Vendor import TrustedBSD OpenBSM 1.0, with the following change history
since the last import:

OpenBSM 1.0

- Fix bug in auditreduce(8) which resulted in a memory fault/crash when
the user specifi

Vendor import TrustedBSD OpenBSM 1.0, with the following change history
since the last import:

OpenBSM 1.0

- Fix bug in auditreduce(8) which resulted in a memory fault/crash when
the user specified an event name with -m.
- Remove AU_.* hard-coded audit class constants, as udit classes are now
entirely dynamically configured using /etc/security/audit_class.

MFC after: 3 days
Obtained from: TrustedBSD Project

show more ...

Resolve conflicts from import of OpenBSM 1.0 alpha15 ($FreeBSD$/$P4$
conflict).

Approved by: re (hrs)

Vendor import TrustedBSD OpenBSM 1.0 alpha 15, with the following change
history since the last import:

OpenBSM 1.0 alpha 15

- Fix bug when processing in_addr_ex tokens.
- Restore the behavior of p

Vendor import TrustedBSD OpenBSM 1.0 alpha 15, with the following change
history since the last import:

OpenBSM 1.0 alpha 15

- Fix bug when processing in_addr_ex tokens.
- Restore the behavior of printing the string/text specified while
auditing arg32 tokens.
- Synchronized audit event list to Solaris, picking up the *at(2) system call
definitions, now required for FreeBSD and Linux. Added additional events
for *at(2) system calls not present in Solaris.
- Bugs in auditreduce(8) fixed allowing partial date strings to be used in
filtering events.

Approved by: re (hrs)
MFC after: 3 weeks
Obtained from: TrustedBSD Project

show more ...

Resolve conflicts from OpenBSM 1.0 alpha 14 import.

Vendor import TrustedBSD OpenBSM 1.0 alpha 14, with the following change
history notes since the last import:

OpenBSM 1.0 alpha 14

- Fix endian issues when processing IPv6 addresses for extended su

Vendor import TrustedBSD OpenBSM 1.0 alpha 14, with the following change
history notes since the last import:

OpenBSM 1.0 alpha 14

- Fix endian issues when processing IPv6 addresses for extended subject
and process tokens.
- gcc41 warnings clean.
- Teach audit_submit(3) about getaudit_addr(2).
- Add support for zonename tokens.

OpenBSM 1.0 alpha 13

- compat/clock_gettime.h now provides a compatibility implementation of
clock_gettime(), which fixes building on Mac OS X.
- Countless man page improvements, markup fixes, content fixs, etc.
- XML printing support via "praudit -x".
- audit.log.5 expanded to include additional BSM token types.
- Added encoding and decoding routines for process64_ex, process32_ex,
subject32_ex, header64, and attr64 tokens.
- Additional audit event identifiers for listen, mlockall/munlockall,
getpath, POSIX message queues, and mandatory access control.

Approved by: re (bmah)
MFC after: 3 weeks
Obtained from: TrustedBSD Project

show more ...

Resolve conflicts from OpenBSM 1.0 alpha 12 import.

Obtained from: TrustedBSD Project

Vendor import TrustedBSD OpenBSM 1.0 alpha 12, with the following change
history notes since the last import:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from wo

Vendor import TrustedBSD OpenBSM 1.0 alpha 12, with the following change
history notes since the last import:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working
correctly when the user specifies to process successful or failed events.
The problem stemmed from not having access to the return token at the time
the initial preselection occurred, but now a second preselection process
occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
line; this was the documented behavior previously, but it was not
implemented. Be more specific in auditreduce(1)'s examples section about
what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
termination of an audit trail file. For example, this might be used to
compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
now supply one or more (comma delimited) regular expressions for searching
the pathnames. If one of the regular expressions is prefixed with a tilde
(~), and a path matches, it will be excluded from the search results.

MFC after: 3 days
Obtained from: TrustedBSD Project

show more ...

Resolve conflicts from OpenBSM 1.0 alpha 11 vendor import: we have locally
added $FreeBSD$ to /etc configuration files to assist mergemaster.

Vendor import of OpenBSM 1.0 alpha 11, with the following change history
notes since the last import:

OpenBSM 1.0 alpha 11

- Reclassify certain read/write operations as having no class rather than

Vendor import of OpenBSM 1.0 alpha 11, with the following change history
notes since the last import:

OpenBSM 1.0 alpha 11

- Reclassify certain read/write operations as having no class rather than the
fr/fw class; our default classes audit intent (open) not operations (read,
write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
and writes of sysctls as separate events. Add additional kernel
environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
(issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
a dropped request, the log file will otherwise grow indefinitely if the
trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
representations of audit_control policy flags and the flags passed to
auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
extension to the Solaris file format to allow specification of policy
persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
policy to match it when configuring/reconfiguring. Remove the -s and -h
arguments as these policies are now set via the configuration file. If a
policy line is not found in the configuration file, continue with the
current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.

Obtained from: TrustedBSD Project

show more ...

Resolove conflicts from OpenBSM 1.0 alpha 9 into audit_event.

Obtained from: TrustedBSD Project

Vendor import of OpenBSM 1.0 alpha 9, with the following change history
notes since the last import:

OpenBSM 1.0 alpha 9

- Rename many OpenBSM-specific constants and API elements containing the
s

Vendor import of OpenBSM 1.0 alpha 9, with the following change history
notes since the last import:

OpenBSM 1.0 alpha 9

- Rename many OpenBSM-specific constants and API elements containing the
strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true
for almost all existing constants and APIs.
- Instead of passing a per-instance cookie directly into all audit filter
APIs, pass in the audit filter daemon state pointer, which is then used by
the module using an audit_filter_{get,set}cookie() API. This will allow
future service APIs provided by the filter daemon to maintain their own
state -- for example, per-module preselection state.

OpenBSM 1.0 alpha 8

- Correct typo in definition of AUR_INT.
- Adopt OpenSolaris constant values for AUDIT_* configuration flags.
- Arguments to au_to_exec_args() and au_to_exec_env() no longer const.
- Add kernel versions of au_to_exec_args() and au_to_exec_env().
- Fix exec argument type that is printed for env strings from 'arg' to 'env'.
- New OpenBSM token version number assigned, constants added for other
commonly seen version numbers.
- OpenBSM-specific events assigned numbers in the 43xxx range to avoid future
collisions with Solaris. Darwin events renamed to AUE_DARWIN_foo, as they
are now deprecated numberings.
- autoconf now detects clock_gettime(), which is not available on Darwin.
- praudit output fixes relating to arg32 and arg64 tokens.
- Maximum record size updated to 64k-1 to match Solaris record size limit.
- Various style and comment cleanups in include files.

This is an MFC candidate to RELENG_6.

Obtained from: TrustedBSD Project

show more ...

Resolve conflicts from OpenBSM 1.0 alpha 7 import.

Obtained from: TrustedBSD Project

Vendor import of OpenBSM 1.0 alpha 7, with the following change history
notes:

- Adopted Solaris-compatible format for subject32_ex and subject64_ex
tokens, which previously did not correctly impl

Vendor import of OpenBSM 1.0 alpha 7, with the following change history
notes:

- Adopted Solaris-compatible format for subject32_ex and subject64_ex
tokens, which previously did not correctly implement variable length
address storage.
- Prefer inttypes.h to stdint.h; enhance queue.h detection to test for
TAILQ_FOREACH_SAFE(), which is present in recent BSD queue.h's, but not
older ones. OpenBSM now builds on some FreeBSD 4.x version.
- New event types for extended attributes, ACLs, and scheduling.

Obtained from: TrustedBSD Project

show more ...

Take contrib/openbsm/etc configuration files off the vendor branch in
order to add $FreeBSD$ tags, which helps mergemaster better manage
updating them.

Requested by: several
Obtained from: TrustedBS

Take contrib/openbsm/etc configuration files off the vendor branch in
order to add $FreeBSD$ tags, which helps mergemaster better manage
updating them.

Requested by: several
Obtained from: TrustedBSD Project

show more ...

Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local exte

Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.

This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.

This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.

Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project

show more ...