From: Robert Watson
Date: Sat, 14 Jul 2007 16:45:14 +0100 (BST)
To: Alex Samorukov
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSM questions

On Sat, 14 Jul 2007, Alex Samorukov wrote:

> I have some issues with OpenBSM which I cannot resolve, so I decided to ask
> there.
>
> 1) I found some bugs in the auditreduce utility and created a patch for it -
> http://www.freebsd.org/cgi/query-pr.cgi?pr=114534. Please, someone from the
> freebsd team - take it, I think it's better to fix this before the next
> release.

I was not aware of this PR, thanks for pointing it out. In the future, if no
one picks up an audit-related PR, feel free to send e-mail to
trustedbsd-audit@TrustedBSD.org and/or directly to me. I've grabbed ownership
of this PR and will apply the changes to OpenBSM, hopefully today.

> 2) I found that when I'm using XDM as login manager with OpenBSM, all my
> audit events come with subject -1, and because of this I can't filter them
> with audit_user policy. When I'm using console "login" all works as designed
> and I get the logged-in user in the subject. I think that xdm must be patched
> to support audit, I found audit code in the login sources. Maybe someone
> already did such patches?

This is correct -- login services must be modified to properly set up user
audit state at login. I am not familiar with work relating to this with xdm,
kdm, gdm, etc, but it would be very good to see this happen. Possibly, e-mail
to the port maintainers of these may be called for, possibly with patches.

> 3) All services running from rc scripts are also using "-1" as their subject.
> How can I change the subject for such programs? E.g. mysql works with mysql
> uid/gid and I want to create a special policy for mysql in the audit_user
> file, but the "subject" of such events is always "-1", so I can't do this.

Hmm. Right now there isn't a tool to do this, but there probably should be.

> P.S. I'm using FreeBSD-STABLE.

The patch you've submitted will go first into OpenBSM, then 7-CURRENT, and
then at some point an MFC to 6-STABLE. Fortunately, you've caught me just
before I released OpenBSM 1.0 alpha 15, which will be the last import (we
hope) before 7.0. If you're aware of any other outstanding issues relating to
OpenBSM, please let me know.

Robert N M Watson
Computer Laboratory
University of Cambridge
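
Added example, not part of the original message and not OpenBSM code: a small Python script that measures the problem discussed in points 2 and 3 by counting audit records whose subject carries audit ID -1, grouped by the effective user they ran as. It assumes praudit's default comma-delimited text output, in which the first two fields of a subject token are the audit ID and the effective user; the sample records, user names and paths are constructed for illustration.

```python
from collections import Counter

# Constructed praudit-style records for illustration (not from the thread).
SAMPLE = """\
header,133,10,execve(2),0,Sat Jul 14 12:00:01 2007, + 384 msec
exec arg,ls,-l
path,/bin/ls
subject,alex,alex,alex,alex,alex,1201,1190,0,0.0.0.0
return,success,0
trailer,133
header,97,10,open(2) - read,0,Sat Jul 14 12:00:02 2007, + 12 msec
path,/var/db/mysql/ibdata1
subject,-1,mysql,mysql,mysql,mysql,845,0,0,0.0.0.0
return,success,5
trailer,97
header,97,10,open(2) - read,0,Sat Jul 14 12:00:03 2007, + 40 msec
path,/home/alex/.xsession
subject,-1,alex,alex,alex,alex,1502,0,0,0.0.0.0
return,success,4
trailer,97
"""

def parse_records(text):
    """Yield (event, audit_id, effective_user) for each complete record."""
    event = subject = None
    for line in text.splitlines():
        fields = line.split(",")
        if fields[0] == "header" and len(fields) >= 4:
            event, subject = fields[3], None      # start of a new record
        elif fields[0] in ("subject", "subject_ex") and len(fields) >= 3:
            subject = (fields[1], fields[2])      # audit ID, effective user
        elif fields[0] == "trailer" and event is not None:
            if subject is not None:
                yield (event, subject[0], subject[1])
            event = subject = None

def unattributed_by_euid(text):
    """Count records whose audit ID is -1, keyed by effective user."""
    counts = Counter()
    for _event, auid, euid in parse_records(text):
        if auid == "-1":
            counts[euid] += 1
    return counts

if __name__ == "__main__":
    for user, n in sorted(unattributed_by_euid(SAMPLE).items()):
        print(f"{n} record(s) with audit ID -1 running as {user}")
```

On a real system the input would be the text produced by running praudit over a trail file; records counted here are the ones a per-user audit_user entry cannot select.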