Page MenuHomeFreeBSD

Allow DTrace audit provider probes to fire even if auditd(8) isn't running.
ClosedPublic

Authored by rwatson on Sep 28 2018, 2:32 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Nov 20, 4:32 AM
Unknown Object (File)
Oct 15 2024, 2:44 AM
Unknown Object (File)
Sep 26 2024, 4:42 AM
Unknown Object (File)
Sep 26 2024, 4:41 AM
Unknown Object (File)
Sep 20 2024, 7:41 PM
Unknown Object (File)
Sep 20 2024, 6:15 PM
Unknown Object (File)
Sep 17 2024, 5:59 PM
Unknown Object (File)
Sep 5 2024, 6:40 PM
Subscribers

Details

Summary
Rework the logic around quick checks for auditing that take place at
system-call entry and whenever audit arguments or return values are
captured:

1. Expose a single global, audit_syscalls_enabled, which controls
   whether the audit framework is entered, rather than exposing
   components of the policy -- e.g., if the trail is enabled,
   suspended, etc.

2. Introduce a new function audit_syscalls_enabled_update(), which is
   called to update audit_syscalls_enabled whenever an aspect of the
   policy changes, so that the value can be updated.

3. Remove a check of trail enablement/suspension from audit_new() --
   at the point where this function has been entered, we believe that
   system-call auditing is already in force, or we wouldn't get here,
   so simply proceed to more expensive policy checks.

4. Use an audit-provided global, audit_dtrace_enabled, rather than a
   dtaudit-provided global, to provide policy indicating whether
   dtaudit would like system calls to be audited.

5. Do some minor cosmetic renaming to clarify what various variables
   are for.

These changes collectively arrange it so that traditional audit
(trail, pipes) or the DTrace audit provider can enable system-call
probes without the other configured.  Otherwise, dtaudit cannot
capture system-call data without auditd(8) started.
Test Plan

Tested by Graeme Jenkinson (Cambridge) and myself with the DTrace audit
provider.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Remove XXXRW comment accidentally left in.

asomers added inline comments.
sys/security/audit/audit.c
395 ↗(On Diff #48553)

I don't think you can remove this check unless you add similar logic to audit_proc_coredump. Otherwise it will generate AUE_CORE records even when auditing is disabled.

sys/security/audit/audit_dtrace.c
154 ↗(On Diff #48553)

I don't think you need to document this. There's plenty of stuff that's been removed over the years.

This revision is now accepted and ready to land.Sep 30 2018, 3:38 PM

Fix dtaudit module build for non-DTrace / non-Audit kernels by not using
ifdefs of externals in headers. This is a build rather than functional fix.

This revision now requires review to proceed.Oct 1 2018, 2:38 PM
This revision is now accepted and ready to land.Oct 1 2018, 2:41 PM
This revision was automatically updated to reflect the committed changes.