Commit Graph

53 Commits

Author SHA1 Message Date
Jonathan Anderson
778b0e42a8 Provide ability to audit cap_rights_t arguments.
We wish to be able to audit capability rights arguments; this code
provides the necessary infrastructure.

This commit does not, of itself, turn on such auditing for any
system call; that should follow shortly.

Approved by: mentor (rwatson), re (Capsicum blanket)
Sponsored by: Google Inc
2011-07-18 12:58:18 +00:00
Christian S.J. Peron
24ffe72448 Add a case to make sure that internal audit records get converted
to BSM format for lpathconf(2) events.

MFC after:	2 weeks
2010-05-04 15:29:07 +00:00
Christian S.J. Peron
583450efd7 Make sure we convert audit records that were produced as the result of the
closefrom(2) syscall.
2010-01-31 22:31:01 +00:00
Robert Watson
e4b4bbb665 Audit file descriptors passed to fooat(2) system calls, which are used
instead of the root/current working directory as the starting point for
lookups.  Up to two such descriptors can be audited.  Add audit record
BSM encoding for fooat(2).

Note: due to an error in the OpenBSM 1.1p1 configuration file, a
further change is required to that file in order to fix openat(2)
auditing.

Approved by:	re (kib)
Reviewed by:	rdivacky (fooat(2) portions)
Obtained from:	TrustedBSD Project
MFC after:	1 month
2009-07-28 21:39:58 +00:00
Robert Watson
6196f898bb Create audit records for AUE_POSIX_OPENPT, currently w/o arguments.
Approved by:	re (audit argument blanket)
2009-07-02 16:33:38 +00:00
Robert Watson
deedc899fd Fix comment misthink.
Submitted by:	b. f. <bf1783 at googlemail.com>
Approved by:	re (audit argument blanket)
MFC after:	1 week
2009-07-02 09:50:13 +00:00
Robert Watson
2a5658382a Clean up a number of aspects of token generation from audit arguments to
system calls:

- Centralize generation of argument tokens for VM addresses in a macro,
  ADDR_TOKEN(), and properly encode 64-bit addresses in 64-bit arguments.
- Fix up argument numbers across a large number of syscalls so that they
  match the numeric argument into the system call.
- Don't audit the address argument to ioctl(2) or ptrace(2), but do keep
  generating tokens for mmap(2), minherit(2), since they relate to passing
  object access across execve(2).

Approved by:	re (audit argument blanket)
Obtained from:	TrustedBSD Project
MFC after:	1 week
2009-07-02 09:15:30 +00:00
Robert Watson
03f7b00438 For access(2) and eaccess(2), audit the requested access mode.
Approved by:	re (audit argument blanket)
MFC after:	3 days
2009-07-01 22:47:45 +00:00
Robert Watson
6d5a61563a When auditing unmount(2), capture FSID arguments as regular text strings
rather than as paths, which would lead to them being treated as relative
pathnames and hence confusingly converted into absolute pathnames.

Capture flags to unmount(2) via an argument token.

Approved by:	re (audit argument blanket)
MFC after:	3 days
2009-07-01 16:56:56 +00:00
Robert Watson
422d786676 Audit the file descriptor number passed to lseek(2).
Approved by:	re (kib)
MFC after:	3 days
2009-07-01 15:37:23 +00:00
Robert Watson
2ef24dde7c udit the 'options' argument to wait4(2).
Approved by:	re (kib)
MFC after:	3 days
2009-07-01 12:36:10 +00:00
Robert Watson
4df4e33572 Merge OpenBSM 1.1 changes to the FreeBSD 8.x kernel:
- Add and use mapping of fcntl(2) commands to new BSM constant space.
- Adopt (int) rather than (long) arguments to a number of auditon(2)
  commands, as has happened in Solaris, and add compatibility code to
  handle the old comments.

Note that BSM_PF_IEEE80211 is partially but not fully removed, as the
userspace OpenBSM 1.1alpha5 code still depends on it.  Once userspace
is updated, I'll GCC the kernel constant.

MFC after:		2 weeks
Sponsored by:		Apple, Inc.
Obtained from:		TrustedBSD Project
Portions submitted by:	sson
2009-04-19 14:53:17 +00:00
Robert Watson
8b14aeee4b Audit AUE_MAC_EXECVE; currently just the standard AUE_EXECVE arguments
and not the label.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
MFC after:	1 week
2009-02-08 14:24:35 +00:00
Robert Watson
4ba1f444c5 Audit the flag argument to the nfssvc(2) system call.
Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2009-02-08 14:04:08 +00:00
Robert Watson
fcdb2e9607 Call au_errno_to_bsm() on the errno value passed into au_to_return32()
to convert local FreeBSD error numbers into BSM error numbers.

Obtained from:	TrustedBSD Project
2008-12-31 11:56:35 +00:00
Robert Watson
a760c0b245 Regularize /* FALLTHROUGH */ comments in the BSM event type switch, and
add one that was missing.

MFC after:	3 weeks
Coverity ID:	3960
2008-11-25 11:25:45 +00:00
Christian S.J. Peron
ffbcef5a42 Add support for extended header BSM tokens. Currently we use the
regular header tokens.  The extended header tokens contain an IP
or IPv6 address which makes it possible to identify which host an
audit record came from when audit records are centralized.

If the host information has not been specified, the system will
default to the old style headers.  Otherwise, audit records that
are created as a result of system calls will contain host information.

This implemented has been designed to be consistent with the Solaris
implementation.  Host information is set/retrieved using the A_GETKAUDIT
and A_SETKAUDIT auditon(2) commands.  These commands require that a
pointer to a auditinfo_addr_t object is passed.  Currently only IP and
IPv6 address families are supported.

The users pace bits associated with this change will follow in an
openbsm import.

Reviewed by:	rwatson, (sson, wsalamon (older version))
MFC after:	1 month
2008-11-11 21:57:03 +00:00
Robert Watson
3f3978840e More fully audit fexecve(2) and its arguments.
Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2008-08-25 13:50:01 +00:00
Robert Watson
93536b495d If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record
with equivilent content to AUE_SYSCTL.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:54:32 +00:00
Robert Watson
30d0721b59 Further minor style fixes to audit.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:49:30 +00:00
Robert Watson
1814e5b748 Remove unneeded \ at the end of a macro.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:08:27 +00:00
Robert Watson
3c4636a7d4 Further minor white space tweaks.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 17:06:49 +00:00
Robert Watson
fc1286c81d Generally avoid <space><tab> as a white space anomoly.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:44:48 +00:00
Robert Watson
0c0a142a52 Use #define<tab> rather than #define<space>.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:21:59 +00:00
Robert Watson
f1cb603072 Comment fix.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 16:02:21 +00:00
Robert Watson
98ee1b30aa Comment typo fix.
Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:54:10 +00:00
Robert Watson
bc9a43d698 In preparation to sync Apple and FreeBSD versions of security audit,
pick up the Apple Computer -> Apple change in their copyright and
license templates.

Obtained from:	Apple Inc.
MFC after:	3 days
2008-07-22 15:29:48 +00:00
Robert Watson
dda409d4ec Use __FBSDID() for $FreeBSD$ IDs in the audit code.
MFC after:	3 days
2008-04-13 22:06:56 +00:00
Robert Watson
303d3f35fb Rename several audit functions in the global kernel symbol namespace to
have audit_ on the front:

- canon_path -> audit_canon_path
- msgctl_to_event -> audit_msgctl_to_event
- semctl_to_event -> audit_semctl_to_event

MFC after:	1 month
2008-02-25 20:28:00 +00:00
Christian S.J. Peron
0f7e334a95 Fix gratuitous whitespace bug
MFC after:	1 week
Obtained from:	TrustedBSD Project
2008-01-18 19:57:21 +00:00
Christian S.J. Peron
cd109a68ae Add a case for AUE_LISTEN. This removes the following console error message:
"BSM conversion requested for unknown event 43140"

It should be noted that we need to audit the fd argument for this system
call.

Obtained from:	TrustedBSD Project
MFC after:	1 week
2008-01-18 19:50:34 +00:00
Christian S.J. Peron
57274c513c Implement AUE_CORE, which adds process core dump support into the kernel.
This change introduces audit_proc_coredump() which is called by coredump(9)
to create an audit record for the coredump event.  When a process
dumps a core, it could be security relevant.  It could be an indicator that
a stack within the process has been overflowed with an incorrectly constructed
malicious payload or a number of other events.

The record that is generated looks like this:

header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111

- We allocate a completely new record to make sure we arent clobbering
  the audit data associated with the syscall that produced the core
  (assuming the core is being generated in response to SIGABRT  and not
  an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very
  beginning of the coredump call.  Make sure we free the storage referenced
  by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts

Obtained from:	TrustedBSD Project
Reviewed by:	rwatson
MFC after:	1 month
2007-10-26 01:23:07 +00:00
Christian S.J. Peron
088b56a874 Use extended process token. The in kernel process audit
state is stored in an extended subject token now.  Make sure
that we are using the extended data.  This fixes the termID
for process tokens.

Obtained from:	TrustedBSD Project
Discussed with:	rwatson
MFC after:	1 week
2007-10-24 00:05:52 +00:00
Robert Watson
536b405093 Remove two boot printfs generated by Audit to announce it's presence,
and replace with software-testable sysctl node (security.audit) that
can be used to detect kernel audit support.

Obtained from:	TrustedBSD Project
Approved by:	re (kensmith)
2007-07-01 20:51:30 +00:00
Christian S.J. Peron
cac465aa7f - Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2)
- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK,
  and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done
  for both setaudit and setaudit_addr.
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the
  audit token is created with the correct type. This fixes the processing of the
  in_addr_ex token in users pace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to
  4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning
  E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer
  being passed instead of the size of the structure. (This resulted in invalid
  auditinfo data being returned via getaudit(2))

Reviewed by:	rwatson
Approved by:	re@ (kensmith)
Obtained from:	TrustedBSD Project
MFC after:	1 month
2007-06-27 17:01:15 +00:00
Robert Watson
3666798f15 Clean up, and sometimes remove, a number of audit-related implementation
comments.

Obtained from:	TrutstedBSD Project
2007-06-11 22:10:54 +00:00
Robert Watson
d8c0f4dc21 Clean up audit comments--formatting, spelling, etc. 2007-06-01 21:58:59 +00:00
Christian S.J. Peron
f0cbfcc468 Fix the handling of IPv6 addresses for subject and process BSM audit
tokens. Currently, we do not support the set{get}audit_addr(2) system
calls which allows processes like sshd to set extended or ip6
information for subject tokens.

The approach that was taken was to change the process audit state
slightly to use an extended terminal ID in the kernel. This allows
us to store both IPv4 IPv6 addresses. In the case that an IPv4 address
is in use, we convert the terminal ID from an struct auditinfo_addr to
a struct auditinfo.

If getaudit(2) is called when the subject is bound to an ip6 address,
we return E2BIG.

- Change the internal audit record to store an extended terminal ID
- Introduce ARG_TERMID_ADDR
- Change the kaudit <-> BSM conversion process so that we are using
  the appropriate subject token. If the address associated with the
  subject is IPv4, we use the standard subject32 token. If the subject
  has an IPv6 address associated with them, we use an extended subject32
  token.
- Fix a couple of endian issues where we do a couple of byte swaps when
  we shouldn't be. IP addresses are already in the correct byte order,
  so reading the ip6 address 4 bytes at a time and swapping them results
  in in-correct address data. It should be noted that the same issue was
  found in the openbsm library and it has been changed there too on the
  vendor branch
- Change A_GETPINFO to use the appropriate structures
- Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does,
  but can also handle ip6 addresses
- Adjust get{set}audit(2) syscalls to convert the data
  auditinfo <-> auditinfo_addr
- Fully implement set{get}audit_addr(2)

NOTE: This adds the ability for processes to correctly set extended subject
information. The appropriate userspace utilities still need to be updated.

MFC after:	1 month
Reviewed by:	rwatson
Obtained from:	TrustedBSD
2007-04-13 14:55:19 +00:00
Robert Watson
42edcb0058 Add BSM conversion switch entries for a number of system calls, many
administrative, to prevent console warnings and enable basic event
auditing (generally without arguments).

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-10-03 20:43:48 +00:00
Robert Watson
04f11621df Rather than allocating all buffer memory for the completed BSM record
when allocating the record in the first place, allocate the final buffer
when closing the BSM record.  At that point, more size information is
available, so a sufficiently large buffer can be allocated.

This allows the kernel to generate audit records in excess of
MAXAUDITDATA bytes, but is consistent with Solaris's behavior.  This only
comes up when auditing command line arguments, in which case we presume
the administrator really does want the data as they have specified the
policy flag to gather them.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-20 13:23:40 +00:00
Christian S.J. Peron
600d74bfa1 Make sure that lutimes(2) gets processed and converted into a BSM record.
Submitted by:	rwatson
MFC after:	1 day
2006-09-18 17:55:32 +00:00
Robert Watson
31214759fa Add AUE_SYSARCH to the list of audit events during BSM conversion to prevent
a console warning.  Eventually, we will capture more arguments for sysarch.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-17 11:42:40 +00:00
Robert Watson
af8bc757de Add a BSM conversion switch case for AUE_GETCWD, so that a console
warning isn't generated when __getcwd() is invoked.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-09-09 10:23:44 +00:00
Wayne Salamon
ae1078d657 Audit the argv and env vectors passed in on exec:
Add the argument auditing functions for argv and env.
  Add kernel-specific versions of the tokenizer functions for the
  arg and env represented as a char array.
  Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to
  enable/disable argv/env auditing.
  Call the argument auditing from the exec system calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
Robert Watson
1c4d2797dd Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM
1.0 alpha 9 import.  See the OpenBSM import commit message for a
detailed summary of changes.

Obtained from:  TrustedBSD Project
2006-08-26 08:17:58 +00:00
Wayne Salamon
65ee602e0c Audit the remaining parameters to the extattr system calls. Generate
the audit records for those calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-07-06 19:33:38 +00:00
Robert Watson
7365463843 When generating BSM tokens for mkfifo(), include mode argument.
Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:14:49 +00:00
Robert Watson
5619113c96 When generating the process token, need to check whether the
process was sucessfully audited.  Otherwise, generate the PID
token. This change covers the pid < 0 cases, and pid lookup
failure cases.

Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:12:00 +00:00
Robert Watson
4b6d6bcffd Merge OpenBSM 1.0 alpha 6 changes for BSM token creation to
src/sys/security/audit:

- Clarify and clean up AUR_ types to match Solaris.
- Clean up use of host vs. network byte order for IP addresses.
- Remove combined user/kernel implementations of some token creation
  calls, such as au_to_file(), header calls, etc.

Obtained from:	TrustedBSD Project
2006-06-05 13:13:02 +00:00
Robert Watson
871499fef5 Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.

Obtained from:	TrustedBSD Project
2006-03-19 17:34:00 +00:00