Date:      Sun, 28 Apr 2019 13:07:39 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r346814 - head/share/man/man4
Message-ID:  <201904281307.x3SD7dei006710@repo.freebsd.org>

Author: rwatson
Date: Sun Apr 28 13:07:38 2019
New Revision: 346814
URL: https://svnweb.freebsd.org/changeset/base/346814

Log:
  Add a man page for the DTrace Audit Provider, since we are now growing a set
  of provider man pages.
  
  MFC after:	3 days
  Sponsored by:	DARPA, AFRL

Added:
  head/share/man/man4/dtrace_audit.4   (contents, props changed)
Modified:
  head/share/man/man4/Makefile

Modified: head/share/man/man4/Makefile
==============================================================================
--- head/share/man/man4/Makefile	Sun Apr 28 09:54:50 2019	(r346813)
+++ head/share/man/man4/Makefile	Sun Apr 28 13:07:38 2019	(r346814)
@@ -887,7 +887,8 @@ _ccd.4=		ccd.4
 .endif
 
 .if ${MK_CDDL} != "no"
-_dtrace_provs=	dtrace_io.4 \
+_dtrace_provs=	dtrace_audit.4 \
+		dtrace_io.4 \
 		dtrace_ip.4 \
 		dtrace_lockstat.4 \
 		dtrace_proc.4 \
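Review bot: the insertion keeps `_dtrace_provs` alphabetically sorted (audit before io), and because the list sits inside `.if ${MK_CDDL} != "no"` the new page is only built and installed together with the other CDDL DTrace provider pages, which matches the provider it documents. The moved continuation line `+		dtrace_io.4 \` uses the same two-tab indent as the lines that follow it, so nothing to change in this hunk.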
@@ -896,6 +897,8 @@ _dtrace_provs=	dtrace_io.4 \
 		dtrace_tcp.4 \
 		dtrace_udp.4 \
 		dtrace_udplite.4
+
+MLINKS+=	dtrace_audit.4 dtaudit.4
 .endif
 
 .if ${MK_EFI} != "no"
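Review bot: the `MLINKS+=	dtrace_audit.4 dtaudit.4` entry is what makes `man dtaudit` resolve, which matters because the page body refers to the provider as `.Nm dtaudit` and the kernel option and module are also spelled `dtaudit` while the installed file is dtrace_audit.4; keeping it inside the same `MK_CDDL` guard as the provider list is correct, since the link target does not exist otherwise. Consider grouping it with any other DTrace provider MLINKS if they exist elsewhere in this Makefile so they are found together.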

Added: head/share/man/man4/dtrace_audit.4
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/man/man4/dtrace_audit.4	Sun Apr 28 13:07:38 2019	(r346814)
@@ -0,0 +1,178 @@
+.\"-
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2019 Robert N. M. Watson
+.\"
+.\" This software was developed by BAE Systems, the University of Cambridge
+.\" Computer Laboratory, and Memorial University under DARPA/AFRL contract
+.\" FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing
+.\" (TC) research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd April 28, 2019
+.Dt DTRACE_AUDIT 4
+.Os
+.Sh NAME
+.Nm dtrace_audit
+.Nd A DTrace provider for tracing
+.Xr audit 4
+events
+.Sh SYNOPSIS
+.Pp
+.Fn audit:event:aue_*:commit "char *eventname" "struct audit_record *ar"
+.Fn audit:event:aue_*:bsm "char *eventname" "struct audit_record *ar" "const void *" "size_t"
+.Pp
+To compile this module into the kernel, place the following in your kernel
+configuration file:
+.Pp
+.Bd -literal -offset indent
+.Cd "options DTAUDIT"
+.Ed
+.Pp
+Alternatively, to load the module at boot time, place the following line in
+.Xr loader.conf 5 :
+.Bd -literal -offset indent
+dtaudit_load="YES"
+.Ed
+.Sh DESCRIPTION
+The DTrace
+.Nm dtaudit
+provider allows users to trace events in the kernel security auditing
+subsystem,
+.Xr audit 4 .
+.Xr audit 4
+provides detailed logging of a configurable set of security-relevant system
+calls, including key arguments (such as file paths) and return values that are
+copied race-free as the system call proceeds.
+The
+.Nm dtaudit
+provider allows DTrace scripts to selectively enable in-kernel audit-record
+capture for system calls, and then access those records in either the
+in-kernel format or BSM format (\c
+.Xr audit.log 5 )
+when the system call completes.
+While the in-kernel audit record data structure is subject to change as the
+kernel changes over time, it is a much more friendly interface for use in D
+scripts than either those available via the DTrace system-call provider or the
+BSM trail itself.
+.Ss Configuration
+The
+.Nm dtaudit
+provider relies on
+.Xr audit 4
+being compiled into the kernel.
+.Nm dtaudit
+probes become available only once there is an event-to-name mapping installed
+in the kernel, normally done by
+.Xr auditd 8
+during the boot process, if audit is enabled in
+.Xr rc.conf 5 :
+.Bd -literal -offset indent
+auditd_enable="YES"
+.Ed
+.Pp
+If
+.Nm dtaudit
+probes are required earlier in boot -- for example, in single-user mode -- or
+without enabling
+.Xr audit 4 ,
+they can be preloaded in the boot loader by adding this line to
+.Xr loader.conf 5 .
+.Bd -literal -offset indent
+audit_event_load="YES"
+.Ed
+.Ss Probes
+The
+.Fn audit:event:aue_*:commit
+probes fire synchronously during system-call return, giving access to two
+arguments: a
+.Vt char *
+audit event name, and
+the
+.Vt struct audit_record *
+in-kernel audit record.
+Because the probe fires in system-call return, the user thread has not yet
+regained control, and additional information from the thread and process
+remains available for capture by the script.
+.Pp
+The
+.Fn audit:event:aue_*:bsm
+probes fire asynchonously from system-call return, following BSM conversion
+and just prior to being written to disk, giving access to four arguments: a
+.Vt char *
+audit event name, the
+.Vt struct audit_record *
+in-kernel audit record, a
+.Vt const void *
+pointer to the converted BSM record, and a
+.Vt size_t
+for the length of the BSM record.
+.Sh IMPLEMENTATION NOTES
+When a set of
+.Nm dtaudit
+probes are registered, corresponding in-kernel audit records will be captured
+and their probes will fire regardless of whether the
+.Xr audit 4
+subsystem itself would have captured the record for the purposes of writing it
+to the audit trail, or for delivery to a
+.Xr auditpipe 4 .
+In-kernel audit records allocated only because of enabled
+.Xr dtaudit 4
+probes will not be unnecessarily written to the audit trail or enabled pipes.
+.Sh SEE ALSO
+.Xr dtrace 1 ,
+.Xr audit 4 ,
+.Xr audit.log 5 ,
+.Xr loader.conf 5 ,
+.Xr rc.conf 5 ,
+.Xr auditd 8
+.Sh HISTORY
+The
+.Nm dtaudit
+provider first appeared in
+.Fx 12.0 .
+.Sh AUTHORS
+This software and this manual page were developed by BAE Systems, the
+University of Cambridge Computer Laboratory, and Memorial University under
+DARPA/AFRL contract
+.Pq FA8650-15-C-7558
+.Pq Do CADETS Dc ,
+as part of the DARPA Transparent Computing (TC) research program.
+The
+.Nm dtaudit
+provider and this manual page were written by
+.An Robert Watson Aq Mt rwatson@FreeBSD.org .
+.Sh BUGS
+Because
+.Xr audit 4
+maintains its primary event-to-name mapping database in userspace, that
+database must be loaded into the kernel before
+.Nm dtaudit
+probes become available.
+.Pp
+.Nm dtaudit
+is only able to provide access to system-call audit events, not the full
+scope of userspace events, such as those relating to login, password change,
+and so on.
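Review bot: in IMPLEMENTATION NOTES the self-reference `+.Xr dtaudit 4` should be `.Nm dtaudit`, as everywhere else in the page; a cross-reference to the page's own alias only resolves through the MLINK and reads as if it pointed at a different manual. Also in that section, `+probes are registered` should be `probes is registered` (the subject is "a set"). In the Probes section, `+probes fire asynchonously from system-call return` has a typo: "asynchronously". SEE ALSO omits `auditpipe 4`, which the IMPLEMENTATION NOTES text refers to, so add `.Xr auditpipe 4 ,` between audit 4 and audit.log 5. In the SYNOPSIS, the second `.Fn` line names the first two arguments but leaves the last two as bare types (`"const void *" "size_t"`); giving them names that match the Probes prose (for example `"const void *bsm" "size_t bsmlen"`, names suggested here, not taken from the source) would make the argument order self-explanatory. Minor mdoc lint points: `.Pp` directly after `.Sh SYNOPSIS` and `.Pp` directly before `.Bd -literal` are the kind of paragraph macros mandoc's lint mode reports as skipped and can be dropped; the ASCII `--` in `+probes are required earlier in boot -- for example` would normally be `\(em`; and the loader.conf sentence ends with a period before its literal block while the parallel rc.conf sentence ends with a colon, so one of the two should be made consistent. Worth keeping as written is the IMPLEMENTATION NOTES statement that enabling a set of probes forces in-kernel audit-record capture for the covered system calls regardless of the audit configuration, and that those records are not written to the trail or pipes; that is the security-relevant behaviour an administrator needs to know, and the page states it plainly.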