notes since the last import:
OpenBSM 1.0 alpha 11
- Reclassify certain read/write operations as having no class rather than the
fr/fw class; our default classes audit intent (open) not operations (read,
write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
and writes of sysctls as separate events. Add additional kernel
environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
(issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
a dropped request, the log file will otherwise grow indefinitely if the
trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
representations of audit_control policy flags and the flags passed to
auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
extension to the Solaris file format to allow specification of policy
persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
policy to match it when configuring/reconfiguring. Remove the -s and -h
arguments as these policies are now set via the configuration file. If a
policy line is not found in the configuration file, continue with the
current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.
Obtained from: TrustedBSD Project
- auditd now generates complete audit records for its events, as required for
application-submitted audit records in the the FreeBSD kernel audit
implementation.
This also restores contrib/openbsm/bsm/audit_record to the vendor version
after the build fixes previously committed; however, this file is not used
in the build.
Obtained from: TrustedBSD Project
contrib/openbsm/bsm and sys/bsm. This will help avoid triggering
problems due to an inconsistent include order between the base and
lib32 builds. We will continue to import these files on the vendor
branch. Files used purely in user space (audit_uevents.h) are not
removed.
Suggested by: ru
+ Add PAM and LOGIN_CAP support. Mostly from FreeBSD.
+ Implement option "-D", for running ftpd in standalone mode (daemon).
+ NLST should return 450 instead of 550 upon error, per RFC 959.
+ Add recvbufsize configuration option
+ Remove unreachable code (res could never be NULL here), Coverity CID 712.
+ Set file to NULL after calling fclose(), Coverity CID 2669.
+ Make sure that "su" is initialized before dereferencing it, Coverity CID 1075.
+ Cleanup utmp and utmpx support.
the build. The openbsm folks are free to fix it in any other way they
see fit once they resurface.
Basically, make everything always be const char **, even though const
char ** usually should be 'const char * const *' in most cases. This
makes the three different definitions consistant and allows world to
build.
notes since the last import:
OpenBSM 1.0 alpha 9
- Rename many OpenBSM-specific constants and API elements containing the
strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true
for almost all existing constants and APIs.
- Instead of passing a per-instance cookie directly into all audit filter
APIs, pass in the audit filter daemon state pointer, which is then used by
the module using an audit_filter_{get,set}cookie() API. This will allow
future service APIs provided by the filter daemon to maintain their own
state -- for example, per-module preselection state.
OpenBSM 1.0 alpha 8
- Correct typo in definition of AUR_INT.
- Adopt OpenSolaris constant values for AUDIT_* configuration flags.
- Arguments to au_to_exec_args() and au_to_exec_env() no longer const.
- Add kernel versions of au_to_exec_args() and au_to_exec_env().
- Fix exec argument type that is printed for env strings from 'arg' to 'env'.
- New OpenBSM token version number assigned, constants added for other
commonly seen version numbers.
- OpenBSM-specific events assigned numbers in the 43xxx range to avoid future
collisions with Solaris. Darwin events renamed to AUE_DARWIN_foo, as they
are now deprecated numberings.
- autoconf now detects clock_gettime(), which is not available on Darwin.
- praudit output fixes relating to arg32 and arg64 tokens.
- Maximum record size updated to 64k-1 to match Solaris record size limit.
- Various style and comment cleanups in include files.
This is an MFC candidate to RELENG_6.
Obtained from: TrustedBSD Project
notes:
- Adopted Solaris-compatible format for subject32_ex and subject64_ex
tokens, which previously did not correctly implement variable length
address storage.
- Prefer inttypes.h to stdint.h; enhance queue.h detection to test for
TAILQ_FOREACH_SAFE(), which is present in recent BSD queue.h's, but not
older ones. OpenBSM now builds on some FreeBSD 4.x version.
- New event types for extended attributes, ACLs, and scheduling.
Obtained from: TrustedBSD Project
the CVS import, and suggest removing it for the real import, rather than
suggesting it for testing. This will hopefully prevent me (and others)
from making errors.
in http://www.iana.org/assignments/icmp-parameters. Thankfully
IANA's list aggrees with <netinet/ip_icmp.h>.
I've tried to do this in a way which is mostly consistent with
tcptraceroute and Debian's version of traceroute. However, sometimes
a letter is used twice by these versions, so I've gone with:
LBL tcptr Debian (chosen)
ICMP_UNREACH_NET !N !N !N !N
ICMP_UNREACH_HOST !H !H !H !H
ICMP_UNREACH_PROTOCOL !P !P !P !P
ICMP_UNREACH_PORT ! !p ! !
ICMP_UNREACH_NEEDFRAG !F-%d !F !F-<%d> !F-<%d>
ICMP_UNREACH_SRCFAIL !S !S !S !S
ICMP_UNREACH_NET_UNKNOWN !<%d> !U !<%d> !U
ICMP_UNREACH_HOST_UNKNOWN !<%d> !U !<%d> !W
ICMP_UNREACH_ISOLATED !<%d> !I !I !I
ICMP_UNREACH_NET_PROHIB !<%d> !A !A !A
ICMP_UNREACH_HOST_PROHIB !<%d> !C !C !Z
ICMP_UNREACH_TOSNET !<%d> !T !T !Q
ICMP_UNREACH_TOSHOST !<%d> !T !T !T
ICMP_UNREACH_FILTER_PROHIB !X !A !A !X
ICMP_UNREACH_HOST_PRECEDENCE !V !<%d> !V !V
ICMP_UNREACH_PRECEDENCE_CUTOFF !C !<%d> !C !C
Graham Wilson is planning to use the same codes in Debian's version.
MFC after: 3 weeks
non-shared object, do not reserve space in .plt and .rela.plt
for regular symbols neither defined nor referenced in shared objects.
This is a backport of rev. 1.101 (sourceware.org repository) to
Binutils 2.15 which fixes the creation of bogus relocations in the
PLT of Firefox and Thunderbird binaries and which in turn caused
them to segfault in rtld(1). This is committed to the vendor branch
as it doesn't represent a local change but the original vendor fix
is from after elf_link_hash_flags was replaced with bitfields.
PR: sparc64/89486
Approved by: maintainer timeout
Obtained from: NetBSD
MFC after: 1 week
- Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to au_close();
previously we used hard-coded 0 and 1 values.
- Add man page for au_open(), au_write(), au_close(), and
au_close_buffer().
- Support a more complete range of data types for the arbitrary data token:
add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32 (alias
to AUR_INT), add AUR_INT64.
- Add au_close_token(), which allows writing a single token_t to a memory
buffer. Not likely to be used much by applications, but useful for
writing test tools.
- Modify au_to_file() so that it accepts a timeval in user space, not just
kernel -- this is not a Solaris BSM API so can be modified without
causing compatibility issues.
- Define a new API, au_to_header32_tm(), which adds a struct timeval
argument to the ordinary au_to_header32(), which is now implemented by
wrapping au_to_header32_tm() and calling gettimeofday(). #ifndef KERNEL
the APIs that invoke gettimeofday(), rather than having a variable
definition. Don't try to retrieve time zone information using
gettimeofday(), as it's not needed, and introduces possible failure
modes.
- Don't perform byte order transformations on the addr/machine fields of
the terminal ID that appears in the process32/subject32 tokens. These
are assumed to be IP addresses, and as such, to be in network byte
order.
- Universally, APIs now assume that IP addresses and ports are provided
in network byte order. APIs now generally provide these types in
network byte order when decoding.
- Beginnings of an OpenBSM test framework can now be found in openbsm/test.
This code is not built or installed by default.
- auditd now assigns more appropriate syslog levels to its debugging and
error information.
- Support for audit filters introduced: audit filters are dynamically
loaded shared objects that run in the context of a new daemon,
auditfilterd. The daemon reads from an audit pipe and feeds both BSM and
parsed versions of records to shared objects using a module API. This
will provide a framework for the writing of intrusion detection services.
- New utility API, audit_submit(), added to capture common elements of audit
record submission for many applications.
Obtained from: TrustedBSD Project
to a host behind a firewall where only specific services are allowed.
For example, to trace the hops to an HTTP server behind a firewall,
$ traceroute -e -P tcp -p 80 www-firewalled.example.com
MFC after: 1 week
require the authenticator announce EAPOL version 1 don't have to hack
the code to get a working setup.
Discussed with Jouni; he's committed a similar set of changes to
his devel branch and I sent him these changes so I'm committing
this on the vendor branch in the expectation it will appear in
the next import.
MFC after: 1 week
Correctly identify the user running opiepasswd(1) when the login name
differs from the account name. [2]
Security: FreeBSD-SA-06:11.ipsec [1]
Security: FreeBSD-SA-06:12.opie [2]
- Update install notes to indicate /etc files are to be installed manually.
- On systems without LOG_SECURITY, use LOG_AUTH.
- Convert to autoconf/automake in order to move to a more portable (not
BSD-specific) build infrastructure, and more easy conditional building of
components. Currently, the primary feature loss is that automake does
not have native support for manual symlinks. This will be addressed in a
future OpenBSM release.
- Add compat/queue.h, to be used on systems dated BSD queue macro libraries
(as found on Linux).
- Rename CHANGELOG to HISTORY, as our change log doesn't follow some of the
existing conventions for a CHANGELOG.
- Some private data structures moved from audit.h to audit_internal.h to
prevent inappropriate use by applications and name space pollution.
- Improved detection and use of endian macros using autoconf.
- Avoid non-portable use of struct in6_addr, which is largely opaque.
- Avoid leaking BSD kernel socket related token code to user space in
bsm_token.c.
- Teach System V IPC calls to look for Linux naming variations for certain
struct ipc_perm fields.
- Test for audit system calls, and if not present, don't build
bsm_wrappers.c, bsm_notify.c, audit(8), and auditd(8), which rely on
those system calls.
- au_close() is not implemented on systems that don't have audit system
calls, but au_close_buffer() is.
- Work around missing BSDisms in bsm_wrapper.c.
- Fix nested includes so including libbsm.h in an application on Linux
picks up the necessary definitions.
Obtained from: TrustedBSD Project
- Remove "audit" user example from audit_user, as it's not present on most
systems.
- Add cannot_audit() function non-Darwin systems that wraps auditon();
required by OpenSSH BSM support. Convert Darwin cannot_audit() into a
function rather than a macro.
- Library build fixed on Darwin following include file tweaks. The native
Darwin sys/audit.h conflicts with bsm/audit.h due to duplicate types, so
for now we force bsm_wrappers.c to not perform a nested include of
sys/audit.h.
Obtained from: TrustedBSD Project
- Man page formatting, cross reference, mlinks, and accuracy improvements.
- auditd and tools now compile and run on FreeBSD/arm.
- auditd will now fchown() the trail file to the audit review group, if
defined at compile-time.
- Added AUE_SYSARCH for FreeBSD.
- Definition of AUE_SETFSGID fixed for Linux.
Many thanks to: brueffer, cognet
Obtained from: TrustedBSD Project
- Man page formatting improvements.
- A number of new audit event identifiers for FreeBSD, Linux, and POSIX.1b
events.
- Remove 'tfm' class, unused in OpenBSM.
Obtained from: TrustedBSD Project
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
Correct insecure temporary file usage in ee. [06:02]
Correct a race condition when setting file permissions, sanitize file
names by default, and fix a buffer overflow when handling files
larger than 4GB in cpio. [06:03]
Fix an error in the handling of IP fragments in ipfw which can cause
a kernel panic. [06:04]
Security: FreeBSD-SA-06:01.texindex
Security: FreeBSD-SA-06:02.ee
Security: FreeBSD-SA-06:03.cpio
Security: FreeBSD-SA-06:04.ipfw
probe
Before:
5 *
freebsd (195.250.137.134) 19.086 ms 24.694 ms
After:
5 * freebsd (195.250.137.134) 19.086 ms 24.694 ms
Fixes: bin/90098
Reported by: Jeremy Chadwick <freebsd@jdc.parodius.com>
Approved by: andre
MFC after: 1 day
basically disables any access unless other strings are set in the config
file. Note, that there is no way to set the communities back to NULL once
they're set to something not NULL.
part of the structure was a hack to maintain binary compatibility with
Sun binaries, and my understanding is that it's not needed generally
on sparc systems running other operating systems. Therefore, hide this
code behind the same set of tests as in lib/bind/include/netdb.h.
This file is being imported on the vendor branch because a similar change
(or change with similar effect) will be in the next version of BIND 9.
This change will not affect other platforms in any way.
interface up when it is running AND the link is not down (that is, it is
up or unknown). If the interface is running but the link is down, we return
state 'dormant', because we're waiting for an external event. Otherwise
the interface is 'down'.
Submitted by: csjp
Reviewed by: glebius
* freebsd-spec.h (FBSD_TARGET_OS_CPP_BUILTINS):
Use builtin_define_with_int_value() instead of
adding a new check for every new major FreeBSD version.
Motivated by: simon
Discussed with: obrien, kan
version has a bug where it fails to properly cancel the polling loop
that periodically queries the BSSID (this is done to detect the
association/disassociation state). The timeout is supposed to fire
once a second, but the eloop_cancel_timeout() call uses a different
'user data' value than what was passed to eloop_register_timeout(),
so cancelling the timeouts fails. This results in an additional timeout
being created each time an EAPOL packet is received, which can lead
to dozens of unwanted timeouts firing every second instead of just one.
the range allowed by that function, resulting in undefined behaviour.
Our undefined behaviour in multibyte locales happened to differ from
glibc's, resulting in errors parsing option strings.
Obtained from: Corinna Vinschen (Red Hat)
system boot, and hook it up in the system.
The separate script is needed because in the presence of various
interface lists in rc.conf ($network_interfaces, $cloned_interfaces,
$sppp_interfaces, $gif_interfaces, more to come) it is hard to start
them orderly, so that pfsync is brought up after its syncdev, which
is required for the proper startup of pfsync.
Discussed with: mlaier on -pf
MFC after: 5 days
file cannot be linked into place when requested (not required) to do it,
reassure them that cpio is still intelligent enough that it will perform
a full copy instead.
This file is already off the vendor branch and there hasn't been a bc
release in more than 4 years so I can't see any harm in fixing this.
Submitted by: Arne Woerner <arne_woerner at yahoo dot com>
PR: gnu/86627
Before (backslash in c syntax meaning):
6 p16-2-0-0.r21.sttlwa01.us.bb.verio.net (129.250.2.180) 71.027 ms \
p16-1-1-3.r20.sttlwa01.us.bb.verio.net (129.250.2.6) 66.730 ms 66.535 ms
7 xe-0-2-0.r20.sttlwa01.us.bb.verio.net (129.250.4.16) 71.092 ms \
xe-3-1.r00.sttlwa01.us.bb.verio.net (129.250.2.205) 66.598 ms \
xe-0-2-0.r20.sttlwa01.us.bb.verio.net (129.250.4.16) 71.024 ms
After:
6 p16-2-0-0.r21.sttlwa01.us.bb.verio.net (129.250.2.180) 71.027 ms
p16-1-1-3.r20.sttlwa01.us.bb.verio.net (129.250.2.6) 66.730 ms 66.535 ms
7 xe-0-2-0.r20.sttlwa01.us.bb.verio.net (129.250.4.16) 71.092 ms
xe-3-1.r00.sttlwa01.us.bb.verio.net (129.250.2.205) 66.598 ms
xe-0-2-0.r20.sttlwa01.us.bb.verio.net (129.250.4.16) 71.024 ms
Submitted by: Richard A Steenbergen <ras at e-gerbil.net>
MFC after: 3 days
researched by glebius, and incorporated by ISC into the next
version of BIND. Unfortunately, it looks like their release
will come after the release of FreeBSD 6, so we will bring
this in now.
The patch addresses a problem with high-load resolvers which
hit memory barriers. Without this patch, running the resolving
name server out of memory would lead to "unpredictable results."
Of course, the canonical answer to this problem is to put more
memory into the system, however that is not always possible, and
the code should be able to handle this situation gracefully in
any case.
(Note this makes the vendor branch not represent Binutils in the vendor's
CVS repository at any point in time. Portmgr did not like the state of
Binutils on Sparc that represented the point in time the vendor fixed this
issue. I'd rather have fixed this on RELENG_6.)
Approved by: re
This allows FreeBSD/PPC to build and run out of stock CVS sources. This
also takes the file off of the vendor branch.
Submitted by: kan, grehan
Approved by: re, kan
The ipfw tables lookup code caches the result of the last query. The
kernel may process multiple packets concurrently, performing several
concurrent table lookups. Due to an insufficient locking, a cached
result can become corrupted that could cause some addresses to be
incorrectly matched against a lookup table.
Submitted by: ru
Reviewed by: csjp, mlaier
Security: CAN-2005-2019
Security: FreeBSD-SA-05:13.ipfw
Correct bzip2 permission race condition vulnerability.
Obtained from: Steve Grubb via RedHat
Security: CAN-2005-0953
Security: FreeBSD-SA-05:14.bzip2
Approved by: obrien
Correct TCP connection stall denial of service vulnerability.
A TCP packets with the SYN flag set is accepted for established
connections, allowing an attacker to overwrite certain TCP options.
Submitted by: Noritoshi Demizu
Reviewed by: andre, Mohan Srinivasan
Security: CAN-2005-2068
Security: FreeBSD-SA-05:15.tcp
Approved by: re (security blanket), cperciva
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures
Approved by: re (dwhite)
BZ_NO_COMPRESS support to the bzip2 sources directly (yes, this takes file
off the vendor branch, but looks like bzip2 maintainer doesn't care), so that
it will not be removed when the next upgrade is performed. Also, add a short
note on how to test bzip2 support.
Pointy hat to: obrien
Correct comment (libz -> libbz2) and remove useless full path to zutil.h
while I am here.
o print-fr.c returned to code on vendor branch
o remove pmap_prot.h include from print-sunrprc.c
o remove gcc/i386-specific ntoh* write-arounds from tcpdump-stdinc.h
Reviewed by: bms