Problems with auditd -- resolved

Robert Watson rwatson at FreeBSD.org
Sat Sep 23 05:31:33 PDT 2006 

On Fri, 22 Sep 2006, Joerg Pernfuss wrote:

> On Sun, 17 Sep 2006 09:19:03 +0100 (BST)
> Robert Watson <rwatson at FreeBSD.org> wrote:
>
>> I've just comitted a fix to syscalls.master and regenerated the remaining 
>> system call files, which should correct the auditctl: Invalid Argument 
>> error being returned by auditd.  In short order, this fix should be on the 
>> cvsup mirrors -- please let me know if it resolves the problem you were 
>> experiencing.
>
> Thank you for that quick fix Robert, but sadly I am still somewhat at a 
> loss. The auditd does run now, but does not write back any audit data at 
> all. I have run at least three full buildworlds during the time you see 
> below, set flags, deleted things, logged in, logged out, logged in via ssh 
> to the external interface, ssh'ed to localhost. No gain. /var/log/audit 
> looks like this:
<snip>
> My audit_control file:
> 	dir:/var/audit
> 	flags:all
> 	minfree:20
> 	naflags:lo
>
> My audit_user file:
> 	root:all:no
> 	elessar:all:no

This is somewhat troubling -- I have RELENG_6 audit running on a number of 
boxes without problems.  Your configuration looks reasonable, though.  There 
are a few things we can try.  The first thing to look at is whether the audit 
library and commands are having trouble parsing your configuration files for 
some reason -- maybe there is extra white space, and we need to increase 
tolerance of unexpected white space, for example.  There's a tool in 
src/contrib/openbsm/tools called audump, which parses the configuration files 
and then spits out what it thinks it found to stdout.  It's not built by 
default, but it can be quite useful when debugging.  You can build it by doing 
the following in the tools directory:

    -Wall -g -o /tmp/audump audump.c -lbsm

Then, as root, run:

    /tmp/audump control

I believe there's a bug in audump's user database support currently, but at 
the very least that will tell us if the control file is being properly parsed. 
Ideally, the output will very much resemble your configuration file -- if 
there's a significant difference, that could be the source of this problem.

Right now the id(1) command in -STABLE doesn't print audit properties of the 
process, but I've attached a patch that causes it to do so when "id -a" is 
run.  If you could apply this patch and run "id -a" as root, that would be 
helpful.

Robert N M Watson
Computer Laboratory
University of Cambridge

Index: Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/id/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- Makefile	19 May 2004 21:06:36 -0000	1.11
+++ Makefile	23 Sep 2006 12:23:40 -0000
@@ -1,10 +1,18 @@
  #	@(#)Makefile	8.1 (Berkeley) 6/6/93
  # $FreeBSD: src/usr.bin/id/Makefile,v 1.11 2004/05/19 21:06:36 dwmalone Exp $

+.include <bsd.own.mk>
+
  PROG=	id
  WARNS?=	6
  LINKS=	${BINDIR}/id ${BINDIR}/groups
  LINKS+=	${BINDIR}/id ${BINDIR}/whoami
  MAN=	id.1 groups.1 whoami.1

+.if ${MK_AUDIT} != "no"
+CFLAGS+=	-DUSE_BSM_AUDIT
+DPADD+=	${LIBBSM}
+LDADD+=	-lbsm
+.endif
+
  .include <bsd.prog.mk>
Index: id.1
===================================================================
RCS file: /home/ncvs/src/usr.bin/id/id.1,v
retrieving revision 1.15
diff -u -r1.15 id.1
--- id.1	29 Apr 2005 08:37:52 -0000	1.15
+++ id.1	23 Sep 2006 12:30:46 -0000
@@ -53,6 +53,8 @@
  .Fl P
  .Op Ar user
  .Nm
+.Fl a
+.Nm
  .Fl g Op Fl nr
  .Op Ar user
  .Nm
@@ -84,6 +86,9 @@
  Display the MAC label of the current process.
  .It Fl P
  Display the id as a password file entry.
+.It Fl a
+Display the process audit user ID and other process audit properties, which
+requires privilege.
  .It Fl g
  Display the effective group ID as a number.
  .It Fl n
Index: id.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/id/id.c,v
retrieving revision 1.27
diff -u -r1.27 id.c
--- id.c	28 May 2006 12:32:30 -0000	1.27
+++ id.c	23 Sep 2006 12:30:16 -0000
@@ -48,6 +48,10 @@
  #include <sys/param.h>
  #include <sys/mac.h>

+#ifdef USE_BSM_AUDIT
+#include <bsm/audit.h>
+#endif
+
  #include <err.h>
  #include <errno.h>
  #include <grp.h>
@@ -60,6 +64,7 @@
  void	id_print(struct passwd *, int, int, int);
  void	pline(struct passwd *);
  void	pretty(struct passwd *);
+void	auditid(void);
  void	group(struct passwd *, int);
  void	maclabel(void);
  void	usage(void);
@@ -73,9 +78,11 @@
  	struct group *gr;
  	struct passwd *pw;
  	int Gflag, Mflag, Pflag, ch, gflag, id, nflag, pflag, rflag, uflag;
+	int aflag;
  	const char *myname;

  	Gflag = Mflag = Pflag = gflag = nflag = pflag = rflag = uflag = 0;
+	aflag = 0;

  	myname = strrchr(argv[0], '/');
  	myname = (myname != NULL) ? myname + 1 : argv[0];
@@ -89,7 +96,7 @@
  	}

  	while ((ch = getopt(argc, argv,
-	    (isgroups || iswhoami) ? "" : "PGMgnpru")) != -1)
+	    (isgroups || iswhoami) ? "" : "PGMagnpru")) != -1)
  		switch(ch) {
  		case 'G':
  			Gflag = 1;
@@ -100,6 +107,9 @@
  		case 'P':
  			Pflag = 1;
  			break;
+		case 'a':
+			aflag = 1;
+			break;
  		case 'g':
  			gflag = 1;
  			break;
@@ -125,7 +135,7 @@
  	if (iswhoami && argc > 0)
  		usage();

-	switch(Gflag + Pflag + gflag + pflag + uflag) {
+	switch(Gflag + Mflag + Pflag + aflag + gflag + pflag + uflag) {
  	case 1:
  		break;
  	case 0:
@@ -141,6 +151,16 @@
  	if (Mflag && pw != NULL)
  		usage();

+#ifdef USE_BSM_AUDIT
+	if (aflag) {
+		auditid();
+		exit(0);
+	}
+#else
+	if (aflag)
+		usage();
+#endif
+
  	if (gflag) {
  		id = pw ? pw->pw_gid : rflag ? getgid() : getegid();
  		if (nflag && (gr = getgrgid(id)))
@@ -278,6 +298,22 @@
  	printf("\n");
  }

+#ifdef USE_BSM_AUDIT
+void
+auditid(void)
+{
+	auditinfo_t auditinfo;
+
+	if (getaudit(&auditinfo) < 0)
+		err(-1, "getauditinfo");
+	printf("auid=%d\n", auditinfo.ai_auid);
+	printf("mask.success=0x%08x\n", auditinfo.ai_mask.am_success);
+	printf("mask.failure=0x%08x\n", auditinfo.ai_mask.am_failure);
+	printf("termid.port=0x%08x\n", auditinfo.ai_termid.port);
+	printf("asid=%d\n", auditinfo.ai_asid);
+}
+#endif
+
  void
  group(struct passwd *pw, int nflag)
  {
@@ -382,11 +418,16 @@
  	else if (iswhoami)
  		(void)fprintf(stderr, "usage: whoami\n");
  	else
-		(void)fprintf(stderr, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
+		(void)fprintf(stderr, "%s\n%s\n%s\n%s%s\n%s\n%s\n%s\n",
  		    "usage: id [user]",
  		    "       id -G [-n] [user]",
  		    "       id -M",
  		    "       id -P [user]",
+#ifdef USE_BSM_AUDIT
+		    "       id -a\n",
+#else
+		    "",
+#endif
  		    "       id -g [-nr] [user]",
  		    "       id -p [user]",
  		    "       id -u [-nr] [user]");

More information about the freebsd-stable mailing list