From: "Robert N. M. Watson" <rwatson@FreeBSD.org>
To: Jack Halford
Cc: trustedbsd-audit@freebsd.org
Date: Tue, 18 Dec 2018 14:49:43 +0000
Subject: Re: new syscalls audit events

Hi Jack:

Excellent news on adding per-thread credential support. If you are looking for reviewers for the patch, do let me know. Regarding the below:

On 14 Dec 2018, at 16:16, Jack Halford wrote:

> I'm currently writing a patch for 3 new syscalls for per-thread credentials, 2
> of these are auditable (setcred and revertcred, see [1]). The wiki page about
> adding auditing events says to contact you in case of need of a new BSM event.
> I'm pretty sure I've added my events in all the right places, however I can't see
> any of my syscalls in the auditpipe.
>
> So far I've done the following:
>
> 1) added relevant information in
> - contrib/openbsm/etc/audit_event
> - contrib/openbsm/sys/bsm/audit_kevents.h
> - sys/bsm/audit_kevents.h

These changes will need to be upstreamed to OpenBSM in GitHub. As there might be conflicting new events using the same numbers, do use the numbers assigned by OpenBSM rather than those that might appear most obvious in FreeBSD, as BSM is used across several operating systems, and we require consistent event-number assignment.

> - sys/kern/syscalls.master
> - sys/compat/freebsd32/syscalls.master

You will also need to modify sys/security/audit_bsm_klib.c to generate BSM records and encode arguments/return values/etc.

> 2) regenerate sysvector, build and install kernel and world
>
> 3) `make -C usr.sbin install` doesn't seem to install
> the new /etc/audit_event so I cp'd it by hand

I suspect that it is the libbsm target that installs the headers and config files for OpenBSM, rather than auditd.

Robert

> Any pointers? I'd like to get this working before the review for obvious
> reasons...
>
> [1]: https://github.com/jzck/freebsd/pull/1/files
>
> --
> Best,
> Jack


From: Jack Halford <jack@gandi.net>
To: "Robert N. M. Watson"
Cc: trustedbsd-audit@freebsd.org
Date: Tue, 18 Dec 2018 17:24:58 +0100
Subject: Re: Re: new syscalls audit events

>> - contrib/openbsm/etc/audit_event
>> - contrib/openbsm/sys/bsm/audit_kevents.h
>> - sys/bsm/audit_kevents.h
>
> These changes will need to be upstreamed to OpenBSM in GitHub. As there might be conflicting new events using the same numbers, do use the numbers assigned by OpenBSM rather than those that might appear most obvious in FreeBSD, as BSM is used across several operating systems, and we require consistent event-number assignment.
>
>> - sys/kern/syscalls.master
>> - sys/compat/freebsd32/syscalls.master
>
> You will also need to modify sys/security/audit_bsm_klib.c to generate BSM records and encode arguments/return values/etc.

Thanks for the reply, I'll look into upstreaming all this to github before my review then. Likely after the holidays.

--
Jack
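A consistency check for the event-number point raised in the thread, added here as an example and not code from the thread, OpenBSM or FreeBSD: it parses the audit_event file format (number:name:description:class) and the #define lines of audit_kevents.h, then reports names whose numbers disagree between the two files, entries present in only one of them, and numbers reused by two events. The file contents, event names (AUE_EXAMPLE_*) and numbers below are constructed placeholders, not OpenBSM assignments.

```python
import re

# Constructed samples of the two files an event must be added to; the names and
# numbers are placeholders for illustration, not OpenBSM's assignments.
AUDIT_EVENT = """\
0:AUE_NULL:indir system call:no
43999:AUE_EXAMPLE_SETCRED:setcred(2):pc
43999:AUE_EXAMPLE_REVERTCRED:revertcred(2):pc
"""
AUDIT_KEVENTS_H = """\
#define AUE_NULL                0
#define AUE_EXAMPLE_SETCRED     43999   /* placeholder number */
#define AUE_EXAMPLE_REVERTCRED  44000   /* placeholder number */
"""

def parse_audit_event(text):
    """Map event name -> number from audit_event (number:name:description:class)."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        num, name, _desc, _cls = line.split(":", 3)
        events[name] = int(num)
    return events

def parse_kevents_header(text):
    """Map AUE_* name -> number from the #define lines of audit_kevents.h."""
    pat = re.compile(r"^\s*#define\s+(AUE_\w+)\s+(\d+)")
    return {m.group(1): int(m.group(2)) for m in map(pat.match, text.splitlines()) if m}

def check_consistency(audit_event_text, header_text):
    """Return a list of problems: number mismatches, missing entries, reused numbers."""
    cfg = parse_audit_event(audit_event_text)
    hdr = parse_kevents_header(header_text)
    problems = []
    for name, num in hdr.items():
        if name not in cfg:
            problems.append(f"{name} ({num}) is in the header but missing from audit_event")
        elif cfg[name] != num:
            problems.append(f"{name}: header says {num}, audit_event says {cfg[name]}")
    problems += [f"{n} is in audit_event but not in the header" for n in cfg.keys() - hdr.keys()]
    # Two events sharing one number is the conflict the thread warns about, so flag reuse in either file.
    for label, table in (("audit_event", cfg), ("header", hdr)):
        seen = {}
        for name, num in table.items():
            if num in seen:
                problems.append(f"{label}: number {num} is used by both {seen[num]} and {name}")
            seen[num] = name
    return problems
```

Run it against the real contrib/openbsm/etc/audit_event and sys/bsm/audit_kevents.h from a checkout to catch a local number that drifted from the upstream assignment before sending the change for review.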