
Allow anonymous DTrace audit-provider tracing by preloading audit event file.
ClosedPublic

Authored by rwatson on Aug 4 2018, 11:18 AM.

Details

Summary

The kernel DTrace audit provider (dtaudit) relies on auditd(8) to
load /etc/security/audit_event to provide a list of audit event-number <->
name mappings. However, this occurs too late for anonymous tracing. With
this change, adding 'audit_event_load="YES"' to /boot/loader.conf will cause
the boot loader to preload the file, and then the kernel audit code will
parse it to register an initial set of audit event-number<->name mappings.
Those mappings can later be updated by auditd(8) if the configuration file
changes.
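The summary describes the kernel taking over a job auditd(8) normally does: parsing /etc/security/audit_event into event-number to name mappings early enough for anonymous dtaudit probes to exist before any user process runs. The following is an added illustration of that parsing step written as a stand-alone C program; it is not the code from this revision, and its buffer-based interface, function names and the sample records are constructed for the example. It mirrors the audit_event(5) record layout ("number:name:description:class"), skips blank and comment lines, rejects malformed records rather than silently truncating them, and lets a later record for the same number replace an earlier one, which is the behaviour the summary describes when auditd(8) later updates the table.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AU_EVNAME_MAX	64	/* longest event name accepted */
#define AU_EVMAP_MAX	256	/* fixed table size for the example */
#define AU_LINE_MAX	256	/* longest record line accepted */

struct au_evmap_entry {
	unsigned	number;
	char		name[AU_EVNAME_MAX];
};

struct au_evmap {
	struct au_evmap_entry	entries[AU_EVMAP_MAX];
	size_t			count;
};

/*
 * Parse one audit_event(5) record, "number:name:description:class".
 * Returns 1 and fills *number and name on success, 0 for a blank or
 * comment line, and -1 for a malformed record.
 */
static int
au_evmap_parse_line(const char *line, unsigned *number, char *name,
    size_t namelen)
{
	const char *p, *colon;
	char *end;
	unsigned long n;
	size_t len;

	p = line;
	while (isspace((unsigned char)*p))
		p++;
	if (*p == '\0' || *p == '#')
		return (0);
	n = strtoul(p, &end, 10);
	if (end == p || *end != ':')
		return (-1);
	p = end + 1;
	colon = strchr(p, ':');
	if (colon == NULL)
		return (-1);
	len = (size_t)(colon - p);
	if (len == 0 || len >= namelen)
		return (-1);
	memcpy(name, p, len);
	name[len] = '\0';
	*number = (unsigned)n;
	return (1);
}

/* Register a mapping, replacing any earlier one for the same number. */
static int
au_evmap_register(struct au_evmap *map, unsigned number, const char *name)
{
	size_t i;

	for (i = 0; i < map->count; i++) {
		if (map->entries[i].number == number) {
			snprintf(map->entries[i].name, AU_EVNAME_MAX, "%s", name);
			return (0);
		}
	}
	if (map->count >= AU_EVMAP_MAX)
		return (-1);
	map->entries[map->count].number = number;
	snprintf(map->entries[map->count].name, AU_EVNAME_MAX, "%s", name);
	map->count++;
	return (0);
}

/*
 * Parse a whole file image (not necessarily NUL-terminated, as a
 * preloaded file would be) into map.  Returns the number of distinct
 * mappings, or -1 on any malformed or overlong record.
 */
static int
au_evmap_load(struct au_evmap *map, const char *buf, size_t buflen)
{
	char line[AU_LINE_MAX];
	char name[AU_EVNAME_MAX];
	unsigned number;
	size_t start, end, len;
	int rc;

	map->count = 0;
	for (start = 0; start < buflen; start = end + 1) {
		for (end = start; end < buflen && buf[end] != '\n'; end++)
			;
		len = end - start;
		if (len >= sizeof(line))
			return (-1);
		memcpy(line, buf + start, len);
		line[len] = '\0';
		rc = au_evmap_parse_line(line, &number, name, sizeof(name));
		if (rc < 0)
			return (-1);
		if (rc == 0)
			continue;
		if (au_evmap_register(map, number, name) < 0)
			return (-1);
	}
	return ((int)map->count);
}

/* Look up the name for an event number; NULL if unknown. */
static const char *
au_evmap_name(const struct au_evmap *map, unsigned number)
{
	size_t i;

	for (i = 0; i < map->count; i++)
		if (map->entries[i].number == number)
			return (map->entries[i].name);
	return (NULL);
}

/* Constructed sample in audit_event(5) format, embedded for the example. */
static const char au_evmap_sample[] =
    "# event-number:name:description:class\n"
    "0:AUE_NULL:indir system call:no\n"
    "1:AUE_EXIT:exit(2):pc\n"
    "2:AUE_FORK:fork(2):pc\n"
    "\n"
    "23:AUE_EXECVE:execve(2):pc,ex\n";

int
main(void)
{
	struct au_evmap map;
	size_t i;

	if (au_evmap_load(&map, au_evmap_sample, sizeof(au_evmap_sample) - 1) < 0) {
		fprintf(stderr, "malformed audit_event data\n");
		return (1);
	}
	for (i = 0; i < map.count; i++)
		printf("%u -> %s\n", map.entries[i].number, map.entries[i].name);
	return (0);
}
```

Refusing a malformed or overlong record outright, instead of registering whatever could be salvaged, is the conservative choice for a file that will be consumed before any user process can repair it; a kernel-side parser would additionally need a bound on the total preloaded size.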

Test Plan

Used in the CADETS tracing environment at Cambridge. Graeme Jenkinson (Cambridge) and Domagoj Stolfa (Cambridge) have also reviewed this patch.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

rwatson created this revision. Aug 4 2018, 11:18 AM

What's anonymous tracing?


This is a DTrace feature that allows a D script to be compiled and installed following reboot. The script attaches and runs from the point of DTrace initialisation (presumably loaded by the boot loader?), and a later userspace dtrace(1) session can attach to it and dump trace state. The DTrace audit provider allows DTrace scripts to attach to (and inspect) audit events as they fire, using per-event probes. The probe list requires that audit_event have been parsed and passed into the kernel, which of course doesn't happen until quite a lot later in the boot. With this change, the DTrace audit provider has access to that event list from the point of audit-subsystem initialisation, so all the probes are created then. This means that anonymous DTrace scripts can attach to and use them prior to the start of any user process.

asomers accepted this revision. Aug 4 2018, 2:05 PM
asomers added a reviewer: imp.

I don't see anything wrong with this review. However, since you're modifying the boot loader you should check with @imp.

This revision is now accepted and ready to land. Aug 4 2018, 2:05 PM
markj accepted this revision as: markj. Aug 5 2018, 6:49 PM
markj added a subscriber: markj.
markj added inline comments.
stand/defaults/loader.conf
Line 150 (On Diff #46281)

Seems like this should go higher up in the file, together with other more specialized groupings of options.

sys/security/audit/audit_bsm_db.c
Line 292 (On Diff #46281)

Style: missing whitespace around the "-" operator.

rwatson updated this revision to Diff 46321. Aug 5 2018, 10:41 PM

Address comments from markj.
Shift position of defaults/loader.conf settings, adjust style around array
dereference.

This revision now requires review to proceed. Aug 5 2018, 10:41 PM
rwatson marked 2 inline comments as done. Aug 5 2018, 10:43 PM
markj accepted this revision as: markj. Aug 5 2018, 11:24 PM
This revision is now accepted and ready to land. Aug 5 2018, 11:24 PM
allanjude accepted this revision. Aug 6 2018, 3:32 PM
gnn accepted this revision. Aug 6 2018, 8:42 PM

LGTM

rwatson updated this revision to Diff 47609. Sep 3 2018, 11:48 AM

Merge forward; no functional changes to prior diff.

This revision now requires review to proceed. Sep 3 2018, 11:48 AM
This revision was not accepted when it landed; it landed in state Needs Review. Sep 3 2018, 2:26 PM
This revision was automatically updated to reflect the committed changes.