Defining an API for audit filter modules

Robert Watson rwatson at FreeBSD.org
Tue Mar 28 15:16:01 UTC 2006 

Recently as part of the audit3 work, I added a new facility, audit pipes, to 
the FreeBSD kernel.  Audit pipes are synthetic devices that appear in /dev, 
and allow direct access to the the BSM audit record stream without dealing 
with the complexities of accessing the trail via the file system.  This avoids 
locating the trail files, parsing the files to seek to current events, dealing 
with file ownership and rotation issues, synchronizing with the audit daemon, 
etc.  It also moves us in the direction of avoiding having to commit the 
records to disk at all if live analysis (such as intrusion detection) is the 
goal of the logging, rather than producing a reliable trail for later use. 
Audit pipes, in particular, offer lossy delivery of discete records: the 
application can set the maximum queue depth, and track overflows (drops), etc.

In order to make audit pipes more accessible and immediately useful for 
application developers, I have recently prototyped an audit filter daemon and 
audit filter API.  The goal of this work is to allow developers to produce 
"pluggable modules" to a standard module API, which will be presented audit 
records as they arrive via a live audit pipe (or potentially other source, 
such as a socket).  The daemon provides both the I/O engine and execution 
context for BSM record management: the shared objects simply have to present 
an API to the daemon that it can use to submit records to for examination and 
handling.

Right now, the module API defined in audit_filter.h is quite limited:

typedef int (*audit_filter_attach_t)(void **instance, int argc, char *argv[]);

   Called when a module is attached by the daemon, in order to allow the filter
   to register state (via 'instance'), accept arguments (via 'argc' and
   'argv'), and optionally to reject attachment if the circumstances aren't
   right.

typedef int (*audit_filter_reinit_t)(void *instance, int argc, char *argv[]);

   Called when the auditfilterd configuration file is changed, resulting in the
   arguments for a module changing.  The new arguments are presented via 'argc'
   and 'argv'.  If an error is returned, the module is detached.

typedef void (*audit_filter_record_t)(void *instance, struct timespec *ts,
             int token_count, const tokenstr_t *tok[]);

   Called when an audit record is available for inspection by the module.  The
   record is pre-parsed into an array of token structures using au_fetch_tok().

typedef void (*audit_filter_bsmrecord_t)(void *instance, struct timespec *ts,
             void *data, u_int len);

   Called when an audit record is available for inspection by the module.  The
   record is presented in BSM bytestream, as some modules may wish to perform
   their own BSM handling rather than relying on the parsing performed using
   the libbsm routine.

typedef void (*audit_filter_detach_t)(void *instance);

   Called when the module is being detached, in order to allow the module to
   free any state, close files, etc.

This API will appear in OpenBSM 1.0a6 in the next week or so, once the code 
has stabilized a bit more.  However, the purpose of this e-mail isn't just to 
draw your attention to this new part of OpenBSM, but also to solicit feedback. 
In particular, I'm interested in two sorts of feedback:

(1) Comments on the API components thus far defined.  I do currently provide
     instance state, although a module could currently as easily use its own
     global state.  I did this to allow for the possibility of a module being
     loaded more than once at a time with different arguments, although that is
     currently not supported.  However, maybe there's more that needs to be
     done here.

(2) Comments on future API components.  One of the things I'd like to do is
     add an interest filter mechanism so that modules can push interest into
     the daemon, and eventually the kernel, to control the set of records
     gathered.  An easy obvious direction would be to allow the specification
     based on mechanisms already present via pre-selection: i.e., the request a
     mask of event classes based on audit identity.  You can imagine more
     complicated things, and ideas on how far to take this would be welcome.
     Are there other useful things that are clearly missing for an application
     you may have in mind?

Thanks,

Robert N M Watson

More information about the trustedbsd-audit mailing list