Rework the logic around quick checks for auditing that take place at system-call entry and whenever audit arguments or return values are captured: 1. Expose a single global, audit_syscalls_enabled, which controls whether the audit framework is entered, rather than exposing components of the policy -- e.g., if the trail is enabled, suspended, etc. 2. Introduce a new function audit_syscalls_enabled_update(), which is called to update audit_syscalls_enabled whenever an aspect of the policy changes, so that the value can be updated. 3. Remove a check of trail enablement/suspension from audit_new() -- at the point where this function has been entered, we believe that system-call auditing is already in force, or we wouldn't get here, so simply proceed to more expensive policy checks. 4. Use an audit-provided global, audit_dtrace_enabled, rather than a dtaudit-provided global, to provide policy indicating whether dtaudit would like system calls to be audited. 5. Do some minor cosmetic renaming to clarify what various variables are for. These changes collectively arrange it so that traditional audit (trail, pipes) or the DTrace audit provider can enable system-call probes without the other configured. Otherwise, dtaudit cannot capture system-call data without auditd(8) started.
Details
Details
- Reviewers
gnn - Group Reviewers
Audit - Commits
- rS339085: Rework the logic around quick checks for auditing that take place at
Tested by Graeme Jenkinson (Cambridge) and myself with the DTrace audit
provider.
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Passed - Unit
No Test Coverage - Build Status
Buildable 19864 Build 19392: arc lint + arc unit
Event Timeline
sys/security/audit/audit.c | ||
---|---|---|
395 | I don't think you can remove this check unless you add similar logic to audit_proc_coredump. Otherwise it will generate AUE_CORE records even when auditing is disabled. | |
sys/security/audit/audit_dtrace.c | ||
154 | I don't think you need to document this. There's plenty of stuff that's been removed over the years. |
Comment Actions
Fix dtaudit module build for non-DTrace / non-Audit kernels by not using
ifdefs of externals in headers. This is a build rather than functional fix.