Subject: Re: new syscalls audit events
From: "Robert N. M. Watson"
To: Jack Halford
Cc: trustedbsd-audit@freebsd.org
Date: Tue, 18 Dec 2018 14:49:43 +0000
Message-Id: <8BA9D408-41F8-4E59-8AA9-39740A2F65C5@FreeBSD.org>
In-Reply-To: <20181214161615.lvk2gsqtf7gij4fc@thinkpad-gandi>
List-Id: TrustedBSD Audit Discussion List

Hi Jack:

Excellent news on adding per-thread credential support. If you are looking for reviewers for the patch, do let me know. Regarding the below:

On 14 Dec 2018, at 16:16, Jack Halford wrote:

> I'm currently writing a patch for 3 new syscalls for per-thread credentials, 2
> of these are auditable (setcred and revertcred, see [1]). The wiki page about
> adding auditing events says to contact you in case of need of a new BSM event.
> I'm pretty sure I've added my events in all the right places, however I can't see
> any of my syscalls in the auditpipe.
>
> So far I've done the following:
>
> 1) added relevant information in
> - contrib/openbsm/etc/audit_event
> - contrib/openbsm/sys/bsm/audit_kevents.h
> - sys/bsm/audit_kevents.h

These changes will need to be upstreamed to OpenBSM in GitHub. As there might be conflicting new events using the same numbers, do use the numbers assigned by OpenBSM rather than those that might appear most obvious in FreeBSD, as BSM is used across several operating systems, and we require consistent event-number assignment.

> - sys/kern/syscalls.master
> - sys/compat/freebsd32/syscalls.master

You will also need to modify sys/security/audit_bsm_klib.c to generate BSM records and encode arguments/return values/etc.

> 2) regenerate sysvector, build and install kernel and world
>
> 3) `make -C usr.sbin install` doesn't seem to install
> the new /etc/audit_event so I cp'd it by hand

I suspect that it is the libbsm target that installs the headers and config files for OpenBSM, rather than auditd.

Robert

> Any pointers? I'd like to get this working before the review for obvious
> reasons...
>
> [1]: https://github.com/jzck/freebsd/pull/1/files
>
> --
> Best,
> Jack
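An added example, not from this thread nor from FreeBSD/OpenBSM: a small checker for the two tables the thread says must agree before upstreaming, the `number:AUE_NAME:description:class` lines of audit_event and the `#define AUE_NAME number` lines of audit_kevents.h. It flags names present in only one table, numbers that differ between them, and event numbers reused within audit_event; the embedded file contents and the event numbers 43300/43301 are constructed placeholders.

```python
import re

# Constructed samples of the two tables; NOT the real FreeBSD/OpenBSM files.
# 43300/43301 are placeholder event numbers, deliberately inconsistent.
AUDIT_EVENT = """\
# Event number:Event name:Event description:Event class(es)
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
43300:AUE_SETCRED:setcred(2):pc
43300:AUE_REVERTCRED:revertcred(2):pc
"""

AUDIT_KEVENTS_H = """\
#define AUE_NULL            0
#define AUE_EXIT            1
#define AUE_SETCRED         43300
#define AUE_REVERTCRED      43301
"""

_EVENT_RE = re.compile(r"^(\d+):(AUE_\w+):([^:]*):(\S*)$")
_DEFINE_RE = re.compile(r"^#define\s+(AUE_\w+)\s+(\d+)\b")

def parse_audit_event(text):
    """Map event name -> number from audit_event lines; '#' lines are comments."""
    events = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _EVENT_RE.match(line)
        if not m:
            raise ValueError("audit_event line %d is malformed: %r" % (lineno, line))
        events[m.group(2)] = int(m.group(1))
    return events

def parse_kevents_header(text):
    """Map AUE_* name -> number from '#define AUE_FOO <n>' lines; other lines are ignored."""
    matches = (_DEFINE_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}

def check_consistency(event_text, header_text):
    """Return the list of problems a reviewer would flag (empty when the tables agree)."""
    events, defines = parse_audit_event(event_text), parse_kevents_header(header_text)
    issues = []
    for name in sorted(set(events) | set(defines)):  # each name must be in both, same number
        if name not in defines:
            issues.append("%s is in audit_event but not in audit_kevents.h" % name)
        elif name not in events:
            issues.append("%s is in audit_kevents.h but not in audit_event" % name)
        elif events[name] != defines[name]:
            issues.append("%s is %d in audit_event but %d in audit_kevents.h"
                          % (name, events[name], defines[name]))
    by_number = {}  # one event number must map to exactly one event
    for name, number in events.items():
        by_number.setdefault(number, []).append(name)
    for number, names in sorted(by_number.items()):
        if len(names) > 1:
            issues.append("event number %d is used by %s" % (number, ", ".join(sorted(names))))
    return issues

if __name__ == "__main__":
    for issue in check_consistency(AUDIT_EVENT, AUDIT_KEVENTS_H):
        print(issue)
```

Running it against the real files (`contrib/openbsm/etc/audit_event` and `sys/bsm/audit_kevents.h`) instead of the samples is the same call with the file contents read from disk.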