svn commit: r339085 - head/sys/security/audit

Alan Somers asomers at freebsd.org
Tue Oct 2 17:22:13 UTC 2018


On Tue, Oct 2, 2018 at 9:58 AM Robert Watson <rwatson at freebsd.org> wrote:

> Author: rwatson
> Date: Tue Oct  2 15:58:17 2018
> New Revision: 339085
> URL: https://svnweb.freebsd.org/changeset/base/339085
>
> Log:
>   Rework the logic around quick checks for auditing that take place at
>   system-call entry and whenever audit arguments or return values are
>   captured:
>
>   1. Expose a single global, audit_syscalls_enabled, which controls
>      whether the audit framework is entered, rather than exposing
>      components of the policy -- e.g., if the trail is enabled,
>      suspended, etc.
>
>   2. Introduce a new function audit_syscalls_enabled_update(), which is
>      called to update audit_syscalls_enabled whenever an aspect of the
>      policy changes, so that the value can be updated.
>
>   3. Remove a check of trail enablement/suspension from audit_new() --
>      at the point where this function has been entered, we believe that
>      system-call auditing is already in force, or we wouldn't get here,
>      so simply proceed to more expensive policy checks.
>
>   4. Use an audit-provided global, audit_dtrace_enabled, rather than a
>      dtaudit-provided global, to provide policy indicating whether
>      dtaudit would like system calls to be audited.
>
>   5. Do some minor cosmetic renaming to clarify what various variables
>      are for.
>
>   These changes collectively arrange it so that traditional audit
>   (trail, pipes) or the DTrace audit provider can enable system-call
>   probes without the other configured.  Otherwise, dtaudit cannot
>   capture system-call data without auditd(8) started.
>
>   Reviewed by:          gnn
>   Sponsored by:         DARPA, AFRL
>   Approved by:          re (gjb)
>   Differential Revision:        https://reviews.freebsd.org/D17348
>
> Modified:
>   head/sys/security/audit/audit.c
>   head/sys/security/audit/audit.h
>   head/sys/security/audit/audit_dtrace.c
>   head/sys/security/audit/audit_private.h
>   head/sys/security/audit/audit_syscalls.c
>   head/sys/security/audit/audit_worker.c
>

Did you check the logic around audit_proc_coredump too?  I think this
change will cause AUE_CORE events to be emitted even when auditing is
disabled.
-Alan
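As an added illustration of the design in the quoted log (a model, not FreeBSD's code; the policy struct and its field names are assumptions), this C snippet shows the single cached fast-path flag being recomputed by an update routine whenever any policy input changes, so that either the trail/pipes or the DTrace provider alone is enough to turn system-call auditing on:

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed policy inputs that feed the single fast-path global. */
struct audit_policy {
    bool trail_enabled;    /* auditd(8) has a trail open */
    bool trail_suspended;  /* trail temporarily suspended */
    int  pipe_count;       /* open audit pipes */
    bool dtrace_enabled;   /* models audit_dtrace_enabled (dtaudit wants records) */
};

/* Models audit_syscalls_enabled: one global read at system-call entry. */
static bool audit_syscalls_enabled;

/* Models audit_syscalls_enabled_update(): must be called after every policy
 * change, because the flag is a cache of the policy, not the policy itself. */
void audit_syscalls_enabled_update(const struct audit_policy *p)
{
    bool trail = p->trail_enabled && !p->trail_suspended;
    audit_syscalls_enabled = trail || p->pipe_count > 0 || p->dtrace_enabled;
}

/* Quick check at system-call entry: a single load, no walk of the policy. */
bool audit_syscall_enter_check(void)
{
    return audit_syscalls_enabled;
}

/* Apply a policy and report the resulting fast-path decision. */
bool syscalls_audited_under(bool trail_on, bool suspended, int pipes, bool dtrace)
{
    struct audit_policy p = { trail_on, suspended, pipes, dtrace };
    audit_syscalls_enabled_update(&p);
    return audit_syscall_enter_check();
}

int main(void)
{
    printf("nothing configured:          %d\n", syscalls_audited_under(false, false, 0, false));
    printf("trail only:                  %d\n", syscalls_audited_under(true, false, 0, false));
    printf("trail suspended:             %d\n", syscalls_audited_under(true, true, 0, false));
    printf("dtaudit without auditd(8):   %d\n", syscalls_audited_under(false, false, 0, true));
    printf("audit pipe only:             %d\n", syscalls_audited_under(false, false, 1, false));
    return 0;
}
```

The last two lines of output are the case the log describes: a consumer other than the trail can enable the system-call probes on its own.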


More information about the svn-src-head mailing list