freebsd security - Jul 2007 - OpenBSM questions

Hello

I have some issues with OpenBSM which i cannot resolve, so i decided to 
ask there.

1) I found some bugs in the auditreduce utility and created patch for it 
- http://www.freebsd.org/cgi/query-pr.cgi?pr=114534.
Please, someone from freebsd team - take it, i think its better to fix 
this before next release.
2) I found that when i`m using XDM as login manager with OpenBSM, all my 
audit events comes with subject -1, and becauseof this i cant filter 
them with audit_user policy. When i`m using console "login" all work
as
designed and i got logged in user in the subject.
I think that xdm must be patched to support audit, i found  audit code 
in the  login sources. My be someone already did such patches?
3) All services running from rc scripts also using "-1" as their 
subject. How can i change subject for such programs? E.g. mysql work 
with myslq uid/gid and i want create special policy for the mysql in the 
audit_user file, but "subject" of such events is always
"-1", so i cant
do this.

P.S. I`m using FreeBSD-STABLE.

On Sat, 14 Jul 2007, Alex Samorukov wrote:
> I have some issues with OpenBSM which i cannot resolve, so i decided to ask
> there.
>
> 1) I found some bugs in the auditreduce utility and created patch for it - 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=114534. Please, someone from 
> freebsd team - take it, i think its better to fix this before next release.
I was not aware of this PR, thanks for pointing it out.  In the future, if no 
one picks up an audit-related PR, feel free to send e-mail to 
trustedbsd-audit@TrustedBSD.org and/or directly to me.  I've grabbed
ownership
of this PR and will apply the changes to OpenBSM, hopefully today.
> 2) I found that when i`m using XDM as login manager with OpenBSM, all my 
> audit events comes with subject -1, and becauseof this i cant filter them 
> with audit_user policy. When i`m using console "login" all work
as designed
> and i got logged in user in the subject. I think that xdm must be patched
to
> support audit, i found audit code in the > login sources. My be someone 
> already did such patches?
This is correct -- login services must be modified to properly set up user 
audit state at login.  I am not familiar with work relating to this with xdm, 
kdm, gdm, etc, but it would be very good to see this happen.  Possibly, e-mail 
to the port maintainers of these may be called for, possibly with patches.
> 3) All services running from rc scripts also using "-1" as their
subject.
> How can i change subject for such programs? E.g. mysql work with myslq 
> uid/gid and i want create special policy for the mysql in the audit_user 
> file, but "subject" of such events is always "-1", so i
cant do this.
Hmm.  Right now there isn't a tool to do this, but there probably should be.
> P.S. I`m using FreeBSD-STABLE.
The patch you've submitted will go first into OpenBSM, then 7-CURRENT, and 
then at some point an MFC to 6-STABLE.  Fortunately, you've caught be just 
before I released OpenBSM 1.0 alpha 15, which will be the last import (we 
hope) before 7.0.  If you're aware of any other outstanding issues relating
to
OpenBSM, please let me know.

Robert N M Watson
Computer Laboratory
University of Cambridge

<<On Sat, 14 Jul 2007 16:45:14 +0100 (BST), Robert Watson
<rwatson@freebsd.org> said:
> This is correct -- login services must be modified to properly set up user 
> audit state at login.  I am not familiar with work relating to this with
xdm,
> kdm, gdm, etc, but it would be very good to see this happen.
Surely this is something that belongs in a PAM module...?  The whole
point of the PAM framework is that you should *not* have to modify
every program that does a login when new mechanisms are introduced or
policy changes.

-GAWollman