Welcome, and also POSIX.1e auditing (fwd)

Robert Watson robert at cyrus.watson.org
Wed Mar 3 21:34:14 GMT 1999


On Tue, 2 Mar 1999, Casey Schaufler wrote:

> Audit:
> 
> The audit section is a disaster. The two major camps fought so hard
> that in the end no one survived, and the spec shows it. There are
> a few good ideas present, but the section lacks any sort of
> usefulness.

I have thus far implemented large parts of the auditing code for FreeBSD
4.0.  A brief outline essentially went like this: 

Kernel:

Add some light-weight audit hooks optimized for the common case, that
queue to a device (/dev/audit).  A few syscalls were added, including an
aud_write_sc (wrapped by the library call aud_write), aud_switch_sc
(wrapped by aud_switch), and aud_get_id_sc (wrapped appropriately).
aud_write also queues to /dev/audit, although not checked in the kernel
for accuracy, but stamped with supporting information (such as the audit
id of the process).

Daemon:

Simple auditd that listens on /dev/audit (after disabling auditing of
itself for the obvious reason :-), and then verifies the validity of
forwarded records, and writes them to /var/log/audit, with hooks for
processing and filtering that I have not yet implemented.  Largely relies
on the library calls (aud_read, aud_valid, etc) to do the work.

Library:

Built up a structure fairly close to that described in the draft, with
limitations based on ambiguities or OS based limitations (no such thing as
an atomic read of an audit record).

I defined a simple flattened structure for audit records that I use for
all byte-wise transmission of records.  The format is designed so that
the kernel can just append to the end of a buffer to add more information,
and copy the whole buffer to userland via normal device reads, rather than
actually being a multi-dimensional structure one imagines from the audit
record description.  In the library, however, a far more expensive
structure is used.

I have not yet profiled, or even hooked all the syscalls.  The main
concern I had from an implementation standpoint was efficiency: full
auditing would occur at almost every syscall.  I considered alternatives
to a /dev/audit in the form of the kernel directly dumping to a file
(similar to the BSD accounting behavior), but went for simplicity on my
first pass at the problem.
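The flattened, append-only record layout and the "no atomic read" caveat from the message above, as an added illustration that is not Robert's FreeBSD code: a hypothetical header plus tag/length/value fields the kernel side appends in place, and the userland-side check a daemon would run on whatever a device read returned before trusting the record (field names, header layout and host byte order are all assumptions of this example).

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical flat layout (not the posted code): header of u32 total
 * length, u32 audit id, u16 event type, then appended fields of
 * u8 tag, u16 length, value bytes. Host byte order is assumed. */
#define HDR_LEN 10

/* Begin a record with a placeholder length; returns bytes used, 0 on no room. */
static size_t rec_begin(uint8_t *buf, size_t cap, uint32_t aid, uint16_t ev) {
    if (cap < HDR_LEN) return 0;
    memset(buf, 0, HDR_LEN);
    memcpy(buf + 4, &aid, 4);
    memcpy(buf + 8, &ev, 2);
    return HDR_LEN;
}

/* Append one field at the end; returns the new offset, or 0 if it won't fit. */
static size_t rec_append(uint8_t *buf, size_t cap, size_t off, uint8_t tag,
                         const void *val, uint16_t len) {
    if (off < HDR_LEN || off > cap || cap - off < 3u + len) return 0;
    buf[off] = tag;
    memcpy(buf + off + 1, &len, 2);
    memcpy(buf + off + 3, val, len);
    return off + 3 + len;
}

/* Stamp the final total length into the header once all fields are in. */
static void rec_finish(uint8_t *buf, size_t off) {
    uint32_t total = (uint32_t)off;
    memcpy(buf, &total, 4);
}

/* Userland check over 'avail' bytes read so far: returns the length of the
 * first complete, well-formed record; 0 if the read was partial and more
 * bytes are needed; -1 if the record is malformed (length below the header
 * size, or a field overrunning the declared total). */
static long rec_validate(const uint8_t *buf, size_t avail) {
    uint32_t total; size_t off = HDR_LEN;
    if (avail < HDR_LEN) return 0;
    memcpy(&total, buf, 4);
    if (total < HDR_LEN) return -1;
    if (avail < total) return 0;          /* partial read: keep reading */
    while (off < total) {
        uint16_t len;
        if (total - off < 3) return -1;   /* truncated field header */
        memcpy(&len, buf + off + 1, 2);
        if (total - off - 3 < len) return -1;  /* field overruns record */
        off += 3 + len;
    }
    return (long)total;
}
```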
