authorrwatson <rwatson@FreeBSD.org>2006-02-06 22:50:39 +0000
committerrwatson <rwatson@FreeBSD.org>2006-02-06 22:50:39 +0000
commita1af4bcfbd3d8ae9e1489758061243e6b96bfcf4 (patch)
tree79dccf47f6dce13391a0e203fbf862d754fd31a5 /sys/security/audit/audit.c
parent64630e1791f8ce1be4b0faed295f2d33434d18f0 (diff)
Add support for audit pipe special devices, which allow user space
applications to insert a "tee" in the live audit event stream. Records are inserted into a per-clone queue so that user processes can pull discrete records out of the queue. Unlike delivery to disk, audit pipes are "lossy", dropping records in low memory conditions or when the process falls behind real-time events. This mechanism is appropriate for use by live monitoring systems, host-based intrusion detection, etc., and avoids applications having to dig through active on-disk trails that are owned by the audit daemon. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/audit/audit.c')
-rw-r--r--sys/security/audit/audit.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c
index 96da28c..3ddad11 100644
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@@ -372,6 +372,14 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
* we ignore errors.
*/
if (ar->k_ar_commit & AR_COMMIT_USER) {
+ /*
+ * Try submitting the record to any active audit pipes.
+ */
+ audit_pipe_submit((void *)ar->k_udata, ar->k_ulen);
+
+ /*
+ * And to disk.
+ */
ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
(off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL,
NULL, td);
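Review bot: Both new `audit_pipe_submit()` calls (this one and the one in the later hunk, just before the `XXX` comment) hand the record to pipe readers independently of the trail write, and neither comment says the two sinks can diverge. In this hunk the call precedes `vn_rdwr()`, whose errors the surrounding comment says are ignored, so a monitoring process can see a record that never reaches disk; per the commit message, pipes may also drop records that do reach disk. I would extend the comment to state that, e.g. `Pipe delivery is best-effort and independent of the trail write; a pipe reader may see records absent from the trail, and may miss records present in it.` It is also worth confirming that `ar->k_ulen` is bounded before this point, since it presumably now sizes a queued copy for each open pipe (inferred; `audit_pipe_submit()` is not visible here). The body of `audit_record_write()` starts and ends outside both hunks.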
@@ -407,6 +415,11 @@ audit_record_write(struct vnode *vp, struct kaudit_record *ar,
ret = EINVAL;
goto out;
}
+
+ /*
+ * Try submitting the record to any active audit pipes.
+ */
+ audit_pipe_submit((void *)bsm->data, bsm->len);
/*
* XXX
OpenPOWER on IntegriCloud