author | rwatson <rwatson@FreeBSD.org> | 2006-06-05 14:48:17 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-06-05 14:48:17 +0000 |
commit | 4f317e157608e1b894810563738d4706ca17a07e (patch) | |
tree | 299259998d5bd315eb95c846662bd4113c0913bf /sys/security/audit/audit_private.h | |
parent | a5b858d3fd9e18072e6c667da827f7fa363e5707 (diff) | |
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or use their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/audit/audit_private.h')
-rw-r--r-- | sys/security/audit/audit_private.h | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/sys/security/audit/audit_private.h b/sys/security/audit/audit_private.h index 543bb60..2dc61ec 100644 --- a/sys/security/audit/audit_private.h +++ b/sys/security/audit/audit_private.h @@ -84,11 +84,16 @@ extern int audit_fail_stop; #define BSM_NOAUDIT 2 /* - * Defines for the kernel audit record k_ar_commit field. + * Defines for the kernel audit record k_ar_commit field. Flags are set to + * indicate what sort of record it is, and which preselection mechanism + * selected it. */ #define AR_COMMIT_KERNEL 0x00000001U #define AR_COMMIT_USER 0x00000010U +#define AR_PRESELECT_TRAIL 0x00001000U +#define AR_PRESELECT_PIPE 0x00002000U + /* * Audit data is generated as a stream of struct audit_record structures, * linked by struct kaudit_record, and contain storage for possible audit so @@ -296,7 +301,8 @@ token_t *kau_to_socket(struct socket_au_info *soi); /* * audit_klib prototypes */ -int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf); +int au_preselect(au_event_t event, au_class_t class, + au_mask_t *mask_p, int sorf); au_event_t flags_and_error_to_openevent(int oflags, int error); void au_evclassmap_init(void); void au_evclassmap_insert(au_event_t event, au_class_t class); @@ -327,6 +333,10 @@ void audit_worker_init(void); /* * Audit pipe functions. */ -void audit_pipe_submit(void *record, u_int record_len); +int audit_pipe_preselect(au_id_t auid, au_event_t event, + au_class_t class, int sorf, int trail_select); +void audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, + int sorf, int trail_select, void *record, u_int record_len); +void audit_pipe_submit_user(void *record, u_int record_len); #endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */ |
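Review bot: In the k_ar_commit hunk, the new comment says the flags record "which preselection mechanism selected it" but does not say that AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE may both be set on one record, nor what happens when neither is set; since the commit message states that selection by either target keeps the record, a line such as "both may be set; a record with neither flag is discarded after commit" would make the contract explicit. The bit layout (0x00000001U, 0x00000010U, then a jump to 0x00001000U and 0x00002000U) also deserves a one-line note on why the groups are spaced apart, so a later flag is not dropped into the gap by mistake.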
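Review bot: The au_preselect() hunk changes a prototype that every existing caller uses with three arguments, and because the diffstat shown here is limited to audit_private.h, the callers are updated elsewhere in the commit; it is worth confirming none were missed, since a stale three-argument call would fail to compile rather than silently misbehave, but the header itself gives no hint of the relationship between event and class. A short comment stating that class is expected to be the class already looked up for event (the commit message says the parameter exists to avoid repeated mask lookups) would stop callers from passing a mismatched pair.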
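Review bot: In the audit pipe hunk, the new audit_pipe_preselect() returns int with no comment on whether that is a boolean "some pipe wants this record" or something else, and the trail_select parameter shared with audit_pipe_submit() is undocumented; given that per-pipe mode can be "track the global trail", a comment that trail_select carries the global trail's decision and that the return value is non-zero when any pipe selects the record would pin this down. The new audit_pipe_submit_user(void *record, u_int record_len) takes no auid, event, class or sorf, which implies user-submitted records bypass per-pipe preselection entirely; if that is intended, say so in the comment block above these prototypes so it is not read as an omission.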