From owner-svn-src-all@freebsd.org Sun Apr 28 13:07:40 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3CD4A157DA33; Sun, 28 Apr 2019 13:07:40 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id CCDC891EB6; Sun, 28 Apr 2019 13:07:39 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A11D4AFAD; Sun, 28 Apr 2019 13:07:39 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x3SD7dsm006712; Sun, 28 Apr 2019 13:07:39 GMT (envelope-from rwatson@FreeBSD.org) Received: (from rwatson@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x3SD7dei006710; Sun, 28 Apr 2019 13:07:39 GMT (envelope-from rwatson@FreeBSD.org) Message-Id: <201904281307.x3SD7dei006710@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rwatson set sender to rwatson@FreeBSD.org using -f From: Robert Watson Date: Sun, 28 Apr 2019 13:07:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r346814 - head/share/man/man4 X-SVN-Group: head X-SVN-Commit-Author: rwatson X-SVN-Commit-Paths: head/share/man/man4 X-SVN-Commit-Revision: 346814 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: CCDC891EB6 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.98)[-0.978,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Apr 2019 13:07:40 -0000 Author: rwatson Date: Sun Apr 28 13:07:38 2019 New Revision: 346814 URL: https://svnweb.freebsd.org/changeset/base/346814 Log: Add a man page for the DTrace Audit Provider, since we are now growing a set of provider man pages. MFC after: 3 days Sponsored by: DARPA, AFRL Added: head/share/man/man4/dtrace_audit.4 (contents, props changed) Modified: head/share/man/man4/Makefile Modified: head/share/man/man4/Makefile ============================================================================== --- head/share/man/man4/Makefile Sun Apr 28 09:54:50 2019 (r346813) +++ head/share/man/man4/Makefile Sun Apr 28 13:07:38 2019 (r346814) @@ -887,7 +887,8 @@ _ccd.4= ccd.4 .endif .if ${MK_CDDL} != "no" -_dtrace_provs= dtrace_io.4 \ +_dtrace_provs= dtrace_audit.4 \ + dtrace_io.4 \ dtrace_ip.4 \ dtrace_lockstat.4 \ dtrace_proc.4 \ @@ -896,6 +897,8 @@ _dtrace_provs= dtrace_io.4 \ dtrace_tcp.4 \ dtrace_udp.4 \ dtrace_udplite.4 + +MLINKS+= dtrace_audit.4 dtaudit.4 .endif .if ${MK_EFI} != "no" Added: head/share/man/man4/dtrace_audit.4 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/man/man4/dtrace_audit.4 Sun Apr 28 13:07:38 2019 (r346814) @@ -0,0 +1,178 @@ +.\"- +.\" SPDX-License-Identifier: BSD-2-Clause +.\" +.\" Copyright (c) 2019 Robert N. M. Watson +.\" +.\" This software was developed by BAE Systems, the University of Cambridge +.\" Computer Laboratory, and Memorial University under DARPA/AFRL contract +.\" FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing +.\" (TC) research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd April 28, 2019 +.Dt DTRACE_AUDIT 4 +.Os +.Sh NAME +.Nm dtrace_audit +.Nd A DTrace provider for tracing +.Xr audit 4 +events +.Sh SYNOPSIS +.Pp +.Fn audit:event:aue_*:commit "char *eventname" "struct audit_record *ar" +.Fn audit:event:aue_*:bsm "char *eventname" "struct audit_record *ar" "const void *" "size_t" +.Pp +To compile this module into the kernel, place the following in your kernel +configuration file: +.Pp +.Bd -literal -offset indent +.Cd "options DTAUDIT" +.Ed +.Pp +Alternatively, to load the module at boot time, place the following line in +.Xr loader.conf 5 : +.Bd -literal -offset indent +dtaudit_load="YES" +.Ed +.Sh DESCRIPTION +The DTrace +.Nm dtaudit +provider allows users to trace events in the kernel security auditing +subsystem, +.Xr audit 4 . +.Xr audit 4 +provides detailed logging of a configurable set of security-relevant system +calls, including key arguments (such as file paths) and return values that are +copied race-free as the system call proceeds. +The +.Nm dtaudit +provider allows DTrace scripts to selectively enable in-kernel audit-record +capture for system calls, and then access those records in either the +in-kernel format or BSM format (\c +.Xr audit.log 5 ) +when the system call completes. +While the in-kernel audit record data structure is subject to change as the +kernel changes over time, it is a much more friendly interface for use in D +scripts than either those available via the DTrace system-call provider or the +BSM trail itself. +.Ss Configuration +The +.Nm dtaudit +provider relies on +.Xr audit 4 +being compiled into the kernel. +.Nm dtaudit +probes become available only once there is an event-to-name mapping installed +in the kernel, normally done by +.Xr auditd 8 +during the boot process, if audit is enabled in +.Xr rc.conf 5 : +.Bd -literal -offset indent +auditd_enable="YES" +.Ed +.Pp +If +.Nm dtaudit +probes are required earlier in boot -- for example, in single-user mode -- or +without enabling +.Xr audit 4 , +they can be preloaded in the boot loader by adding this line to +.Xr loader.conf 5 . +.Bd -literal -offset indent +audit_event_load="YES" +.Ed +.Ss Probes +The +.Fn audit:event:aue_*:commit +probes fire synchronously during system-call return, giving access to two +arguments: a +.Vt char * +audit event name, and +the +.Vt struct audit_record * +in-kernel audit record. +Because the probe fires in system-call return, the user thread has not yet +regained control, and additional information from the thread and process +remains available for capture by the script. +.Pp +The +.Fn audit:event:aue_*:bsm +probes fire asynchonously from system-call return, following BSM conversion +and just prior to being written to disk, giving access to four arguments: a +.Vt char * +audit event name, the +.Vt struct audit_record * +in-kernel audit record, a +.Vt const void * +pointer to the converted BSM record, and a +.Vt size_t +for the length of the BSM record. +.Sh IMPLEMENTATION NOTES +When a set of +.Nm dtaudit +probes are registered, corresponding in-kernel audit records will be captured +and their probes will fire regardless of whether the +.Xr audit 4 +subsystem itself would have captured the record for the purposes of writing it +to the audit trail, or for delivery to a +.Xr auditpipe 4 . +In-kernel audit records allocated only because of enabled +.Xr dtaudit 4 +probes will not be unnecessarily written to the audit trail or enabled pipes. +.Sh SEE ALSO +.Xr dtrace 1 , +.Xr audit 4 , +.Xr audit.log 5 , +.Xr loader.conf 5 , +.Xr rc.conf 5 , +.Xr auditd 8 +.Sh HISTORY +The +.Nm dtaudit +provider first appeared in +.Fx 12.0 . +.Sh AUTHORS +This software and this manual page were developed by BAE Systems, the +University of Cambridge Computer Laboratory, and Memorial University under +DARPA/AFRL contract +.Pq FA8650-15-C-7558 +.Pq Do CADETS Dc , +as part of the DARPA Transparent Computing (TC) research program. +The +.Nm dtaudit +provider and this manual page were written by +.An Robert Watson Aq Mt rwatson@FreeBSD.org . +.Sh BUGS +Because +.Xr audit 4 +maintains its primary event-to-name mapping database in userspace, that +database must be loaded into the kernel before +.Nm dtaudit +probes become available. +.Pp +.Nm dtaudit +is only able to provide access to system-call audit events, not the full +scope of userspace events, such as those relating to login, password change, +and so on.