Re: audit doesn't seem to be working correctly.

2007-10-08 Thread Christian S.J. Peron
On Tue, Oct 09, 2007 at 12:13:04AM -0400, [EMAIL PROTECTED] wrote:
[..]
> 
> I completely missed the replies to this thread. At least
> I now know it's due to an actual problem rather than my
> inability to follow instructions!
> 

Well,

The problem that I thought was there, wasn't actually there,
which is why I said to ignore the patch :)

I've tried to reproduce the problems you are seeing but
I have not been able to.

So far I've tried on -CURRENT and RELENG_6. We are aware
of some issues on RELENG_6_2 specifically with !i386
architectures (i.e. amd64, sparc64 etc).

Is it possible you can send me:

(1) The output to uname -a
(2) Your /etc/security directory
(3) How are you logging in to this machine, SSH? Telnet?

(3) is important because the login program will be responsible
for setting up the audit ID and preselection masks.

Hopefully with this information, we can get to the bottom of this.

-- 
Christian S.J. Peron
[EMAIL PROTECTED]
FreeBSD Committer
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: audit doesn't seem to be working correctly.

2007-10-08 Thread dexterclarke
> Please try the attached patch:
> 
> cp audit.diff /usr/src/sys
> patch < audit.diff
> 
> Recompile your kernel.
> 
> Please report success/failure to me.
> 

I completely missed the replies to this thread. At least
I now know it's due to an actual problem rather than my
inability to follow instructions!

thanks!

--
dc


Re: audit doesn't seem to be working correctly.

2007-10-08 Thread Christian S.J. Peron
On Mon, Oct 08, 2007 at 01:18:28PM -0500, Christian S.J. Peron wrote:
> Please try the attached patch:
> 
> cp audit.diff /usr/src/sys
> patch < audit.diff
> 
> Recompile your kernel.
> 
> Please report success/failure to me.
> 

Actually.. ignore this patch.

Sorry about that.

-- 
Christian S.J. Peron
[EMAIL PROTECTED]
FreeBSD Committer


Re: audit doesn't seem to be working correctly.

2007-10-08 Thread Christian S.J. Peron
Please try the attached patch:

cp audit.diff /usr/src/sys
patch < audit.diff

Recompile your kernel.

Please report success/failure to me.

On Thu, Oct 04, 2007 at 12:21:19AM -0400, [EMAIL PROTECTED] wrote:
> After reading this article:
> 
> http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
> 
> I decided to try audit. I edited /etc/security/audit_control
> as the article (and the handbook example) shows:
> 
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
> policy:cnt
> filesz:0
> 
> But having restarted auditd, I don't see audit events for
> process execution being generated. However, if I do this:
> 
> dir:/var/audit
> flags:lo
> minfree:20
> naflags:lo,+ex
> policy:cnt
> filesz:0
> 
> I get audit records for users executing programs. This seems
> completely wrong to me. Why are these events being classed as
> non-attributable when they're clearly being created by
> authenticated users?
> 
> I am running 6.2-RELEASE-p7 which is vanilla apart from the
> addition of options MAC, AUDIT and VESA.
> 
> --
> dc

-- 
Christian S.J. Peron
[EMAIL PROTECTED]
FreeBSD Committer
Index: kern/kern_prot.c
===
RCS file: /home/ncvs/src/sys/kern/kern_prot.c,v
retrieving revision 1.211
diff -u -r1.211 kern_prot.c
--- kern/kern_prot.c	12 Jun 2007 00:11:59 -	1.211
+++ kern/kern_prot.c	8 Oct 2007 17:59:34 -
@@ -1830,6 +1830,7 @@
 #ifdef MAC
 	mac_copy_cred(src, dest);
 #endif
+	dest->cr_flags = src->cr_flags;
 }
 
 /*
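Review bot: whether the explicit `dest->cr_flags = src->cr_flags;` is needed depends on where the cr_flags member lands relative to the cr_startcopy/cr_endcopy range that crcopy() bulk-copies, and the ucred.h hunk at the end of this patch is cut off right after `#define cr_endcopy`, so that cannot be checked from what was posted. If cr_flags sits inside the copied range this line is redundant; if it sits outside, the cred allocation path also needs a defined cr_flags, otherwise a fresh credential can carry stale bits before the bzero() hunk in audit.c ORs CRED_AMASK_GLOBAL into it.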
Index: security/audit/audit.c
===
RCS file: /home/ncvs/src/sys/security/audit/audit.c,v
retrieving revision 1.33
diff -u -r1.33 audit.c
--- security/audit/audit.c	1 Jul 2007 20:51:30 -	1.33
+++ security/audit/audit.c	8 Oct 2007 17:59:43 -
@@ -344,7 +344,7 @@
 	 * Decide whether to commit the audit record by checking the error
 	 * value from the system call and using the appropriate audit mask.
 	 */
-	if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
+	if ((ar->k_ar_commit & AR_AMASK_GLOBAL) != 0)
 		aumask = &audit_nae_mask;
 	else
 		aumask = &ar->k_ar.ar_subj_amask;
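Review bot: this moves the non-attributable decision from the subject's auid to the AR_AMASK_GLOBAL bit in k_ar_commit, so that bit must be set on every kaudit_record that was preselected against audit_nae_mask; the only place the patch sets it is the @@ -494 hunk below, after one audit_new() call. Any other caller of audit_new() would now have its record committed against the per-process mask even when the auid was never set, which is exactly the case this patch is trying to handle, so grep for the remaining audit_new() callers before relying on the flag alone.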
@@ -461,7 +461,7 @@
 	 * event mask or the process audit mask.
 	 */
 	auid = td->td_ucred->cr_audit.ai_auid;
-	if (auid == AU_DEFAUDITID)
+	if ((td->td_ucred->cr_flags & CRED_AMASK_GLOBAL) != 0)
 		aumask = &audit_nae_mask;
 	else
 		aumask = &td->td_ucred->cr_audit.ai_mask;
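Review bot: `auid` is still assigned at the top of this hunk, but the condition it fed now tests cr_flags instead; if nothing later in the function reads it, this leaves an unused variable (and a warning on -Werror kernel builds), so either drop the assignment or keep it only where it is still consumed. The comment just above ("... event mask or the process audit mask") should also be updated to say the choice is now driven by CRED_AMASK_GLOBAL rather than by auid == AU_DEFAUDITID.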
@@ -494,6 +494,13 @@
 		td->td_ar = audit_new(event, td);
 	else
 		td->td_ar = NULL;
+	/*
+	 * If we have an audit record, and it's referencing the global
+	 * preselection mask, set the AR_MASK_GLOBAL flag so we can make
+	 * the distinction between the two.
+	 */
+	if (td->td_ar != NULL && aumask == &audit_nae_mask)
+		td->td_ar->k_ar_commit |= AR_AMASK_GLOBAL;
 }
 
 /*
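Review bot: the new comment names `AR_MASK_GLOBAL`, but the macro set on the following line and defined in audit_private.h is `AR_AMASK_GLOBAL`; fix the comment so a grep for the flag finds both. Style: the `aumask == &audit_nae_mask` pointer comparison re-derives the condition already tested at the top of the function (`cr_flags & CRED_AMASK_GLOBAL`); keeping that result in a local and applying it right after audit_new() avoids the two ever disagreeing.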
@@ -540,6 +547,7 @@
 {
 
 	bzero(&cred->cr_audit, sizeof(cred->cr_audit));
+	cred->cr_flags |= CRED_AMASK_GLOBAL;
 }
 
 /*
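Review bot: `cred->cr_flags |= CRED_AMASK_GLOBAL;` ORs into cr_flags rather than assigning it, so it assumes cr_flags was already zeroed when this init routine runs, while the adjacent bzero() clears only cr_audit. Unless the ucred allocator is known to zero the whole struct, write `cred->cr_flags = CRED_AMASK_GLOBAL;` (or zero cr_flags here as well) so a new credential cannot inherit stale bits. CRED_AMASK_GLOBAL itself is not defined in any visible hunk; it presumably lives in the truncated ucred.h hunk.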
Index: security/audit/audit_private.h
===
RCS file: /home/ncvs/src/sys/security/audit/audit_private.h,v
retrieving revision 1.16
diff -u -r1.16 audit_private.h
--- security/audit/audit_private.h	1 Jun 2007 21:58:58 -	1.16
+++ security/audit/audit_private.h	8 Oct 2007 17:59:43 -
@@ -86,6 +86,8 @@
 #define	AR_PRESELECT_USER_TRAIL	0x4000U
 #define	AR_PRESELECT_USER_PIPE	0x8000U
 
+#define	AR_AMASK_GLOBAL		0x0001U
+
 /*
  * Audit data is generated as a stream of struct audit_record structures,
  * linked by struct kaudit_record, and contain storage for possible audit so
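Review bot: AR_AMASK_GLOBAL is given the value 0x0001U while its two visible neighbours, AR_PRESELECT_USER_TRAIL and AR_PRESELECT_USER_PIPE, are 0x4000U and 0x8000U, which suggests the low bits of the k_ar_commit flag space are already assigned by definitions above this hunk; confirm 0x0001U is free (a collision would make the @@ -344 check in audit.c misfire) and add a one-line comment stating that the bit means "record was preselected against audit_nae_mask".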
Index: security/audit/audit_syscalls.c
===
RCS file: /home/ncvs/src/sys/security/audit/audit_syscalls.c,v
retrieving revision 1.21
diff -u -r1.21 audit_syscalls.c
--- security/audit/audit_syscalls.c	27 Jun 2007 17:01:15 -	1.21
+++ security/audit/audit_syscalls.c	8 Oct 2007 17:59:43 -
@@ -547,6 +547,7 @@
 	newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine;
 	newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port;
 	newcred->cr_audit.ai_termid.at_type = AU_IPv4;
+	newcred->cr_flags &= ~CRED_AMASK_GLOBAL;
 	td->td_proc->p_ucred = newcred;
 	PROC_UNLOCK(td->td_proc);
 	crfree(oldcred);
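Review bot: clearing CRED_AMASK_GLOBAL here is right for setaudit(2), but together with the next hunk it is the only mechanism in the patch by which a process leaves the global-mask state, so every other kernel path that writes cr_audit.ai_mask needs the same `newcred->cr_flags &= ~CRED_AMASK_GLOBAL;` or that process keeps being matched against naflags after its mask has been set. A grep for assignments to cr_audit outside these two system calls should be part of testing this.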
@@ -604,6 +605,7 @@
 	if (error)
 		goto fail;
 	newcred->cr_audit = aia;
+	newcred->cr_flags &= ~CRED_AMASK_GLOBAL;
 	td->td_proc->p_ucred = newcred;
 	PROC_UNLOCK(td->td_proc);
 	crfree(oldcred);
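Review bot: this is the same one-line clear as in the previous hunk; since both system calls now have to pair "store the audit info into newcred" with "clear CRED_AMASK_GLOBAL", doing the clear inside one shared helper (or in the routine that stores cr_audit) would keep the two from drifting apart when a third setter is added.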
Index: sys/ucred.h
===
RCS file: /home/ncvs/src/sys/sys/ucred.h,v
retrieving revision 1.55
diff -u -r1.55 ucred.h
--- sys/ucred.h	7 Jun 2007 22:27:15 -	1.55
+++ sys/ucred.h	8 Oct 2007 17:59:43 -
@@ -58,6 +58,8 @@
 #define	cr_endcopy	cr_labe
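Review bot: the ucred.h hunk is truncated after `#define cr_endcopy cr_labe`, so the two things the rest of the patch depends on, the CRED_AMASK_GLOBAL definition and where the cr_flags member sits relative to cr_startcopy/cr_endcopy, are not reviewable from this posting; please repost the full hunk (or the complete diff as an attachment) before anyone applies this to a kernel tree.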

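As an added illustration, not code from this thread or from FreeBSD, the C below models the preselection decision the thread turns on: the audit_control `flags` mask is only consulted for a process whose audit ID has been set (normally by login(1) or sshd via setaudit(2)), while a process whose auid is still AU_DEFAUDITID is matched against `naflags`. It parses the two masks from the poster's audit_control lines and runs a successful exec through both, with the auid set and unset, which reproduces why `naflags:lo,+ex` produces exec records when the login path never sets the audit ID. The class table, the flag-string grammar (`+`, `-` and `^` prefixes), the AU_DEFAUDITID value and the helper names are assumptions made for the example.

```c
/*
 * Model of FreeBSD audit preselection (added example, not kernel code).
 * Class bits and the flag-string grammar are a simplified subset of
 * audit_class(5)/audit_control(5), assumed here for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AU_DEFAUDITID ((uint32_t)-1)   /* assumed "audit ID never set" sentinel */

/* Assumed class table: name -> bit. */
static const struct { const char *name; uint32_t bit; } classes[] = {
    { "lo",  0x00000001 },   /* login/logout */
    { "ex",  0x00000002 },   /* program execution */
    { "fc",  0x00000004 },   /* file create */
    { "pc",  0x00000008 },   /* process control */
    { "all", 0x0000000f },
};

struct au_mask { uint32_t success, failure; };

static uint32_t class_bit(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (strlen(classes[i].name) == len &&
            memcmp(classes[i].name, name, len) == 0)
            return classes[i].bit;
    return 0;
}

/* Parse "lo,+ex,-fc,^-pc": bare = success and failure, '+' = success only,
 * '-' = failure only, '^' prefix removes the class instead of adding it.
 * Returns -1 on an unknown class so a typo in audit_control is rejected. */
static int parse_flags(const char *s, struct au_mask *m) {
    m->success = m->failure = 0;
    while (*s) {
        const char *end = strchr(s, ',');
        size_t len = end ? (size_t)(end - s) : strlen(s);
        const char *tok = s;
        size_t tlen = len;
        int negate = 0, succ = 1, fail = 1;
        if (tlen && *tok == '^') { negate = 1; tok++; tlen--; }
        if (tlen && *tok == '+') { fail = 0; tok++; tlen--; }
        else if (tlen && *tok == '-') { succ = 0; tok++; tlen--; }
        uint32_t bit = class_bit(tok, tlen);
        if (bit == 0)
            return -1;
        if (negate) {
            if (succ) m->success &= ~bit;
            if (fail) m->failure &= ~bit;
        } else {
            if (succ) m->success |= bit;
            if (fail) m->failure |= bit;
        }
        s = end ? end + 1 : s + len;
    }
    return 0;
}

/* The choice the kernel makes on system-call entry: a subject without an
 * audit ID is non-attributable and is matched against the naflags mask,
 * everything else against the mask login stored in the process credential. */
static int preselect(uint32_t auid, const struct au_mask *proc_mask,
                     const struct au_mask *nae_mask, uint32_t event_class,
                     int failed) {
    const struct au_mask *m = (auid == AU_DEFAUDITID) ? nae_mask : proc_mask;
    return ((failed ? m->failure : m->success) & event_class) != 0;
}

/* Run a successful exec through a given flags/naflags pair. The process
 * mask is taken to be the parsed `flags` line, i.e. what login would have
 * installed with setaudit(2). Returns 1 = audited, 0 = not, -1 = bad config. */
static int exec_audited(const char *flags, const char *naflags, int auid_set) {
    struct au_mask pm, nm;
    if (parse_flags(flags, &pm) != 0 || parse_flags(naflags, &nm) != 0)
        return -1;
    uint32_t auid = auid_set ? 1001u : AU_DEFAUDITID;   /* 1001 is an arbitrary uid */
    return preselect(auid, &pm, &nm, class_bit("ex", 2), 0);
}

int main(void) {
    printf("flags:lo,+ex naflags:lo    auid set:   %d\n", exec_audited("lo,+ex", "lo", 1));
    printf("flags:lo,+ex naflags:lo    auid unset: %d\n", exec_audited("lo,+ex", "lo", 0));
    printf("flags:lo    naflags:lo,+ex auid unset: %d\n", exec_audited("lo", "lo,+ex", 0));
    return 0;
}
```

The second and third lines of output are the poster's two configurations seen from a process whose login path never called setaudit(2): the `flags` mask is ignored entirely and only `naflags` decides, which is the symptom the thread describes. Checking `uname -a` and how the session was started (SSH, telnet, console) narrows down which login program should have set the audit ID.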
Re: linuxolator problem on i386

2007-10-08 Thread sam

> On Monday 24 September 2007, sam wrote:
> > # mount|grep linux
> > linprocfs on /usr/compat/linux/proc (linprocfs, local)
> > linsysfs on /usr/compat/linux/sys (linsysfs, local)
> >
> > # pkg_info | grep linux
> > linux_base-fc6-6_3  Base set of packages needed in Linux mode (for
> > i386/amd64)
> >
> > [private links to debug.log & ktrace.out]
> >
> > please send me a message after you have downloaded these files (so I can remove them)
> > cross-posting:
> > http://lists.freebsd.org/pipermail/freebsd-emulation/2007-September/003960.html
>
> I haven't tried it on i386 yet, but I know that this works on amd64 with linux
> 2.4 compat and linux_base-fc4 on FreeBSD 7.
>
> - Pieter

yes, working

but this trouble is in the kernel:
new Linux software requires Linux 2.6 support


Hello!

http://www.freebsd.org/cgi/query-pr.cgi?pr=117010
please help, any solutions ...

/Vladimir Ermakov

