From: Lev Serebryakov
Date: Sun, 26 Jun 2011 21:03:26 +0400
To: freebsd-security@freebsd.org
Subject: How to add new audit class?

Hello, Freebsd-security.

I want to create a mixed audit class for ``security-sensible'' events. For example, I need to audit:

exec*() syscalls from the standard `pc' class, but not wait4() or fork(), because fork() is not interesting (the new process image is security-sensible, not the new process itself), occurs too often and creates noise.

connect()/accept() from "nt", but not setsockopt(), for the same reasons.

And so on.

How should I create a new system class? What needs to be put into "classmask" in audit_class(5)? How should I edit the audit_event(5) file, as it seems that one event could belong to only one class, and I don't want to remove these events from their natural classes.

--
// Black Lion AKA Lev Serebryakov
From: jhell (J. Hellenthal)
Date: Sun, 26 Jun 2011 19:38:07 -0400
To: Lev Serebryakov
Cc: freebsd-security@freebsd.org
Subject: Re: How to add new audit class?

On Sun, Jun 26, 2011 at 09:03:26PM +0400, Lev Serebryakov wrote:
> Hello, Freebsd-security.
>
> I want to create a mixed audit class for ``security-sensible'' events.
> For example, I need to audit:
>
> exec*() syscalls from the standard `pc' class, but not wait4() or
> fork(), because fork() is not interesting (the new process image is
> security-sensible, not the new process itself), occurs too often
> and creates noise.
>
> connect()/accept() from "nt", but not setsockopt(), for the same
> reasons.
>
> And so on.
>
> How should I create a new system class? What needs to be put into
> "classmask" in audit_class(5)? How should I edit the audit_event(5) file,
> as it seems that one event could belong to only one class, and I
> don't want to remove these events from their natural classes.
>

Giving some background here: I had a similar type of thing I was going through with fcntl etc. for some remote diskless X machines that were logging 1000+ fcntl changes every 5 seconds! I didn't go on with auditing those machines ;)

What it came down to though was making good use of auditreduce(1) to get the output you would like to investigate. Good thing the resulting storage files are compressed, eh? ;)

To sum it up simply, it comes down to "...class mask size is fixed in the ABI and difficult to expand":
http://lists.freebsd.org/pipermail/freebsd-bugs/2010-December/042542.html

Hope this helps some.
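Lev asks what goes into the classmask field of audit_class(5) and whether an event can sit in more than one class, and jhell's answer points at the fixed-size class mask. The Python below is an added example, not code from the thread or from OpenBSM: it parses constructed samples in the audit_class(5) and audit_event(5) formats (the event class field is a comma-separated list; only the AUE_openssh line is quoted from this thread, and the class masks are illustrative, not the stock values) and applies the audit_control(5) flag prefixes to show which events a given flags string selects.

```python
"""Added example: how OpenBSM's audit_class(5) masks, audit_event(5) class lists
and audit_control(5) flags combine to decide which events are recorded."""

# Constructed sample in audit_class(5) format (classmask:classname:description).
# Masks are illustrative; the system's own /etc/security/audit_class is authoritative.
AUDIT_CLASS = """\
0x00000080:pc:process
0x00000100:nt:network
0x00001000:lo:login_logout
0x40000000:ex:exec
0xffffffff:all:all flags set
"""

# Constructed sample in audit_event(5) format (eventnum:eventname:eventdesc:eventclass);
# the class field is a comma-separated list. Only the AUE_openssh line is quoted from
# the thread; the other lines are constructed for this example.
AUDIT_EVENT = """\
2:AUE_FORK:fork(2):pc
7:AUE_WAIT4:wait4(2):pc
23:AUE_EXECVE:execve(2):pc,ex
30:AUE_ACCEPT:accept(2):nt
32:AUE_CONNECT:connect(2):nt
33:AUE_SETSOCKOPT:setsockopt(2):nt
32800:AUE_openssh:OpenSSH login:lo
"""

def parse_classes(text=AUDIT_CLASS):
    """Return {classname: mask}; blank lines are skipped."""
    classes = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        mask, name, _desc = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes

def parse_events(text=AUDIT_EVENT):
    """Return [(num, name, desc, (class, ...)), ...] in file order."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        num, name, desc, cls = line.split(":", 3)
        events.append((int(num), name, desc, tuple(c for c in cls.split(",") if c)))
    return events

def flags_to_masks(flags, classes):
    """Turn an audit_control(5) flags string into (success_mask, failure_mask).
    No prefix = both, '+' = success only, '-' = failure only, '^' = remove
    ('^+'/'^-' remove from one mask). Items apply left to right, so
    'all,^pc' selects everything except class pc."""
    success = failure = 0
    for item in (f.strip() for f in flags.split(",") if f.strip()):
        remove = item.startswith("^")
        item = item.lstrip("^")
        on_success, on_failure = not item.startswith("-"), not item.startswith("+")
        bits = classes[item.lstrip("+-")]  # KeyError for an unknown class name
        if remove:
            success &= ~bits if on_success else ~0
            failure &= ~bits if on_failure else ~0
        else:
            success |= bits if on_success else 0
            failure |= bits if on_failure else 0
    return success & 0xFFFFFFFF, failure & 0xFFFFFFFF

def selected_names(flags, succeeded=True, classes=None, events=None):
    """Names of the events recorded under FLAGS. An event is recorded when any of
    its class bits is in the relevant mask; selection is per class, not per event,
    so exec cannot be kept while fork is dropped as long as both sit in pc."""
    classes = classes or parse_classes()
    mask = flags_to_masks(flags, classes)[0 if succeeded else 1]
    return [name for _n, name, _d, cls in events or parse_events()
            if any(classes[c] & mask for c in cls)]

def lookup_by_desc(desc, events=None):
    """Resolve a praudit(1) event description ('OpenSSH login') to its AUE_ name
    and classes, as grep on /etc/security/audit_event does in the thread."""
    for _num, name, d, cls in events or parse_events():
        if d == desc:
            return name, cls
    return None
```

Because selection is by class bit, "pc,^ex" still records execve(2) through its pc membership and "all,^pc" drops fork(2) and wait4(2) while keeping execve(2) via ex; an event cannot leave pc without editing audit_event(5).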
From: Lev Serebryakov
Date: Wed, 29 Jun 2011 14:59:15 +0400
To: freebsd-security@freebsd.org
Cc: developers@freebsd.org
Subject: OpenBSM: does somebody work on it?

Hello, Freebsd-security.

I'm trying to use audit, and have some problems. The first one is the impossibility to create a custom event class, and the second one I hit is with auditreduce(1).

auditreduce doesn't filter events by date (the -b/-a/-d options with any arguments produce empty output), it doesn't merge files properly and doesn't pick up files automagically, as Solaris' one does. It doesn't have the -C/-M/-O functionality of Solaris' one either. So, proper merging of audit trail files seems to be impossible :(

I could try to fix & extend auditreduce(1), but does somebody but me need it?

Does somebody use audit on FreeBSD on production systems?
--
// Black Lion AKA Lev Serebryakov

From: Patrick Proniewski
Date: Wed, 29 Jun 2011 14:26:44 +0200
To: Lev Serebryakov
Cc: Liste FreeBSD-security
Subject: Re: OpenBSM: does somebody work on it?

On 29 June 2011, at 12:59, Lev Serebryakov wrote:
> auditreduce doesn't filter events by date (the -b/-a/-d options with any
> arguments produce empty output), it doesn't merge files properly and
> doesn't pick up files automagically, as Solaris' one does. It doesn't
> have the -C/-M/-O functionality of Solaris' one either. So, proper merging
> of audit trail files seems to be impossible :(
>
> I could try to fix & extend auditreduce(1), but does somebody but me
> need it?
>
> Does somebody use audit on FreeBSD on production systems?

I do, almost (I've not finished my setup, but I'm auditing a production server).

Maybe you'll find this interesting: http://forums.freebsd.org/showthread.php?t=23716#9

patpro

From: Lev Serebryakov
Date: Wed, 29 Jun 2011 18:23:27 +0400
To: Patrick Proniewski
Cc: Liste FreeBSD-security
Subject: Re: OpenBSM: does somebody work on it?

Hello, Patrick.
You wrote on 29 June 2011, 16:26:44:

> I do, almost (I've not finished my setup, but I'm auditing a production server).
> Maybe you'll find this interesting:
> http://forums.freebsd.org/showthread.php?t=23716#9

It seems even the system ftpd doesn't use setaudit() :(

--
// Black Lion AKA Lev Serebryakov
From: Stacey Son
Date: Wed, 29 Jun 2011 08:21:03 -0500
To: Lev Serebryakov
Cc: freebsd-security@freebsd.org, developers@freebsd.org
Subject: Re: OpenBSM: does somebody work on it?

On Jun 29, 2011, at 5:59 AM, Lev Serebryakov wrote:
> Hello, Freebsd-security.
>
> I'm trying to use audit, and have some problems. The first one is the
> impossibility to create a custom event class, and the second one I hit is
> with auditreduce(1).
>
> auditreduce doesn't filter events by date (the -b/-a/-d options with any
> arguments produce empty output), it doesn't merge files properly and
> doesn't pick up files automagically, as Solaris' one does. It doesn't
> have the -C/-M/-O functionality of Solaris' one either. So, proper merging
> of audit trail files seems to be impossible :(
>
> I could try to fix & extend auditreduce(1), but does somebody but me
> need it?
>
> Does somebody use audit on FreeBSD on production systems?

FYI, a better place to discuss this would be the trustedbsd-audit mailing list. There are quite a few people that use OpenBSM in production on FreeBSD and Mac OS X that hang out on that list usually.

Regards,
-stacey.

From: Lev Serebryakov
Date: Wed, 29 Jun 2011 19:11:19 +0400
To: freebsd-security@freebsd.org
Subject: More questions about audit

Hello, Freebsd-security.

I'm grepping all sources for programs which support audit and found a strange thing:

    find . -name '*.c*' -print | \
    grep -v -E '^./(sys|contrib/openbsm|tools/regression)' | \
    xargs grep -E "\<(audit|au_)"

shows that only login(1), su(1), id(1) and sshd(1) use audit. And even sshd(8) raises a question: it doesn't call setaudit(2)!

Even more, such a command doesn't show anything about user login via ssh:

    auditreduce -m AUE_login /dev/auditpipe0 | praudit

Yes, I have the "lo" class enabled for all users, and, yes,

    auditreduce -r USER /dev/auditpipe0 | praudit

shows activity after login...

What do I do wrong?

P.S. Maybe there is a more adequate list for BSM Audit questions?

--
// Black Lion AKA Lev Serebryakov

From: Patrick Proniewski
Date: Wed, 29 Jun 2011 21:49:19 +0200
To: Lev Serebryakov
Cc: Liste FreeBSD-security
Subject: Re: OpenBSM: does somebody work on it?
On 29 June 2011, at 16:23, Lev Serebryakov wrote:
> Hello, Patrick.
> You wrote on 29 June 2011, 16:26:44:
>
>> I do, almost (I've not finished my setup, but I'm auditing a production server).
>> Maybe you'll find this interesting:
>> http://forums.freebsd.org/showthread.php?t=23716#9
> It seems even the system ftpd doesn't use setaudit() :(

As long as it uses login to log users into the system, I don't think it needs to use setaudit(). But I'm no BSM guru at all :)
The audit system starts auditing a user as soon as he (or she) logs in on the system.
I'll give ftpd a try if I have some spare time.

patpro

From: Patrick Proniewski
Date: Wed, 29 Jun 2011 22:04:19 +0200
To: Lev Serebryakov
Cc: freebsd-security@freebsd.org
Subject: Re: More questions about audit
On 29 June 2011, at 17:11, Lev Serebryakov wrote:
> Even more, such a command doesn't show anything about user login via
> ssh:
>
> auditreduce -m AUE_login /dev/auditpipe0 | praudit
>
> Yes, I have the "lo" class enabled for all users, and, yes,
>
> auditreduce -r USER /dev/auditpipe0 | praudit
>
> shows activity after login...

    # praudit -l /dev/auditpipe0
    header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
    header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
    ../..
    header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,

You see "OpenSSH login" as the event's name. That's what you need to look for:

    # grep "OpenSSH login" /etc/security/audit_event
    32800:AUE_openssh:OpenSSH login:lo

So, you must try:

    # auditreduce -m AUE_openssh /dev/auditpipe0 | praudit

But I don't get good results with that command. It looks like auditreduce waits for a good amount of events before sending the result to stdout.
This will show your logins:

    # auditreduce -m AUE_openssh /var/audit/current | praudit

patpro

From: Mike Tancsa
Organization: Sentex Communications
Date: Thu, 30 Jun 2011 11:58:30 -0400
To: freebsd-security@freebsd.org
Subject: Old SSH bug on RELENG_4

I am sure someone has some boxes out there still....
http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081722.html

A simple workaround *seems* to be to disable PAM on sshd, i.e. in /etc/ssh/sshd_config set the following from yes to no:

    # Change to no to disable PAM authentication
    ChallengeResponseAuthentication no

I wonder if other apps that make use of PAM can trigger the bug as well?

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/