Date: Tue, 2 Oct 2018 11:15:37 -0600
From: Alan Somers <asomers@freebsd.org>
To: Robert Watson <rwatson@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head <svn-src-head@freebsd.org>
Subject: Re: svn commit: r339085 - head/sys/security/audit
Message-ID: <CAOtMX2iq7B=qRGCAsxJLDXuYAQYBS17NnDhRunfwyRu0LB8XuA@mail.gmail.com>
In-Reply-To: <201810021558.w92FwHBp025418@repo.freebsd.org>
References: <201810021558.w92FwHBp025418@repo.freebsd.org>
On Tue, Oct 2, 2018 at 9:58 AM Robert Watson <rwatson@freebsd.org> wrote:
> Author: rwatson
> Date: Tue Oct  2 15:58:17 2018
> New Revision: 339085
> URL: https://svnweb.freebsd.org/changeset/base/339085
>
> Log:
>   Rework the logic around quick checks for auditing that take place at
>   system-call entry and whenever audit arguments or return values are
>   captured:
>
>   1. Expose a single global, audit_syscalls_enabled, which controls
>      whether the audit framework is entered, rather than exposing
>      components of the policy -- e.g., if the trail is enabled,
>      suspended, etc.
>
>   2. Introduce a new function audit_syscalls_enabled_update(), which is
>      called to update audit_syscalls_enabled whenever an aspect of the
>      policy changes, so that the value can be updated.
>
>   3. Remove a check of trail enablement/suspension from audit_new() --
>      at the point where this function has been entered, we believe that
>      system-call auditing is already in force, or we wouldn't get here,
>      so simply proceed to more expensive policy checks.
>
>   4. Use an audit-provided global, audit_dtrace_enabled, rather than a
>      dtaudit-provided global, to provide policy indicating whether
>      dtaudit would like system calls to be audited.
>
>   5. Do some minor cosmetic renaming to clarify what various variables
>      are for.
>
>   These changes collectively arrange it so that traditional audit
>   (trail, pipes) or the DTrace audit provider can enable system-call
>   probes without the other configured.  Otherwise, dtaudit cannot
>   capture system-call data without auditd(8) started.
>
>   Reviewed by:    gnn
>   Sponsored by:   DARPA, AFRL
>   Approved by:    re (gjb)
>   Differential Revision:  https://reviews.freebsd.org/D17348
>
> Modified:
>   head/sys/security/audit/audit.c
>   head/sys/security/audit/audit.h
>   head/sys/security/audit/audit_dtrace.c
>   head/sys/security/audit/audit_private.h
>   head/sys/security/audit/audit_syscalls.c
>   head/sys/security/audit/audit_worker.c

Did you check the logic around audit_proc_coredump too?  I think this
change will cause AUE_CORE events to be emitted even when auditing is
disabled.

-Alan
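The gating the commit log describes, together with the regression check that Alan's question calls for, as a constructed C model added here (not FreeBSD's code): the policy components, the update function and the ungated producer are hypothetical stand-ins named after the log, and the model does not claim to show how the real audit_proc_coredump() is gated.

```c
/* Constructed model of the r339085 fast path; names follow the log, code is not FreeBSD's. */
#include <stdbool.h>

/* Policy components that the update function folds into one flag (hypothetical names). */
static bool trail_enabled, trail_suspended, pipes_open, audit_dtrace_enabled;
static bool audit_syscalls_enabled;  /* the single global read on the hot path */
static int records_emitted;          /* records produced by audit_new_model() */

/* Item 2 of the log: recompute the cached flag whenever a component changes. */
static void audit_syscalls_enabled_update(void)
{
    audit_syscalls_enabled = (trail_enabled && !trail_suspended)
        || pipes_open || audit_dtrace_enabled;
}

/* Item 3: audit_new() no longer checks trail state; it trusts its caller. */
static void audit_new_model(void) { records_emitted++; }

/* Item 1: system-call entry consults only the cached flag before going on. */
static void syscall_enter_model(void)
{
    if (!audit_syscalls_enabled)
        return;
    audit_new_model();
}

/* Hypothetical producer that reaches audit_new() without the flag check; it
 * stands in for the case Alan raises, not for the real coredump function. */
static void ungated_producer_model(void) { audit_new_model(); }

static void set_policy(bool trail, bool susp, bool pipes, bool dtrace)
{
    trail_enabled = trail; trail_suspended = susp;
    pipes_open = pipes; audit_dtrace_enabled = dtrace;
    audit_syscalls_enabled_update();
}

/* Regression check: with every policy component off, no producer may emit a
 * record. Returns how many records the given entry point leaked. */
static int records_with_audit_off(void (*entry)(void))
{
    set_policy(false, false, false, false);
    records_emitted = 0;
    entry();
    return records_emitted;
}
```

Any producer for which records_with_audit_off() returns a non-zero count is relying on a check that audit_new() no longer performs.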