Audit TODO, syscalls
Wayne Salamon
wsalamon at computer.org
Thu May 5 20:51:04 GMT 2005
By popular demand...
Here's a quick TODO list for auditing. I'll be doing the BSM token
function merge soon:
* Add a file token to the audit startup record, containing the audit
log file.
* Look at what auditd writes when the file is rotated.
* System calls: list of what needs auditing, and what has been
audited so far.
* Test programs: Check current coverage, add tests for events not
currently tested.
* Merge the new BSM lib functionality into the kernel.
* Fix up pathname lookups in kernel. Decide when/what to audit, and
remove canon_path().
* MAC->Audit integration, where the audit system pulls MAC label
information from policies.
* More documentation, akin to an admin guide, answering the questions
"What is audit for, and how do I use it?"
* Modify existing apps to set audit session info (login, ssh, etc.),
test them, etc. Add auditing to apps. (OpenSSH may have this already?)
Attached is the list of system calls, whether they need to be audited,
and their current audit state. Some system calls are trivial to audit
because they carry no special tokens, just the header/subject/trailer
tokens in the record. Others require more thought, and we'll probably
need some new tokens at some point.
For entries where I don't indicate 'Y' or 'N' in the auditing columns,
I haven't had time to look at those calls yet. The general criterion for
deciding whether to audit a call is whether the object being accessed is
protected by DAC permissions, OR whether the credentials of the user are
checked (usually via suser()). Auditing is NOT a general-purpose event
tracing mechanism in the kernel. At least I don't think it is.
Enjoy.
-------------- next part --------------
/*
* Audited system call list.
* Field 1 -> System call name
* Field 2 -> System call number
* Field 3 -> Needs auditing (Y/N; blank = not yet reviewed)
* Field 4 -> Auditing done (Y/N; blank = not yet reviewed)
* Field 5 -> Comments (optional free text)
*/
SYS_syscall 0 Y N
SYS_exit 1 Y N
SYS_fork 2 Y Y
SYS_read 3 N N
SYS_write 4 N N
SYS_open 5 Y N
SYS_close 6 Y N
SYS_wait4 7
SYS_link 9 Y N
SYS_unlink 10 Y N
SYS_chdir 12 Y Y
SYS_fchdir 13 Y Y
SYS_mknod 14 Y N
SYS_chmod 15 Y Y
SYS_chown 16 Y Y
SYS_break 17 N N
SYS_getpid 20 N N
SYS_mount 21 Y N
SYS_unmount 22 Y N
SYS_setuid 23 Y N
SYS_getuid 24 N
SYS_geteuid 25 N
SYS_ptrace 26 Y N
SYS_recvmsg 27 Y N
SYS_sendmsg 28 Y N
SYS_recvfrom 29 Y N
SYS_accept 30 Y N
SYS_getpeername 31 N
SYS_getsockname 32 N
SYS_access 33 Y N
SYS_chflags 34 Y Y
SYS_fchflags 35 Y Y
SYS_sync 36 N
SYS_kill 37 Y N
SYS_getppid 39 N
SYS_dup 41
SYS_pipe 42 Y N
SYS_getegid 43 N
SYS_profil 44 Y N
SYS_ktrace 45 Y N
SYS_getgid 47 N
SYS_getlogin 49 N
SYS_setlogin 50 Y N
SYS_acct 51 Y N
SYS_sigaltstack 53
SYS_ioctl 54 Y N
SYS_reboot 55 Y N
SYS_revoke 56 Y N
SYS_symlink 57 Y N
SYS_readlink 58 Y N
SYS_execve 59 Y N
SYS_umask 60 Y N
SYS_chroot 61 Y N
SYS_msync 65
SYS_vfork 66 Y Y
SYS_sbrk 69 N
SYS_sstk 70
SYS_vadvise 72 N
SYS_munmap 73 Y N
SYS_mprotect 74 Y N
SYS_madvise 75 Y N suser() check
SYS_mincore 78
SYS_getgroups 79 N
SYS_setgroups 80 Y N
SYS_getpgrp 81 N
SYS_setpgid 82 Y N
SYS_setitimer 83
SYS_swapon 85 Y N
SYS_getitimer 86 N
SYS_getdtablesize 89 N
SYS_dup2 90 N
SYS_fcntl 92 Y N
SYS_select 93 N
SYS_fsync 95 Y N
SYS_setpriority 96 Y N
SYS_socket 97 Y N
SYS_connect 98 Y N
SYS_getpriority 100 N
SYS_bind 104 Y N
SYS_setsockopt 105 Y N
SYS_listen 106 N
SYS_gettimeofday 116 N
SYS_getrusage 117 N
SYS_getsockopt 118 N
SYS_readv 120 N
SYS_writev 121 N
SYS_settimeofday 122 Y N
SYS_fchown 123 Y Y
SYS_fchmod 124 Y Y
SYS_setreuid 126 Y N
SYS_setregid 127 Y N
SYS_rename 128 Y N
SYS_flock 131 Y N
SYS_mkfifo 132 Y N
SYS_sendto 133 Y N
SYS_shutdown 134 Y N
SYS_socketpair 135 Y N
SYS_mkdir 136 Y N
SYS_rmdir 137 Y N
SYS_utimes 138 Y N
SYS_adjtime 140 Y N
SYS_setsid 147 Y N
SYS_quotactl 148 Y N
SYS_nfssvc 155 Y N
SYS_lgetfh 160 Y N
SYS_getfh 161 Y N
SYS_getdomainname 162 Y N
SYS_setdomainname 163 Y N
SYS_uname 164
SYS_sysarch 165 Y N suser() check for some cmds
SYS_rtprio 166 Y N
SYS_semsys 169 Y N calls __semctl, semop
SYS_msgsys 170 Y N calls msgget, msgrcv
SYS_shmsys 171 Y N calls oshmctl, shmget, shmctl
SYS_pread 173
SYS_pwrite 174
SYS_ntp_adjtime 176 Y N
SYS_setgid 181 Y N
SYS_setegid 182 Y N
SYS_seteuid 183 Y N
SYS_stat 188 Y N
SYS_fstat 189 Y N
SYS_lstat 190 Y N
SYS_pathconf 191 Y N
SYS_fpathconf 192 Y N
SYS_getrlimit 194 N
SYS_setrlimit 195 Y N
SYS_getdirentries 196 Y Y
SYS_mmap 197 Y N
SYS___syscall 198
SYS_lseek 199 N
SYS_truncate 200 Y N
SYS_ftruncate 201 Y N
SYS___sysctl 202 Y N
SYS_mlock 203 Y N
SYS_munlock 204 Y N
SYS_undelete 205 Y N
SYS_futimes 206 Y Y
SYS_getpgid 207 N
SYS_poll 209
SYS___semctl 220 Y N
SYS_semget 221 Y N
SYS_semop 222 Y N
SYS_msgctl 224 Y N
SYS_msgget 225 Y N
SYS_msgsnd 226 Y N
SYS_msgrcv 227 Y N
SYS_shmat 228 Y N
SYS_shmctl 229 Y N
SYS_shmdt 230 Y N
SYS_shmget 231 Y N
SYS_clock_gettime 232
SYS_clock_settime 233 Y N
SYS_clock_getres 234
SYS_nanosleep 240
SYS_minherit 250 Y N
SYS_rfork 251 Y Y
SYS_openbsd_poll 252
SYS_issetugid 253
SYS_lchown 254 Y Y
SYS_getdents 272 Y N
SYS_lchmod 274 Y Y
SYS_netbsd_lchown 275 Y N
SYS_lutimes 276 Y N
SYS_netbsd_msync 277
SYS_nstat 278 Y N
SYS_nfstat 279 Y N
SYS_nlstat 280 Y N
SYS_fhopen 298 Y N
SYS_fhstat 299 Y N
SYS_modnext 300
SYS_modstat 301
SYS_modfnext 302
SYS_modfind 303
SYS_kldload 304 Y N
SYS_kldunload 305 Y N
SYS_kldfind 306 Y N
SYS_kldnext 307 Y N
SYS_kldstat 308 Y N
SYS_kldfirstmod 309 Y N
SYS_getsid 310 N
SYS_setresuid 311 Y N
SYS_setresgid 312 Y N
SYS_aio_return 314
SYS_aio_suspend 315
SYS_aio_cancel 316
SYS_aio_error 317
SYS_aio_read 318
SYS_aio_write 319
SYS_lio_listio 320
SYS_yield 321
SYS_mlockall 324 Y N
SYS_munlockall 325 Y N
SYS___getcwd 326
SYS_sched_setparam 327
SYS_sched_getparam 328
SYS_sched_setscheduler 329
SYS_sched_getscheduler 330
SYS_sched_yield 331
SYS_sched_get_priority_max 332
SYS_sched_get_priority_min 333
SYS_sched_rr_get_interval 334
SYS_utrace 335
SYS_kldsym 337
SYS_jail 338 Y N
SYS_sigprocmask 340 Y N
SYS_sigsuspend 341 Y N
SYS_sigpending 343 Y N
SYS_sigtimedwait 345
SYS_sigwaitinfo 346
SYS___acl_get_file 347 Y N
SYS___acl_set_file 348 Y N
SYS___acl_get_fd 349 Y N
SYS___acl_set_fd 350 Y N
SYS___acl_delete_file 351 Y N
SYS___acl_delete_fd 352 Y N
SYS___acl_aclcheck_file 353 Y N
SYS___acl_aclcheck_fd 354 Y N
SYS_extattrctl 355 Y N
SYS_extattr_set_file 356 Y N
SYS_extattr_get_file 357 Y N
SYS_extattr_delete_file 358 Y N
SYS_aio_waitcomplete 359
SYS_getresuid 360 N
SYS_getresgid 361 N
SYS_kqueue 362
SYS_kevent 363
SYS_extattr_set_fd 371 Y N
SYS_extattr_get_fd 372
SYS_extattr_delete_fd 373 Y N
SYS___setugid 374
SYS_nfsclnt 375
SYS_eaccess 376
SYS_nmount 378
SYS_kse_exit 379
SYS_kse_wakeup 380
SYS_kse_create 381
SYS_kse_thr_interrupt 382
SYS_kse_release 383
SYS___mac_get_proc 384 Y N
SYS___mac_set_proc 385 Y N
SYS___mac_get_fd 386 Y N
SYS___mac_get_file 387 Y N
SYS___mac_set_fd 388 Y N
SYS___mac_set_file 389 Y N
SYS_kenv 390
SYS_lchflags 391 Y Y
SYS_uuidgen 392 N N
SYS_sendfile 393 Y N
SYS_mac_syscall 394 Y N
SYS_getfsstat 395 Y N
SYS_statfs 396 Y N
SYS_fstatfs 397 Y N
SYS_fhstatfs 398 Y N
SYS_ksem_close 400
SYS_ksem_post 401
SYS_ksem_wait 402
SYS_ksem_trywait 403
SYS_ksem_init 404
SYS_ksem_open 405
SYS_ksem_unlink 406
SYS_ksem_getvalue 407
SYS_ksem_destroy 408
SYS___mac_get_pid 409 Y N
SYS___mac_get_link 410 Y N
SYS___mac_set_link 411 Y N
SYS_extattr_set_link 412 Y N
SYS_extattr_get_link 413 Y N
SYS_extattr_delete_link 414 Y N
SYS___mac_execve 415 Y N
SYS_sigaction 416
SYS_sigreturn 417
SYS_getcontext 421 Y N
SYS_setcontext 422 Y N
SYS_swapcontext 423 Y N
SYS_swapoff 424 Y N
SYS___acl_get_link 425 Y N
SYS___acl_set_link 426 Y N
SYS___acl_delete_link 427 Y N
SYS___acl_aclcheck_link 428 Y N
SYS_sigwait 429
SYS_thr_create 430 Y N
SYS_thr_exit 431 Y N
SYS_thr_self 432 Y N
SYS_thr_kill 433 Y N
SYS__umtx_lock 434 Y N
SYS__umtx_unlock 435 Y N
SYS_jail_attach 436 Y N
SYS_extattr_list_fd 437 Y N
SYS_extattr_list_file 438 Y N
SYS_extattr_list_link 439 Y N
SYS_kse_switchin 440
SYS_ksem_timedwait 441
SYS_thr_suspend 442
SYS_thr_wake 443
SYS_audit 444 Y N
SYS_auditon 445 Y N
SYS_getauid 446 Y N
SYS_setauid 447 Y N
SYS_getaudit 448 Y N
SYS_setaudit 449 Y N
SYS_getaudit_addr 450 Y N
SYS_setaudit_addr 451 Y N
SYS_auditctl 452 Y N
-------------- next part --------------
-------
Wayne Salamon