some questions about audit

Wayne Salamon wsalamon at computer.org
Wed Oct 12 11:25:29 GMT 2005


On Oct 12, 2005, at 5:33 AM, panxj wrote:

> Hi, all:
>     I have downloaded trustedbsd_audit3 through perforce, and want  
> to add some further enhancement to it. I'm reading the source code,  
> but now have some questions:
> (1)There are over 1000 system-calls in current system(including the  
> binary-compatible system-calls, such as functions listed in  
> linux_sysent). But arguments-collection points are only added in  
> about 28 functions. Is it sufficient? And is there any documents  
> about why these collection points are added?

The goal of auditing is to log access to protected objects (files,  
shared memory, etc.) Therefore, not all system calls will be audited,  
but rather those that provide access to these objects. There are some  
areas where the object isn't obvious, such as when super-user access  
is required for a system call (the shutdown() syscall, for example).  
In this case the "object" is super-user privilege.

Many system calls will not have any audited arguments. In those  
cases, having the audit event associated with the
system call in syscalls.master will cause an audit record to be  
generated that will contain header, subject, and trailer tokens.

In the TrustedBSD audit3 branch, the notes/syscall_audit.tsv file (a  
work in progress) contains information on the system calls, what  
arguments are audited, and other information. In addition, the Basic  
Security Module documentation available from Sun contains much of the  
information on what is audited for the system. The rationale for  
auditing a system call is based on object access; what arguments get  
audited is, in many cases, a judgement call, although it's usually  
obvious (e.g. the new file mode for chmod()).

> (2)What's the status of the audit-subsystem? Has it been done  
> for 90%, or 30%? When will it be added to the release?
>

The audit infrastructure is in place, and works (although some issues  
need to be resolved). For the kernel, as you've noticed, many system  
calls need auditing.  Several user space programs still need to be  
examined, and auditing added (user space can submit audit records via  
the audit() system call).

Can you describe what enhancements you are considering?

------------------------
Wayne Salamon
wsalamon at freebsd.org
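The reply above says that a syscall with no audited arguments still produces a record made of header, subject and trailer tokens, and that user space can hand such records to the kernel through audit(). The following Python is an added example, not code from the thread or from TrustedBSD/OpenBSM: it builds a minimal BSM record in that shape (header32, subject32, return32, trailer) and parses it back, checking the framing invariants an audit log reader relies on (the byte count in the header matches the one in the trailer and the actual length, and the trailer carries the 0xB105 magic). Token ids, layouts and the version number follow OpenBSM's audit_record.h; the subject and event values are constructed sample data. On a real system the token assembly is done by libbsm's au_to_*() / au_open() / au_write() / au_close() rather than by hand.

```python
import struct

# Token ids and constants as defined in OpenBSM's bsm/audit_record.h.
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_TRAILER_MAGIC = 0xB105
AUDIT_HEADER_VERSION_OPENBSM = 11
AUE_NULL = 0  # placeholder event number used for the constructed sample

HEADER32_LEN = 18   # id(1) size(4) version(1) event(2) modifier(2) sec(4) msec(4)
SUBJECT32_LEN = 37  # id(1) + 9 x 32-bit fields
RETURN32_LEN = 6    # id(1) errno(1) retval(4)
TRAILER_LEN = 7     # id(1) magic(2) size(4)


def header32(rec_len, event, modifier, sec, msec):
    return struct.pack(">BIBHHII", AUT_HEADER32, rec_len,
                       AUDIT_HEADER_VERSION_OPENBSM, event, modifier, sec, msec)


def subject32(auid, euid, egid, ruid, rgid, pid, sid, port, addr):
    return struct.pack(">B9I", AUT_SUBJECT32,
                       auid, euid, egid, ruid, rgid, pid, sid, port, addr)


def return32(errno, retval):
    return struct.pack(">BBI", AUT_RETURN32, errno, retval & 0xFFFFFFFF)


def trailer(rec_len):
    return struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, rec_len)


def build_record(event, subject_fields, errno, retval, sec=0, msec=0):
    """Assemble header + subject + return + trailer; the header and trailer
    both carry the total record length, so compute it before packing."""
    body = subject32(*subject_fields) + return32(errno, retval)
    rec_len = HEADER32_LEN + len(body) + TRAILER_LEN
    return header32(rec_len, event, 0, sec, msec) + body + trailer(rec_len)


def sample_record():
    # Constructed subject: audit id/uids/gids 1001, pid and session 4242,
    # no terminal (port 0, addr 0); successful call (errno 0, retval 0).
    return build_record(AUE_NULL, (1001, 1001, 1001, 1001, 1001, 4242, 4242, 0, 0),
                        errno=0, retval=0, sec=1129116329, msec=0)


def parse_record(buf):
    """Walk the tokens of one record. Returns [(token_name, fields), ...] or
    raises ValueError when the framing is inconsistent or a token is unknown."""
    if len(buf) < HEADER32_LEN or buf[0] != AUT_HEADER32:
        raise ValueError("record does not start with a header32 token")
    rec_len, ver, event, mod, sec, msec = struct.unpack_from(">IBHHII", buf, 1)
    if rec_len != len(buf):
        raise ValueError("header byte count %d != buffer length %d" % (rec_len, len(buf)))
    tokens = [("header32", dict(size=rec_len, version=ver, event=event,
                                modifier=mod, sec=sec, msec=msec))]
    off = HEADER32_LEN
    while off < len(buf):
        tid = buf[off]
        if tid == AUT_SUBJECT32:
            names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "addr")
            fields = struct.unpack_from(">9I", buf, off + 1)
            tokens.append(("subject32", dict(zip(names, fields))))
            off += SUBJECT32_LEN
        elif tid == AUT_RETURN32:
            err, ret = struct.unpack_from(">BI", buf, off + 1)
            tokens.append(("return32", dict(errno=err, retval=ret)))
            off += RETURN32_LEN
        elif tid == AUT_TRAILER:
            magic, count = struct.unpack_from(">HI", buf, off + 1)
            if magic != AUT_TRAILER_MAGIC:
                raise ValueError("bad trailer magic 0x%04x" % magic)
            if count != rec_len:
                raise ValueError("trailer byte count %d != header byte count %d" % (count, rec_len))
            tokens.append(("trailer", dict(size=count)))
            off += TRAILER_LEN
            if off != len(buf):
                raise ValueError("%d trailing bytes after trailer token" % (len(buf) - off))
        else:
            raise ValueError("unsupported token id 0x%02x at offset %d" % (tid, off))
    if tokens[-1][0] != "trailer":
        raise ValueError("record lacks a trailer token")
    return tokens


if __name__ == "__main__":
    for name, fields in parse_record(sample_record()):
        print(name, fields)
```

A record with only these tokens is exactly what the reply describes for a syscall without audited arguments (plus the return token the kernel appends); a call such as chmod() would carry additional path and argument tokens between the subject and the return, and a parser extends the dispatch loop above with their ids.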
