Date: Sun, 8 Jul 2007 13:32:09 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 123117 for review Message-ID: <200707081332.l68DW9Z2099606@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=123117 Change 123117 by rwatson@rwatson_peppercorn on 2007/07/08 13:31:24 Synchronize audit kernel event list to OpenSolaris, including picking up the *at(2) system call events. Tidy up, correct, enhance comments. In two cases where OpenBSM defines events that duplicate Solaris events, prefer the Solaris definition. Flag a few more events as Solaris-specific. Remove XXX comments that are no longer required. Observe that we're getting really close to Solaris events colliding with older Darwin events. Affected files ... .. //depot/projects/trustedbsd/openbsm/HISTORY#53 edit .. //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#49 edit .. //depot/projects/trustedbsd/openbsm/etc/audit_event#22 edit Differences ... ==== //depot/projects/trustedbsd/openbsm/HISTORY#53 (text+ko) ==== @@ -3,6 +3,8 @@ - Fix bug when processing in_addr_ex tokens. - Restore the behavior of printing the string/text specified while auditing arg32 tokens. +- Synchronized audit event list to Solaris, picking up the *at(2) system call + definitions, now required for FreeBSD and Linux. OpenBSM 1.0 alpha 14 @@ -290,4 +292,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/HISTORY#52 $ +$P4: //depot/projects/trustedbsd/openbsm/HISTORY#53 $ ==== //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#49 (text+ko) ==== @@ -26,7 +26,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#48 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#49 $ */ #ifndef _BSM_AUDIT_KEVENTS_H_ 
@@ -44,11 +44,12 @@
 #define AUE_NULL 0
 #define AUE_EXIT 1
 #define AUE_FORK 2
+#define AUE_FORKALL AUE_FORK /* Solaris-specific. */
 #define AUE_OPEN 3
 #define AUE_CREAT 4
 #define AUE_LINK 5
 #define AUE_UNLINK 6
-#define AUE_DELETE AUE_UNLINK
+#define AUE_DELETE AUE_UNLINK /* Darwin-specific. */
 #define AUE_EXEC 7
 #define AUE_CHDIR 8
 #define AUE_MKNOD 9
@@ -57,7 +58,7 @@
 #define AUE_UMOUNT 12
 #define AUE_JUNK 13 /* Solaris-specific. */
 #define AUE_ACCESS 14
-#define AUE_CHECKUSERACCESS AUE_ACCESS
+#define AUE_CHECKUSERACCESS AUE_ACCESS /* Darwin-specific. */
 #define AUE_KILL 15
 #define AUE_STAT 16
 #define AUE_LSTAT 17
@@ -156,7 +157,7 @@
 #define AUE_SEMOP 110
 #define AUE_CORE 111 /* Solaris-specific, currently. */
 #define AUE_CLOSE 112
-#define AUE_SYSTEMBOOT 113
+#define AUE_SYSTEMBOOT 113 /* Solaris-specific. */
 #define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */
 #define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */
 #define AUE_WRITEL 128 /* Solaris-specific. */
@@ -179,9 +180,14 @@
 #define AUE_GETKERNSTATE 147 /* Solaris-specific. */
 #define AUE_SETKERNSTATE 148 /* Solaris-specific. */
 #define AUE_GETPORTAUDIT 149 /* Solaris-specific. */
-#define AUE_AUDISTAT 150 /* Solaris-specific. */
+#define AUE_AUDITSTAT 150 /* Solaris-specific. */
+#define AUE_REVOKE 151
+#define AUE_MAC 152 /* Solaris-specific. */
 #define AUE_ENTERPROM 153 /* Solaris-specific. */
 #define AUE_EXITPROM 154 /* Solaris-specific. */
+#define AUE_IFLOAT 155 /* Solaris-specific. */
+#define AUE_PFLOAT 156 /* Solaris-specific. */
+#define AUE_UPRIV 157 /* Solaris-specific. */
 #define AUE_IOCTL 158
 #define AUE_SOCKET 183
 #define AUE_SENDTO 184
@@ -193,28 +199,30 @@
 #define AUE_RECVMSG 190
 #define AUE_RECVFROM 191
 #define AUE_READ 192
+#define AUE_GETDENTS 193
 #define AUE_LSEEK 194
 #define AUE_WRITE 195
 #define AUE_WRITEV 196
 #define AUE_NFS 197 /* Solaris-specific. */
 #define AUE_READV 198
- /* XXXRW: XXX Solaris old stat()? */
+#define AUE_OSTAT 199 /* Solaris-specific. */
 #define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */
 #define AUE_STIME 201 /* XXXRW: Solaris old stime? */
 #define AUE_UTIME 202 /* XXXRW: Solaris old utime? */
 #define AUE_NICE 203 /* XXXRW: Solaris old nice? */
- /* XXXRW: Solaris old setpgrp? */
-#define AUE_SETGID 205 /* XXXRW: Solaris old setgid? */
- /* XXXRW: Solaris readl? */
- /* XXXRW: Solaris readvl()? */
+#define AUE_OSETPGRP 204 /* Solaris-specific. */
+#define AUE_SETGID 205
+#define AUE_READL 206 /* Solaris-specific. */
+#define AUE_READVL 207 /* Solaris-specific. */
+#define AUE_FSTAT 208
 #define AUE_DUP2 209
 #define AUE_MMAP 210
 #define AUE_AUDIT 211
-#define AUE_PRIOCNTLSYS 212
+#define AUE_PRIOCNTLSYS 212 /* Solaris-specific. */
 #define AUE_MUNMAP 213
 #define AUE_SETEGID 214
 #define AUE_SETEUID 215
-#define AUE_PUTMSG 216
+#define AUE_PUTMSG 216 /* Solaris-specific. */
 #define AUE_GETMSG 217 /* Solaris-specific. */
 #define AUE_PUTPMSG 218 /* Solaris-specific. */
 #define AUE_GETPMSG 219 /* Solaris-specific. */
@@ -231,26 +239,27 @@
 #define AUE_AUDITON_SETCOND 230
 #define AUE_AUDITON_GETCLASS 231
 #define AUE_AUDITON_SETCLASS 232
-#define AUE_UTSSYS 233 /* Solaris-specific. */
+#define AUE_FUSERS 233 /* Solaris-specific; also UTSSYS? */
 #define AUE_STATVFS 234
-#define AUE_XSTAT 235
-#define AUE_LXSTAT 236
+#define AUE_XSTAT 235 /* Solaris-specific. */
+#define AUE_LXSTAT 236 /* Solaris-specific. */
 #define AUE_LCHOWN 237
 #define AUE_MEMCNTL 238 /* Solaris-specific. */
 #define AUE_SYSINFO 239 /* Solaris-specific. */
 #define AUE_XMKNOD 240 /* Solaris-specific. */
 #define AUE_FORK1 241
- /* XXXRW: Solaris modctl()? */
+#define AUE_MODCTL 242 /* Solaris-specific. */
 #define AUE_MODLOAD 243
 #define AUE_MODUNLOAD 244
 #define AUE_MODCONFIG 245 /* Solaris-specific. */
 #define AUE_MODADDMAJ 246 /* Solaris-specific. */
-#define AUE_SOCKACCEPT 247
-#define AUE_SOCKCONNECT 248
-#define AUE_SOCKSEND 249
-#define AUE_SOCKRECEIVE 250
+#define AUE_SOCKACCEPT 247 /* Solaris-specific. */
+#define AUE_SOCKCONNECT 248 /* Solaris-specific. */
+#define AUE_SOCKSEND 249 /* Solaris-specific. */
+#define AUE_SOCKRECEIVE 250 /* Solaris-specific. */
 #define AUE_ACLSET 251
 #define AUE_FACLSET 252
+#define AUE_DOORFS 253 /* Solaris-specific. */
 #define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */
 #define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */
 #define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */
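Review bot: The rename of event 233 from `AUE_UTSSYS` to `AUE_FUSERS` leaves the header and the event database out of step, because the audit_event section of this same change still carries `233:AUE_UTSSYS:utssys(2) - fusers:ad` as an unchanged context line. Since the new comment itself asks `also UTSSYS?`, keeping the old name as an alias in the style already used for `AUE_FORKALL`, `#define AUE_UTSSYS AUE_FUSERS /* Solaris-specific. */`, would keep any consumer of the old name compiling and keep the name shown for 233 resolvable in the header. If the old name is really meant to go, audit_event line 233 should be renamed in the same change so the two files agree.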
@@ -262,11 +271,42 @@
 #define AUE_P_ONLINE 262 /* Solaris-specific. */
 #define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */
 #define AUE_INST_SYNC 264 /* Solaris-specific. */
-#define AUE_SOCK_CONFIG 265 /* Solaris-specific. */
+#define AUE_SOCKCONFIG 265 /* Solaris-specific. */
 #define AUE_SETAUDIT_ADDR 266
 #define AUE_GETAUDIT_ADDR 267
+#define AUE_UMOUNT2 268 /* Solaris-specific. */
+#define AUE_FSAT 269 /* Solaris-specific. */
+#define AUE_OPENAT_R 270
+#define AUE_OPENAT_RC 271
+#define AUE_OPENAT_RT 272
+#define AUE_OPENAT_RTC 273
+#define AUE_OPENAT_W 274
+#define AUE_OPENAT_WC 275
+#define AUE_OPENAT_WT 276
+#define AUE_OPENAT_WTC 277
+#define AUE_OPENAT_RW 278
+#define AUE_OPENAT_RWC 279
+#define AUE_OPENAT_RWT 280
+#define AUE_OPENAT_RWTC 281
+#define AUE_RENAMEAT 282
+#define AUE_FSTATAT 283
+#define AUE_FCHOWNAT 284
+#define AUE_FUTIMESAT 285
+#define AUE_UNLINKAT 286
 #define AUE_CLOCK_SETTIME 287
 #define AUE_NTP_ADJTIME 288
+#define AUE_SETPPRIV 289 /* Solaris-specific. */
+#define AUE_MODDEVPLCY 290 /* Solaris-specific. */
+#define AUE_MODADDPRIV 291 /* Solaris-specific. */
+#define AUE_CRYPTOADM 292 /* Solaris-specific. */
+#define AUE_CONFIGKSSL 293 /* Solaris-specific. */
+#define AUE_BRANDSYS 294 /* Solaris-specific. */
+#define AUE_PF_POLICY_ADDRULE 295 /* Solaris-specific. */
+#define AUE_PF_POLICY_DELRULE 296 /* Solaris-specific. */
+#define AUE_PF_POLICY_CLONE 297 /* Solaris-specific. */
+#define AUE_PF_POLICY_FLIP 298 /* Solaris-specific. */
+#define AUE_PF_POLICY_FLUSH 299 /* Solaris-specific. */
+#define AUE_PF_POLICY_ALGS 300 /* Solaris-specific. */
 /*
 * Events added for Apple Darwin that potentially collide with future Solaris
@@ -281,30 +321,30 @@
 #define AUE_DARWIN_PROFILE 305
 #define AUE_DARWIN_KTRACE 306
 #define AUE_DARWIN_SETLOGIN 307
-#define AUE_DARWIN_REBOOT 308 /* XXX: See AUE_REBOOT. */
+#define AUE_DARWIN_REBOOT 308
 #define AUE_DARWIN_REVOKE 309
 #define AUE_DARWIN_UMASK 310
 #define AUE_DARWIN_MPROTECT 311
-#define AUE_DARWIN_SETPRIORITY 312 /* XXX: See AUE_SETPRIORITY. */
-#define AUE_DARWIN_SETTIMEOFDAY 313 /* XXX: See AUE_SETTIMEOFDAY. */
-#define AUE_DARWIN_FLOCK 314 /* XXX: See AUE_FLOCK. */
+#define AUE_DARWIN_SETPRIORITY 312
+#define AUE_DARWIN_SETTIMEOFDAY 313
+#define AUE_DARWIN_FLOCK 314
 #define AUE_DARWIN_MKFIFO 315
 #define AUE_DARWIN_POLL 316
-#define AUE_DARWIN_SOCKETPAIR 317 /* XXXRW: See AUE_SOCKETPAIR. */
+#define AUE_DARWIN_SOCKETPAIR 317
 #define AUE_DARWIN_FUTIMES 318
 #define AUE_DARWIN_SETSID 319
 #define AUE_DARWIN_SETPRIVEXEC 320 /* Darwin-specific. */
-#define AUE_DARWIN_NFSSVC 321 /* XXX: See AUE_NFS_SVC. */
-#define AUE_DARWIN_GETFH 322 /* XXX: See AUE_NFS_GETFH. */
-#define AUE_DARWIN_QUOTACTL 323 /* XXX: See AUE_QUOTACTL. */
+#define AUE_DARWIN_NFSSVC 321
+#define AUE_DARWIN_GETFH 322
+#define AUE_DARWIN_QUOTACTL 323
 #define AUE_DARWIN_ADDPROFILE 324 /* Darwin-specific. */
 #define AUE_DARWIN_KDEBUGTRACE 325 /* Darwin-specific. */
 #define AUE_DARWIN_KDBUGTRACE AUE_KDEBUGTRACE
 #define AUE_DARWIN_FSTAT 326
 #define AUE_DARWIN_FPATHCONF 327
 #define AUE_DARWIN_GETDIRENTRIES 328
-#define AUE_DARWIN_TRUNCATE 329 /* XXX: See AUE_TRUNCATE. */
-#define AUE_DARWIN_FTRUNCATE 330 /* XXX: See AUE_FTRUNCATE. */
+#define AUE_DARWIN_TRUNCATE 329
+#define AUE_DARWIN_FTRUNCATE 330
 #define AUE_DARWIN_SYSCTL 331
 #define AUE_DARWIN_MLOCK 332
 #define AUE_DARWIN_MUNLOCK 333
@@ -343,6 +383,11 @@
 * These often duplicate events added to the Solaris set by Darwin, but use
 * event identifiers in a higher range in order to avoid colliding with
 * future Solaris additions.
+ *
+ * If an event in this section is later added to Solaris, we prefer the
+ * Solaris event identifier, and add _OPENBSM_ to the OpenBSM-specific
+ * identifier so that old trails can still be processed, but new trails use
+ * the Solaris identifier.
 */
 #define AUE_GETFSSTAT 43001
 #define AUE_PTRACE 43002
@@ -351,7 +396,7 @@
 #define AUE_PROFILE 43005
 #define AUE_KTRACE 43006
 #define AUE_SETLOGIN 43007
-#define AUE_REVOKE 43008
+#define AUE_OPENBSM_REVOKE 43008 /* Solaris event now preferred. */
 #define AUE_UMASK 43009
 #define AUE_MPROTECT 43010
 #define AUE_MKFIFO 43011
@@ -362,7 +407,7 @@
 #define AUE_ADDPROFILE 43016 /* Darwin-specific. */
 #define AUE_KDEBUGTRACE 43017 /* Darwin-specific. */
 #define AUE_KDBUGTRACE AUE_KDEBUGTRACE
-#define AUE_FSTAT 43018
+#define AUE_OPENBSM_FSTAT 43018 /* Solaris event now preferred. */
 #define AUE_FPATHCONF 43019
 #define AUE_GETDIRENTRIES 43020
 #define AUE_SYSCTL 43021
==== //depot/projects/trustedbsd/openbsm/etc/audit_event#22 (text+ko) ====
@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#21 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#22 $
 #
 0:AUE_NULL:indir system call:no
 1:AUE_EXIT:exit(2):pc
@@ -140,8 +140,13 @@
 148:AUE_SETKERNSTATE:setkernstate(2):ad
 149:AUE_GETPORTAUDIT:getportaudit(2):ad
 150:AUE_AUDITSTAT:auditstat(2):ad
+151:AUE_REVOKE:revoke(2):cl
+152:AUE_MAC:Solaris AUE_MAC:no
 153:AUE_ENTERPROM:enter prom:ad
 154:AUE_EXITPROM:exit prom:ad
+155:AUE_IFLOAT:Solaris AUE_IFLOAT:no
+156:AUE_PFLOAT:Solaris AUE_PFLOAT:no
+157:AUE_UPRIV:Solaris AUE_UPRIV:no
 158:AUE_IOCTL:ioctl(2):io
 173:AUE_ONESIDE:one-sided session record:nt
 174:AUE_MSGGETL:msggetl(2):ip
@@ -165,19 +170,19 @@
 196:AUE_WRITEV:writev(2):no
 197:AUE_NFS:nfs server:ad
 198:AUE_READV:readv(2):no
-199:AUE_OSTAT:old stat(2):fa
+199:AUE_OSTAT:Solaris old stat(2):fa
 200:AUE_SETUID:setuid(2):pc
 201:AUE_STIME:old stime(2):ad
 202:AUE_UTIME:old utime(2):fm
 203:AUE_NICE:old nice(2):pc
-204:AUE_OSETPGRP:old setpgrp(2):pc
+204:AUE_OSETPGRP:Solaris old setpgrp(2):pc
 205:AUE_SETGID:setgid(2):pc
 206:AUE_READL:readl(2):no
 207:AUE_READVL:readvl(2):no
 209:AUE_DUP2:dup2(2):no
 210:AUE_MMAP:mmap(2):no
 211:AUE_AUDIT:audit(2):ot
-212:AUE_PRIOCNTLSYS:priocntlsys(2):pc
+212:AUE_PRIOCNTLSYS:Solaris priocntlsys(2):pc
 213:AUE_MUNMAP:munmap(2):cl
 214:AUE_SETEGID:setegid(2):pc
 215:AUE_SETEUID:seteuid(2):pc
@@ -201,7 +206,7 @@
 233:AUE_UTSSYS:utssys(2) - fusers:ad
 234:AUE_STATVFS:statvfs(2):fa
 235:AUE_XSTAT:xstat(2):fa
-236:AUE_LXSTAT:lx6stat(2):fa
+236:AUE_LXSTAT:lxstat(2):fa
 237:AUE_LCHOWN:lchown(2):fm
 238:AUE_MEMCNTL:memcntl(2):ot
 239:AUE_SYSINFO:sysinfo(2):ad
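Review bot: Event 208 gets no entry in this hunk: the context lines run from `207:AUE_READVL:readvl(2):no` straight to `209:AUE_DUP2:dup2(2):no`, although the header section of this change adds `#define AUE_FSTAT 208` and demotes 43018 to `AUE_OPENBSM_FSTAT`. The parallel case was handled (151 gets `151:AUE_REVOKE:revoke(2):cl`), so this looks like an omission; I would add `208:AUE_FSTAT:fstat(2):fa` after line 207, reusing the class the 43018 entry already carries. Without it, records written with the now-preferred identifier presumably resolve to no event name or class from this file, so class-based preselection and trail review would not pick up fstat(2). The header's new `AUE_GETDENTS 193` falls outside the lines shown here and is worth checking the same way.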
@@ -230,12 +235,43 @@
 262:AUE_P_ONLINE:p_online(2):ad
 263:AUE_PROCESSOR_BIND:processor_bind(2):ad
 264:AUE_INST_SYNC:inst_sync(2):ad
+265:AUE_SOCKCONFIG:configure socket:nt
 266:AUE_SETAUDIT_ADDR:setaudit_addr(2):ad
 267:AUE_GETAUDIT_ADDR:getaudit_addr(2):ad
-268:AUE_CLOCK_SETTIME:clock_settime(2):ad
-269:AUE_NTP_ADJTIME:ntp_adjtime(2):ad
+268:AUE_UMOUNT2:Solaris umount(2):ad
+269:AUE_FSAT:fsat(2) - place holder:no
+270:AUE_OPENAT_R:openat(2) - read:fr
+271:AUE_OPENAT_RC:openat(2) - read,creat:fc,fr,fa,fm
+272:AUE_OPENAT_RT:openat(2) - read,trunc:fd,fr,fa,fm
+273:AUE_OPENAT_RTC:openat(2) - read,creat,trunc:fc,fd,fr,fa,fm
+274:AUE_OPENAT_W:openat(2) - write:fw
+275:AUE_OPENAT_WC:openat(2) - write,creat:fc,fw,fa,fm
+276:AUE_OPENAT_WT:openat(2) - write,trunc:fd,fw,fa,fm
+277:AUE_OPENAT_WTC:openat(2) - write,creat,trunc:fc,fd,fw,fa,fm
+278:AUE_OPENAT_RW:openat(2) - read,write:fr,fw
+279:AUE_OPENAT_RWC:openat(2) - read,write,create:fc,fw,fr,fa,fm
+280:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm
+282:AUE_RENAMEAT:renameat(2):fc,fd
+283:AUE_FSTATAT:fstatat(2):fa
+284:AUE_FCHOWNAT:fchownat(2):fm
+285:AUE_FUTIMESAT:futimesat(2):fm
+286:AUE_UNLINKAT:unlinkat(2):fd
+287:AUE_CLOCK_SETTIME:clock_settime(2):ad
+288:AUE_NTP_ADJTIME:ntp_adjtime(2):ad
+289:AUE_SETPPRIV:setppriv(2):pc
+290:AUE_MODDEVPLCY:modctl(2) - configure device policy:ad
+291:AUE_MODADDPRIV:modctl(2) - configure additional privilege:ad
+292:AUE_CRYPTOADM:kernel cryptographic framework:ad
+293:AUE_CONFIGKSSL:configure kernel SSL:ad
+294:AUE_BRANDSYS:brandsys(2):ot
+295:AUE_PF_POLICY_ADDRULE:Add IPsec policy rule:ad
+296:AUE_PF_POLICY_DELRULE:Delete IPsec policy rule:ad
+297:AUE_PF_POLICY_CLONE:Clone IPsec policy:ad
+298:AUE_PF_POLICY_FLIP:Flip IPsec policy:ad
+299:AUE_PF_POLICY_FLUSH:Flush IPsec policy rules:ad
+300:AUE_PF_POLICY_ALGS:Update IPsec algorithms:ad
 #
-# What follows are deprecated Darwin event numbers that may someday conflict
+# What follows are deprecated Darwin event numbers that may soon conflict
 # with Solaris events.
 #
 301:AUE_DARWIN_GETFSSTAT:getfsstat(2):fa
@@ -309,7 +345,7 @@
 43005:AUE_PROFILE:profil(2):pc
 43006:AUE_KTRACE:ktrace(2):pc
 43007:AUE_SETLOGIN:setlogin(2):pc
-43008:AUE_REVOKE:revoke(2):cl
+43008:AUE_OPENBSM_REVOKE:revoke(2):cl
 43009:AUE_UMASK:umask(2):pc
 43010:AUE_MPROTECT:mprotect(2):fm
 43011:AUE_MKFIFO:mkfifo(2):fc
@@ -319,7 +355,7 @@
 43015:AUE_SETPRIVEXEC:setprivexec(2):pc
 43016:AUE_ADDPROFILE:system call:pc
 43017:AUE_KDEBUGTRACE:system call:pc
-43018:AUE_FSTAT:fstat(2):fa
+43018:AUE_OPENBSM_FSTAT:fstat(2):fa
 43019:AUE_FPATHCONF:fpathconf(2):fa
 43020:AUE_GETDIRENTRIES:getdirentries(2):no
 43021:AUE_SYSCTL:sysctl(3):ot
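Review bot: The openat(2) block is off by one at its end: the added line `280:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm` gives number 280 to the name the header defines as 281, and there is no entry for `AUE_OPENAT_RWT` or for number 281 at all. The header section of this change has `#define AUE_OPENAT_RWT 280` and `#define AUE_OPENAT_RWTC 281`, so I would replace that line with `280:AUE_OPENAT_RWT:openat(2) - read,write,trunc:fd,fw,fr,fa,fm` and `281:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm`; the class list for 280 is by analogy with entries 272 and 276 and should be confirmed against the Solaris table. As written, a read/write/truncate open is labelled and classed as a create, and records carrying event 281 presumably resolve to no name or class, which leaves a gap in file-create and file-delete auditing. Separately, entry 279 spells `create` where every sibling entry says `creat`.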