cvs commit: src/sys/security/audit audit.c audit_bsm_klib.c audit_ioctl.h audit_pipe.c audit_private.h audit_worker.c

Robert Watson rwatson at
Mon Jun 5 14:50:15 UTC 2006

rwatson     2006-06-05 14:48:17 UTC

  FreeBSD src repository

  Modified files:
    sys/security/audit   audit.c audit_bsm_klib.c audit_ioctl.h 
                         audit_pipe.c audit_private.h 
  Introduce support for per-audit pipe preselection independent from the
  global audit trail configuration.  This allows applications consuming
  audit trails to specify parameters for which audit records are of
  interest, including selecting records not required by the global trail.
  Allowing application interest specification without changing the global
  configuration allows intrusion detection systems to run without
  interfering with global auditing or each other (if multiple are
  present).  To implement this:
  - Kernel audit records now carry a flag to indicate whether they have
    been selected by the global trail or by the audit pipe subsystem,
    set during record commit, so that this information is available
    after BSM conversion when delivering the BSM to the trail and audit
    pipes in the audit worker thread asynchronously.  Preselection by
    either record target will cause the record to be kept.
  - Similar changes to preselection when the audit record is created
    when the system call is entering: consult both the global trail and
  - au_preselect() now accepts the class in order to avoid repeatedly
    looking up the mask for each preselection test.
  - Define a series of ioctls that allow applications to specify whether
    they want to track the global trail, or program their own
    preselection parameters: they may specify their own flags and naflags
    masks, similar to the global masks of the same name, as well as a set
    of per-auid masks.  They also set a per-pipe mode specifying whether
    they track the global trail, or user their own -- the door is left
    open for future additional modes.  A new ioctl is defined to allow a
    user process to flush the current audit pipe queue, which can be used
    after reprogramming pre-selection to make sure that only records of
    interest are received in future reads.
  - Audit pipe data structures are extended to hold the additional fields
    necessary to support preselection.  By default, audit pipes track the
    global trail, so "praudit /dev/auditpipe" will track the global audit
    trail even though praudit doesn't program the audit pipe selection
  - Comment about the complexities of potentially adding partial read
    support to audit pipes.
  By using a set of ioctls, applications can select which records are of
  interest, and toggle the preselection mode.
  Obtained from:  TrustedBSD Project
  Revision  Changes    Path
  1.15      +28 -16    src/sys/security/audit/audit.c
  1.4       +3 -6      src/sys/security/audit/audit_bsm_klib.c
  1.3       +32 -0     src/sys/security/audit/audit_ioctl.h
  1.7       +393 -13   src/sys/security/audit/audit_pipe.c
  1.9       +13 -3     src/sys/security/audit/audit_private.h
  1.8       +49 -27    src/sys/security/audit/audit_worker.c

More information about the cvs-src mailing list