On Fri, 22 Sep 2006, Joerg Pernfuss wrote:
On Sun, 17 Sep 2006 09:19:03 +0100 (BST)
Robert Watson <[EMAIL PROTECTED]> wrote:
I've just committed a fix to syscalls.master and regenerated the remaining
system call files, which should correct the auditctl: Invalid Argument
error being returned by auditd. In short order, this fix should be on the
cvsup mirrors -- please let me know if it resolves the problem you were
experiencing.
Thank you for that quick fix Robert, but sadly I am still somewhat at a
loss. The auditd does run now, but does not write back any audit data at
all. I have run at least three full buildworlds during the time you see
below, set flags, deleted things, logged in, logged out, logged in via ssh
to the external interface, ssh'ed to localhost. No gain. /var/log/audit
looks like this:
<snip>
My audit_control file:
dir:/var/audit
flags:all
minfree:20
naflags:lo
My audit_user file:
root:all:no
elessar:all:no
This is somewhat troubling -- I have RELENG_6 audit running on a number of
boxes without problems. Your configuration looks reasonable, though. There
are a few things we can try. The first thing to look at is whether the audit
library and commands are having trouble parsing your configuration files for
some reason -- maybe there is extra white space, and we need to increase
tolerance of unexpected white space, for example. There's a tool in
src/contrib/openbsm/tools called audump, which parses the configuration files
and then spits out what it thinks it found to stdout. It's not built by
default, but it can be quite useful when debugging. You can build it by doing
the following in the tools directory:
cc -Wall -g -o /tmp/audump audump.c -lbsm
Then, as root, run:
/tmp/audump control
I believe there's a bug in audump's user database support currently, but at
the very least that will tell us if the control file is being properly parsed.
Ideally, the output will very much resemble your configuration file -- if
there's a significant difference, that could be the source of this problem.
Right now the id(1) command in -STABLE doesn't print audit properties of the
process, but I've attached a patch that causes it to do so when "id -a" is
run. If you could apply this patch and run "id -a" as root, that would be
helpful.
Robert N M Watson
Computer Laboratory
University of Cambridge
Index: Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/id/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- Makefile 19 May 2004 21:06:36 -0000 1.11
+++ Makefile 23 Sep 2006 12:23:40 -0000
@@ -1,10 +1,18 @@
# @(#)Makefile 8.1 (Berkeley) 6/6/93
# $FreeBSD: src/usr.bin/id/Makefile,v 1.11 2004/05/19 21:06:36 dwmalone Exp $
+.include <bsd.own.mk>
+
PROG= id
WARNS?= 6
LINKS= ${BINDIR}/id ${BINDIR}/groups
LINKS+= ${BINDIR}/id ${BINDIR}/whoami
MAN= id.1 groups.1 whoami.1
+.if ${MK_AUDIT} != "no"
+CFLAGS+= -DUSE_BSM_AUDIT
+DPADD+= ${LIBBSM}
+LDADD+= -lbsm
+.endif
+
.include <bsd.prog.mk>
Index: id.1
===================================================================
RCS file: /home/ncvs/src/usr.bin/id/id.1,v
retrieving revision 1.15
diff -u -r1.15 id.1
--- id.1 29 Apr 2005 08:37:52 -0000 1.15
+++ id.1 23 Sep 2006 12:30:46 -0000
@@ -53,6 +53,8 @@
.Fl P
.Op Ar user
.Nm
+.Fl a
+.Nm
.Fl g Op Fl nr
.Op Ar user
.Nm
@@ -84,6 +86,9 @@
Display the MAC label of the current process.
.It Fl P
Display the id as a password file entry.
+.It Fl a
+Display the process audit user ID and other process audit properties, which
+requires privilege.
.It Fl g
Display the effective group ID as a number.
.It Fl n
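Review bot: the new .It Fl a text documents the privilege requirement but not that the option only exists on builds with audit support (the Makefile hunk wires it up under MK_AUDIT, and id.c only reaches auditid() under USE_BSM_AUDIT, falling through to usage() otherwise); a sentence saying so would keep id.1 in step with the code.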
Index: id.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/id/id.c,v
retrieving revision 1.27
diff -u -r1.27 id.c
--- id.c 28 May 2006 12:32:30 -0000 1.27
+++ id.c 23 Sep 2006 12:30:16 -0000
@@ -48,6 +48,10 @@
#include <sys/param.h>
#include <sys/mac.h>
+#ifdef USE_BSM_AUDIT
+#include <bsm/audit.h>
+#endif
+
#include <err.h>
#include <errno.h>
#include <grp.h>
@@ -60,6 +64,7 @@
void id_print(struct passwd *, int, int, int);
void pline(struct passwd *);
void pretty(struct passwd *);
+void auditid(void);
void group(struct passwd *, int);
void maclabel(void);
void usage(void);
@@ -73,9 +78,11 @@
struct group *gr;
struct passwd *pw;
int Gflag, Mflag, Pflag, ch, gflag, id, nflag, pflag, rflag, uflag;
+ int aflag;
const char *myname;
Gflag = Mflag = Pflag = gflag = nflag = pflag = rflag = uflag = 0;
+ aflag = 0;
myname = strrchr(argv[0], '/');
myname = (myname != NULL) ? myname + 1 : argv[0];
@@ -89,7 +96,7 @@
}
while ((ch = getopt(argc, argv,
- (isgroups || iswhoami) ? "" : "PGMgnpru")) != -1)
+ (isgroups || iswhoami) ? "" : "PGMagnpru")) != -1)
switch(ch) {
case 'G':
Gflag = 1;
@@ -100,6 +107,9 @@
case 'P':
Pflag = 1;
break;
+ case 'a':
+ aflag = 1;
+ break;
case 'g':
gflag = 1;
break;
@@ -125,7 +135,7 @@
if (iswhoami && argc > 0)
usage();
- switch(Gflag + Pflag + gflag + pflag + uflag) {
+ switch(Gflag + Mflag + Pflag + aflag + gflag + pflag + uflag) {
case 1:
break;
case 0:
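Review bot: adding Mflag to the exclusivity switch is a behaviour change unrelated to the new -a option: previously Mflag was not counted, so -M combined with -G/-P/-g/-p/-u passed the one-option check, and now it will not. If that tightening is intended it should be called out in the commit message, otherwise it belongs in a separate change.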
@@ -141,6 +151,16 @@
if (Mflag && pw != NULL)
usage();
+#ifdef USE_BSM_AUDIT
+ if (aflag) {
+ auditid();
+ exit(0);
+ }
+#else
+ if (aflag)
+ usage();
+#endif
+
if (gflag) {
id = pw ? pw->pw_gid : rflag ? getgid() : getegid();
if (nflag && (gr = getgrgid(id)))
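Review bot: the new aflag block does not reject a user operand the way the Mflag check just above it does (`if (Mflag && pw != NULL) usage();`). Since -a reports the calling process's own audit properties and the synopsis lists no user argument, add `if (aflag && pw != NULL) usage();` so that `id -a someuser` fails loudly rather than silently ignoring the name.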
@@ -278,6 +298,22 @@
printf("\n");
}
+#ifdef USE_BSM_AUDIT
+void
+auditid(void)
+{
+ auditinfo_t auditinfo;
+
+ if (getaudit(&auditinfo) < 0)
+ err(-1, "getauditinfo");
+ printf("auid=%d\n", auditinfo.ai_auid);
+ printf("mask.success=0x%08x\n", auditinfo.ai_mask.am_success);
+ printf("mask.failure=0x%08x\n", auditinfo.ai_mask.am_failure);
+ printf("termid.port=0x%08x\n", auditinfo.ai_termid.port);
+ printf("asid=%d\n", auditinfo.ai_asid);
+}
+#endif
+
void
group(struct passwd *pw, int nflag)
{
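Review bot: the err() message in auditid() says "getauditinfo" but the call that failed is getaudit(); use `err(1, "getaudit")` so the diagnostic names the syscall, and note that err(-1, ...) yields exit status 255 rather than the conventional 1.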
@@ -382,11 +418,16 @@
else if (iswhoami)
(void)fprintf(stderr, "usage: whoami\n");
else
- (void)fprintf(stderr, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
+ (void)fprintf(stderr, "%s\n%s\n%s\n%s%s\n%s\n%s\n%s\n",
"usage: id [user]",
" id -G [-n] [user]",
" id -M",
" id -P [user]",
+#ifdef USE_BSM_AUDIT
+ " id -a\n",
+#else
+ "",
+#endif
" id -g [-nr] [user]",
" id -p [user]",
" id -u [-nr] [user]");
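Review bot: the new format string is off by one position. In "%s\n%s\n%s\n%s%s\n%s\n%s\n%s\n" the bare %s is the fourth conversion, which is paired with " id -P [user]", so on an audit build the output reads " id -P [user] id -a" on one line followed by an empty line. The conditional argument is the fifth one, so the newline-less conversion must be the fifth: "%s\n%s\n%s\n%s\n%s%s\n%s\n%s\n".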
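An added example, not code from this thread or from OpenBSM's audump: a small, whitespace-tolerant parser for the audit_control key:value format that records what it found and counts lines it could not parse, which is the kind of check Robert suggests above; the sample file image and the function names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Trimmed key:value entries found, plus a count of lines not understood. */
struct audit_control {
	char key[16][32], val[16][256];
	int n, bad_lines;
};
/* Strip leading and trailing white space in place; returns first non-blank. */
static char *trim(char *s)
{
	char *e = s + strlen(s);
	while (isspace((unsigned char)*s))
		s++;
	while (e > s && isspace((unsigned char)e[-1]))
		*--e = '\0';
	return (s);
}
/* Parse an in-memory audit_control image; blank and '#' lines are skipped. */
void parse_audit_control(struct audit_control *ac, const char *text)
{
	char buf[2048], *line, *key, *val;
	memset(ac, 0, sizeof(*ac));
	snprintf(buf, sizeof(buf), "%s", text);
	for (line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n")) {
		key = trim(line);
		if (*key == '\0' || *key == '#')
			continue;
		if ((val = strchr(key, ':')) == NULL || ac->n == 16) {
			ac->bad_lines++;	/* not key:value, or table full */
			continue;
		}
		*val++ = '\0';
		snprintf(ac->key[ac->n], sizeof(ac->key[0]), "%s", trim(key));
		snprintf(ac->val[ac->n], sizeof(ac->val[0]), "%s", trim(val));
		ac->n++;
	}
}
/* Constructed sample: stray white space as suspected, plus one malformed line. */
const char sample_control[] =
    "dir : /var/audit \nflags:all\nminfree:20 \n  naflags:lo\nno colon here\n";
/* Parse the sample and hand back the table for printing or checking. */
const struct audit_control *parse_sample(void)
{
	static struct audit_control ac;
	parse_audit_control(&ac, sample_control);
	return (&ac);
}
```

A non-zero bad_lines, or a value that does not match what you typed into the file, points at the parsing problem Robert describes; if everything comes back clean, the configuration files are not the culprit.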
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable