OpenSolaris

Bug ID: 6558641
Synopsis: setauid(2) should audit correct audit id not the argument address
State: 10-Fix Delivered (Fix available in build)
Category:Subcategory: audit:kernel
Keywords: CC_Evaluation
Responsible Engineer: Tomas Zeman
Reported Against:
Duplicate Of:
Introduced In: solaris_2.6
Commit to Fix: snv_67
Fixed In: snv_67
Release Fixed: solaris_nevada(snv_67)
Related Bugs:
Submit Date: 17-May-2007
Last Update Date: 13-May-2009
Description
While doing code inspection of copyin() usage in the audit module, I noticed a difference between what setauid(2) does and what is audited in aus_auditsys():

$SRC/uts/common/c2/audit_syscalls.c:setauid():

	if (copyin(auid_p, &auid, sizeof (au_id_t))) {
		return (EFAULT);
	}

In aus_auditsys(), however, the address of the argument, not its value, is written to the audit trail:
$SRC/uts/common/c2/audit_event.c: aus_auditsys()

	case AUE_SETAUID:
		au_uwrite(au_to_arg32(2, "setauid", (uint32_t)a1));

This is consistent with the following audit records generated by auditconfig -setauid and auditconfig -setaudit:

bash-3.00# auditconfig -setauid 1 auditconfig -getaudit
audit id = daemon(1)
process preselection mask = all(0xffffffff,0xffffffff)
terminal id (maj,min,host) = 10545,5632,car-not(10.6.39.105)
audit session id = 2756141207

produces:

header,111,2,setauid(2),sp,snare,2007-05-17 01:16:20.825 -07:00
argument,2,0x8047d80,setauid
subject,daemon,root,root,root,root,100887,2756141207,10545 5632 car-not
use of privilege,successful use of priv,sys_audit
return,success,0


bash-3.00# auditconfig -setaudit 1 all 10545,5632,10.6.39.105 1234 auditconfig -getaudit
audit id = daemon(1)
process preselection mask = all(0xffffffff,0xffffffff)
terminal id (maj,min,host) = 10545,5632,car-not(10.6.39.105)
audit session id = 1234

produces:

header,194,2,setaudit_addr(2),sp,snare,2007-05-17 01:20:54.866 -07:00
argument,1,0x1,auid
argument,1,0xa4c41600,port
argument,1,0x4,type
ip address,car-not
argument,1,0xffffffff,as_success
argument,1,0xffffffff,as_failure
argument,1,0x4d2,asid
subject,daemon,root,root,root,root,100900,1234,10545 5632 car-not
use of privilege,successful use of priv,sys_audit
return,success,0

Note that in the second case the auid is audited correctly as daemon(1), while in the first case the address of the argument is written, not the value 1.

bsmrecord(1m) reports "audit user ID" for both cases.
Work Around
N/A
Comments
N/A
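
The following is an added example, not part of the original bug report or of the Solaris source: a Python check that reads comma-delimited audit records like those quoted above and flags successful setauid(2) records whose argument 2 does not equal the audit id in the subject token. It assumes, as in the quoted record, that the subject token's first field shows the audit id after a successful call; the `UIDS` map, the function names and the second sample record are constructed for illustration.

```python
import csv

# Constructed name-to-uid map standing in for a passwd lookup (assumption).
UIDS = {"root": 0, "daemon": 1}

# Record 1 is the setauid(2) record quoted in the report. Record 2 is
# constructed (assumption): argument 2 carries the audit id value itself.
SAMPLE = """\
header,111,2,setauid(2),sp,snare,2007-05-17 01:16:20.825 -07:00
argument,2,0x8047d80,setauid
subject,daemon,root,root,root,root,100887,2756141207,10545 5632 car-not
use of privilege,successful use of priv,sys_audit
return,success,0
header,111,2,setauid(2),sp,snare,2007-05-17 01:30:00.000 -07:00
argument,2,0x1,setauid
subject,daemon,root,root,root,root,100999,2756141207,10545 5632 car-not
use of privilege,successful use of priv,sys_audit
return,success,0
"""

def records(text):
    """Split praudit comma-delimited output into lists of tokens, one per record."""
    rec = []
    for row in csv.reader(text.splitlines()):
        if row and row[0] == "header" and rec:
            yield rec
            rec = []
        if row:
            rec.append(row)
    if rec:
        yield rec

def check_setauid(text, uids=UIDS):
    """Return (time, logged argument, subject audit id, matches) per successful setauid(2)."""
    results = []
    for rec in records(text):
        if len(rec[0]) < 7 or rec[0][3] != "setauid(2)":
            continue
        arg = next((t for t in rec if t[0] == "argument" and t[-1] == "setauid"), None)
        subj = next((t for t in rec if t[0] == "subject"), None)
        ret = next((t for t in rec if t[0] == "return"), None)
        if not (arg and subj and ret) or ret[1] != "success":
            continue  # on failure the subject's audit id is unchanged
        auid = int(subj[1]) if subj[1].isdigit() else uids.get(subj[1])
        results.append((rec[0][6], arg[2], subj[1], int(arg[2], 16) == auid))
    return results

if __name__ == "__main__":
    for ts, logged, auid, ok in check_setauid(SAMPLE):
        print(ts, logged, auid, "ok" if ok else "MISMATCH")
```

A mismatch on a trail from an affected build means the argument token holds a user-space address, so the audit id has to be read from the subject token instead.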