new syscalls audit events
Robert N. M. Watson
rwatson at FreeBSD.org
Tue Dec 18 14:49:49 UTC 2018
Hi Jack:
Excellent news on adding per-thread credential support. If you are looking for reviewers for the patch, do let me know.
Regarding the below:
On 14 Dec 2018, at 16:16, Jack Halford <jack at gandi.net> wrote:
> I'm currently writing a patch for 3 new syscalls for per-thread credentials, 2
> of these are auditable (setcred and revertcred, see [1]). The wiki page about
> adding auditing events says to contact you in case of need of a new BSM event.
> I'm pretty sure I've added my events in all the right places, however I can't see
> any of my syscalls in the auditpipe.
>
> So far I've done the following:
>
> 1) added relevant information in
> - contrib/openbsm/etc/audit_event
> - contrib/openbsm/sys/bsm/audit_kevents.h
> - sys/bsm/audit_kevents.h
These changes will need to be upstreamed to OpenBSM in GitHub. As there might be conflicting new events using the same numbers, do use the numbers assigned by OpenBSM rather than those that might appear most obvious in FreeBSD, as BSM is used across several operating systems, and we require consistent event-number assignment.
> - sys/kern/syscalls.master
> - sys/compat/freebsd32/syscalls.master
You will also need to modify sys/security/audit_bsm_klib.c to generate BSM records and encode arguments/return values/etc.
> 2) regenerate sysvector, build and install kernel and world
>
> 3) `make -C usb.sbin install` doesn't seem to install
> the new /etc/audit_event so I cp'd it by hand
I suspect that it is the libbsm target that installs the headers and config files for OpenBSM, rather than auditd.
Robert
> Any pointers? I'd like to get this working before the review for obvious
> reasons...
>
> [1]: https://github.com/jzck/freebsd/pull/1/files
>
> --
> Best,
> Jack