jail: Optionally allow audit session state to be configured in a jail
AcceptedPublic
Actions

Authored by markj on Mon, Aug 4, 3:13 PM.

Details

Reviewers

Group Reviewers

Jails
Audit

Summary

Currently it is impossible for a privileged, jailed process to set audit
session state. This can result in suprising audit event misattribution.
For example, suppose a user ssh'es into a jail and restarts a service;
normally, sshd sets audit state such that events generated by the SSH
session are attributed to the newly authenticated user, but in a jail,
the corresponding setaudit(2) call fails, so events are attributed to
the user who had started sshd in the jail (typically the user who had
started the jail itself by some means).

While this behaviour is reasonable, administrators might want to trust
the jailed sshd to reset audit state, such that the authenticated user
appears in audit logs. Add a jail knob to enable this. Add a simple
regression test.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 65944
Build 62827: arc lint + arc unit

Event Timeline

markj created this revision.Mon, Aug 4, 3:13 PM

Herald added subscribers: ziaee, olce, imp. · View Herald TranscriptMon, Aug 4, 3:13 PM

markj requested review of this revision.Mon, Aug 4, 3:13 PM

Harbormaster completed remote builds in B65944: Diff 159709.Mon, Aug 4, 3:13 PM

kevans accepted this revision as: kevans.Tue, Aug 5, 2:16 PM

kevans added inline comments.

usr.sbin/jail/tests/jail_basic_test.sh
311	I'd like to see a test that demonstrate that a jail-run setaudit(2) still properly gets a zone tag in its audit records, but that's more of a tests/sys/audit problem and we already know that isn't a possibility today because they're populated based on a property of the ucred, rather than audit configuration. Not a blocker, just thinking out loud for future improvements.