[Fed-Talk] Security Issue: ssh and bsm
- Subject: [Fed-Talk] Security Issue: ssh and bsm
- From: Michael L Walker <email@hidden>
- Date: Sun, 7 Oct 2007 17:50:41 -0700
Setup:
Dual 2.3 GHz PowerPC G5/ 3GB SDRAM XServe
OSX 10.4.10 Server
Also tested with:
450GHz PowerPC G4
OSX 10.4.10 Client
Problem: bsm audit and ssh
This is a follow-up to the previous email I posted where certain
events are not being logged.
It appears that bsm functionality quits working when a user logs in
using ssh.
With /etc/security/audit_control set to "all" a logged in user will
report all unix commands (like trying to cd into a directory with no
privs., etc.). However, as soon as a user logs into the machine
using ssh, audit just stops logging. The auditd is still running,
but most (if not all) unix commands are no longer logged from all
users (not just the ssh session). Under most instances the auditd
must be restarted to resume required logging.
This causes another issue, in that I was under the assumption in the
configuration that you could halt the system if an error occurs in
the bsm system. Which of course does not happen during this failure.
The only indication at this point that auditd has quit working
(besides gaps in the logs) is in /var/log/secure.log with the error
message:
"sshd[1309]: error: BSM audit: bsm_audit_session_setup: setaudit_addr
failed: Function not implemented"
Anybody seen this before? Anybody know of any work around?
Also, is there an Apple Security contact to report this potential
security hole?
Thanks,
Mike
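
One way to watch for the only indicator the message mentions, the sshd error in /var/log/secure.log. This is an added example, not part of the original post. The function names are hypothetical, and the syslog prefix layout, host name, times and every PID except 1309 are constructed.

```shell
#!/bin/sh
# Added example. Message text is from the post; the syslog prefix layout,
# host name, times and every PID except 1309 are constructed.

# Constructed sample log (stands in for /var/log/secure.log).
sample_log() {
    cat <<'EOF'
Oct  7 17:31:02 xserve sshd[1290]: Accepted publickey for mike from 10.0.0.5 port 49200 ssh2
Oct  7 17:40:12 xserve sshd[1309]: error: BSM audit: bsm_audit_session_setup: setaudit_addr failed: Function not implemented
Oct  7 17:40:13 xserve sshd[1309]: Accepted password for mike from 10.0.0.5 port 49211 ssh2
Oct  7 17:45:00 xserve logger: note: BSM audit: bsm_audit_session_setup: setaudit_addr failed was seen earlier
Oct  7 17:52:31 xserve sshd[1342]: error: BSM audit: bsm_audit_session_setup: setaudit_addr failed: Function not implemented
EOF
}

# Print "Mon D HH:MM:SS pid=N" for each sshd line reporting the failure.
# Field 5 is the syslog tag; requiring sshd[pid]: there skips look-alike lines.
bsm_ssh_failures() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ &&
        /BSM audit: bsm_audit_session_setup: setaudit_addr failed/ {
            pid = $5
            gsub(/[^0-9]/, "", pid)
            print $1, $2, $3, "pid=" pid
        }
    ' "$1"
}

# Return 0 if the log is clean. Otherwise print a summary and return 1:
# audit trails from the first event on should be treated as incomplete.
bsm_ssh_check() {
    hits=$(bsm_ssh_failures "$1")
    if [ -z "$hits" ]; then
        return 0
    fi
    count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    first=$(printf '%s\n' "$hits" | head -n 1)
    echo "sshd BSM audit failure: $count event(s), first at $first"
    return 1
}

# Demo on the constructed sample.
log=$(mktemp)
sample_log > "$log"
bsm_ssh_check "$log" || true
rm -f "$log"
```

Run periodically against the real log, the non-zero return of `bsm_ssh_check` can drive an alert, since the audit system itself gives no signal in this failure.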