Bug #11842

closed

Want audit events for auditon(A_SETPMASK) and friends

Added by John Levon about 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Via Alex Wilson, who also wrote the fix:

There are a number of auditon() calls which let you opt out of auditing at present (e.g. auditon(A_SETPMASK) which lets you opt a different process out of auditing!) which do not produce audit events.

We should produce audit events when these are called.

See https://github.com/joyent/illumos-joyent/issues/195 for Alex's testing notes.

Actions #1

Updated by John Levon almost 2 years ago

Alex's original testing notes:


    Built new PI from clobber with the patch
    Booted new PI on a test machine
    Verified that "auditconfig -setpmask $$ as,lo" now produces an audit event
    Verified that "praudit" prints the new audit event properly
    Verified that removing the "as" class causes the new event for setpmask to be suppressed
    Verified that "auditconfig -setkmask" now produces an event
    Verified that adding the "aa" class causes events from "auditconfig -getkmask" and "auditconfig -getpinfo" to be produced, and that removing it suppresses them

I re-verified a few of these after the merge.

Actions #2

Updated by Robert Mustacchi almost 2 years ago

Example praudit XML output:

<record version="2" event="auditon(2) - set kernel mask" modifier="sp" host="90-e2-ba-d3-ec-a0" iso8601="2019-09-30 07:27:31.780 +00:00">
  <argument arg-num="2" value="0x21000" desc="setkmask:as_success"/>
  <argument arg-num="2" value="0x21000" desc="setkmask:as_failure"/>
  <subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="12583" sid="3441870303" tid="3245 71168 10.33.1.141"/>
  <use_of_privilege result="successful use of priv">sys_audit</use_of_privilege>
  <return errval="success" retval="0"/>
  <zone name="global"/>
</record>
<record version="2" event="auditon(2) - set process preselection mask" modifier="sp" host="90-e2-ba-d3-ec-a0" iso8601="2019-09-30 07:44:56.165 +00:00">
  <argument arg-num="3" value="0x2e67" desc="setpmask:pid"/>
  <argument arg-num="3" value="0x40221022" desc="setpmask:as_success"/>
  <argument arg-num="3" value="0x40221022" desc="setpmask:as_failure"/>
  <subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="13104" sid="3441870303" tid="3245 71168 10.33.1.141"/>
  <use_of_privilege result="successful use of priv">sys_audit</use_of_privilege>
  <return errval="success" retval="0"/>
  <zone name="global"/>
</record>
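
The records above can be monitored for audit-mask changes. The following is an added example, not part of the original issue or the illumos source: it parses praudit XML records like the two quoted here and reports each mask-setting auditon(2) event, noting when the target pid differs from the caller's pid and when the new mask lacks the "as" class. The function name `mask_changes`, the `<audit>` wrapper element, and the `AS_BIT` value are assumptions.

```python
import xml.etree.ElementTree as ET

# Sample input: the two praudit records quoted in this issue, trimmed to the
# elements and attributes this check reads.
SAMPLE = """
<record event="auditon(2) - set kernel mask" iso8601="2019-09-30 07:27:31.780 +00:00">
  <argument arg-num="2" value="0x21000" desc="setkmask:as_success"/>
  <argument arg-num="2" value="0x21000" desc="setkmask:as_failure"/>
  <subject audit-uid="root" uid="root" pid="12583"/>
  <return errval="success" retval="0"/>
</record>
<record event="auditon(2) - set process preselection mask" iso8601="2019-09-30 07:44:56.165 +00:00">
  <argument arg-num="3" value="0x2e67" desc="setpmask:pid"/>
  <argument arg-num="3" value="0x40221022" desc="setpmask:as_success"/>
  <argument arg-num="3" value="0x40221022" desc="setpmask:as_failure"/>
  <subject audit-uid="root" uid="root" pid="13104"/>
  <return errval="success" retval="0"/>
</record>
"""

# Assumption: bit of the "as" class in the stock /etc/security/audit_class;
# check the file on your own system.
AS_BIT = 0x00020000


def mask_changes(praudit_xml):
    """Return one finding per auditon(2) mask-setting record."""
    # Assumption: input is bare <record> elements, as quoted in this issue.
    root = ET.fromstring("<audit>" + praudit_xml + "</audit>")
    findings = []
    for rec in root.iter("record"):
        if not rec.get("event", "").startswith("auditon(2) - set"):
            continue
        # desc is "<op>:<field>", e.g. "setpmask:pid"; values are hex strings.
        args = {a.get("desc").split(":", 1)[1]: int(a.get("value"), 16)
                for a in rec.findall("argument")}
        actor_pid = int(rec.find("subject").get("pid"))
        target = args.get("pid")  # absent for the kernel-mask event
        findings.append({
            "event": rec.get("event"),
            "time": rec.get("iso8601"),
            "actor_pid": actor_pid,
            "target_pid": target,
            "other_process": target is not None and target != actor_pid,
            "success_mask": args["as_success"],
            "failure_mask": args["as_failure"],
            # Per the testing notes, removing "as" suppresses the setpmask event.
            "lacks_as": not (args["as_success"] & args["as_failure"] & AS_BIT),
            "succeeded": rec.find("return").get("errval") == "success",
        })
    return findings
```

For the second record, the target pid 0x2e67 (11879) differs from the caller's pid 13104, so `other_process` is true.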
Actions #3

Updated by Electric Monk almost 2 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 241bfedfbd27da9d3f2aa7ffaafa5da978f23afe

commit  241bfedfbd27da9d3f2aa7ffaafa5da978f23afe
Author: Alex Wilson <alex@uq.edu.au>
Date:   2019-10-29T16:17:30.000Z

    11842 Want audit events for auditon(A_SETPMASK) and friends
    Reviewed by: John Levon <john.levon@joyent.com>
    Reviewed by: Andy Fiddaman <andy@omniosce.org>
    Approved by: Robert Mustacchi <rm@fingolfin.org>
