Welcome, and also POSIX.1e auditing (fwd)
Robert Watson
robert at cyrus.watson.org
Wed Mar 3 21:34:14 GMT 1999
On Tue, 2 Mar 1999, Casey Schaufler wrote:
> Audit:
>
> The audit section is a disaster. The two major camps fought so hard
> that in the end no one survived, and the spec shows it. There are
> a few good ideas present, but the section lacks any sort of
> usefullness.
I have thus far implemented large parts of the auditing code for FreeBSD
4.0. A brief outline essentially went like this:
Kernel:
Add some light-weight audit hooks optimized for the common case, that
queue to a device (/dev/audit). A few syscalls were added, including an
aud_write_sc (wrapped by the library call aud_write), aud_switch_sc
(wrapped by aud_switch), and aud_get_id_sc (wrapped appropriately).
aud_write also queues to /dev/audit, although not checked in the kernel
for accuracy, but stamped with supporting information (such as the audit
id of the process).
Daemon:
Simple auditd that listens on /dev/audit (after disabling auditing of
itself for the obvious reason :-), and then verifies the validity of
forwarded records, and writes them to /var/log/audit, with hooks for
processing and filtering that I have not yet implemented. Largely relies
on the library calls (aud_read, aud_valid, etc) to do the work.
Library:
Built up a structure fairly close to that described in the draft, with
limitations based on ambiguities or OS based limitations (no such thing as
an atomic read of an audit record).
I defined a simple flattened structure for audit records that I use for
all byte-wise transmission of records. The format is designed so that
the kernel can just append to the end of a buffer to add more information,
and copy the whole buffer to userland via normal device reads, rather than
actually being a multi-dimmensional structure one imagines from the audit
record description. In the library, however, a far more expensive
structure is used.
I have not yet profiled, or even hooked all the syscalls. The main
concern I had from an implementation standpoint was efficiency: full
auditing would occur at almost every syscall. I considered alternatives
to a /dev/audit in the form of the kernel directly dumping to a file
(similar to the BSD accounting behavior), but went for simplicity on my
first pass at the problem.
More information about the posix1e
mailing list