
Allow anonymous DTrace audit-provider tracing by preloading audit event file.
Closed, Public

Authored by rwatson on Aug 4 2018, 11:18 AM.
Details

Summary

The kernel DTrace audit provider (dtaudit) relies on auditd(8) to
load /etc/security/audit_event to provide a list of audit event-number <->
name mappings. However, this occurs too late for anonymous tracing. With
this change, adding 'audit_event_load="YES"' to /boot/loader.conf will cause
the boot loader to preload the file, and then the kernel audit code will
parse it to register an initial set of audit event-number<->name mappings.
Those mappings can later be updated by auditd(8) if the configuration file
changes.

Test Plan

Used in the CADETS tracing environment at Cambridge. Graeme Jenkinson (Cambridge) and Domagoj Stolfa (Cambridge) have also reviewed this patch.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

What's anonymous tracing?

This is a DTrace feature that allows a D script to be compiled and installed following reboot. The script attaches and runs from the point of DTrace initialisation (presumably loaded by the boot loader?), and a later userspace dtrace(1) session can attach to it and dump trace state. The DTrace audit provider allows DTrace scripts to attach to (and inspect) audit events as they fire, using per-event probes. The probe list requires that audit_event have been parsed and passed into the kernel, which of course doesn't happen until quite a lot later in the boot. With this change, the DTrace audit provider has access to that event list from the point of audit-subsystem initialisation, so all the probes are created then. Which means that anonymous DTrace scripts can attach to and use them prior to the start of any user process.
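The summary and the explanation above both turn on the kernel parsing /etc/security/audit_event into event-number <-> name mappings early enough for the audit provider's probes to exist. The following is an added example, not code from this revision or from FreeBSD: a small userspace parser for audit_event(5)-style lines ("number:name:description:class") that builds such a table, skips comment, blank and malformed lines, and lets a later line for the same number replace the earlier name, as a later auditd(8) reload would. The table size, the names `audit_event_parse_line` and `audit_event_name`, and the 16-bit bound on event numbers are assumptions of this example.

```c
/* Added example, not code from the patch under review: parse audit_event(5)-style
 * lines ("number:name:description:class") into the event-number<->name table the
 * kernel must build from a preloaded /etc/security/audit_event. */
#include <stdlib.h>
#include <string.h>

#define MAX_EVENTS 64		/* assumed table size for the example */
#define MAX_NAME   32
static struct { unsigned num; char name[MAX_NAME]; } evmap[MAX_EVENTS];
static size_t nevmap;

/* Registered name for an event number, or NULL if the number is unknown. */
char *audit_event_name(unsigned num)
{
	for (size_t i = 0; i < nevmap; i++)
		if (evmap[i].num == num)
			return evmap[i].name;
	return NULL;
}

/* Register one line; returns 1 if a mapping was added or updated, 0 if skipped.
 * Accepts only "<16-bit number>:<non-empty name>..." (au_event_t is 16 bits); a
 * repeated number replaces the earlier name, as a later auditd(8) reload would. */
int audit_event_parse_line(const char *text)
{
	char buf[256], *colon, *end, *slot;
	unsigned num;
	if (strlen(text) >= sizeof(buf))
		return 0;			/* over-long line: skip, don't truncate */
	strcpy(buf, text);
	buf[strcspn(buf, "\r\n")] = '\0';	/* tolerate fgets(3)-style line ends */
	colon = strchr(buf, ':');
	if (buf[0] < '0' || buf[0] > '9' || colon == NULL ||
	    strtoul(buf, &end, 10) > 0xffff || end != colon ||
	    colon[1] == '\0' || colon[1] == ':')
		return 0;			/* blank, comment or malformed */
	if ((end = strchr(colon + 1, ':')) != NULL)
		*end = '\0';			/* name ends at the description field */
	num = (unsigned)strtoul(buf, NULL, 10);
	if ((slot = audit_event_name(num)) == NULL) {
		if (nevmap == MAX_EVENTS)
			return 0;		/* table full: drop rather than overflow */
		evmap[nevmap].num = num;
		slot = evmap[nevmap++].name;
	}
	strncpy(slot, colon + 1, MAX_NAME - 1);
	slot[MAX_NAME - 1] = '\0';
	return 1;
}
```

Feeding it the lines of a real audit_event file with fgets(3) registers every well-formed entry; a rejected line returns 0 without touching the table, so a damaged preloaded file degrades to missing probes rather than a corrupt mapping.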

asomers added a reviewer: imp.

I don't see anything wrong with this review. However, since you're modifying the boot loader you should check with @imp.

This revision is now accepted and ready to land. Aug 4 2018, 2:05 PM
markj added a subscriber: markj.
markj added inline comments.
stand/defaults/loader.conf
Line 150 (On Diff #46281)

Seems like this should go higher up in the file, together with other more specialized groupings of options.

sys/security/audit/audit_bsm_db.c
Line 292 (On Diff #46281)

Style: missing whitespace around the "-" operator.

Address comments from markj.
Shift position of defaults/loader.conf settings, adjust style around array
dereference.

This revision now requires review to proceed. Aug 5 2018, 10:41 PM
This revision is now accepted and ready to land. Aug 5 2018, 11:24 PM

Merge forward; no functional changes to prior diff.

This revision now requires review to proceed. Sep 3 2018, 11:48 AM
This revision was not accepted when it landed; it landed in state Needs Review. Sep 3 2018, 2:26 PM
This revision was automatically updated to reflect the committed changes.