Date: Tue, 18 Dec 2018 14:49:43 +0000
From: "Robert N. M. Watson" <rwatson@FreeBSD.org>
To: Jack Halford <jack@gandi.net>
Cc: trustedbsd-audit@freebsd.org
Subject: Re: new syscalls audit events
Message-ID: <8BA9D408-41F8-4E59-8AA9-39740A2F65C5@FreeBSD.org>
In-Reply-To: <20181214161615.lvk2gsqtf7gij4fc@thinkpad-gandi>
References: <20181214161615.lvk2gsqtf7gij4fc@thinkpad-gandi>
Hi Jack:

Excellent news on adding per-thread credential support. If you are looking for reviewers for the patch, do let me know.

Regarding the below:

On 14 Dec 2018, at 16:16, Jack Halford <jack@gandi.net> wrote:

> I'm currently writing a patch for 3 new syscalls for per-thread credentials, 2 of these are auditable (setcred and revertcred, see [1]). The wiki page about adding auditing events says to contact you in case of need of a new BSM event. I'm pretty sure I've added my events in all the right places, however I can't see any of my syscalls in the auditpipe.
>
> So far I've done the following:
>
> 1) added relevant information in
> - contrib/openbsm/etc/audit_event
> - contrib/openbsm/sys/bsm/audit_kevents.h
> - sys/bsm/audit_kevents.h

These changes will need to be upstreamed to OpenBSM in GitHub. As there might be conflicting new events using the same numbers, do use the numbers assigned by OpenBSM rather than those that might appear most obvious in FreeBSD, as BSM is used across several operating systems, and we require consistent event-number assignment.

> - sys/kern/syscalls.master
> - sys/compat/freebsd32/syscalls.master

You will also need to modify sys/security/audit_bsm_klib.c to generate BSM records and encode arguments/return values/etc.

> 2) regenerate sysvector, build and install kernel and world
>
> 3) `make -C usb.sbin install` doesn't seem to install
> the new /etc/audit_event so I cp'd it by hand

I suspect that it is the libbsm target that installs the headers and config files for OpenBSM, rather than auditd.

Robert

> Any pointers? I'd like to get this working before the review for obvious reasons...
>
> [1]: https://github.com/jzck/freebsd/pull/1/files
>
> --
> Best,
> Jack
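The thread above lists the files a new audit event must be added to (the `audit_event` config and the `audit_kevents.h` headers) and warns that event numbers must agree and must not collide. The following checker is an added example, not code from the thread or from OpenBSM/FreeBSD: it parses the colon-separated `audit_event` format and the `#define AUE_*` lines of the header, then reports number mismatches and duplicate numbers. The sample file contents and all event numbers in it are constructed placeholders, not real OpenBSM assignments.

```python
import re

# Constructed sample of contrib/openbsm/etc/audit_event lines.
# Format: number:AUE_name:description:classes. Numbers are placeholders.
SAMPLE_AUDIT_EVENT = """\
# constructed sample, not the real file
43001:AUE_SETCRED:setcred(2):pc
43002:AUE_REVERTCRED:revertcred(2):pc
43001:AUE_EXAMPLE_CLASH:example(2):pc
"""

# Constructed sample of sys/bsm/audit_kevents.h; AUE_REVERTCRED is given
# a different number on purpose so the check has something to report.
SAMPLE_KEVENTS_H = """\
#define AUE_SETCRED      43001   /* constructed sample */
#define AUE_REVERTCRED   43003   /* constructed sample */
#define AUE_EXAMPLE_CLASH 43001  /* constructed sample */
"""

def parse_audit_event(text):
    """Map AUE_ name -> event number from audit_event config text."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed audit_event line: %r" % line)
        events[fields[1]] = int(fields[0])
    return events

def parse_kevents_header(text):
    """Map AUE_ name -> event number from #define lines in audit_kevents.h."""
    pat = re.compile(r"^#define\s+(AUE_\w+)\s+(\d+)")
    found = {}
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def find_mismatches(config, header):
    """Names whose numbers differ, or that exist on only one side."""
    names = sorted(set(config) | set(header))
    return {n: (config.get(n), header.get(n)) for n in names
            if config.get(n) != header.get(n)}

def find_duplicate_numbers(mapping):
    """Event numbers assigned to more than one AUE_ name."""
    by_number = {}
    for name, number in mapping.items():
        by_number.setdefault(number, []).append(name)
    return {num: sorted(names) for num, names in by_number.items() if len(names) > 1}
```

Run it against the real files by replacing the constructed strings with `open(path).read()`; an empty result from both functions means the config and header agree and no number is reused.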