#
fa1decc4 |
| 13-Aug-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Merge r196122 from head to stable/8:
Correctly audit real gids following changes to the audit record argument interface.
Approved by: re (kib)
|
#
9eb3e463 |
| 12-Aug-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Correctly audit real gids following changes to the audit record argument interface.
Approved by: re (kib)
|
#
11e9b8ba |
| 04-Aug-2009 |
Oleksandr Tymoshenko <gonzo@FreeBSD.org> |
- MFC @196061
|
#
791b0ad2 |
| 29-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Eliminate ARG_UPATH[12] arguments to AUDIT_ARG_UPATH() and instead provide specific macros, AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() to capture path information for audit records. This allows us to
Eliminate ARG_UPATH[12] arguments to AUDIT_ARG_UPATH() and instead provide specific macros, AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() to capture path information for audit records. This allows us to move the definitions of ARG_* out of the public audit header file, as they are an implementation detail of our current kernel-internal audit record, which may change.
Approved by: re (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
show more ...
|
#
b146fc1b |
| 28-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Rework vnode argument auditing to follow the same structure, in order to avoid exposing ARG_ macros/flag values outside of the audit code in order to name which one of two possible vnodes will be aud
Rework vnode argument auditing to follow the same structure, in order to avoid exposing ARG_ macros/flag values outside of the audit code in order to name which one of two possible vnodes will be audited for a system call.
Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 month
show more ...
|
#
e4b4bbb6 |
| 28-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Audit file descriptors passed to fooat(2) system calls, which are used instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Ad
Audit file descriptors passed to fooat(2) system calls, which are used instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Add audit record BSM encoding for fooat(2).
Note: due to an error in the OpenBSM 1.1p1 configuration file, a further change is required to that file in order to fix openat(2) auditing.
Approved by: re (kib) Reviewed by: rdivacky (fooat(2) portions) Obtained from: TrustedBSD Project MFC after: 1 month
show more ...
|
#
09c817ba |
| 03-Jul-2009 |
Oleksandr Tymoshenko <gonzo@FreeBSD.org> |
- MFC
|
#
9e4c1521 |
| 01-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Define missing audit argument macro AUDIT_ARG_SOCKET(), and capture the domain, type, and protocol arguments to socket(2) and socketpair(2).
Approved by: re (audit argument blanket) MFC after: 3 days
|
#
14961ba7 |
| 27-Jun-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Replace AUDIT_ARG() with variable argument macros with a set more more specific macros for each audit argument type. This makes it easier to follow call-graphs, especially for automated analysis too
Replace AUDIT_ARG() with variable argument macros with a set more more specific macros for each audit argument type. This makes it easier to follow call-graphs, especially for automated analysis tools (such as fxr).
In MFC, we should leave the existing AUDIT_ARG() macros as they may be used by third-party kernel modules.
Suggested by: brooks Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 week
show more ...
|
Revision tags: release/7.2.0_cvs, release/7.2.0 |
|
#
1829d5da |
| 12-Mar-2009 |
Warner Losh <imp@FreeBSD.org> |
Update the projects tree to a newer FreeBSD current.
|
#
b3f468e2 |
| 09-Mar-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Add a new thread-private flag, TDP_AUDITREC, to indicate whether or not there is an audit record hung off of td_ar on the current thread. Test this flag instead of td_ar when auditing syscall argumen
Add a new thread-private flag, TDP_AUDITREC, to indicate whether or not there is an audit record hung off of td_ar on the current thread. Test this flag instead of td_ar when auditing syscall arguments or checking for an audit record to commit on syscall return. Under these circumstances, td_pflags is much more likely to be in the cache (especially if there is no auditing of the current system call), so this should help reduce cache misses in the system call return path.
MFC after: 1 week Reported by: kris Obtained from: TrustedBSD Project
show more ...
|
#
cd6bbe65 |
| 06-Jan-2009 |
Robert Watson <rwatson@FreeBSD.org> |
In AUDIT_SYSCALL_EXIT(), invoke audit_syscall_exit() only if an audit record is active on the current thread--historically we may always have wanted to enter the audit code if auditing was enabled, b
In AUDIT_SYSCALL_EXIT(), invoke audit_syscall_exit() only if an audit record is active on the current thread--historically we may always have wanted to enter the audit code if auditing was enabled, but now we just commit the audit record so don't need to enter if there isn't one.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
show more ...
|
Revision tags: release/7.1.0_cvs, release/7.1.0, release/6.4.0_cvs, release/6.4.0 |
|
#
4ebff7e0 |
| 12-Nov-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Move audit-internal function definitions for getting and setting audit kinfo state to audit_private.h.
|
#
ffbcef5a |
| 11-Nov-2008 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Add support for extended header BSM tokens. Currently we use the regular header tokens. The extended header tokens contain an IP or IPv6 address which makes it possible to identify which host an au
Add support for extended header BSM tokens. Currently we use the regular header tokens. The extended header tokens contain an IP or IPv6 address which makes it possible to identify which host an audit record came from when audit records are centralized.
If the host information has not been specified, the system will default to the old style headers. Otherwise, audit records that are created as a result of system calls will contain host information.
This implemented has been designed to be consistent with the Solaris implementation. Host information is set/retrieved using the A_GETKAUDIT and A_SETKAUDIT auditon(2) commands. These commands require that a pointer to a auditinfo_addr_t object is passed. Currently only IP and IPv6 address families are supported.
The users pace bits associated with this change will follow in an openbsm import.
Reviewed by: rwatson, (sson, wsalamon (older version)) MFC after: 1 month
show more ...
|
#
f6d4a8a7 |
| 31-Jul-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Further synchronization of copyrights, licenses, white space, etc from Apple and from the OpenBSM vendor tree.
Obtained from: Apple Inc., TrustedBSD Project MFC after: 3 days
|
#
bc9a43d6 |
| 22-Jul-2008 |
Robert Watson <rwatson@FreeBSD.org> |
In preparation to sync Apple and FreeBSD versions of security audit, pick up the Apple Computer -> Apple change in their copyright and license templates.
Obtained from: Apple Inc. MFC after: 3 days
|
#
7d8ab8ba |
| 06-May-2008 |
Robert Watson <rwatson@FreeBSD.org> |
When testing whether to enter the audit argument gathering code, rather than checking whether audit is enabled globally, instead check whether the current thread has an audit record. This avoids ent
When testing whether to enter the audit argument gathering code, rather than checking whether audit is enabled globally, instead check whether the current thread has an audit record. This avoids entering the audit code to collect argument data if auditing is enabled but the current system call is not of interest to audit.
MFC after: 1 week Sponsored by: Apple, Inc.
show more ...
|
#
fa9e0a18 |
| 27-Apr-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Fix include guard spelling.
MFC after: 3 days Submitted by: diego
|
#
81efe39d |
| 24-Apr-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Use logic or, not binary or, when deciding whether or not a system call exit requires entering the audit code. The result is much the same, but they mean different things.
MFC afer: 3 days Submitte
Use logic or, not binary or, when deciding whether or not a system call exit requires entering the audit code. The result is much the same, but they mean different things.
MFC afer: 3 days Submitted by: Diego Giagio <dgiagio at gmail dot com>
show more ...
|
Revision tags: release/7.0.0_cvs, release/7.0.0, release/6.3.0_cvs, release/6.3.0 |
|
#
57274c51 |
| 26-Oct-2007 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Implement AUE_CORE, which adds process core dump support into the kernel. This change introduces audit_proc_coredump() which is called by coredump(9) to create an audit record for the coredump event.
Implement AUE_CORE, which adds process core dump support into the kernel. This change introduces audit_proc_coredump() which is called by coredump(9) to create an audit record for the coredump event. When a process dumps a core, it could be security relevant. It could be an indicator that a stack within the process has been overflowed with an incorrectly constructed malicious payload or a number of other events.
The record that is generated looks like this:
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec argument,0,0xb,signal path,/usr/home/csjp/test.core subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2 return,success,1 trailer,111
- We allocate a completely new record to make sure we arent clobbering the audit data associated with the syscall that produced the core (assuming the core is being generated in response to SIGABRT and not an invalid memory access). - Shuffle around expand_name() so we can use the coredump name at the very beginning of the coredump call. Make sure we free the storage referenced by "name" if we need to bail out early. - Audit both successful and failed coredump creation efforts
Obtained from: TrustedBSD Project Reviewed by: rwatson MFC after: 1 month
show more ...
|
#
cac465aa |
| 27-Jun-2007 |
Christian S.J. Peron <csjp@FreeBSD.org> |
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2) - In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before a
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2) - In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done for both setaudit and setaudit_addr. - Audit the arguments passed to setaudit_addr(2) - AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the audit token is created with the correct type. This fixes the processing of the in_addr_ex token in users pace. - Change the size of the token (as generated by the kernel) from 5*4 bytes to 4*4 bytes (the correct size of an ip6 address) - Correct regression from ucred work which resulted in getaudit() not returning E2BIG if the subject had an ip6 termid - Correct slight regression in getaudit(2) which resulted in the size of a pointer being passed instead of the size of the structure. (This resulted in invalid auditinfo data being returned via getaudit(2))
Reviewed by: rwatson Approved by: re@ (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
show more ...
|
#
faef5371 |
| 08-Jun-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each sys
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS.
Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
show more ...
|
#
d8c0f4dc |
| 01-Jun-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Clean up audit comments--formatting, spelling, etc.
|
#
34bf2d2c |
| 30-May-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Remove unused !AUDIT audit_proc_*() prototypes: unlike in Mac OS X, we don't define or use these functions if AUDIT isn't configured.
Obtained from: TrustedBSD Project
|
#
f0cbfcc4 |
| 13-Apr-2007 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens.
The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo.
If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG.
- Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2)
NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated.
MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
show more ...
|