From csjp at freebsd.org Thu Dec 4 17:28:08 2008
From: csjp at freebsd.org (Christian Peron)
Date: Thu, 4 Dec 2008 16:28:08 -0600
Subject: [sudo-workers] [patch] to add support for BSM audit records
In-Reply-To: <200811302249.mAUMnMOi013678@core.courtesan.com>
References: <20081128022748.GA23986@jnz.sqrt.ca> <200811302249.mAUMnMOi013678@core.courtesan.com>
Message-ID: <20081204222808.GA53068@jnz.sqrt.ca>

Ok, so I have tweaked things a bit.

- I have added code which checks the selection masks to see if we are
  interested in sudo events.
- I have added the "exec arg" audit token as per Robert's feedback.

Here is a sample audit trail for "sudo tcsh":

header_ex,90,10,sudo(1),0,10.0.0.2,Thu Dec 4 22:19:53 2008, + 99 msec
subject_ex,csjp,root,wheel,root,wheel,34134,34134,3450,192.168.11.111
exec arg,tcsh
return,success,0
trailer,90

Files can be found:

http://people.freebsd.org/~csjp/bsm_audit.c
http://people.freebsd.org/~csjp/bsm_audit.h
http://people.freebsd.org/~csjp/sudo.1228089242.diff

Cheers!

On Sun, Nov 30, 2008 at 05:49:22PM -0500, Todd C. Miller wrote:
> In message <20081128022748.GA23986 at jnz.sqrt.ca>
> so spake Christian Peron (csjp):
>
> > I would like to propose a patch to add BSM audit support to sudo. This patch
> > and associated files add support for Sun's Basic Security Module (BSM)
> > Audit API and file format. It should be noted that currently FreeBSD, OS X
> > and Solaris use BSM. I have not tested on Solaris or OS X, but this patch
> > should build on both. This is a starting point; it's possible that I could
> > be missing some key error conditions which require auditing.
>
> As luck would have it I was reviewing the Apple BSD audit patches
> recently. It's too late for this to go into sudo 1.7.0 but I'd
> like to have official support for BSM and Linux auditing in version
> 1.7.1.
>
> I don't see the bsm_audit.c file in your diff, BTW.
>
> - todd

From Todd.Miller at courtesan.com Sun Dec 14 17:46:39 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 14 Dec 2008 17:46:39 -0500
Subject: [sudo-workers] sudo 1.7.0rc9 available
Message-ID: <200812142246.mBEMkdwE015626@core.courtesan.com>

This is the final release candidate before sudo version 1.7.0 is
available. Unless there's a problem reported this is what will be
released as 1.7.0 on Friday December 19th.

Download links:

http://www.sudo.ws/sudo/dist/beta/sudo-1.7.0rc9.tar.gz
ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.0rc9.tar.gz

Changes from Sudo 1.7.0rc8:

 * Fixed a problem with the password requirements for pseudo-commands
   such as -v and -l.

 * K&R compilation fixes.

 * HP-UX PAM fix when user enters ^C at password prompt.

What's new in Sudo 1.7?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible to
   apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of
   other sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
   o applicable Defaults options are now listed
   o a command argument can be specified for testing whether a user
     may run a specific command.
   o a new -U flag can be used in conjunction with "sudo -l" to allow
     root (or a user with "sudo ALL") list another user's privileges.

 * A new -g flag has been added to allow the user to specify a primary
   group to run the command as. The sudoers syntax has been extended
   to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is
   now configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command to be
   run via the shell. Previously, the argument was passed to the shell
   as a script to run.

 * Improved LDAP support. SASL authentication may now be used when
   connecting to an LDAP server. The krb5_ccname parameter in
   ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
   to specify the sudoers order. E.g.:

     sudoers: ldap files

   to check LDAP, then /etc/sudoers. The default is "files", even when
   LDAP support is compiled in. This differs from sudo 1.6 where LDAP
   was always consulted first.

 * Support for /etc/environment on AIX and Linux. If sudo is run with
   the -i flag, the contents of /etc/environment are used to populate
   the new environment that is passed to the command being run.

 * If no terminal is available or if the new -A flag is specified, sudo
   will use a helper program to read the password if one is configured.
   Typically, this is a graphical password prompter such as ssh-askpass.

 * A new Defaults option, "mailfrom", that sets the value of the "From:"
   field in the warning/error mail. If unspecified, the login name of
   the invoking user is used.

 * A new flag, -n, may be used to indicate that sudo should not prompt
   the user for a password and, instead, exit with an error if
   authentication is required.
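The sample audit trail in Christian Peron's message above is praudit-style text: one header, subject, exec arg, return and trailer token per sudo record. The following parser, added here as an example and not taken from bsm_audit.c or the sudo patch, turns such records into dicts and flags the ones a reviewer would want to look at; the first record is copied from the message, the second is a constructed failed attempt, and the shell list is an assumption.

```python
# Added example (not from bsm_audit.c): parse praudit-style text records.
SAMPLE_TRAIL = """\
header_ex,90,10,sudo(1),0,10.0.0.2,Thu Dec 4 22:19:53 2008, + 99 msec
subject_ex,csjp,root,wheel,root,wheel,34134,34134,3450,192.168.11.111
exec arg,tcsh
return,success,0
trailer,90
header_ex,94,10,sudo(1),0,10.0.0.2,Thu Dec 4 22:21:07 2008, + 12 msec
subject_ex,guest,root,wheel,guest,wheel,34201,34201,3451,192.168.11.222
exec arg,/bin/sh
return,failure : Operation not permitted,1
trailer,94
"""  # record 1 is from the message; record 2 is a constructed failed attempt

# praudit subject field order; the terminal id is printed as port,address
SUBJECT_FIELDS = ("audit_user", "euid", "egid", "ruid", "rgid",
                  "pid", "sid", "tid_port", "tid_addr")
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}  # assumed shell names

def parse_trail(text):
    """Return one dict per header..trailer record in a praudit text dump."""
    records, cur = [], None
    for line in text.splitlines():
        tok, _, rest = line.partition(",")
        if tok.startswith("header"):      # header_ex: size,version,event,...
            cur = {"event": rest.split(",")[2], "args": []}
        elif cur is None:                 # ignore lines outside a record
            continue
        elif tok.startswith("subject"):
            cur.update(zip(SUBJECT_FIELDS, rest.split(",")))
        elif tok == "exec arg":
            cur["args"].extend(rest.split(","))
        elif tok == "return":             # "success,0" or "failure : msg,N"
            status, _, code = rest.rpartition(",")
            cur["status"], cur["retval"] = status.split(" :")[0], int(code)
        elif tok == "trailer":
            records.append(cur)
            cur = None
    return records

def review_flags(rec):
    """Reasons a sudo record merits review; an empty list means nothing notable."""
    flags = []
    if rec.get("status") != "success":
        flags.append("failed")
    cmd = rec["args"][0].rsplit("/", 1)[-1] if rec["args"] else ""
    if cmd in SHELLS:                     # e.g. "sudo tcsh": a root shell
        flags.append("interactive shell as " + rec.get("euid", "?"))
    return flags
```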