some questions about audit
Wayne Salamon
wsalamon at computer.org
Wed Oct 12 11:25:29 GMT 2005
On Oct 12, 2005, at 5:33 AM, panxj wrote:
> Hi,all:
> I have downloaded trustedbsd_audit3 through perforce, and want
> to add some further enhancements to it. I'm reading the source code,
> but now have some questions:
> (1) There are over 1000 system calls in the current system (including the
> binary-compatible system calls, such as functions listed in
> linux_sysent). But argument-collection points are only added in
> about 28 functions. Is it sufficient? And is there any documentation
> about why these collection points are added?
The goal of auditing is to log access to protected objects (files,
shared memory, etc.). Therefore, not all system calls will be audited,
but rather those that provide access to these objects. There are some
areas where the object isn't obvious, such as when super-user access
is required for a system call (the shutdown() syscall, for example).
In this case the "object" is super-user privilege.
Many system calls will not have any audited arguments. In those
cases, having the audit event associated with the
system call in syscalls.master will cause an audit record to be
generated that will contain header, subject, and trailer tokens.
In the TrustedBSD audit3 branch, the notes/syscall_audit.tsv file (a
work in progress) contains information on the system calls, what
arguments are audited, and other information. In addition, the Basic
Security Module documentation available from Sun contains much of the
information on what is audited for the system. The rationale for
auditing a system call is based on object access; what arguments get
audited is, in many cases, a judgement call, although it's usually
obvious (e.g. the new file mode for chmod()).
> (2) What's the status of the audit subsystem? Is it 90% done,
> or 30%? When will it be added to the release?
>
The audit infrastructure is in place, and works (although some issues
need to be resolved). For the kernel, as you've noticed, many system
calls need auditing. Several user space programs still need to be
examined, and auditing added (user space can submit audit records via
the audit() system call).
Can you describe what enhancements you are considering?
------------------------
Wayne Salamon
wsalamon at freebsd.org
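As an added illustration of the record layout described above (header, subject and trailer tokens around the audited arguments), and not code from the audit3 branch or from either poster: a small Python builder and checker for a minimal BSM record. The token ids and field layouts are taken from OpenBSM's audit_record.h and are assumed to match audit3; the header version, event number and subject ids are constructed sample values.

```python
import struct

# Token ids, trailer magic and token layouts follow OpenBSM's audit_record.h
# (assumed to match the audit3 branch); only the 32-bit token variants are used.
AUT_TRAILER, AUT_HEADER32, AUT_SUBJECT32, AUT_TEXT = 0x13, 0x14, 0x24, 0x28
TRAILER_MAGIC = 0xB105
HEADER_VERSION = 11                      # assumption: OpenBSM's header version
HDR_LEN, SUBJ_LEN, TRL_LEN = 18, 37, 7   # fixed sizes of header32/subject32/trailer

def build_record(event, subject, text, secs=0, msecs=0):
    """header32 + subject32 + text + trailer.  subject is the 9-tuple
    (auid, euid, egid, ruid, rgid, pid, sid, tid_port, tid_addr)."""
    txt = text.encode() + b"\0"                       # text token is NUL terminated
    body = struct.pack(">B9I", AUT_SUBJECT32, *subject)
    body += struct.pack(">BH", AUT_TEXT, len(txt)) + txt
    size = HDR_LEN + len(body) + TRL_LEN              # byte count covers the whole record
    hdr = struct.pack(">BIBHHII", AUT_HEADER32, size, HEADER_VERSION, event, 0, secs, msecs)
    return hdr + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, size)

def parse_record(buf):
    """Walk the tokens of one record; raise ValueError when the framing is
    inconsistent (bad header, byte count mismatch, unknown token, bad trailer)."""
    tid, size, version, event, _mod, secs, msecs = struct.unpack_from(">BIBHHII", buf, 0)
    if tid != AUT_HEADER32:
        raise ValueError("record does not start with a header32 token")
    if size != len(buf):
        raise ValueError("header byte count %d != record length %d" % (size, len(buf)))
    rec = {"event": event, "version": version, "size": size, "subject": None, "text": None}
    off = HDR_LEN
    while off < size:
        tid = buf[off]
        if tid == AUT_SUBJECT32:
            rec["subject"] = struct.unpack_from(">9I", buf, off + 1)
            off += SUBJ_LEN
        elif tid == AUT_TEXT:
            (n,) = struct.unpack_from(">H", buf, off + 1)
            rec["text"] = buf[off + 3:off + 3 + n].rstrip(b"\0").decode()
            off += 3 + n
        elif tid == AUT_TRAILER:
            magic, count = struct.unpack_from(">HI", buf, off + 1)
            # trailer must be last, carry the magic and repeat the header's count
            if magic != TRAILER_MAGIC or count != size or off + TRL_LEN != size:
                raise ValueError("bad trailer (magic %#x, count %d)" % (magic, count))
            return rec
        else:
            raise ValueError("unknown token id %#x at offset %d" % (tid, off))
    raise ValueError("record has no trailer token")
```

A record that is truncated, or whose trailer magic or byte count disagrees with the header, is rejected rather than partially decoded, which is the check an audit-trail reader wants before trusting a record's tokens.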