Page MenuHomeFreeBSD

Allow DTrace audit provider probes to fire even if auditd(8) isn't running.
ClosedPublic

Authored by rwatson on Sep 28 2018, 2:32 PM.

Details

Summary
Rework the logic around quick checks for auditing that take place at
system-call entry and whenever audit arguments or return values are
captured:

1. Expose a single global, audit_syscalls_enabled, which controls
   whether the audit framework is entered, rather than exposing
   components of the policy -- e.g., if the trail is enabled,
   suspended, etc.

2. Introduce a new function audit_syscalls_enabled_update(), which is
   called to update audit_syscalls_enabled whenever an aspect of the
   policy changes, so that the value can be updated.

3. Remove a check of trail enablement/suspension from audit_new() --
   at the point where this function has been entered, we believe that
   system-call auditing is already in force, or we wouldn't get here,
   so simply proceed to more expensive policy checks.

4. Use an audit-provided global, audit_dtrace_enabled, rather than a
   dtaudit-provided global, to provide policy indicating whether
   dtaudit would like system calls to be audited.

5. Do some minor cosmetic renaming to clarify what various variables
   are for.

These changes collectively arrange it so that traditional audit
(trail, pipes) or the DTrace audit provider can enable system-call
probes without the other configured.  Otherwise, dtaudit cannot
capture system-call data without auditd(8) started.
Test Plan

Tested by Graeme Jenkinson (Cambridge) and myself with the DTrace audit
provider.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

rwatson created this revision.Sep 28 2018, 2:32 PM
rwatson updated this revision to Diff 48553.Sep 28 2018, 2:39 PM

Remove XXXRW comment accidentally left in.

asomers added inline comments.
sys/security/audit/audit.c
395 ↗(On Diff #48553)

I don't think you can remove this check unless you add similar logic to audit_proc_coredump. Otherwise it will generate AUE_CORE records even when auditing is disabled.

sys/security/audit/audit_dtrace.c
154 ↗(On Diff #48553)

I don't think you need to document this. There's plenty of stuff that's been removed over the years.

gnn accepted this revision.Sep 30 2018, 3:38 PM

LGTM

This revision is now accepted and ready to land.Sep 30 2018, 3:38 PM
rwatson updated this revision to Diff 48615.Oct 1 2018, 2:38 PM

Fix dtaudit module build for non-DTrace / non-Audit kernels by not using
ifdefs of externals in headers. This is a build rather than functional fix.

This revision now requires review to proceed.Oct 1 2018, 2:38 PM
gnn accepted this revision.Oct 1 2018, 2:41 PM

LGTM

This revision is now accepted and ready to land.Oct 1 2018, 2:41 PM
This revision was automatically updated to reflect the committed changes.