Date: Thu, 30 Mar 2017 09:39:39 +0300
From: Konstantin Belousov
To: Robert Watson
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r316176 - in head/sys: conf modules/dtrace modules/dtrace/dtaudit security/audit
Message-ID: <20170330063939.GZ43712@kib.kiev.ua>
References: <201703291958.v2TJw0hT049410@repo.freebsd.org>
In-Reply-To: <201703291958.v2TJw0hT049410@repo.freebsd.org>
On Wed, Mar 29, 2017 at 07:58:00PM +0000, Robert Watson wrote:
> Author: rwatson
> Date: Wed Mar 29 19:58:00 2017
> New Revision: 316176
> URL: https://svnweb.freebsd.org/changeset/base/316176
>
> Log:
>   Add an experimental DTrace audit provider, which allows users of DTrace to
>   instrument security event auditing rather than relying on conventional BSM
>   trail files or audit pipes:
>
>   - Add a set of per-event 'commit' probes, which provide access to
>     particular auditable events at the time of commit in system-call return.
>     These probes gain access to audit data via the in-kernel audit_record
>     data structure, providing convenient access to system-call arguments and
>     return values in a single probe.
>
>   - Add a set of per-event 'bsm' probes, which provide access to particular
>     auditable events at the time of BSM record generation in the audit
>     worker thread. These probes have access to the in-kernel audit_record
>     data structure and BSM representation as would be written to a trail
>     file or audit pipe -- i.e., asynchronously in the audit worker thread.
>
>   DTrace probe arguments consist of the name of the audit event (to support
>   future mechanisms of instrumenting multiple events via a single probe --
>   e.g., using classes), a pointer to the in-kernel audit record, and an
>   optional pointer to the BSM data and its length. For human convenience,
>   upper-case audit event names (AUE_...) are converted to lower case in
>   DTrace.
>
>   DTrace scripts can now cause additional audit-based data to be collected
>   on system calls, and inspect internal and BSM representations of the data.
>   They do not affect data captured in the audit trail or audit pipes
>   configured in the system. auditd(8) must be configured and running in
>   order to provide a database of event information, as well as other audit
>   configuration parameters (e.g., to capture command-line arguments or
>   environmental variables) for the provider to operate.
>
>   Reviewed by:    gnn, jonathan, markj
>   Sponsored by:   DARPA, AFRL
>   MFC after:      3 weeks
>   Differential Revision:  https://reviews.freebsd.org/D10149

On kernel configs which do not have the AUDIT option (and no DTRACE-related options), I get

/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:184:8: error: implicit declaration of function 'au_evnamemap_lookup' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
        ene = au_evnamemap_lookup(event);
              ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:184:6: error: incompatible integer to pointer conversion assigning to 'struct evname_elem *' from 'int' [-Werror,-Wint-conversion]
        ene = au_evnamemap_lookup(event);
            ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:197:23: error: no member named 'ene_commit_probe_enabled' in 'struct evname_elem'
        probe_enabled = ene->ene_commit_probe_enabled ||
                        ~~~  ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:198:11: error: no member named 'ene_bsm_probe_enabled' in 'struct evname_elem'
            ene->ene_bsm_probe_enabled;
            ~~~  ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:220:35: error: no member named 'k_dtaudit_state' in 'struct kaudit_record'
        ene = (struct evname_elem *)kar->k_dtaudit_state;
                                    ~~~  ^
etc.
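As an added illustration of the provider the quoted commit message describes (not part of this thread or of r316176 itself), the D script below watches the 'commit' and 'bsm' probes for one event from a defender's side: it counts failed execve(2) attempts per audit UID and path at system-call return, and separately sizes the BSM records the audit worker produces for the same event. It assumes the probes are named audit:event:aue_<event>:{commit,bsm}, that args[0] is the lower-cased event name, args[1] the in-kernel struct audit_record pointer, and args[2]/args[3] the BSM buffer and its length on bsm probes, and that the field names ar_subj_auid, ar_errno and ar_arg_upath1 from the kernel's struct audit_record are resolvable via kernel CTF data.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not code from the commit under discussion. Probe naming,
 * argument layout and struct audit_record field names are assumptions
 * stated in the lead-in; auditd(8) must be running for the provider to
 * have an event database, as the commit message notes.
 */
#pragma D option quiet

/*
 * Synchronous view: at commit time (system-call return) the same probe sees
 * the subject, the path argument and the error, so a failed execve(2) can be
 * keyed by audit UID and requested path without waiting for the trail.
 */
audit:event:aue_execve:commit
/args[1]->ar_errno != 0 && args[1]->ar_arg_upath1 != NULL/
{
	@failed[args[1]->ar_subj_auid, stringof(args[1]->ar_arg_upath1)] = count();
}

/* Path argument capture depends on audit_control(5) policy; do not deref NULL. */
audit:event:aue_execve:commit
/args[1]->ar_errno != 0 && args[1]->ar_arg_upath1 == NULL/
{
	@failed[args[1]->ar_subj_auid, "<path not captured>"] = count();
}

/*
 * Asynchronous view: the bsm probe fires in the audit worker thread with the
 * serialized record; here only its length is summarized. Observing it does not
 * change what is written to the trail file or audit pipes.
 */
audit:event:aue_execve:bsm
{
	@bsmlen[stringof(args[0])] = quantize(args[3]);
}

END
{
	printf("Failed execve(2) by audit UID and path:\n");
	printa("  auid %-6u %-48s %@6u\n", @failed);
	printf("\nBSM record length (bytes) per event:\n");
	printa(@bsmlen);
}
```

Run it as root while auditd(8) is active; because the commit probe fires in the calling thread and the bsm probe in the audit worker, the two aggregations are populated at different times and need not match one-for-one at any instant.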