
List:       sudo-workers
Subject:    Re: [sudo-workers] [patch] to add support for BSM audit records
From:       Christian Peron <csjp () freebsd ! org>
Date:       2008-12-04 22:28:08
Message-ID: 20081204222808.GA53068 () jnz ! sqrt ! ca

Ok, so I have tweaked things a bit.

- I have added code which checks the selection masks to see if we
  are interested in sudo events.
- I have added the "exec arg" audit token as per Robert's feedback.

Here is a sample audit trail for "sudo tcsh":

header_ex,90,10,sudo(1),0,10.0.0.2,Thu Dec  4 22:19:53 2008, + 99 msec
subject_ex,csjp,root,wheel,root,wheel,34134,34134,3450,192.168.11.111
exec arg,tcsh
return,success,0
trailer,90

Files can be found at:

http://people.freebsd.org/~csjp/bsm_audit.c
http://people.freebsd.org/~csjp/bsm_audit.h
http://people.freebsd.org/~csjp/sudo.1228089242.diff

Cheers!

On Sun, Nov 30, 2008 at 05:49:22PM -0500, Todd C. Miller wrote:
> In message <20081128022748.GA23986@jnz.sqrt.ca>
> 	so spake Christian Peron (csjp):
> 
> > I would like to propose a patch to add BSM audit support to sudo.  This patch
> > and associated files add support for Sun's Basic Security Module (BSM)
> > Audit API and file format.  It should be noted that currently FreeBSD, OS X
> > and Solaris use BSM.  I have not tested on Solaris or OS X, but this patch
> > should build on both.  This is a starting point; it's possible that I could
> > be missing some key error conditions which require auditing.
> 
> As luck would have it I was reviewing the Apple BSD audit patches
> recently.  It's too late for this to go into sudo 1.7.0 but I'd
> like to have official support for BSM and Linux auditing in version
> 1.7.1.
> 
> I don't see the bsm_audit.c file in your diff, BTW.
> 
>  - todd

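The sample audit trail in the message above is praudit-style text. The parser below is an added example, not code from the message or from the sudo patch: it reads that record back into fields, checks that the header and trailer agree on the record length, and flags successful records where the audited user ran the command as a different effective user. The field order assumed for the subject_ex and header_ex tokens follows praudit's default text output and should be checked against your own praudit version.

```python
# Added example: parse the praudit text of the sudo BSM record quoted in the
# message and flag privilege changes. Field order follows praudit's default
# output (an assumption, not taken from the sudo patch).

# Constructed input: the five lines of the sample record from the message.
SAMPLE_RECORD = """\
header_ex,90,10,sudo(1),0,10.0.0.2,Thu Dec  4 22:19:53 2008, + 99 msec
subject_ex,csjp,root,wheel,root,wheel,34134,34134,3450,192.168.11.111
exec arg,tcsh
return,success,0
trailer,90
"""

# Assumed subject token layout: audit uid, effective uid/gid, real uid/gid,
# pid, session id, then the terminal id as port and address.
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid",
                  "pid", "sid", "tid_port", "tid_addr")


def parse_record(text):
    """Turn one praudit text record into a dict keyed by token name."""
    rec = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        tok, _, rest = line.partition(",")
        fields = rest.split(",")
        if tok in ("header", "header_ex"):
            rec["header"] = {"bytes": int(fields[0]), "version": int(fields[1]),
                             "event": fields[2], "modifier": int(fields[3]),
                             "host": fields[4], "time": fields[5].strip(),
                             "msec": fields[6].strip()}
        elif tok in ("subject", "subject_ex"):
            rec["subject"] = dict(zip(SUBJECT_FIELDS, fields))
        elif tok == "exec arg":
            rec["exec_args"] = fields
        elif tok == "return":
            rec["return"] = {"status": fields[0], "value": int(fields[1])}
        elif tok == "trailer":
            rec["trailer_bytes"] = int(fields[0])
    # A well-formed record has header and trailer declaring the same length.
    if rec.get("header", {}).get("bytes") != rec.get("trailer_bytes"):
        raise ValueError("header/trailer byte counts disagree")
    return rec


def privilege_change(rec):
    """True when a successful sudo ran as a user other than the audited user."""
    s = rec["subject"]
    return rec["return"]["status"] == "success" and s["auid"] != s["euid"]
```

For the sample record this reports auid csjp running tcsh as euid root from 192.168.11.111, which is the line a reviewer of the trail would want surfaced.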