Date: Sun, 28 Apr 2019 13:07:39 +0000 (UTC) From: Robert Watson <rwatson@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r346814 - head/share/man/man4 Message-ID: <201904281307.x3SD7dei006710@repo.freebsd.org>
Author: rwatson Date: Sun Apr 28 13:07:38 2019 New Revision: 346814 URL: https://svnweb.freebsd.org/changeset/base/346814 Log: Add a man page for the DTrace Audit Provider, since we are now growing a set of provider man pages. MFC after: 3 days Sponsored by: DARPA, AFRL Added: head/share/man/man4/dtrace_audit.4 (contents, props changed) Modified: head/share/man/man4/Makefile Modified: head/share/man/man4/Makefile ============================================================================== --- head/share/man/man4/Makefile Sun Apr 28 09:54:50 2019 (r346813) +++ head/share/man/man4/Makefile Sun Apr 28 13:07:38 2019 (r346814) @@ -887,7 +887,8 @@ _ccd.4= ccd.4 .endif .if ${MK_CDDL} != "no" -_dtrace_provs= dtrace_io.4 \ +_dtrace_provs= dtrace_audit.4 \ + dtrace_io.4 \ dtrace_ip.4 \ dtrace_lockstat.4 \ dtrace_proc.4 \ @@ -896,6 +897,8 @@ _dtrace_provs= dtrace_io.4 \ dtrace_tcp.4 \ dtrace_udp.4 \ dtrace_udplite.4 + +MLINKS+= dtrace_audit.4 dtaudit.4 .endif .if ${MK_EFI} != "no" Added: head/share/man/man4/dtrace_audit.4 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/man/man4/dtrace_audit.4 Sun Apr 28 13:07:38 2019 (r346814) 
@@ -0,0 +1,178 @@ +.\"- +.\" SPDX-License-Identifier: BSD-2-Clause +.\" +.\" Copyright (c) 2019 Robert N. M. Watson +.\" +.\" This software was developed by BAE Systems, the University of Cambridge +.\" Computer Laboratory, and Memorial University under DARPA/AFRL contract +.\" FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing +.\" (TC) research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD$ +.\" +.Dd April 28, 2019 +.Dt DTRACE_AUDIT 4 +.Os +.Sh NAME +.Nm dtrace_audit +.Nd A DTrace provider for tracing +.Xr audit 4 +events +.Sh SYNOPSIS +.Pp +.Fn audit:event:aue_*:commit "char *eventname" "struct audit_record *ar" +.Fn audit:event:aue_*:bsm "char *eventname" "struct audit_record *ar" "const void *" "size_t" +.Pp +To compile this module into the kernel, place the following in your kernel +configuration file: +.Pp +.Bd -literal -offset indent +.Cd "options DTAUDIT" +.Ed +.Pp +Alternatively, to load the module at boot time, place the following line in +.Xr loader.conf 5 : +.Bd -literal -offset indent +dtaudit_load="YES" +.Ed +.Sh DESCRIPTION +The DTrace +.Nm dtaudit +provider allows users to trace events in the kernel security auditing +subsystem, +.Xr audit 4 . +.Xr audit 4 +provides detailed logging of a configurable set of security-relevant system +calls, including key arguments (such as file paths) and return values that are +copied race-free as the system call proceeds. +The +.Nm dtaudit +provider allows DTrace scripts to selectively enable in-kernel audit-record +capture for system calls, and then access those records in either the +in-kernel format or BSM format (\c +.Xr audit.log 5 ) +when the system call completes. +While the in-kernel audit record data structure is subject to change as the +kernel changes over time, it is a much more friendly interface for use in D +scripts than either those available via the DTrace system-call provider or the +BSM trail itself. +.Ss Configuration +The +.Nm dtaudit +provider relies on +.Xr audit 4 +being compiled into the kernel. 
+.Nm dtaudit +probes become available only once there is an event-to-name mapping installed +in the kernel, normally done by +.Xr auditd 8 +during the boot process, if audit is enabled in +.Xr rc.conf 5 : +.Bd -literal -offset indent +auditd_enable="YES" +.Ed +.Pp +If +.Nm dtaudit +probes are required earlier in boot -- for example, in single-user mode -- or +without enabling +.Xr audit 4 , +they can be preloaded in the boot loader by adding this line to +.Xr loader.conf 5 . +.Bd -literal -offset indent +audit_event_load="YES" +.Ed +.Ss Probes +The +.Fn audit:event:aue_*:commit +probes fire synchronously during system-call return, giving access to two +arguments: a +.Vt char * +audit event name, and +the +.Vt struct audit_record * +in-kernel audit record. +Because the probe fires in system-call return, the user thread has not yet +regained control, and additional information from the thread and process +remains available for capture by the script. +.Pp +The +.Fn audit:event:aue_*:bsm +probes fire asynchonously from system-call return, following BSM conversion +and just prior to being written to disk, giving access to four arguments: a +.Vt char * +audit event name, the +.Vt struct audit_record * +in-kernel audit record, a +.Vt const void * +pointer to the converted BSM record, and a +.Vt size_t +for the length of the BSM record. +.Sh IMPLEMENTATION NOTES +When a set of +.Nm dtaudit +probes are registered, corresponding in-kernel audit records will be captured +and their probes will fire regardless of whether the +.Xr audit 4 +subsystem itself would have captured the record for the purposes of writing it +to the audit trail, or for delivery to a +.Xr auditpipe 4 . +In-kernel audit records allocated only because of enabled +.Xr dtaudit 4 +probes will not be unnecessarily written to the audit trail or enabled pipes. 
+.Sh SEE ALSO +.Xr dtrace 1 , +.Xr audit 4 , +.Xr audit.log 5 , +.Xr loader.conf 5 , +.Xr rc.conf 5 , +.Xr auditd 8 +.Sh HISTORY +The +.Nm dtaudit +provider first appeared in +.Fx 12.0 . +.Sh AUTHORS +This software and this manual page were developed by BAE Systems, the +University of Cambridge Computer Laboratory, and Memorial University under +DARPA/AFRL contract +.Pq FA8650-15-C-7558 +.Pq Do CADETS Dc , +as part of the DARPA Transparent Computing (TC) research program. +The +.Nm dtaudit +provider and this manual page were written by +.An Robert Watson Aq Mt rwatson@FreeBSD.org . +.Sh BUGS +Because +.Xr audit 4 +maintains its primary event-to-name mapping database in userspace, that +database must be loaded into the kernel before +.Nm dtaudit +probes become available. +.Pp +.Nm dtaudit +is only able to provide access to system-call audit events, not the full +scope of userspace events, such as those relating to login, password change, +and so on.
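Review bot: the dtrace_audit.4 hunk has a spelling error in the Probes section, "fire asynchonously from system-call return" should read "asynchronously", and the page name is used inconsistently: the NAME section declares `.Nm dtrace_audit` (matching `.Dt DTRACE_AUDIT 4`), but every later reference is `.Nm dtaudit`, so the DESCRIPTION, Configuration, IMPLEMENTATION NOTES, HISTORY and BUGS text renders the link name rather than the page name; pick one (the module and loader tunable are both spelled dtaudit, so `.Nm dtaudit` throughout with `.Nm dtrace_audit` as the alternate name would be the usual mdoc form). Two smaller points in the same hunk: the Configuration sentence introducing the audit_event_load block ends with `.Xr loader.conf 5 .` where the parallel SYNOPSIS sentence ends with `.Xr loader.conf 5 :`, so the colon should be used in both places; and in IMPLEMENTATION NOTES "When a set of ... probes are registered" has a singular subject, so "is registered" is correct. Finally, the SYNOPSIS `.Fn` line for the bsm probe gives its last two arguments as bare types, `"const void *" "size_t"`, while the first two carry parameter names; adding names for the BSM record pointer and its length would make the synopsis match the prose in the Probes section.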