Date:      Mon, 8 Oct 2007 13:18:28 -0500
From:      "Christian S.J. Peron" <csjp@FreeBSD.org>
To:        dexterclarke@Safe-mail.net
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: audit doesn't seem to be working correctly.
Message-ID:  <20071008181828.GA75350@sub.vaned.net>
In-Reply-To: <N1-_oTpkG9K9c@Safe-mail.net>
References:  <N1-_oTpkG9K9c@Safe-mail.net>


--4Ckj6UjgE2iN1+kY
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Please try the attached patch:

cp audit.diff /usr/src/sys
cd /usr/src/sys
patch < audit.diff

Recompile your kernel.

Please report success or failure back to me either way.

On Thu, Oct 04, 2007 at 12:21:19AM -0400, dexterclarke@Safe-mail.net wrote:
> After reading this article:
> 
> http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
> 
> I decided to try audit. I edited /etc/security/audit_control
> as the article (and the handbook example) shows:
> 
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
> policy:cnt
> filesz:0
> 
> But having restarted auditd, I don't see audit events for
> process execution being generated. However, if I do this:
> 
> dir:/var/audit
> flags:lo
> minfree:20
> naflags:lo,+ex
> policy:cnt
> filesz:0
> 
> I get audit records for users executing programs. This seems
> completely wrong to me. Why are these events being classed as
> non-attributable when they're clearly being created by
> authenticated users?
> 
> I am running 6.2-RELEASE-p7 which is vanilla apart from the
> addition of options MAC, AUDIT and VESA.
> 
> --
> dc
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer

--4Ckj6UjgE2iN1+kY
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="audit.diff"

Index: kern/kern_prot.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_prot.c,v
retrieving revision 1.211
diff -u -r1.211 kern_prot.c
--- kern/kern_prot.c	12 Jun 2007 00:11:59 -0000	1.211
+++ kern/kern_prot.c	8 Oct 2007 17:59:34 -0000
@@ -1830,6 +1830,7 @@
 #ifdef MAC
 	mac_copy_cred(src, dest);
 #endif
+	dest->cr_flags = src->cr_flags;
 }
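Review bot: The new `dest->cr_flags = src->cr_flags;` is required because `cr_flags` is declared after `cr_endcopy` in sys/ucred.h and therefore lies outside the range crcopy() duplicates wholesale, but nothing at the copy site records that; a one-line comment such as `/* cr_flags lives past cr_endcopy; it must be copied by hand. */` would stop a later cleanup from dropping the line as redundant. The assignment is correctly placed outside the `#ifdef MAC` block, since the flag is consulted whether or not MAC is compiled in. crcopy() begins before this hunk, so whether the other post-`cr_endcopy` field (`cr_audit`) is copied here cannot be confirmed from what is shown.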
 
 /*
Index: security/audit/audit.c
===================================================================
RCS file: /home/ncvs/src/sys/security/audit/audit.c,v
retrieving revision 1.33
diff -u -r1.33 audit.c
--- security/audit/audit.c	1 Jul 2007 20:51:30 -0000	1.33
+++ security/audit/audit.c	8 Oct 2007 17:59:43 -0000
@@ -344,7 +344,7 @@
 	 * Decide whether to commit the audit record by checking the error
 	 * value from the system call and using the appropriate audit mask.
 	 */
-	if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
+	if ((ar->k_ar_commit & AR_AMASK_GLOBAL) != 0)
 		aumask = &audit_nae_mask;
 	else
 		aumask = &ar->k_ar.ar_subj_amask;
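Review bot: Keying the mask choice on `k_ar_commit & AR_AMASK_GLOBAL` instead of on `ar_subj_auid == AU_DEFAUDITID` means any kaudit_record that reaches audit_commit() without going through the audit_syscall_enter() path that sets the flag will now be tested against `ar_subj_amask`, where before it would have used the global mask whenever the subject's auid was the default. If records are allocated anywhere else in audit.c (the rest of the file is outside this hunk), those sites need the same flag decision, or audit_new() itself should set `AR_AMASK_GLOBAL` from the credential so the choice cannot be skipped. A short comment above the test, e.g. `/* The flag, not the auid, says which preselection mask applied at entry. */`, would also help. The enclosing function starts before this hunk.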
@@ -461,7 +461,7 @@
 	 * event mask or the process audit mask.
 	 */
 	auid = td->td_ucred->cr_audit.ai_auid;
-	if (auid == AU_DEFAUDITID)
+	if ((td->td_ucred->cr_flags & CRED_AMASK_GLOBAL) != 0)
 		aumask = &audit_nae_mask;
 	else
 		aumask = &td->td_ucred->cr_audit.ai_mask;
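Review bot: With preselection now keyed on `cr_flags & CRED_AMASK_GLOBAL`, a credential that has had the flag cleared but still carries an all-zero `ai_mask` (a setaudit(2) call with an empty mask, or a credential that never inherited the flag) selects no events at all instead of falling back to naflags; that is presumably the intended semantics, but it is a silent fail-open for the trail and deserves a comment such as `/* Only credentials never assigned a session mask use the global naflags. */`. The `auid` local on the line above is still assigned; if its only remaining use was the replaced comparison it becomes an unused variable, so check the rest of audit_syscall_enter(), which lies outside the hunk.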
@@ -494,6 +494,13 @@
 		td->td_ar = audit_new(event, td);
 	else
 		td->td_ar = NULL;
+	/*
+	 * If we have an audit record, and it's referencing the global
+	 * preselection mask, set the AR_MASK_GLOBAL flag so we can make
+	 * the distinction between the two.
+	 */
+	if (td->td_ar != NULL && aumask == &audit_nae_mask)
+		td->td_ar->k_ar_commit |= AR_AMASK_GLOBAL;
 }
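Review bot: The comment on the new block refers to a flag named `AR_MASK_GLOBAL` that does not exist; the macro introduced in audit_private.h and used on the very next line is `AR_AMASK_GLOBAL`, so the comment line should read ` * preselection mask, set the AR_AMASK_GLOBAL flag so we can make`. The identity test `aumask == &audit_nae_mask` is sound only because `aumask` is assigned from exactly those two addresses earlier in audit_syscall_enter(), which is outside this hunk; a brief remark that the pointer compare is intentional would keep someone from "fixing" it into a mask comparison.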
 
 /*
@@ -540,6 +547,7 @@
 {
 
 	bzero(&cred->cr_audit, sizeof(cred->cr_audit));
+	cred->cr_flags |= CRED_AMASK_GLOBAL;
 }
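Review bot: `cred->cr_flags |= CRED_AMASK_GLOBAL;` OR-s into a field this function never otherwise initialises, while the preceding line zeroes `cr_audit` wholesale; if this function is what establishes the initial audit state of the kernel credential, `cred->cr_flags = CRED_AMASK_GLOBAL;` (or clearing `cr_flags` alongside `cr_audit`) would make the result independent of whatever the allocator left in the field. The function's signature is outside the hunk, so which credential it is applied to cannot be confirmed here.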
 
 /*
Index: security/audit/audit_private.h
===================================================================
RCS file: /home/ncvs/src/sys/security/audit/audit_private.h,v
retrieving revision 1.16
diff -u -r1.16 audit_private.h
--- security/audit/audit_private.h	1 Jun 2007 21:58:58 -0000	1.16
+++ security/audit/audit_private.h	8 Oct 2007 17:59:43 -0000
@@ -86,6 +86,8 @@
 #define	AR_PRESELECT_USER_TRAIL	0x00004000U
 #define	AR_PRESELECT_USER_PIPE	0x00008000U
 
+#define	AR_AMASK_GLOBAL		0x00010000U
+
 /*
  * Audit data is generated as a stream of struct audit_record structures,
  * linked by struct kaudit_record, and contain storage for possible audit so
Index: security/audit/audit_syscalls.c
===================================================================
RCS file: /home/ncvs/src/sys/security/audit/audit_syscalls.c,v
retrieving revision 1.21
diff -u -r1.21 audit_syscalls.c
--- security/audit/audit_syscalls.c	27 Jun 2007 17:01:15 -0000	1.21
+++ security/audit/audit_syscalls.c	8 Oct 2007 17:59:43 -0000
@@ -547,6 +547,7 @@
 	newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine;
 	newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port;
 	newcred->cr_audit.ai_termid.at_type = AU_IPv4;
+	newcred->cr_flags &= ~CRED_AMASK_GLOBAL;
 	td->td_proc->p_ucred = newcred;
 	PROC_UNLOCK(td->td_proc);
 	crfree(oldcred);
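Review bot: Clearing `CRED_AMASK_GLOBAL` unconditionally on every setaudit(2) call changes behaviour for a caller that explicitly passes `ai_auid == AU_DEFAUDITID`: before the patch such a process continued to be preselected against naflags, after it is preselected against the `ai_mask` it supplied. If that is intended (the supplied mask always wins), say so at the clearing site, e.g. `/* The caller supplied a mask; stop falling back to the global naflags. */`, and the setaudit(2) manual page should state the same. The enclosing function starts before this hunk.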
@@ -604,6 +605,7 @@
 	if (error)
 		goto fail;
 	newcred->cr_audit = aia;
+	newcred->cr_flags &= ~CRED_AMASK_GLOBAL;
 	td->td_proc->p_ucred = newcred;
 	PROC_UNLOCK(td->td_proc);
 	crfree(oldcred);
Index: sys/ucred.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/ucred.h,v
retrieving revision 1.55
diff -u -r1.55 ucred.h
--- sys/ucred.h	7 Jun 2007 22:27:15 -0000	1.55
+++ sys/ucred.h	8 Oct 2007 17:59:43 -0000
@@ -58,6 +58,8 @@
 #define	cr_endcopy	cr_label
 	struct label	*cr_label;	/* MAC label */
 	struct auditinfo_addr	cr_audit;	/* Audit properties. */
+	u_int	cr_flags;		/* Flags for this credential */
+#define	CRED_AMASK_GLOBAL	0x00000001
 };
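Review bot: `cr_flags` is added after `cr_endcopy` (defined to `cr_label` on the visible line above), so it is deliberately excluded from the bulk copy in crcopy() and must be propagated by hand; the field comment should say so, e.g. `u_int	cr_flags;		/* Credential flags; past cr_endcopy, crcopy() copies it explicitly */`. Growing struct ucred also changes its size and layout, so any kernel module built against the previous header has to be rebuilt — worth a line in the commit message or UPDATING if this is merged to a -STABLE branch. Defining `CRED_AMASK_GLOBAL` inside the struct body is legal but unusual for this header; placing it beside the struct with a short comment would make it easier to find.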
 #define	NOCRED	((struct ucred *)0)	/* no credential available */
 #define	FSCRED	((struct ucred *)-1)	/* filesystem credential */

--4Ckj6UjgE2iN1+kY--


