On Wed, Mar 29, 2017 at 07:58:00PM +0000, Robert Watson wrote:
> Author: rwatson
> Date: Wed Mar 29 19:58:00 2017
> New Revision: 316176
> URL: https://svnweb.freebsd.org/changeset/base/316176
> 
> Log:
>   Add an experimental DTrace audit provider, which allows users of DTrace to
>   instrument security event auditing rather than relying on conventional BSM
>   trail files or audit pipes:
>   
>   - Add a set of per-event 'commit' probes, which provide access to
>     particular auditable events at the time of commit in system-call return.
>     These probes gain access to audit data via the in-kernel audit_record
>     data structure, providing convenient access to system-call arguments and
>     return values in a single probe.
>   
>   - Add a set of per-event 'bsm' probes, which provide access to particular
>     auditable events at the time of BSM record generation in the audit
>     worker thread. These probes have access to the in-kernel audit_record
>     data structure and BSM representation as would be written to a trail
>     file or audit pipe -- i.e., asynchronously in the audit worker thread.
>   
>   DTrace probe arguments consist of the name of the audit event (to support
>   future mechanisms of instrumenting multiple events via a single probe --
>   e.g., using classes), a pointer to the in-kernel audit record, and an
>   optional pointer to the BSM data and its length. For human convenience,
>   upper-case audit event names (AUE_...) are converted to lower case in
>   DTrace.
>   
>   DTrace scripts can now cause additional audit-based data to be collected
>   on system calls, and inspect internal and BSM representations of the data.
>   They do not affect data captured in the audit trail or audit pipes
>   configured in the system. auditd(8) must be configured and running in
>   order to provide a database of event information, as well as other audit
>   configuration parameters (e.g., to capture command-line arguments or
>   environmental variables) for the provider to operate.
>   
>   Reviewed by:        gnn, jonathan, markj
>   Sponsored by:       DARPA, AFRL
>   MFC after:  3 weeks
>   Differential Revision:      https://reviews.freebsd.org/D10149

On kernel configs which do not have the AUDIT option (and no DTRACE-related
options), I get

/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:184:8: error: implicit declaration of function 'au_evnamemap_lookup' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
        ene = au_evnamemap_lookup(event);
              ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:184:6: error: incompatible integer to pointer conversion assigning to 'struct evname_elem *' from 'int' [-Werror,-Wint-conversion]
        ene = au_evnamemap_lookup(event);
            ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:197:23: error: no member named 'ene_commit_probe_enabled' in 'struct evname_elem'
        probe_enabled = ene->ene_commit_probe_enabled ||
                        ~~~  ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:198:11: error: no member named 'ene_bsm_probe_enabled' in 'struct evname_elem'
            ene->ene_bsm_probe_enabled;
            ~~~  ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:220:35: error: no member named 'k_dtaudit_state' in 'struct kaudit_record'
        ene = (struct evname_elem *)kar->k_dtaudit_state;
                                    ~~~  ^
etc.
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
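An added example (not part of the commit or of this thread) of the kind of script the provider in r316176 is meant to enable: a 'commit' probe that reads the live audit record at system-call return, and a 'bsm' probe that inspects the encoded record in the audit worker. It assumes the probe naming audit:event:<event>:commit and audit:event:<event>:bsm with the lower-cased AUE_ name as described in the log message, and the struct audit_record field names ar_arg_upath1, ar_retval and ar_errno from sys/security/audit/audit_private.h; the argument layout (event name, record pointer, and for bsm probes the BSM buffer and its length) is the one the log message describes. None of it is FreeBSD's own example code.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the commit or the thread above.
 * Assumptions: probe names audit:event:aue_execve:{commit,bsm};
 * args[1] is a struct audit_record * with ar_arg_upath1, ar_retval
 * and ar_errno; args[2]/args[3] on bsm probes are the BSM buffer and
 * its length. Needs options AUDIT plus the DTrace options in the
 * kernel, and auditd(8) running so the event-name table is loaded.
 */

#pragma D option quiet

/*
 * 'commit' fires in the calling thread at system-call return, so pid
 * and execname still describe the audited process. Guard the path
 * pointer: a record without a captured path holds NULL there.
 */
audit:event:aue_execve:commit
/args[1]->ar_arg_upath1 != NULL/
{
	printf("%-8d %-16s %s exec %s ret=%d errno=%d\n",
	    pid, execname, stringof(args[0]),
	    stringof(args[1]->ar_arg_upath1),
	    args[1]->ar_retval, args[1]->ar_errno);
}

/*
 * 'bsm' fires asynchronously in the audit worker thread once the BSM
 * encoding exists; only aggregate here, since execname/pid would name
 * the worker, not the audited process.
 */
audit:event:aue_execve:bsm
{
	@bsm_records[stringof(args[0])] = count();
	@bsm_bytes[stringof(args[0])] = sum(args[3]);
}

/*
 * Dump the first 16 bytes of the encoded record when there are at
 * least that many; a BSM record opens with an AUT_HEADER32 token
 * (0x14), which is what the hexdump should show first.
 */
audit:event:aue_execve:bsm
/args[3] >= 16/
{
	tracemem(args[2], 16);
}

END
{
	printa("%-20s %@d records\n", @bsm_records);
	printa("%-20s %@d bytes of BSM\n", @bsm_bytes);
}
```

Run it as root with dtrace -s on a kernel built with both the AUDIT option and the DTrace options (exactly the combination the build failure reported above concerns a kernel without), and with auditd(8) running. Enabling the probes makes the kernel build audit records for execve even if the system's audit policy would not otherwise select them, without changing what lands in the trail or audit pipes, which is the behaviour the log message describes.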
