Audit TODO, syscalls
Tom Rhodes
trhodes at FreeBSD.org
Fri May 6 15:32:23 GMT 2005
On Thu, 5 May 2005 16:51:04 -0400
Wayne Salamon <wsalamon at computer.org> wrote:
> By popular demand...
>
> Here's a quick TODO list for auditing. I'll be doing the BSM token
> function merge soon:
>
> * Add a file token to the audit startup record, containing the audit
> log file.
> * Look at what auditd writes when the file is rotated.
> * System calls: list of what needs auditing, and what has been
> audited so far.
> * Test programs: Check current coverage, add tests for events not
> currently tested.
> * Merge the new BSM lib functionality into the kernel.
> * Fix up pathname lookups in kernel. Decide when/what to audit, and
> remove canon_path().
> * MAC->Audit integration, where the audit system pulls MAC label
> information from policies.
> * More documentation, akin to an admin guide, answering the questions
> "What is audit for, and how do I use it?"
Note, I have a chapter written which I hope addresses this:
http://people.freebsd.org/~trhodes/audit/audit.html
> * Modify existing apps to set audit session info (login, ssh, etc.),
> test them, etc. Add auditing to apps. (OpenSSH may have this already?)
>
> Attached is the list of system calls, whether they need audited, and
> current audit state. Some system calls are trivial to audit because
> they have no special tokens, just header/subject/trailer tokens in
> the record. Others require more thought, and we'll probably need some
> new tokens at some point.
>
> For entries where I don't indicate auditing 'Y' or 'N', I haven't had
> time to look at these calls yet. The general criteria to decide
> whether to audit is whether the object being accessed is protected by
> DAC permissions, OR the credentials of the user are checked (suser()
> usually). Auditing is NOT a general purpose event tracing mechanism
> in the kernel. At least I don't think it is.
>
> Enjoy.
>
--
Tom Rhodes
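Wayne's note above points out that the "trivial" system calls produce a record made of nothing but header, subject and trailer tokens. The following is an added example, not code from this thread or from the TrustedBSD/OpenBSM project: it builds such a minimal BSM record with Python's struct module, parses it back into tokens, and checks the consistency rules a log reader should enforce (header byte count equals record length, trailer magic and count match the header). The token ids, field widths and trailer magic follow the BSM header32/subject32/trailer layout as I know it from OpenBSM; the header version value, event number and subject fields are constructed sample values. The escalated() helper is my own addition showing the kind of check an analyst would run over parsed records: a subject whose effective uid is root while the audit uid is an ordinary user.

```python
import struct
import time

# BSM token ids and trailer magic from the OpenBSM record layout (assumption, see lead-in)
AUT_HEADER32 = 0x14
AUT_SUBJECT32 = 0x24
AUT_TRAILER = 0x13
TRAILER_MAGIC = 0xB105
HEADER_VERSION = 11  # header version byte; constructed sample value for this example

# Fixed token sizes: header32 = 18 bytes, subject32 = 37 bytes, trailer = 7 bytes
HEADER32_FMT, HEADER32_LEN = ">BIBHHII", 18
SUBJECT32_FMT, SUBJECT32_LEN = ">BIIIIIIIII", 37
TRAILER_FMT, TRAILER_LEN = ">BHI", 7
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "addr")


def build_record(event_type, subject, secs=None, nsecs=0, modifier=0):
    """Build a header/subject/trailer-only record, as for a system call with no
    object-specific tokens. subject is a dict keyed by SUBJECT_FIELDS."""
    if secs is None:
        secs = int(time.time())
    subj = struct.pack(SUBJECT32_FMT, AUT_SUBJECT32, *[subject[f] for f in SUBJECT_FIELDS])
    total = HEADER32_LEN + len(subj) + TRAILER_LEN  # byte count covers the whole record
    hdr = struct.pack(HEADER32_FMT, AUT_HEADER32, total, HEADER_VERSION,
                      event_type, modifier, secs, nsecs)
    trl = struct.pack(TRAILER_FMT, AUT_TRAILER, TRAILER_MAGIC, total)
    return hdr + subj + trl


def parse_record(data):
    """Parse one record into a list of token dicts, rejecting malformed input."""
    if len(data) < HEADER32_LEN or data[0] != AUT_HEADER32:
        raise ValueError("record does not start with a header32 token")
    _, count, ver, ev, mod, secs, nsecs = struct.unpack_from(HEADER32_FMT, data, 0)
    if count != len(data):
        raise ValueError(f"header byte count {count} != record length {len(data)}")
    tokens = [{"token": "header32", "version": ver, "event": ev,
               "modifier": mod, "secs": secs, "nsecs": nsecs}]
    off = HEADER32_LEN
    while off < len(data):
        tid = data[off]
        if tid == AUT_SUBJECT32:
            if off + SUBJECT32_LEN > len(data):
                raise ValueError("truncated subject32 token")
            fields = struct.unpack_from(SUBJECT32_FMT[:1] + SUBJECT32_FMT[2:], data, off + 1)
            tokens.append({"token": "subject32", **dict(zip(SUBJECT_FIELDS, fields))})
            off += SUBJECT32_LEN
        elif tid == AUT_TRAILER:
            if off + TRAILER_LEN > len(data):
                raise ValueError("truncated trailer token")
            magic, tcount = struct.unpack_from(TRAILER_FMT[:1] + TRAILER_FMT[2:], data, off + 1)
            if magic != TRAILER_MAGIC or tcount != count:
                raise ValueError("trailer magic/count does not match header")
            tokens.append({"token": "trailer", "count": tcount})
            off += TRAILER_LEN
            if off != len(data):
                raise ValueError("bytes after trailer token")
        else:
            raise ValueError(f"unsupported token id 0x{tid:02x} at offset {off}")
    if tokens[-1]["token"] != "trailer":
        raise ValueError("record has no trailer token")
    return tokens


def escalated(tokens):
    """True when the subject runs with euid 0 but was audited as a non-root user,
    i.e. the call went through a privilege boundary such as a suser()-style check."""
    for t in tokens:
        if t["token"] == "subject32":
            return t["euid"] == 0 and t["auid"] != 0
    return False


if __name__ == "__main__":
    # Constructed sample subject: audit uid 1001 running a setuid process as root
    sample_subject = {"auid": 1001, "euid": 0, "egid": 0, "ruid": 1001, "rgid": 1001,
                      "pid": 4242, "sid": 99, "port": 0, "addr": 0x7F000001}
    rec = build_record(0x1234, sample_subject, secs=1115394723)  # event 0x1234 is a constructed value
    for tok in parse_record(rec):
        print(tok)
    print("escalated:", escalated(parse_record(rec)))
```

The parser is deliberately strict: a record whose header count disagrees with its actual length, or whose trailer does not echo the header count, is rejected rather than partially decoded, which is the behaviour a log consumer wants when auditd rotates files or a write is cut short.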