HBSD: add HBSD_LOG_SUID_SGID option

Loic requested to merge loic/HardenedBSD:HBSD_LOG into hardened/current/master
    HBSD: add HBSD_LOG_SUID_SGID option
    
    Added HBSD_LOG_SUID_SGID that can be used to audit strange system behavior.
    The option is not added to replace auditd, which is more comprehensive;
    it is intended to provide a simple analysis that can be activated simply and quickly at any time.
    
    The option is disabled by default but it is easily activated via sysctl:
    sysctl kern.features.hbsd_log_suid_sgid=1
    
    Then you can analyze the logs in this way:
    dmesg | grep SUID
    [123] [HBSD INTERNAL] uid=1001 exec /usr/local/bin/sudo (SUID/SGID)
    
    Signed-off-by: Loic <loic.f@hardenedbsd.org>
    Reviewed-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Edited by Loic
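
For triage beyond `grep`, the log lines can be grouped per user and binary. The script below is an added example, not part of this merge request; it assumes the line format shown in the commit message, and the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize HBSD_LOG_SUID_SGID messages per uid and binary.
# Assumes the line format shown in the commit message:
#   [123] [HBSD INTERNAL] uid=1001 exec /usr/local/bin/sudo (SUID/SGID)

# Constructed sample input (not real log output) so the script runs offline.
sample_dmesg() {
    cat <<'EOF'
[123] [HBSD INTERNAL] uid=1001 exec /usr/local/bin/sudo (SUID/SGID)
[124] [HBSD INTERNAL] uid=1001 exec /usr/local/bin/sudo (SUID/SGID)
[125] [HBSD INTERNAL] uid=1002 exec /usr/bin/passwd (SUID/SGID)
em0: link state changed to UP
[126] [HBSD INTERNAL] uid=1001 exec /usr/bin/su (SUID/SGID)
EOF
}

# Reads dmesg-style text on stdin and prints "count<TAB>uid<TAB>path",
# most frequent first. Lines that do not match the format are ignored,
# and paths containing spaces are kept intact.
summarize_suid_execs() {
    awk '
    /\[HBSD INTERNAL\] uid=[0-9]+ exec .* \(SUID\/SGID\)$/ {
        line = $0
        sub(/^.*\[HBSD INTERNAL\] uid=/, "", line)  # "1001 exec /path (SUID/SGID)"
        uid = line
        sub(/ .*$/, "", uid)                        # keep only the numeric uid
        path = line
        sub(/^[0-9]+ exec /, "", path)              # drop "1001 exec "
        sub(/ \(SUID\/SGID\)$/, "", path)           # drop the trailing marker
        count[uid "\t" path]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2n -k3,3
}

# "--live" reads the kernel message buffer; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    dmesg | summarize_suid_execs
else
    sample_dmesg | summarize_suid_execs
fi
```

A uid that suddenly appears with a high count, or a binary that no account normally runs, is the kind of entry worth following up in auditd.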
