From: Lev Stipakov <lstipakov@gmail.com>
Date: Tue, 17 Jan 2017 14:39:40 +0200
Subject: posix_spawn and pid
To: trustedbsd-audit@freebsd.org
List-Id: TrustedBSD Audit Discussion List

Hello,

I have an issue with bsmaudit on macOS. Sorry if this is the wrong place for this question - Apple asked me to file a bug, which I did a month ago, but nothing has happened so far.

So, I use bsmaudit for obtaining information about launched processes. I noticed that in _some_ cases the "posix_spawn" record contains the wrong pid - the parent pid - instead of the process pid.

The problem is easy to reproduce; here are the steps (assuming you have macOS):

1) Add "ex,pc" to flags and naflags in audit_control
2) sudo audit -s and logout to apply changes
3) sudo praudit /dev/auditpipe | grep -A7 'posix_spawn\|exec'
4) open fish shell (does not reproduce with bash/zsh, probably fish uses some special posix_spawn flags)
5) check the shell's pid:

   > echo %self
   74763

6) run "ls" in a subshell:

   > echo (/bin/ls)

7) check praudit's output:

   header,150,11,posix_spawn(2),0,Tue Jan 17 14:29:56 2017, + 70 msec
   argument,0,0x1249b,child PID
   exec arg,/bin/ls
   path,/bin/ls
   path,/bin/ls
   attribute,100755,root,wheel,16777220,7281523,0
   subject,admin,admin,staff,admin,staff,74763,100098,50331650,0.0.0.0
   return,success,0
   trailer,150

Note that the subject has pid "74763", which is the shell's pid, not ls!

My questions are:

1) Is it a bug in audit functionality? All fields seem to be correct except pid.
2) Anything I could do to mitigate it? I maintain a dictionary of {pid, process info}, and when I get, say, a file event from audit, I could attribute that event to certain process info. The current behavior makes my dictionary unusable.

--
-Lev
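The record quoted above carries the spawned process's pid in the `argument,0,0x1249b,child PID` token even though the `subject` token reports the parent's pid. The following parser for praudit(1) text output is an added example (not code from the mail or from the audit project): it keys a process table on the child-PID argument for posix_spawn(2) records and falls back to the subject pid otherwise. The posix_spawn record in the sample is the one from the mail; the execve(2) record after it is constructed for contrast and its shape is an assumption, as is the use of comma-separated fields for the `exec arg` token.

```python
"""Attribute BSM audit records to the right pid when parsing praudit(1) text.

Added example, not part of the original mail. For posix_spawn(2) records the
subject token names the spawning parent (the behaviour the mail reports), so
the process table is keyed on the 'child PID' argument instead.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

# Constructed sample input. The first record is the one quoted in the mail;
# the execve(2) record that follows is made up for contrast (assumed shape).
SAMPLE = """\
header,150,11,posix_spawn(2),0,Tue Jan 17 14:29:56 2017, + 70 msec
argument,0,0x1249b,child PID
exec arg,/bin/ls
path,/bin/ls
path,/bin/ls
attribute,100755,root,wheel,16777220,7281523,0
subject,admin,admin,staff,admin,staff,74763,100098,50331650,0.0.0.0
return,success,0
trailer,150
header,120,11,execve(2),0,Tue Jan 17 14:29:57 2017, + 10 msec
exec arg,/bin/cat,notes.txt
path,/bin/cat
attribute,100755,root,wheel,16777220,7281530,0
subject,admin,admin,staff,admin,staff,74910,100098,50331650,0.0.0.0
return,success,0
trailer,120
"""


@dataclass
class Record:
    event: str
    subject_pid: Optional[int] = None
    child_pid: Optional[int] = None
    exec_args: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)

    @property
    def process_pid(self) -> Optional[int]:
        """Pid this record describes: the spawned child for posix_spawn(2)
        (subject carries the parent), the subject pid for everything else."""
        if self.event.startswith("posix_spawn") and self.child_pid is not None:
            return self.child_pid
        return self.subject_pid


def parse_praudit(text: str) -> Iterator[Record]:
    """Yield one Record per header...trailer block of praudit text output."""
    rec: Optional[Record] = None
    for line in text.splitlines():
        fields = line.split(",")
        tok = fields[0]
        if tok == "header":
            # header,<len>,<version>,<event>,<modifier>,<timestamp>...
            rec = Record(event=fields[3])
        elif rec is None:
            continue  # tokens outside a record (e.g. grep noise) are ignored
        elif tok == "argument":
            # argument,<argno>,<hex value>,<description>
            if len(fields) > 3 and fields[3].strip() == "child PID":
                rec.child_pid = int(fields[2], 16)
        elif tok == "exec arg":
            rec.exec_args.extend(fields[1:])
        elif tok == "path":
            rec.paths.append(fields[1])
        elif tok == "subject":
            # subject,auid,uid,gid,ruid,rgid,pid,sid,tid...
            rec.subject_pid = int(fields[6])
        elif tok == "trailer":
            yield rec
            rec = None


def build_process_table(records: List[Record]) -> Dict[int, str]:
    """Map pid -> executed path, keyed on Record.process_pid so that later
    file events from the child resolve to the child's image, not the parent's."""
    table: Dict[int, str] = {}
    for rec in records:
        if rec.process_pid is not None and rec.paths:
            table[rec.process_pid] = rec.paths[0]
    return table


if __name__ == "__main__":
    for r in parse_praudit(SAMPLE):
        print(r.event, "subject", r.subject_pid, "attributed to", r.process_pid)
    print(build_process_table(list(parse_praudit(SAMPLE))))
```

With the mail's record, `subject_pid` is 74763 (the fish shell) while `process_pid` resolves to 0x1249b, i.e. 74907, which is the pid that the later file events from `ls` will carry.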