2006-09-25 11:40:29 +00:00

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working
  correctly when the user specifies to process successful or failed events.
  The problem stemmed from not having access to the return token at the time
  the initial preselection occurred, but now a second preselection process
  occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
  which auditd(8) now uses to set the kernel audit trail rotation size.
- auditreduce(1) now uses stdin if no file names are specified on the command
  line; this was the documented behavior previously, but it was not
  implemented. Be more specific in auditreduce(1)'s examples section about
  what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
  termination of an audit trail file. For example, this might be used to
  compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
  now supply one or more (comma delimited) regular expressions for searching
  the pathnames. If one of the regular expressions is prefixed with a tilde
  (~), and a path matches, it will be excluded from the search results.

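As an added illustration (not OpenBSM's own auditreduce code), the following C function implements the comma-delimited, tilde-negatable pathname selection described for auditreduce(1) above; the name filter_select, the sample paths, and the rule that a list containing only '~' patterns selects every non-excluded path are this example's own assumptions.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/*
 * Select or reject one pathname with a comma-delimited list of extended
 * regular expressions, as auditreduce(1) describes: selected when it matches
 * at least one ordinary pattern and no '~'-prefixed pattern.  With only '~'
 * patterns, everything not excluded is selected (this example's assumption).
 * Commas cannot appear inside a pattern.  Returns 1, 0, or -1 on a bad regex.
 */
int
filter_select(const char *spec, const char *path)
{
	const char *p = spec, *comma;
	char pat[256];
	regex_t re;
	size_t len;
	int neg, positives = 0, hit = 0, excluded = 0;

	while (*p != '\0') {
		comma = strchr(p, ',');
		len = (comma != NULL) ? (size_t)(comma - p) : strlen(p);
		if (len >= sizeof(pat))
			return (-1);
		memcpy(pat, p, len);
		pat[len] = '\0';
		p += len + (comma != NULL);	/* Skip the delimiter, if any. */
		neg = (pat[0] == '~');
		positives += !neg;
		if (regcomp(&re, pat + neg, REG_EXTENDED | REG_NOSUB) != 0)
			return (-1);
		if (regexec(&re, path, 0, NULL, 0) == 0) {	/* 0 == match */
			if (neg)
				excluded = 1;
			else
				hit = 1;
		}
		regfree(&re);
	}
	if (excluded)
		return (0);		/* An exclusion always wins. */
	return (hit || positives == 0);
}

int
main(void)
{
	/* Constructed sample paths; not taken from any real audit trail. */
	const char *paths[] = { "/etc/passwd", "/etc/passwd.bak", "/usr/bin/ls" };
	const char *spec = "^/etc/,~\\.bak$";
	size_t i;

	for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
		printf("%-18s %s\n", paths[i],
		    filter_select(spec, paths[i]) == 1 ? "selected" : "rejected");
	return (0);
}
```
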
2006-09-21 07:07:33 +00:00

OpenBSM 1.0 alpha 11

- Reclassify certain read/write operations as having no class rather than the
  fr/fw class; our default classes audit intent (open), not operations (read,
  write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
  and writes of sysctls as separate events. Add additional kernel
  environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
  (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
  by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
  a dropped request, the log file will otherwise grow indefinitely if the
  trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading-related bugs in audit_control file reading
  routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
  representations of audit_control policy flags and the flags passed to
  auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
  extension to the Solaris file format to allow specification of policy
  persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
  policy to match it when configuring/reconfiguring. Remove the -s and -h
  arguments as these policies are now set via the configuration file. If a
  policy line is not found in the configuration file, continue with the
  current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environment
  variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.

2006-09-02 09:37:14 +00:00

OpenBSM 1.0 alpha 10

- auditd now generates complete audit records for its events, as required for
  application-submitted audit records in the FreeBSD kernel audit
  implementation.

2006-08-26 08:04:15 +00:00

OpenBSM 1.0 alpha 9

- Rename many OpenBSM-specific constants and API elements containing the
  strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true
  for almost all existing constants and APIs.
- Instead of passing a per-instance cookie directly into all audit filter
  APIs, pass in the audit filter daemon state pointer, which is then used by
  the module using an audit_filter_{get,set}cookie() API. This will allow
  future service APIs provided by the filter daemon to maintain their own
  state -- for example, per-module preselection state.

OpenBSM 1.0 alpha 8

- Correct typo in definition of AUR_INT.
- Adopt OpenSolaris constant values for AUDIT_* configuration flags.
- Arguments to au_to_exec_args() and au_to_exec_env() no longer const.
- Add kernel versions of au_to_exec_args() and au_to_exec_env().
- Fix exec argument type that is printed for env strings from 'arg' to 'env'.
- New OpenBSM token version number assigned, constants added for other
  commonly seen version numbers.
- OpenBSM-specific events assigned numbers in the 43xxx range to avoid future
  collisions with Solaris. Darwin events renamed to AUE_DARWIN_foo, as they
  are now deprecated numberings.
- autoconf now detects clock_gettime(), which is not available on Darwin.
- praudit output fixes relating to arg32 and arg64 tokens.
- Maximum record size updated to 64k-1 to match Solaris record size limit.
- Various style and comment cleanups in include files.

2006-06-27 18:06:41 +00:00

OpenBSM 1.0 alpha 7

- Adopted Solaris-compatible format for subject32_ex and subject64_ex
  tokens, which previously did not correctly implement variable length
  address storage.
- Prefer inttypes.h to stdint.h; enhance queue.h detection to test for
  TAILQ_FOREACH_SAFE(), which is present in recent BSD queue.h's, but not
  older ones. OpenBSM now builds on some FreeBSD 4.x versions.
- New event types for extended attributes, ACLs, and scheduling.

2006-06-05 10:52:12 +00:00

OpenBSM 1.0 alpha 6

- Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to au_close();
  previously we used hard-coded 0 and 1 values.
- Add man page for au_open(), au_write(), au_close(), and
  au_close_buffer().
- Support a more complete range of data types for the arbitrary data token:
  add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32 (alias
  to AUR_INT), add AUR_INT64.
- Add au_close_token(), which allows writing a single token_t to a memory
  buffer. Not likely to be used much by applications, but useful for
  writing test tools.
- Modify au_to_file() so that it accepts a timeval in user space, not just
  kernel -- this is not a Solaris BSM API so can be modified without
  causing compatibility issues.
- Define a new API, au_to_header32_tm(), which adds a struct timeval
  argument to the ordinary au_to_header32(), which is now implemented by
  wrapping au_to_header32_tm() and calling gettimeofday(). #ifndef KERNEL
  the APIs that invoke gettimeofday(), rather than having a variable
  definition. Don't try to retrieve time zone information using
  gettimeofday(), as it's not needed, and introduces possible failure
  modes.
- Don't perform byte order transformations on the addr/machine fields of
  the terminal ID that appears in the process32/subject32 tokens. These
  are assumed to be IP addresses, and as such, to be in network byte
  order.
- Universally, APIs now assume that IP addresses and ports are provided
  in network byte order. APIs now generally provide these types in
  network byte order when decoding.
- Beginnings of an OpenBSM test framework can now be found in openbsm/test.
  This code is not built or installed by default.
- auditd now assigns more appropriate syslog levels to its debugging and
  error information.
- Support for audit filters introduced: audit filters are dynamically
  loaded shared objects that run in the context of a new daemon,
  auditfilterd. The daemon reads from an audit pipe and feeds both BSM and
  parsed versions of records to shared objects using a module API. This
  will provide a framework for the writing of intrusion detection services.
- New utility API, audit_submit(), added to capture common elements of audit
  record submission for many applications.

2006-03-04 16:45:52 +00:00

OpenBSM 1.0 alpha 5

- Update install notes to indicate /etc files are to be installed manually.
- On systems without LOG_SECURITY, use LOG_AUTH.
- Convert to autoconf/automake in order to move to a more portable (not
  BSD-specific) build infrastructure, and easier conditional building of
  components. Currently, the primary feature loss is that automake does
  not have native support for manual symlinks. This will be addressed in a
  future OpenBSM release.
- Add compat/queue.h, to be used on systems with dated BSD queue macro
  libraries (as found on Linux).
- Rename CHANGELOG to HISTORY, as our change log doesn't follow some of the
  existing conventions for a CHANGELOG.
- Some private data structures moved from audit.h to audit_internal.h to
  prevent inappropriate use by applications and name space pollution.
- Improved detection and use of endian macros using autoconf.
- Avoid non-portable use of struct in6_addr, which is largely opaque.
- Avoid leaking BSD kernel socket related token code to user space in
  bsm_token.c.
- Teach System V IPC calls to look for Linux naming variations for certain
  struct ipc_perm fields.
- Test for audit system calls, and if not present, don't build
  bsm_wrappers.c, bsm_notify.c, audit(8), and auditd(8), which rely on
  those system calls.
- au_close() is not implemented on systems that don't have audit system
  calls, but au_close_buffer() is.
- Work around missing BSDisms in bsm_wrapper.c.
- Fix nested includes so including libbsm.h in an application on Linux
  picks up the necessary definitions.

OpenBSM 1.0 alpha 4

- Remove "audit" user example from audit_user, as it's not present on most
  systems.
- Add cannot_audit() function for non-Darwin systems that wraps auditon();
  required by OpenSSH BSM support. Convert Darwin cannot_audit() into a
  function rather than a macro.
- Library build fixed on Darwin following include file tweaks. The native
  Darwin sys/audit.h conflicts with bsm/audit.h due to duplicate types, so
  for now we force bsm_wrappers.c to not perform a nested include of
  sys/audit.h.

OpenBSM 1.0 alpha 3

- Man page formatting, cross reference, mlinks, and accuracy improvements.
- auditd and tools now compile and run on FreeBSD/arm.
- auditd will now fchown() the trail file to the audit review group, if
  defined at compile-time.
- Added AUE_SYSARCH for FreeBSD.
- Definition of AUE_SETFSGID fixed for Linux.

OpenBSM 1.0 alpha 2

- Man page formatting improvements.
- A number of new audit event identifiers for FreeBSD, Linux, and POSIX.1b
  events.
- Remove 'tfm' class, unused in OpenBSM.

OpenBSM 1.0 alpha 1

- Import of Darwin74 BSM drop.
- Use 'syslog' for audit log warnings, rather than echoing to a file in
  audit_warn.
- Compile using BSD make infrastructure.
- Integrate bsm/ include files from Darwin74 XNU drop into OpenBSM.
- Narrow set of symbols and defines that are exposed in user space: don't
  compile in code relying on kernel-only types such as 'struct socket'.
- Add README, including basic build documentation.
- Compilation of Apple-specific notify and Mach routines now #ifdef __APPLE__.
- Staticize libbsm global variables to avoid leakage into application.
- Add free_au_user_ent() so that au_user_ent's don't have to be leaked.
- Clean up bogus nul-termination checks in libbsm.
- Add libbsm API man pages: au_class.3 au_control.3 au_event.3
  au_free_token.3 au_io.3 au_mask.3 au_token.3 au_user.3 libbsm.3.
- Add man pages for BSM system calls: audit.2 auditctl.2 auditon.2 getaudit.2
  getauid.2 setaudit.2 setauid.2.
- Modify various libbsm interfaces to more consistently return 'errno' values
  on failure.
- Break out au_close() into constituent parts, allowing records to be written
  to memory as well as files.
- Prefix various defines with 'BSM_' to reduce name space pollution.
- Added audit_internal.h, which can be used by a kernel audit implementation
  wanting to rely on libbsm components.
- Build with warnings, and eliminate warnings.
- Make libbsm endian-independent, storing and reading BSM as big endian
  (network byte order) rather than native byte order. More consistently
  print IP addresses using the IP address print routine. These changes
  make use of sys/endian.h from *BSD; since this isn't present on Darwin,
  add it to OpenBSM as compat/endian.h, which is used only on Darwin.
- Import of Darwin80 BSM drop, including 64-bit file IDs, better
  documentation of private APIs, and bug fixes.
- White space cleanup.
- Add audit.log.5, a first cut at a man page documenting the BSM file format.
- Teach au_read_rec() to recognize stand-alone file tokens, which are present
  at the beginning and end of Solaris audit trails. Technically, these
  appear to violate the high level BSM spec, which suggests that all tokens
  are present in records, but need to be supported.
- Implement HEADER64, ATTR64, SUBJECT64 token types, which make it possible
  to run praudit(1) on basic Solaris BSM streams.
- Switched to Solaris spelling of token names; Darwin spellings are now
  deprecated and will be removed in a future version of OpenBSM.
- Adopt Solaris model for representing IPv4 and IPv6 addresses.
- Prefer C99 types.
- Attempt to universally adopt the BSD style(9) coding style for
  consistency.
- auditreduce(1) now has a usage message.
- Update support for auditctl(2) system call to support FreeBSD.
- Add support for /dev/audit as the trigger source on FreeBSD.
- Add additional event types for Darwin, FreeBSD, and Solaris. Annotate
  conflicts (there are a few, unfortunately). Correct spellings, comment,
  sort, etc. These include {get,set}res[ug]id(), sendfile(), lchflags(),
  eaccess(), kqueue(), kevent(), poll(), lchmod().
- Relicensed under a BSD license, many thanks to Apple, Inc!
- Many bug fixes, cleanups, thread safety in the class, control, event,
  and user system audit databases. Annotate some persisting atomicity
  bugs associated with the API and implementation.
- Add audump test tool.
- Adopt OpenSolaris BSM API memory semantics: caller allocates memory,
  or static memory is returned for non-_r() versions of API calls.
  _free() calls dropped as a result, and source code compatibility with
  OpenSolaris improved significantly.
- Annotate BSM events with origin OS and compatibility information.
- auditd(8), audit(8) added to the OpenBSM distribution. auditd extended
  to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.

$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $