
Thread: OpenBSM questions




OpenBSM questions
2007-07-13 23:59:01
Hello

I have some issues with OpenBSM which I cannot resolve, so I decided to
ask there.

1) I found some bugs in the auditreduce utility and created patch for it -
http://www.freebsd.org/cgi/query-pr.cgi?pr=114534.
Please, someone from freebsd team - take it, I think it's better to fix
this before next release.
2) I found that when I'm using XDM as login manager with OpenBSM, all my
audit events come with subject -1, and because of this I can't filter
them with audit_user policy. When I'm using console "login" all works as
designed and I got logged in user in the subject.
I think that xdm must be patched to support audit, I found audit code
in the login sources. Maybe someone already did such patches?
3) All services running from rc scripts also using "-1" as their
subject. How can I change subject for such programs? E.g. mysql works
with mysql uid/gid and I want to create special policy for the mysql in the
audit_user file, but "subject" of such events is always "-1", so I can't
do this.

P.S. I'm using FreeBSD-STABLE.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Re: OpenBSM questions
2007-07-14 10:45:14
On Sat, 14 Jul 2007, Alex Samorukov wrote:

> I have some issues with OpenBSM which I cannot resolve, so I decided to ask
> there.
>
> 1) I found some bugs in the auditreduce utility and created patch for it -
> http://www.freebsd.org/cgi/query-pr.cgi?pr=114534. Please, someone from
> freebsd team - take it, I think it's better to fix this before next release.

I was not aware of this PR, thanks for pointing it out.  In the future, if no
one picks up an audit-related PR, feel free to send e-mail to
trustedbsd-audit@TrustedBSD.org and/or directly to me.  I've grabbed ownership
of this PR and will apply the changes to OpenBSM, hopefully today.

> 2) I found that when I'm using XDM as login manager with OpenBSM, all my
> audit events come with subject -1, and because of this I can't filter them
> with audit_user policy. When I'm using console "login" all works as designed
> and I got logged in user in the subject. I think that xdm must be patched to
> support audit, I found audit code in the login sources. Maybe someone
> already did such patches?

This is correct -- login services must be modified to properly set up user
audit state at login.  I am not familiar with work relating to this with xdm,
kdm, gdm, etc, but it would be very good to see this happen.  Possibly, e-mail
to the port maintainers of these may be called for, possibly with patches.

> 3) All services running from rc scripts also using "-1" as their subject.
> How can I change subject for such programs? E.g. mysql works with mysql
> uid/gid and I want to create special policy for the mysql in the audit_user
> file, but "subject" of such events is always "-1", so I can't do this.

Hmm.  Right now there isn't a tool to do this, but there probably should be.

> P.S. I'm using FreeBSD-STABLE.

The patch you've submitted will go first into OpenBSM, then 7-CURRENT, and
then at some point an MFC to 6-STABLE.  Fortunately, you've caught me just
before I released OpenBSM 1.0 alpha 15, which will be the last import (we
hope) before 7.0.  If you're aware of any other outstanding issues relating to
OpenBSM, please let me know.

Robert N M Watson
Computer Laboratory
University of Cambridge
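
Added example, not part of the original thread or of OpenBSM: a small Python triage of praudit text output that counts records whose subject audit ID is -1, grouped by effective user, which is the attribute still present on records from rc-started services and xdm sessions. The sample records are constructed and the function names are hypothetical.

```python
from collections import Counter

# Constructed praudit-style records (default text output, one token per line).
SAMPLE = """\
header,93,11,open(2) - read,0,Sat Jul 14 10:01:02 2007, + 120 msec
path,/var/db/mysql/ibdata1
subject,-1,mysql,mysql,mysql,mysql,812,0,0,0.0.0.0
return,success,5
trailer,93
header,95,11,open(2) - write,0,Sat Jul 14 10:01:03 2007, + 310 msec
path,/var/db/mysql/ib_logfile0
subject,-1,mysql,mysql,mysql,mysql,812,0,0,0.0.0.0
return,success,6
trailer,95
header,120,11,execve(2),0,Sat Jul 14 10:02:11 2007, + 40 msec
path,/usr/local/bin/xterm
subject,-1,alex,users,alex,users,1502,0,0,0.0.0.0
return,success,0
trailer,120
header,118,11,execve(2),0,Sat Jul 14 10:05:40 2007, + 12 msec
path,/bin/ls
subject,alex,alex,users,alex,users,1610,1610,0,0.0.0.0
return,success,0
trailer,118
"""

# Order of the fields praudit prints after the "subject" token name.
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid",
                  "pid", "sid", "port", "addr")

def parse_records(text):
    """Yield (event_name, subject_dict_or_None) for each header..trailer record."""
    event, subject = None, None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token == "header":
            # header,<length>,<version>,<event name>,<modifier>,<time>,<msec>
            event, subject = rest.split(",")[2], None
        elif token == "subject":
            subject = dict(zip(SUBJECT_FIELDS, rest.split(",")))
        elif token == "trailer" and event is not None:
            yield event, subject
            event = None

def unattributed_by_euid(text):
    """Count records whose audit ID is -1, grouped by effective user."""
    counts = Counter()
    for _event, subject in parse_records(text):
        if subject and subject["auid"] == "-1":
            counts[subject["euid"]] += 1
    return counts
```

On a live system the input would be the text produced by running praudit over a trail file instead of `SAMPLE`.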

Re: OpenBSM questions
2007-07-14 13:33:35
On Sat, 14 Jul 2007, Garrett Wollman wrote:

> <<On Sat, 14 Jul 2007 16:45:14 +0100 (BST), Robert Watson
> <rwatson@freebsd.org> said:
>
>> This is correct -- login services must be modified to properly set up user
>> audit state at login.  I am not familiar with work relating to this with
>> xdm, kdm, gdm, etc, but it would be very good to see this happen.
>
> Surely this is something that belongs in a PAM module...?  The whole point
> of the PAM framework is that you should *not* have to modify every program
> that does a login when new mechanisms are introduced or policy changes.

Setting login state is not the only thing that audit does.  Audit requirements
also exist to audit failures in the login process that may be entirely
unrelated to authentication.

That said, I'm not 100% sure that the audit state, leaving aside the auditing
of login events, couldn't be done in a PAM module.  An interesting question is
why the rest of the UNIX credential is also not set up using PAM -- see calls
to setlogin(2), setusercontext(3), etc, in login.c and other things involved
in login.

Robert N M Watson
Computer Laboratory
University of Cambridge

Re: OpenBSM questions
2007-07-14 12:53:26
<<On Sat, 14 Jul 2007 16:45:14 +0100 (BST), Robert Watson <rwatson@freebsd.org> said:

> This is correct -- login services must be modified to properly set up user
> audit state at login.  I am not familiar with work relating to this with xdm,
> kdm, gdm, etc, but it would be very good to see this happen.

Surely this is something that belongs in a PAM module...?  The whole
point of the PAM framework is that you should *not* have to modify
every program that does a login when new mechanisms are introduced or
policy changes.

-GAWollman
