From owner-freebsd-stable@FreeBSD.ORG Sat Sep 23 12:31:33 2006
Date: Sat, 23 Sep 2006 13:31:32 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Joerg Pernfuss
Cc: stable@FreeBSD.org
Subject: Re: Problems with auditd -- resolved
In-Reply-To: <20060922025016.6bc38025@loki.starkstrom.lan>
Message-ID: <20060923130543.Y1938@fledge.watson.org>
References: <20060917091750.T74654@fledge.watson.org> <20060922025016.6bc38025@loki.starkstrom.lan>
List-Id: Production branch of FreeBSD source code

On Fri, 22 Sep 2006, Joerg Pernfuss wrote:

> On Sun, 17 Sep 2006 09:19:03 +0100 (BST)
> Robert Watson wrote:
>
>> I've just committed a fix to syscalls.master and regenerated the remaining
>> system call files, which should correct the auditctl: Invalid Argument
>> error being returned by auditd. In short order, this fix should be on the
>> cvsup mirrors -- please let me know if it resolves the problem you were
>> experiencing.
>
> Thank you for that quick fix Robert, but sadly I am still somewhat at a
> loss. The auditd does run now, but does not write back any audit data at
> all. I have run at least three full buildworlds during the time you see
> below, set flags, deleted things, logged in, logged out, logged in via ssh
> to the external interface, ssh'ed to localhost. No gain. /var/log/audit
> looks like this:
>
> My audit_control file:
> dir:/var/audit
> flags:all
> minfree:20
> naflags:lo
>
> My audit_user file:
> root:all:no
> elessar:all:no

This is somewhat troubling -- I have RELENG_6 audit running on a number of boxes without problems. Your configuration looks reasonable, though. There are a few things we can try.
The first thing to look at is whether the audit library and commands are having trouble parsing your configuration files for some reason -- maybe there is extra white space, and we need to increase tolerance of unexpected white space, for example. There's a tool in src/contrib/openbsm/tools called audump, which parses the configuration files and then spits out what it thinks it found to stdout. It's not built by default, but it can be quite useful when debugging. You can build it by doing the following in the tools directory:

	cc -Wall -g -o /tmp/audump audump.c -lbsm

Then, as root, run:

	/tmp/audump control

I believe there's a bug in audump's user database support currently, but at the very least that will tell us if the control file is being properly parsed. Ideally, the output will very much resemble your configuration file -- if there's a significant difference, that could be the source of this problem.

Right now the id(1) command in -STABLE doesn't print audit properties of the process, but I've attached a patch that causes it to do so when "id -a" is run. If you could apply this patch and run "id -a" as root, that would be helpful.

Robert N M Watson
Computer Laboratory
University of Cambridge

Index: Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/id/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- Makefile	19 May 2004 21:06:36 -0000	1.11
+++ Makefile	23 Sep 2006 12:23:40 -0000
@@ -1,10 +1,18 @@ # @(#)Makefile 8.1 (Berkeley) 6/6/93 # $FreeBSD: src/usr.bin/id/Makefile,v 1.11 2004/05/19 21:06:36 dwmalone Exp $ +.include + PROG= id WARNS?= 6 LINKS= ${BINDIR}/id ${BINDIR}/groups LINKS+= ${BINDIR}/id ${BINDIR}/whoami MAN= id.1 groups.1 whoami.1 +.if ${MK_AUDIT} != "no" +CFLAGS+= -DUSE_BSM_AUDIT +DPADD+= ${LIBBSM} +LDADD+= -lbsm +.endif + .include Index: id.1 =================================================================== RCS file: /home/ncvs/src/usr.bin/id/id.1,v retrieving revision 1.15 diff -u -r1.15 id.1 --- id.1 29 Apr 2005 08:37:52 -0000 1.15 +++ id.1 23 Sep 2006 12:30:46 -0000 @@ -53,6 +53,8 @@ .Fl P .Op Ar user .Nm +.Fl a +.Nm .Fl g Op Fl nr .Op Ar user .Nm @@ -84,6 +86,9 @@ Display the MAC label of the current process. .It Fl P Display the id as a password file entry. +.It Fl a +Display the process audit user ID and other process audit properties, which +requires privilege. .It Fl g Display the effective group ID as a number. .It Fl n Index: id.c =================================================================== RCS file: /home/ncvs/src/usr.bin/id/id.c,v retrieving revision 1.27 diff -u -r1.27 id.c --- id.c 28 May 2006 12:32:30 -0000 1.27 +++ id.c 23 Sep 2006 12:30:16 -0000 @@ -48,6 +48,10 @@ #include #include +#ifdef USE_BSM_AUDIT +#include +#endif + #include #include #include @@ -60,6 +64,7 @@ void id_print(struct passwd *, int, int, int); void pline(struct passwd *); void pretty(struct passwd *); +void auditid(void); void group(struct passwd *, int); void maclabel(void); void usage(void); @@ -73,9 +78,11 @@ struct group *gr; struct passwd *pw; int Gflag, Mflag, Pflag, ch, gflag, id, nflag, pflag, rflag, uflag; + int aflag; const char *myname; Gflag = Mflag = Pflag = gflag = nflag = pflag = rflag = uflag = 0; + aflag = 0; myname = strrchr(argv[0], '/'); myname = (myname != NULL) ? myname + 1 : argv[0]; 
@@ -89,7 +96,7 @@ } while ((ch = getopt(argc, argv, - (isgroups || iswhoami) ? "" : "PGMgnpru")) != -1) + (isgroups || iswhoami) ? "" : "PGMagnpru")) != -1) switch(ch) { case 'G': Gflag = 1; @@ -100,6 +107,9 @@ case 'P': Pflag = 1; break; + case 'a': + aflag = 1; + break; case 'g': gflag = 1; break; @@ -125,7 +135,7 @@ if (iswhoami && argc > 0) usage(); - switch(Gflag + Pflag + gflag + pflag + uflag) { + switch(Gflag + Mflag + Pflag + aflag + gflag + pflag + uflag) { case 1: break; case 0: @@ -141,6 +151,16 @@ if (Mflag && pw != NULL) usage(); +#ifdef USE_BSM_AUDIT + if (aflag) { + auditid(); + exit(0); + } +#else + if (aflag) + usage(); +#endif + if (gflag) { id = pw ? pw->pw_gid : rflag ? getgid() : getegid(); if (nflag && (gr = getgrgid(id))) @@ -278,6 +298,22 @@ printf("\n"); } +#ifdef USE_BSM_AUDIT +void +auditid(void) +{ + auditinfo_t auditinfo; + + if (getaudit(&auditinfo) < 0) + err(-1, "getauditinfo"); + printf("auid=%d\n", auditinfo.ai_auid); + printf("mask.success=0x%08x\n", auditinfo.ai_mask.am_success); + printf("mask.failure=0x%08x\n", auditinfo.ai_mask.am_failure); + printf("termid.port=0x%08x\n", auditinfo.ai_termid.port); + printf("asid=%d\n", auditinfo.ai_asid); +} +#endif + void group(struct passwd *pw, int nflag) { @@ -382,11 +418,16 @@ else if (iswhoami) (void)fprintf(stderr, "usage: whoami\n"); else - (void)fprintf(stderr, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n", + (void)fprintf(stderr, "%s\n%s\n%s\n%s%s\n%s\n%s\n%s\n", "usage: id [user]", " id -G [-n] [user]", " id -M", " id -P [user]", +#ifdef USE_BSM_AUDIT + " id -a\n", +#else + "", +#endif " id -g [-nr] [user]", " id -p [user]", " id -u [-nr] [user]");
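Review bot: the new `.It Fl a` entry in id.1 says only that the option "requires privilege"; it should also say what is printed (the audit user ID, the success and failure preselection masks, the terminal port and the audit session ID, which is what auditid() emits) and that the option exists only when id is built with audit support, since the Makefile defines USE_BSM_AUDIT only when `${MK_AUDIT} != "no"` and the usage() text differs between the two builds.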
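Review bot: the `switch(Gflag + Mflag + Pflag + aflag + gflag + pflag + uflag)` line also starts counting Mflag, which was not in the old sum `Gflag + Pflag + gflag + pflag + uflag`; that changes which combinations involving -M fall into `case 1`, `case 0` or the remaining cases, independently of the -a feature. Either call this out in the commit message as an intentional -M fix or split it into a separate change so the -a addition stays self-contained.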
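Review bot: the `if (aflag) { auditid(); exit(0); }` branch ignores a `user` operand, so `id -a someuser` silently reports the calling process's own audit properties rather than rejecting the argument; the id.1 synopsis lists `id -a` with no user. Mirror the line just above it, `if (Mflag && pw != NULL) usage();`, with `if (aflag && pw != NULL) usage();` before the `#ifdef USE_BSM_AUDIT` block.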
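Review bot: in auditid(), `err(-1, "getauditinfo")` names a function the code does not call (the call is `getaudit(&auditinfo)`), and -1 as the exit status comes out as 255; use `err(1, "getaudit")` so the error message points at the failing call and the exit code is the conventional 1.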
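Review bot: the usage() format string is wrong in the USE_BSM_AUDIT build. In `"%s\n%s\n%s\n%s%s\n%s\n%s\n%s\n"` the fourth `%s` (`" id -P [user]"`) has no newline after it and is immediately followed by the conditional fifth `%s`, so with audit enabled the output is `id -P [user] id -a` on one line followed by a blank line; without audit (the argument is `""`) it happens to be right. Put the newline back after the fourth conversion and attach the optional one to the -g line instead, `"%s\n%s\n%s\n%s\n%s%s\n%s\n%s\n"`, keeping the conditional argument as `" id -a\n"` / `""`, so both builds print one complete line per form.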