BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-25:02.audit

29 January, 2025 by errata-notices@freebsd.org | freebsd 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-25:02.audit                                          Errata Notice
                                                          The FreeBSD Project

Topic:          System call auditing disabled by DTrace

Category:       core
Module:         audit
Announced:      2025-01-29
Credits:        Joe Duin
Affects:        All supported versions of FreeBSD.
Corrected:      2025-01-17 13:40:36 UTC (stable/14, 14.2-STABLE)
                2025-01-29 18:54:51 UTC (releng/14.2, 14.2-RELEASE-p1)
                2025-01-29 18:55:18 UTC (releng/14.1, 14.1-RELEASE-p7)
                2025-01-17 13:40:56 UTC (stable/13, 13.4-STABLE)
                2025-01-29 18:55:24 UTC (releng/13.4, 13.4-RELEASE-p3)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The audit(4) facility allows a system administrator to audit
security-relevant events.  System calls are one such security-related
event, and the audit(4) facility will record whether the system call was
successful along with other important details.

II.  Problem Description

When userspace invokes a system call, the kernel routes the call through
a common function which optionally logs an audit record for the call.
This function also calls into DTrace to implement system call tracing.
When both system call auditing and DTrace system call tracing are
enabled at the same time, a logic error causes auditing to be silently
disabled.

III. Impact

A privileged user can inhibit system call audit logging by running a
DTrace script which uses the "syscall" provider.  Once the DTrace script
exits, system call auditing will resume without any intervention.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-25:02/audit.patch
# fetch https://security.FreeBSD.org/patches/EN-25:02/audit.patch.asc
# gpg --verify audit.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              4b9ba274d736    stable/14-n270139
releng/14.2/                            71bf983f92ba  releng/14.2-n269508
releng/14.1/                            1574c53178e9  releng/14.1-n267729
stable/13/                              1bf531bcd791    stable/13-n259015
releng/13.4/                            f7b9cd733c39  releng/13.4-n258269
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:02.audit.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKMACgkQbljekB8A
Gu/wIxAA38DHdcS7lmwRT/rYyuUICRW7v51RU/FMzbxJ/F0Aovh+mhKUjI3IU6Ym
HEfJpu0o0bRN+tf2cCz4JEO881NhipNsmZlZ62W1Rz3bIG0MmcCQ+9bYMlLcCKrB
V1GR/kve5ENZRi9R4eQ+zzrIMXnrL18QOY1BMxnuqT/QmA18LPx0XPGhecKj4L0+
brD7xvg8cGd6QYKz56PVKqgPSJtN6gl9qgiIb2jtTNoz9lyXf/88N4nvFTGB86Mj
wVQy9J/fdiHU6154xQq8HaIEk2q0kQsOM7fuEwms1yCgOKiOyYOL2Ohn1KDRD1Vh
ECWLldc2l67ioLY2o3I15O4gSPa+/NcEgtGxrgCcUbp6cWHAMYbDw8/Oth7eIdjB
tuv0Hu27ADJH9RawmrgziD9BzQzSK1qzzBLvic20pvU3tqlSTDWyrTfLYkkFoqjg
8tL3PULNtHgcoP1VwfhQjVZAB5XzCDvuxTOOG6po6Hp02zdLmuQzQ7M+p/Fz1Cf1
rftSNXfXS5vXnX18j51/I6KZaqRg039RVotVy7Pjy/+FWD5y8UGqp5QqPBlOvjve
62R+FKVVr/Ki17kuQMayCc2hoWS4nKirQK1Kb2AoKIur5HoIM7urUnIIanzLvmIT
tSJxvh1msNsOf2Q+1Yo6IP27Q9yjDTPZA+jFTzSL9lGiJAXoiVQŜwx
-----END PGP SIGNATURE-----