
Bug #11842 (closed)

Want audit events for auditon(A_SETPMASK) and friends

Added by John Levon over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Category: -
% Done: 100%
Difficulty: Medium

Description

Via Alex Wilson, who also wrote the fix:

There are a number of auditon() calls which currently let you opt out of auditing (e.g. auditon(A_SETPMASK), which lets you opt a different process out of auditing!) and which do not produce audit events.

We should produce audit events when these are called.

See https://github.com/joyent/illumos-joyent/issues/195 for Alex's testing notes.

Related issues

Related to illumos gate - Feature #11037: SMB File access audit logging (reserve IDs) (Closed, Gordon Ross, 2019-05-15)

#1

Updated by John Levon over 3 years ago

Alex's original testing notes:


    Built new PI from clobber with the patch
    Booted new PI on a test machine
    Verified that "auditconfig -setpmask $$ as,lo" now produces an audit event
    Verified that "praudit" prints the new audit event properly
    Verified that removing the "as" class causes the new event for setpmask to be suppressed
    Verified that "auditconfig -setkmask" now produces an event
    Verified that adding the "aa" class causes events from "auditconfig -getkmask" and "auditconfig -getpinfo" to be produced, and that removing it suppresses them

I re-verified a few of these after the merge.

#2

Updated by Robert Mustacchi over 3 years ago

Example praudit XML output:

<record version="2" event="auditon(2) - set kernel mask" modifier="sp" host="90-e2-ba-d3-ec-a0" iso8601="2019-09-30 07:27:31.780 +00:00">
  <argument arg-num="2" value="0x21000" desc="setkmask:as_success"/>
  <argument arg-num="2" value="0x21000" desc="setkmask:as_failure"/>
  <subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="12583" sid="3441870303" tid="3245 71168 10.33.1.141"/>
  <use_of_privilege result="successful use of priv">sys_audit</use_of_privilege>
  <return errval="success" retval="0"/>
  <zone name="global"/>
</record>
<record version="2" event="auditon(2) - set process preselection mask" modifier="sp" host="90-e2-ba-d3-ec-a0" iso8601="2019-09-30 07:44:56.165 +00:00">
  <argument arg-num="3" value="0x2e67" desc="setpmask:pid"/>
  <argument arg-num="3" value="0x40221022" desc="setpmask:as_success"/>
  <argument arg-num="3" value="0x40221022" desc="setpmask:as_failure"/>
  <subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="13104" sid="3441870303" tid="3245 71168 10.33.1.141"/>
  <use_of_privilege result="successful use of priv">sys_audit</use_of_privilege>
  <return errval="success" retval="0"/>
  <zone name="global"/>
</record>
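
As an added example (not code from this bug or from Alex Wilson's fix), the following Python pass reads praudit XML records like the two above and flags a successful setpmask aimed at a process other than the caller's, plus any setpmask/setkmask whose new mask drops the class the testing notes say must stay enabled for these events to be recorded. The bit value used for the "as" class is an assumption to be checked against the system's audit_class file, and the sample input re-uses the two records above with the elements this code does not read trimmed away.

```python
# Added example, not part of the bug or Alex Wilson's fix: a review pass over
# praudit(8) XML records for the auditon(2) mask-change events shown in comment #2.
import xml.etree.ElementTree as ET

# Assumed bit for the "as" class (the class the notes above say must stay on for
# setpmask events to be recorded); verify against /etc/security/audit_class.
AS_CLASS = 0x00020000

# The two records from comment #2, trimmed to the elements this code reads.
SAMPLE = """<record version="2" event="auditon(2) - set kernel mask" iso8601="2019-09-30 07:27:31.780 +00:00">
  <argument arg-num="2" value="0x21000" desc="setkmask:as_success"/>
  <argument arg-num="2" value="0x21000" desc="setkmask:as_failure"/>
  <subject audit-uid="root" uid="root" pid="12583" sid="3441870303"/>
  <return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - set process preselection mask" iso8601="2019-09-30 07:44:56.165 +00:00">
  <argument arg-num="3" value="0x2e67" desc="setpmask:pid"/>
  <argument arg-num="3" value="0x40221022" desc="setpmask:as_success"/>
  <argument arg-num="3" value="0x40221022" desc="setpmask:as_failure"/>
  <subject audit-uid="root" uid="root" pid="13104" sid="3441870303"/>
  <return errval="success" retval="0"/>
</record>"""

def parse_records(text):
    """praudit emits bare <record> elements, so wrap them in a root first."""
    out = []
    for rec in ET.fromstring("<audit>%s</audit>" % text).iter("record"):
        subj, ret = rec.find("subject"), rec.find("return")
        out.append({"time": rec.get("iso8601"), "subject_pid": int(subj.get("pid")),
                    "ok": ret is not None and ret.get("errval") == "success",
                    "args": {a.get("desc"): int(a.get("value"), 16) for a in rec.iter("argument")}})
    return out

def review(records, required=AS_CLASS):
    """Flag successful mask changes aimed at another process or dropping `required`."""
    findings = []
    for r in records:
        masks = [k for k in r["args"] if k.endswith(":as_success")]
        if not r["ok"] or not masks:
            continue                    # failed call, or a get*/other event with no mask
        op = masks[0].split(":")[0]     # "setpmask" or "setkmask"
        succ, fail = r["args"][f"{op}:as_success"], r["args"].get(f"{op}:as_failure", 0)
        target = r["args"].get("setpmask:pid")
        if target is not None and target != r["subject_pid"]:
            findings.append(f"{r['time']} {op}: pid {r['subject_pid']} changed mask of pid {target}")
        if not (succ & fail & required):
            findings.append(f"{r['time']} {op}: class 0x{required:x} dropped "
                            f"(success=0x{succ:x} failure=0x{fail:x})")
    return findings
```

On the sample, only the setpmask record is flagged, because pid 13104 changed the mask of pid 11879 (0x2e67) while both masks still carry the assumed "as" bit.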

#3

Updated by Electric Monk over 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 241bfedfbd27da9d3f2aa7ffaafa5da978f23afe

commit  241bfedfbd27da9d3f2aa7ffaafa5da978f23afe
Author: Alex Wilson <alex@uq.edu.au>
Date:   2019-10-29T16:17:30.000Z

    11842 Want audit events for auditon(A_SETPMASK) and friends
    Reviewed by: John Levon <john.levon@joyent.com>
    Reviewed by: Andy Fiddaman <andy@omniosce.org>
    Approved by: Robert Mustacchi <rm@fingolfin.org>

#4

Updated by Gordon Ross 4 months ago

  • Related to Feature #11037: SMB File access audit logging (reserve IDs) added