svn commit: r316176 - in head/sys: conf modules/dtrace modules/dtrace/dtaudit security/audit
Konstantin Belousov
kostikbel at gmail.com
Thu Mar 30 06:39:44 UTC 2017
On Wed, Mar 29, 2017 at 07:58:00PM +0000, Robert Watson wrote:
> Author: rwatson
> Date: Wed Mar 29 19:58:00 2017
> New Revision: 316176
> URL: https://svnweb.freebsd.org/changeset/base/316176
>
> Log:
> Add an experimental DTrace audit provider, which allows users of DTrace to
> instrument security event auditing rather than relying on conventional BSM
> trail files or audit pipes:
>
> - Add a set of per-event 'commit' probes, which provide access to
> particular auditable events at the time of commit in system-call return.
> These probes gain access to audit data via the in-kernel audit_record
> data structure, providing convenient access to system-call arguments and
> return values in a single probe.
>
> - Add a set of per-event 'bsm' probes, which provide access to particular
> auditable events at the time of BSM record generation in the audit
> worker thread. These probes have access to the in-kernel audit_record
> data structure and BSM representation as would be written to a trail
> file or audit pipe -- i.e., asynchronously in the audit worker thread.
>
> DTrace probe arguments consist of the name of the audit event (to support
> future mechanisms of instrumenting multiple events via a single probe --
> e.g., using classes), a pointer to the in-kernel audit record, and an
> optional pointer to the BSM data and its length. For human convenience,
> upper-case audit event names (AUE_...) are converted to lower case in
> DTrace.
>
> DTrace scripts can now cause additional audit-based data to be collected
> on system calls, and inspect internal and BSM representations of the data.
> They do not affect data captured in the audit trail or audit pipes
> configured in the system. auditd(8) must be configured and running in
> order to provide a database of event information, as well as other audit
> configuration parameters (e.g., to capture command-line arguments or
> environmental variables) for the provider to operate.
>
> Reviewed by: gnn, jonathan, markj
> Sponsored by: DARPA, AFRL
> MFC after: 3 weeks
> Differential Revision: https://reviews.freebsd.org/D10149
On kernel configs which do not have the AUDIT option (and no DTRACE-related
options), I get
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:184:8: error: implicit declaration of function 'au_evnamemap_lookup' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
ene = au_evnamemap_lookup(event);
^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:184:6: error: incompatible integer to pointer conversion assigning to 'struct evname_elem *' from 'int' [-Werror,-Wint-conversion]
ene = au_evnamemap_lookup(event);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:197:23: error: no member named 'ene_commit_probe_enabled' in 'struct evname_elem'
probe_enabled = ene->ene_commit_probe_enabled ||
~~~ ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:198:11: error: no member named 'ene_bsm_probe_enabled' in 'struct evname_elem'
ene->ene_bsm_probe_enabled;
~~~ ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:220:35: error: no member named 'k_dtaudit_state' in 'struct kaudit_record'
ene = (struct evname_elem *)kar->k_dtaudit_state;
~~~ ^
etc.
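A DTrace script that uses the provider as the quoted commit log describes it (an added example, not code from the commit or from anyone in this thread). The provider name dtaudit, the probe layout dtaudit:event:<lower-cased AUE name>:commit and :bsm, and the argument positions arg0..arg3 are assumptions drawn from the commit log and the module directory name, not verified against the source tree.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not part of the commit or the thread.
 * Assumed probe layout:  dtaudit:event:<aue_name_lowercase>:commit
 *                        dtaudit:event:<aue_name_lowercase>:bsm
 * Assumed arguments (from the commit log):
 *   arg0  char *                  lower-cased event name, e.g. "aue_execve"
 *   arg1  struct kaudit_record *  in-kernel audit record
 *   arg2  void *                  BSM record bytes        (bsm probes only)
 *   arg3  size_t                  BSM record length       (bsm probes only)
 * auditd(8) must be running so that the event-name database is loaded.
 */
#pragma D option quiet

/* Fires at system-call return, so pid/execname are the calling process. */
dtaudit:event::commit
{
	@commits[stringof(arg0), execname] = count();
}

/*
 * Fires asynchronously in the audit worker thread: pid/execname here
 * would name the worker, not the process that caused the event, so only
 * the event name and the BSM record length are recorded.
 */
dtaudit:event::bsm
{
	@bsmsize[stringof(arg0)] = quantize(arg3);
	@bsmbytes[stringof(arg0)] = sum(arg3);
}

/* Report oversized BSM records; 4096 is an arbitrary example threshold. */
dtaudit:event::bsm
/arg3 > 4096/
{
	printf("%s: BSM record of %d bytes\n", stringof(arg0), arg3);
}

END
{
	printf("\nCommitted audit events (event, process, count):\n");
	printa("  %-24s %-16s %@8d\n", @commits);
	printf("\nBSM bytes generated per event:\n");
	printa("  %-24s %@8d\n", @bsmbytes);
	printf("\nBSM record size distribution per event:\n");
	printa(@bsmsize);
}
```

Run it as root on a kernel built with both AUDIT and the DTrace options; it only observes the records and does not alter what reaches the trail file or audit pipes.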