From owner-trustedbsd-audit@FreeBSD.ORG Wed Sep 20 16:00:53 2006 Return-Path: X-Original-To: trustedbsd-audit@freebsd.org Delivered-To: trustedbsd-audit@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D98B16A403 for ; Wed, 20 Sep 2006 16:00:53 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id F2B0B43D49 for ; Wed, 20 Sep 2006 16:00:52 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 29DA146D2C for ; Wed, 20 Sep 2006 12:00:51 -0400 (EDT) Date: Wed, 20 Sep 2006 17:00:51 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: trustedbsd-audit@TrustedBSD.org Message-ID: <20060920165423.C37863@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Subject: OpenBSM 1.0 alpha 11 released X-BeenThere: trustedbsd-audit@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD Audit Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Sep 2006 16:00:53 -0000 OpenBSM 1.0 alpha 11 is now up the web site, and is the first release after incorporation into the FreeBSD 6-STABLE tree. It incorporates a number of bug fixes and enhancements resulting from use by 6-STABLE users. The download can be found at: http://www.TrustedBSD.org/openbsm.html Change notes from OpenBSM 1.0 alpha 10 below. I'll be incorporating this drop into FreeBSD 7-CURRENT today, and 6-STABLE a few days later for inclusion in 6.2-BETA2. Robert N M Watson Computer Laboratory University of Cambridge OpenBSM 1.0 alpha 11 - Reclassify certain read/write operations as having no class rather than the fr/fw class; our default classes audit intent (open) not operations (read, write). - Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads and writes of sysctls as separate events. Add additional kernel environment and jail events for FreeBSD. - Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued by the kernel audit implementation) so that they can be distinguished. - Disable rate limiting of rotate requests; as the kernel doesn't retransmit a dropped request, the log file will otherwise grow indefinitely if the trigger is dropped. - Improve auditd debugging output. - Fix a number of threading related bugs in audit_control file reading routines. - Add APIs au_poltostr() and au_strtopol() to convert between text representations of audit_control policy flags and the flags passed to auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY). - Add API getacpol() to return the 'policy:' entry from audit_control, an extension to the Solaris file format to allow specification of policy persistent flags. - Update audump to print the audit_control policy field. - Update auditd to read the audit_control policy field and set the kernel policy to match it when configuring/reconfiguring. Remove the -s and -h arguments as these policies are now set via the configuration file. If a policy line is not found in the configuration file, continue with the current default of setting AUDIT_CNT. - Fix bugs in the parsing of large execve(2) arguments and environmental variable tokens; increase maximum parsed argument and variable count. - configure now detects strlcat(), used by policy-related functions. - Reference token and record sample files added to test tree.