>>>>>>>>

Fixed error in audit.sh that prevented the scan by setuid, setgid, block, char
from working; changed is line 364.

Two modifications to auditscan.c: the first fixed garbage information when
the file information of a file pointed to by a symbolic link was printed, and
the second prevented recursing down a directory tree when the root of the
tree is a symbolic link.  Added are lines 96-98, 969, deleted was line 94,
changed were lines 986 and 989.

>>>>>>>>>>>>>
> RIACS Audit Package version 3.1.0 Thu Sep 28 15:52:30 EDT 1989 (Matt.Bishop@dartmouth.edu)
>>>>>>>>>>>>>

Made some minor changes to the document "install.ms"; changed step 8 of the
installation procedure to conform to the actual arguments of rinstall.sh, and
deleted the second occurrence of the paragraph beginning "The Environ file
consists of ..." in section 4.2.

Modified "audit.sh" so that deleted and changed files were also run through
auditpnm to eliminate those covered by patterns; added are lines 832-836,
845-849

Modified "auditmail.sh" to improve the header for pattern file mismatches;
changed lines 48-52, added lines 53-55, 185-187

Modified "auditpnm.c" to take an optional argument of the form "-x.y";
if present, the first y characters of each input line are ignored and the
input lines are grouped in sets of x (except the last one, which may contain
fewer than x lines); if any of the lines in the group do not match the
pattern, all are printed.  Similarly, if any line is a pattern mismatch
(i.e., matches the pattern but some other fields do not match), all lines in
the group are printed and beneath each mismatch the appropriate pattern line
(and the other lines, if more than one pattern line is mismatched) are also
printed.  Also, a non-optional argument was added; it is put at the head of
each line in the mismatched file.  Changed are numerous lines.

>>>>>>>>>>>>>
> RIACS Audit Package version 3.1.1 Wed Mar 21 14:46:25 EST 1990 (Matt.Bishop@dartmouth.edu)
>>>>>>>>>>>>>

If run locally without an Environ file, the program would fail because
defaults for the R_RECV and R_SEND programs were never defined.  Added
lines 144-145 in audit.sh to fix this.

>>>>>>>>>>>>>
> RIACS Audit Package version 3.1.2 Mon Jul  2 12:59:43 EDT 1990 (Matt.Bishop@dartmouth.edu)
>>>>>>>>>>>>>

The remote exit code gets botched, resulting in an empty file if the remote
file system does not exist.  Fixing this required having the remote file
scanner print its error code as the last output line, prefixed by "OUTP ERRC",
and then this used as the exit status.  Added were lines 642-648 of audit.sh;
line 650 was changed to delete the (new) extra last line.  Also, added were
lines 57-61, 119-120, 216-219, and 420-433, and changed were lines 173,
185-191, 209, 214, 234, 411, 602, 875, and 943, of auditscan.c.
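As an added example (not the package's own code), this is one way to read back the "OUTP ERRC" trailer described above and strip it before the scan output is used; the sample outputs and function names are constructed here.

```sh
#!/bin/sh
# Added example (not the package's own code): recover the exit status that
# the 3.1.2 change has the remote scanner append as a final "OUTP ERRC n"
# line, and strip that trailer before the scan output is used. Sample
# outputs and function names are constructed here.

# remote_status FILE: print the status carried by the trailer line, or 255
# when the trailer is missing (the transfer itself is then treated as failed).
remote_status() {
    last=$(tail -n 1 "$1")
    case $last in
        "OUTP ERRC "[0-9]*) printf '%s\n' "${last#OUTP ERRC }" ;;
        *) echo 255 ;;
    esac
}

# strip_trailer FILE: print FILE without the trailer line; leave it intact
# when there is no trailer, so a genuine last scan line is never dropped.
strip_trailer() {
    if [ "$(remote_status "$1")" != 255 ]; then
        sed '$d' "$1"
    else
        cat "$1"
    fi
}

# Constructed samples: a successful scan of two entries, a scan of a
# nonexistent remote file system (no entries, status 1), and a transfer
# that was cut off before the trailer arrived.
scan_ok=$(mktemp); scan_bad=$(mktemp); scan_cut=$(mktemp)
trap 'rm -f "$scan_ok" "$scan_bad" "$scan_cut"' EXIT
printf 'entry-1\nentry-2\nOUTP ERRC 0\n' > "$scan_ok"
printf 'OUTP ERRC 1\n' > "$scan_bad"
printf 'entry-1\n' > "$scan_cut"

# Stand-alone demonstration.
for f in "$scan_ok" "$scan_bad" "$scan_cut"; do
    echo "status=$(remote_status "$f") entries=$(strip_trailer "$f" | wc -l)"
done
```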

>>>>>>>>>>>>>
> RIACS Audit Package version 3.1.3 Tue May 19 12:59:43 PDT 1992 (Matt.Bishop@dartmouth.edu)
>>>>>>>>>>>>>

The setpgrp() call in the BSD4 case of timeout.c did not work; it requires 2
arguments, not one.  Changed was line 70 of timeout.c.
