summaryrefslogtreecommitdiffstats
path: root/sys/security/audit/audit_ioctl.h
Commit message (Collapse)AuthorAgeFilesLines
* Don't expose #ifdef NOTYET parts to userspace via audit_ioctl.h, justrwatson2007-04-291-3/+0
| | | | | | | remove them, since the functionality they are associated with isn't there yet. MFC after: 3 days
* Allow the user process to query the kernel's notion of a maximumrwatson2006-08-261-0/+1
| | | | | | | | | audit record size at run-time, which can be used by the user process to size the user space buffer it reads into from the audit pipe. Perforce change: 105098 Obtained from: TrustedBSD Project
* Introduce support for per-audit pipe preselection independent from therwatson2006-06-051-0/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | global audit trail configuration. This allows applications consuming audit trails to specify parameters for which audit records are of interest, including selecting records not required by the global trail. Allowing application interest specification without changing the global configuration allows intrusion detection systems to run without interfering with global auditing or each other (if multiple are present). To implement this: - Kernel audit records now carry a flag to indicate whether they have been selected by the global trail or by the audit pipe subsystem, set during record commit, so that this information is available after BSM conversion when delivering the BSM to the trail and audit pipes in the audit worker thread asynchronously. Preselection by either record target will cause the record to be kept. - Similar changes to preselection when the audit record is created when the system call is entering: consult both the global trail and pipes. - au_preselect() now accepts the class in order to avoid repeatedly looking up the mask for each preselection test. - Define a series of ioctls that allow applications to specify whether they want to track the global trail, or program their own preselection parameters: they may specify their own flags and naflags masks, similar to the global masks of the same name, as well as a set of per-auid masks. They also set a per-pipe mode specifying whether they track the global trail, or user their own -- the door is left open for future additional modes. A new ioctl is defined to allow a user process to flush the current audit pipe queue, which can be used after reprogramming pre-selection to make sure that only records of interest are received in future reads. - Audit pipe data structures are extended to hold the additional fields necessary to support preselection. By default, audit pipes track the global trail, so "praudit /dev/auditpipe" will track the global audit trail even though praudit doesn't program the audit pipe selection model. - Comment about the complexities of potentially adding partial read support to audit pipes. By using a set of ioctls, applications can select which records are of interest, and toggle the preselection mode. Obtained from: TrustedBSD Project
* Merge Perforce change 93581 from TrustedBSD audit3 branch:rwatson2006-03-191-1/+1
| | | | | | Mega-style patch. Obtained from: TrustedBSD Project
* Merge Perforce change 93506 from TrustedBSD audit3 branch:rwatson2006-03-191-0/+53
Add ioctls to audit pipes in order to allow querying of the current record queue state, setting of the queue limit, and querying of pipe statistics. Obtained from: TrustedBSD Project
OpenPOWER on IntegriCloud