Please try the attached patch:
cp audit.diff /usr/src/sys
patch < audit.diff
Recompile your kernel.
Please report success or failure to me.
On Thu, Oct 04, 2007 at 12:21:19AM -0400, [EMAIL PROTECTED] wrote:
> After reading this article:
>
> http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
>
> I decided to try audit. I edited /etc/security/audit_control
> as the article (and the handbook example) shows:
>
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
> policy:cnt
> filesz:0
>
> But having restarted auditd, I don't see audit events for
> process execution being generated. However, if I do this:
>
> dir:/var/audit
> flags:lo
> minfree:20
> naflags:lo,+ex
> policy:cnt
> filesz:0
>
> I get audit records for users executing programs. This seems
> completely wrong to me. Why are these events being classed as
> non-attributable when they're clearly being created by
> authenticated users?
>
> I am running 6.2-RELEASE-p7 which is vanilla apart from the
> addition of options MAC, AUDIT and VESA.
>
> --
> dc
--
Christian S.J. Peron
[EMAIL PROTECTED]
FreeBSD Committer
Index: kern/kern_prot.c
===
RCS file: /home/ncvs/src/sys/kern/kern_prot.c,v
retrieving revision 1.211
diff -u -r1.211 kern_prot.c
--- kern/kern_prot.c 12 Jun 2007 00:11:59 - 1.211
+++ kern/kern_prot.c 8 Oct 2007 17:59:34 -
@@ -1830,6 +1830,7 @@
#ifdef MAC
mac_copy_cred(src, dest);
#endif
+ dest->cr_flags = src->cr_flags;
}
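Review bot: The new `dest->cr_flags = src->cr_flags;` copies every bit of cr_flags, not only the audit-related one, so any flag that is later added to cr_flags will silently inherit across credential copies; that may be intended, but it deserves a comment such as `/* Propagate cr_flags (including the CRED_AMASK_GLOBAL audit state) with the credential. */`. It also relies on freshly allocated credentials starting with cr_flags zeroed, which this hunk cannot show. The enclosing function begins outside the hunk.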
/*
Index: security/audit/audit.c
===
RCS file: /home/ncvs/src/sys/security/audit/audit.c,v
retrieving revision 1.33
diff -u -r1.33 audit.c
--- security/audit/audit.c 1 Jul 2007 20:51:30 - 1.33
+++ security/audit/audit.c 8 Oct 2007 17:59:43 -
@@ -344,7 +344,7 @@
* Decide whether to commit the audit record by checking the error
* value from the system call and using the appropriate audit mask.
*/
- if (ar->k_ar.ar_subj_auid == AU_DEFAUDITID)
+ if ((ar->k_ar_commit & AR_AMASK_GLOBAL) != 0)
aumask = &audit_nae_mask;
else
aumask = &ar->k_ar.ar_subj_amask;
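Review bot: The commit-time decision now keys on `AR_AMASK_GLOBAL` in `k_ar_commit` while the record still carries `ar_subj_auid`, and the comment ending at `using the appropriate audit mask.` does not say why the auid is no longer consulted; extend it with `/* Records preselected against audit_nae_mask are tagged AR_AMASK_GLOBAL at syscall entry; use the same mask here so entry and commit agree. */`. Without that, a later edit can easily re-diverge the two sites. The enclosing function starts and ends outside the hunk.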
@@ -461,7 +461,7 @@
* event mask or the process audit mask.
*/
auid = td->td_ucred->cr_audit.ai_auid;
- if (auid == AU_DEFAUDITID)
+ if ((td->td_ucred->cr_flags & CRED_AMASK_GLOBAL) != 0)
aumask = &audit_nae_mask;
else
aumask = &td->td_ucred->cr_audit.ai_mask;
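Review bot: `CRED_AMASK_GLOBAL` is used here but its definition is in the sys/ucred.h hunk, which is truncated in this copy of the patch, so that header change must be confirmed present before this file compiles. The comment ending at `event mask or the process audit mask.` still describes the old auid-based selection and should be updated, e.g. `/* A credential that has never received audit state via setaudit(2)/setaudit_addr(2) carries CRED_AMASK_GLOBAL and is preselected against the global non-attributable mask. */`. `auid` is still assigned on the line above; whether it remains used later in the function is outside the hunk.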
@@ -494,6 +494,13 @@
td->td_ar = audit_new(event, td);
else
td->td_ar = NULL;
+ /*
+ * If we have an audit record, and it's referencing the global
+ * preselection mask, set the AR_MASK_GLOBAL flag so we can make
+ * the distinction between the two.
+ */
+ if (td->td_ar != NULL && aumask == &audit_nae_mask)
+ td->td_ar->k_ar_commit |= AR_AMASK_GLOBAL;
}
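Review bot: The comment at `set the AR_MASK_GLOBAL flag` names a flag that does not exist; the code sets `AR_AMASK_GLOBAL`, so the line should read `* preselection mask, set the AR_AMASK_GLOBAL flag so we can make`. Deriving the flag from pointer identity with `audit_nae_mask` also only works while `aumask` can take exactly those two values; taking the decision from `td->td_ucred->cr_flags` directly would survive a third mask source being added. The function body begins outside the hunk.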
/*
@@ -540,6 +547,7 @@
{
bzero(&cred->cr_audit, sizeof(cred->cr_audit));
+ cred->cr_flags |= CRED_AMASK_GLOBAL;
}
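Review bot: The line `cred->cr_flags |= CRED_AMASK_GLOBAL;` is the semantic core of the fix (a fresh credential is preselected against the global non-attributable mask) yet carries no comment; add `/* No per-process audit state yet: preselect against audit_nae_mask until setaudit(2)/setaudit_addr(2) provides it. */`. Using `|=` rather than `=` preserves any other bits already in cr_flags, which is fine as long as this is the only audit-related flag and the credential was zeroed on allocation, neither of which is visible here. The function signature is outside the hunk.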
/*
Index: security/audit/audit_private.h
===
RCS file: /home/ncvs/src/sys/security/audit/audit_private.h,v
retrieving revision 1.16
diff -u -r1.16 audit_private.h
--- security/audit/audit_private.h 1 Jun 2007 21:58:58 - 1.16
+++ security/audit/audit_private.h 8 Oct 2007 17:59:43 -
@@ -86,6 +86,8 @@
#define AR_PRESELECT_USER_TRAIL 0x4000U
#define AR_PRESELECT_USER_PIPE 0x8000U
+#define AR_AMASK_GLOBAL 0x0001U
+
/*
* Audit data is generated as a stream of struct audit_record structures,
* linked by struct kaudit_record, and contain storage for possible audit so
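Review bot: `AR_AMASK_GLOBAL` is assigned `0x0001U`, far below its visible neighbours `AR_PRESELECT_USER_TRAIL 0x4000U` and `AR_PRESELECT_USER_PIPE 0x8000U`, and the head of this k_ar_commit flag list is outside the hunk, so the value must be checked against any low-order bits already defined there before merging; a collision would make unrelated records commit against the wrong mask. A comment naming the field and meaning would also help, e.g. `#define AR_AMASK_GLOBAL 0x0001U /* k_ar_commit: preselected against audit_nae_mask */`, with the value moved to the next free slot in the series if the low bits are taken.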
Index: security/audit/audit_syscalls.c
===
RCS file: /home/ncvs/src/sys/security/audit/audit_syscalls.c,v
retrieving revision 1.21
diff -u -r1.21 audit_syscalls.c
--- security/audit/audit_syscalls.c 27 Jun 2007 17:01:15 - 1.21
+++ security/audit/audit_syscalls.c 8 Oct 2007 17:59:43 -
@@ -547,6 +547,7 @@
newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine;
newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port;
newcred->cr_audit.ai_termid.at_type = AU_IPv4;
+ newcred->cr_flags &= ~CRED_AMASK_GLOBAL;
td->td_proc->p_ucred = newcred;
PROC_UNLOCK(td->td_proc);
crfree(oldcred);
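Review bot: The clear `newcred->cr_flags &= ~CRED_AMASK_GLOBAL;` is duplicated verbatim in setaudit and setaudit_addr, and any other path that writes cr_audit without it (none is visible in this patch) would leave the process on the global mask; a small helper placed next to the cr_audit assignment would keep the sites in step. Either way the line warrants a comment: `/* Per-process audit state is now set; stop using the global mask. */`. The enclosing function begins outside the hunk.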
@@ -604,6 +605,7 @@
if (error)
goto fail;
newcred->cr_audit = aia;
+ newcred->cr_flags &= ~CRED_AMASK_GLOBAL;
td->td_proc->p_ucred = newcred;
PROC_UNLOCK(td->td_proc);
crfree(oldcred);
Index: sys/ucred.h
===
RCS file: /home/ncvs/src/sys/sys/ucred.h,v
retrieving revision 1.55
diff -u -r1.55 ucred.h
--- sys/ucred.h 7 Jun 2007 22:27:15 - 1.55
+++ sys/ucred.h 8 Oct 2007 17:59:43 -
@@ -58,6 +58,8 @@
#define cr_endcopy cr_labe