2006-02-06 22:50:39 +00:00
|
|
|
/*-
|
|
|
|
* Copyright (c) 2006 Robert N. M. Watson
|
2009-02-08 15:38:31 +00:00
|
|
|
* Copyright (c) 2008-2009 Apple, Inc.
|
2006-02-06 22:50:39 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This software was developed by Robert Watson for the TrustedBSD Project.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
2008-04-13 22:06:56 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
2006-02-06 22:50:39 +00:00
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/condvar.h>
|
|
|
|
#include <sys/conf.h>
|
|
|
|
#include <sys/eventhandler.h>
|
|
|
|
#include <sys/filio.h>
|
|
|
|
#include <sys/kernel.h>
|
|
|
|
#include <sys/lock.h>
|
|
|
|
#include <sys/malloc.h>
|
|
|
|
#include <sys/mutex.h>
|
|
|
|
#include <sys/poll.h>
|
|
|
|
#include <sys/proc.h>
|
|
|
|
#include <sys/queue.h>
|
2008-10-30 21:58:39 +00:00
|
|
|
#include <sys/rwlock.h>
|
2006-02-06 22:50:39 +00:00
|
|
|
#include <sys/selinfo.h>
|
|
|
|
#include <sys/sigio.h>
|
|
|
|
#include <sys/signal.h>
|
|
|
|
#include <sys/signalvar.h>
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
#include <sys/sx.h>
|
2006-02-06 22:50:39 +00:00
|
|
|
#include <sys/systm.h>
|
|
|
|
#include <sys/uio.h>
|
|
|
|
|
|
|
|
#include <security/audit/audit.h>
|
2006-03-19 15:36:10 +00:00
|
|
|
#include <security/audit/audit_ioctl.h>
|
2006-02-06 22:50:39 +00:00
|
|
|
#include <security/audit/audit_private.h>
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Implementation of a clonable special device providing a live stream of BSM
|
2008-11-02 00:25:48 +00:00
|
|
|
* audit data. Consumers receive a "tee" of the system audit trail by
|
|
|
|
* default, but may also define alternative event selections using ioctls.
|
|
|
|
* This interface provides unreliable but timely access to audit events.
|
|
|
|
* Consumers should be very careful to avoid introducing event cycles.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Memory types.
|
|
|
|
*/
|
|
|
|
static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes");
|
|
|
|
static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent",
|
|
|
|
"Audit pipe entries and buffers");
|
2007-12-25 13:23:19 +00:00
|
|
|
static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel",
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
"Audit pipe preselection structure");
|
2006-02-06 22:50:39 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Audit pipe buffer parameters.
|
|
|
|
*/
|
2006-03-19 15:38:03 +00:00
|
|
|
#define AUDIT_PIPE_QLIMIT_DEFAULT (128)
|
2009-02-08 15:38:31 +00:00
|
|
|
#define AUDIT_PIPE_QLIMIT_MIN (1)
|
2006-02-06 22:50:39 +00:00
|
|
|
#define AUDIT_PIPE_QLIMIT_MAX (1024)
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Description of an entry in an audit_pipe.
|
|
|
|
*/
|
|
|
|
struct audit_pipe_entry {
|
|
|
|
void *ape_record;
|
|
|
|
u_int ape_record_len;
|
|
|
|
TAILQ_ENTRY(audit_pipe_entry) ape_queue;
|
|
|
|
};
|
|
|
|
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
/*
|
|
|
|
* Audit pipes allow processes to express "interest" in the set of records
|
|
|
|
* that are delivered via the pipe. They do this in a similar manner to the
|
|
|
|
* mechanism for audit trail configuration, by expressing two global masks,
|
|
|
|
* and optionally expressing per-auid masks. The following data structure is
|
|
|
|
* the per-auid mask description. The global state is stored in the audit
|
|
|
|
* pipe data structure.
|
|
|
|
*
|
|
|
|
* We may want to consider a more space/time-efficient data structure once
|
|
|
|
* usage patterns for per-auid specifications are clear.
|
|
|
|
*/
|
|
|
|
struct audit_pipe_preselect {
|
|
|
|
au_id_t app_auid;
|
|
|
|
au_mask_t app_mask;
|
|
|
|
TAILQ_ENTRY(audit_pipe_preselect) app_list;
|
|
|
|
};
|
|
|
|
|
2006-02-06 22:50:39 +00:00
|
|
|
/*
|
|
|
|
* Description of an individual audit_pipe. Consists largely of a bounded
|
|
|
|
* length queue.
|
|
|
|
*/
|
|
|
|
#define AUDIT_PIPE_ASYNC 0x00000001
|
|
|
|
#define AUDIT_PIPE_NBIO 0x00000002
|
|
|
|
struct audit_pipe {
|
|
|
|
u_int ap_flags;
|
|
|
|
|
|
|
|
struct selinfo ap_selinfo;
|
|
|
|
struct sigio *ap_sigio;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
/*
|
|
|
|
* Per-pipe mutex protecting most fields in this data structure.
|
|
|
|
*/
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
struct mtx ap_mtx;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Per-pipe sleep lock serializing user-generated reads and flushes.
|
|
|
|
* uiomove() is called to copy out the current head record's data
|
|
|
|
* while the record remains in the queue, so we prevent other threads
|
|
|
|
* from removing it using this lock.
|
|
|
|
*/
|
|
|
|
struct sx ap_sx;
|
2008-10-30 21:58:39 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Condition variable to signal when data has been delivered to a
|
|
|
|
* pipe.
|
|
|
|
*/
|
|
|
|
struct cv ap_cv;
|
|
|
|
|
2008-11-01 21:56:45 +00:00
|
|
|
/*
|
|
|
|
* Various queue-reated variables: qlen and qlimit are a count of
|
|
|
|
* records in the queue; qbyteslen is the number of bytes of data
|
|
|
|
* across all records, and qoffset is the amount read so far of the
|
|
|
|
* first record in the queue. The number of bytes available for
|
|
|
|
* reading in the queue is qbyteslen - qoffset.
|
|
|
|
*/
|
2006-02-06 22:50:39 +00:00
|
|
|
u_int ap_qlen;
|
|
|
|
u_int ap_qlimit;
|
2008-11-01 21:56:45 +00:00
|
|
|
u_int ap_qbyteslen;
|
|
|
|
u_int ap_qoffset;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
2008-11-01 23:05:49 +00:00
|
|
|
/*
|
|
|
|
* Per-pipe operation statistics.
|
|
|
|
*/
|
2006-02-06 22:50:39 +00:00
|
|
|
u_int64_t ap_inserts; /* Records added. */
|
|
|
|
u_int64_t ap_reads; /* Records read. */
|
|
|
|
u_int64_t ap_drops; /* Records dropped. */
|
|
|
|
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
/*
|
|
|
|
* Fields relating to pipe interest: global masks for unmatched
|
|
|
|
* processes (attributable, non-attributable), and a list of specific
|
|
|
|
* interest specifications by auid.
|
|
|
|
*/
|
|
|
|
int ap_preselect_mode;
|
|
|
|
au_mask_t ap_preselect_flags;
|
|
|
|
au_mask_t ap_preselect_naflags;
|
|
|
|
TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list;
|
|
|
|
|
|
|
|
/*
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
* Current pending record list. Protected by a combination of ap_mtx
|
|
|
|
* and ap_sx. Note particularly that *both* locks are required to
|
2008-12-31 23:22:45 +00:00
|
|
|
* remove a record from the head of the queue, as an in-progress read
|
|
|
|
* may sleep while copying and therefore cannot hold ap_mtx.
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
*/
|
2006-02-06 22:50:39 +00:00
|
|
|
TAILQ_HEAD(, audit_pipe_entry) ap_queue;
|
|
|
|
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
/*
|
|
|
|
* Global pipe list.
|
|
|
|
*/
|
2006-02-06 22:50:39 +00:00
|
|
|
TAILQ_ENTRY(audit_pipe) ap_list;
|
|
|
|
};
|
|
|
|
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
#define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx)
|
|
|
|
#define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED)
|
|
|
|
#define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx)
|
|
|
|
#define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \
|
|
|
|
"audit_pipe_mtx", NULL, MTX_DEF)
|
|
|
|
#define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx)
|
|
|
|
#define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx)
|
|
|
|
|
|
|
|
#define AUDIT_PIPE_SX_LOCK_DESTROY(ap) sx_destroy(&(ap)->ap_sx)
|
|
|
|
#define AUDIT_PIPE_SX_LOCK_INIT(ap) sx_init(&(ap)->ap_sx, "audit_pipe_sx")
|
|
|
|
#define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) sx_assert(&(ap)->ap_sx, SA_XLOCKED)
|
|
|
|
#define AUDIT_PIPE_SX_XLOCK_SIG(ap) sx_xlock_sig(&(ap)->ap_sx)
|
|
|
|
#define AUDIT_PIPE_SX_XUNLOCK(ap) sx_xunlock(&(ap)->ap_sx)
|
2008-10-30 21:58:39 +00:00
|
|
|
|
2006-02-06 22:50:39 +00:00
|
|
|
/*
|
2008-10-30 21:58:39 +00:00
|
|
|
* Global list of audit pipes, rwlock to protect it. Individual record
|
|
|
|
* queues on pipes are protected by per-pipe locks; these locks synchronize
|
|
|
|
* between threads walking the list to deliver to individual pipes and add/
|
|
|
|
* remove of pipes, and are mostly acquired for read.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
|
|
|
static TAILQ_HEAD(, audit_pipe) audit_pipe_list;
|
2008-10-30 21:58:39 +00:00
|
|
|
static struct rwlock audit_pipe_lock;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
#define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \
|
|
|
|
"audit_pipe_list_lock")
|
2014-08-20 16:04:30 +00:00
|
|
|
#define AUDIT_PIPE_LIST_LOCK_DESTROY() rw_destroy(&audit_pipe_lock)
|
2008-10-30 21:58:39 +00:00
|
|
|
#define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock)
|
|
|
|
#define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock)
|
|
|
|
#define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock)
|
|
|
|
#define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \
|
|
|
|
RA_WLOCKED)
|
|
|
|
#define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock)
|
2006-02-06 22:50:39 +00:00
|
|
|
|
|
|
|
/*
|
2014-08-20 16:04:30 +00:00
|
|
|
* Audit pipe device.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
2014-08-20 16:04:30 +00:00
|
|
|
static struct cdev *audit_pipe_dev;
|
|
|
|
|
|
|
|
#define AUDIT_PIPE_NAME "auditpipe"
|
2006-02-06 22:50:39 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Special device methods and definition.
|
|
|
|
*/
|
|
|
|
static d_open_t audit_pipe_open;
|
|
|
|
static d_read_t audit_pipe_read;
|
|
|
|
static d_ioctl_t audit_pipe_ioctl;
|
|
|
|
static d_poll_t audit_pipe_poll;
|
2006-08-24 17:42:38 +00:00
|
|
|
static d_kqfilter_t audit_pipe_kqfilter;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
|
|
|
static struct cdevsw audit_pipe_cdevsw = {
|
|
|
|
.d_version = D_VERSION,
|
|
|
|
.d_open = audit_pipe_open,
|
|
|
|
.d_read = audit_pipe_read,
|
|
|
|
.d_ioctl = audit_pipe_ioctl,
|
|
|
|
.d_poll = audit_pipe_poll,
|
2006-08-24 17:42:38 +00:00
|
|
|
.d_kqfilter = audit_pipe_kqfilter,
|
2006-02-06 22:50:39 +00:00
|
|
|
.d_name = AUDIT_PIPE_NAME,
|
|
|
|
};
|
|
|
|
|
2006-08-24 17:42:38 +00:00
|
|
|
static int audit_pipe_kqread(struct knote *note, long hint);
|
|
|
|
static void audit_pipe_kqdetach(struct knote *note);
|
|
|
|
|
|
|
|
static struct filterops audit_pipe_read_filterops = {
|
|
|
|
.f_isfd = 1,
|
|
|
|
.f_attach = NULL,
|
|
|
|
.f_detach = audit_pipe_kqdetach,
|
|
|
|
.f_event = audit_pipe_kqread,
|
|
|
|
};
|
|
|
|
|
2006-02-06 22:50:39 +00:00
|
|
|
/*
|
|
|
|
* Some global statistics on audit pipes.
|
|
|
|
*/
|
|
|
|
static int audit_pipe_count; /* Current number of pipes. */
|
|
|
|
static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */
|
|
|
|
static u_int64_t audit_pipe_records; /* Records seen. */
|
|
|
|
static u_int64_t audit_pipe_drops; /* Global record drop count. */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Free an audit pipe entry.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
audit_pipe_entry_free(struct audit_pipe_entry *ape)
|
|
|
|
{
|
|
|
|
|
|
|
|
free(ape->ape_record, M_AUDIT_PIPE_ENTRY);
|
|
|
|
free(ape, M_AUDIT_PIPE_ENTRY);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
* Find an audit pipe preselection specification for an auid, if any.
|
|
|
|
*/
|
|
|
|
static struct audit_pipe_preselect *
|
|
|
|
audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid)
|
|
|
|
{
|
|
|
|
struct audit_pipe_preselect *app;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK_ASSERT(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
|
|
|
|
TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) {
|
|
|
|
if (app->app_auid == auid)
|
|
|
|
return (app);
|
|
|
|
}
|
|
|
|
return (NULL);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Query the per-pipe mask for a specific auid.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid,
|
|
|
|
au_mask_t *maskp)
|
|
|
|
{
|
|
|
|
struct audit_pipe_preselect *app;
|
|
|
|
int error;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
app = audit_pipe_preselect_find(ap, auid);
|
|
|
|
if (app != NULL) {
|
|
|
|
*maskp = app->app_mask;
|
|
|
|
error = 0;
|
|
|
|
} else
|
|
|
|
error = ENOENT;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set the per-pipe mask for a specific auid. Add a new entry if needed;
|
|
|
|
* otherwise, update the current entry.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask)
|
|
|
|
{
|
|
|
|
struct audit_pipe_preselect *app, *app_new;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Pessimistically assume that the auid doesn't already have a mask
|
|
|
|
* set, and allocate. We will free it if it is unneeded.
|
|
|
|
*/
|
|
|
|
app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
app = audit_pipe_preselect_find(ap, auid);
|
|
|
|
if (app == NULL) {
|
|
|
|
app = app_new;
|
|
|
|
app_new = NULL;
|
|
|
|
app->app_auid = auid;
|
|
|
|
TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list);
|
|
|
|
}
|
|
|
|
app->app_mask = mask;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
if (app_new != NULL)
|
|
|
|
free(app_new, M_AUDIT_PIPE_PRESELECT);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Delete a per-auid mask on an audit pipe.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid)
|
|
|
|
{
|
|
|
|
struct audit_pipe_preselect *app;
|
|
|
|
int error;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
app = audit_pipe_preselect_find(ap, auid);
|
|
|
|
if (app != NULL) {
|
|
|
|
TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
|
|
|
|
error = 0;
|
|
|
|
} else
|
|
|
|
error = ENOENT;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
if (app != NULL)
|
|
|
|
free(app, M_AUDIT_PIPE_PRESELECT);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Delete all per-auid masks on an audit pipe.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
audit_pipe_preselect_flush_locked(struct audit_pipe *ap)
|
|
|
|
{
|
|
|
|
struct audit_pipe_preselect *app;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK_ASSERT(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
|
|
|
|
while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) {
|
|
|
|
TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
|
|
|
|
free(app, M_AUDIT_PIPE_PRESELECT);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
audit_pipe_preselect_flush(struct audit_pipe *ap)
|
|
|
|
{
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
audit_pipe_preselect_flush_locked(ap);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
}
|
|
|
|
|
2007-06-01 21:58:59 +00:00
|
|
|
/*-
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
* Determine whether a specific audit pipe matches a record with these
|
|
|
|
* properties. Algorithm is as follows:
|
|
|
|
*
|
|
|
|
* - If the pipe is configured to track the default trail configuration, then
|
|
|
|
* use the results of global preselection matching.
|
|
|
|
* - If not, search for a specifically configured auid entry matching the
|
|
|
|
* event. If an entry is found, use that.
|
|
|
|
* - Otherwise, use the default flags or naflags configured for the pipe.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid,
|
|
|
|
au_event_t event, au_class_t class, int sorf, int trail_preselect)
|
|
|
|
{
|
|
|
|
struct audit_pipe_preselect *app;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK_ASSERT(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
|
|
|
|
switch (ap->ap_preselect_mode) {
|
|
|
|
case AUDITPIPE_PRESELECT_MODE_TRAIL:
|
|
|
|
return (trail_preselect);
|
|
|
|
|
|
|
|
case AUDITPIPE_PRESELECT_MODE_LOCAL:
|
|
|
|
app = audit_pipe_preselect_find(ap, auid);
|
|
|
|
if (app == NULL) {
|
|
|
|
if (auid == AU_DEFAUDITID)
|
|
|
|
return (au_preselect(event, class,
|
|
|
|
&ap->ap_preselect_naflags, sorf));
|
|
|
|
else
|
|
|
|
return (au_preselect(event, class,
|
|
|
|
&ap->ap_preselect_flags, sorf));
|
|
|
|
} else
|
|
|
|
return (au_preselect(event, class, &app->app_mask,
|
|
|
|
sorf));
|
|
|
|
|
|
|
|
default:
|
|
|
|
panic("audit_pipe_preselect_check: mode %d",
|
|
|
|
ap->ap_preselect_mode);
|
|
|
|
}
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Determine whether there exists a pipe interested in a record with specific
|
|
|
|
* properties.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
|
|
|
|
int sorf, int trail_preselect)
|
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
|
|
|
|
2009-01-06 14:15:38 +00:00
|
|
|
/* Lockless read to avoid acquiring the global lock if not needed. */
|
|
|
|
if (TAILQ_EMPTY(&audit_pipe_list))
|
|
|
|
return (0);
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LIST_RLOCK();
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
|
|
|
|
trail_preselect)) {
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
|
|
|
AUDIT_PIPE_LIST_RUNLOCK();
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
return (1);
|
|
|
|
}
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
}
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LIST_RUNLOCK();
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Append individual record to a queue -- allocate queue-local buffer, and
|
2008-10-30 23:09:19 +00:00
|
|
|
* add to the queue. If the queue is full or we can't allocate memory, drop
|
|
|
|
* the newest record.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
|
|
|
static void
|
|
|
|
audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
|
|
|
|
{
|
2008-10-30 23:09:19 +00:00
|
|
|
struct audit_pipe_entry *ape;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK_ASSERT(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
|
2008-10-30 23:09:19 +00:00
|
|
|
if (ap->ap_qlen >= ap->ap_qlimit) {
|
|
|
|
ap->ap_drops++;
|
|
|
|
audit_pipe_drops++;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2006-02-06 22:50:39 +00:00
|
|
|
ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO);
|
|
|
|
if (ape == NULL) {
|
|
|
|
ap->ap_drops++;
|
2006-03-04 17:09:17 +00:00
|
|
|
audit_pipe_drops++;
|
2006-02-06 22:50:39 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT);
|
|
|
|
if (ape->ape_record == NULL) {
|
|
|
|
free(ape, M_AUDIT_PIPE_ENTRY);
|
|
|
|
ap->ap_drops++;
|
|
|
|
audit_pipe_drops++;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
bcopy(record, ape->ape_record, record_len);
|
|
|
|
ape->ape_record_len = record_len;
|
|
|
|
|
|
|
|
TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue);
|
|
|
|
ap->ap_inserts++;
|
|
|
|
ap->ap_qlen++;
|
2008-11-01 21:56:45 +00:00
|
|
|
ap->ap_qbyteslen += ape->ape_record_len;
|
2006-02-06 22:50:39 +00:00
|
|
|
selwakeuppri(&ap->ap_selinfo, PSOCK);
|
2006-08-24 17:42:38 +00:00
|
|
|
KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0);
|
2006-02-06 22:50:39 +00:00
|
|
|
if (ap->ap_flags & AUDIT_PIPE_ASYNC)
|
|
|
|
pgsigio(&ap->ap_sigio, SIGIO, 0);
|
2008-10-30 21:58:39 +00:00
|
|
|
cv_broadcast(&ap->ap_cv);
|
2006-02-06 22:50:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* audit_pipe_submit(): audit_worker submits audit records via this
|
|
|
|
* interface, which arranges for them to be delivered to pipe queues.
|
|
|
|
*/
|
|
|
|
void
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf,
|
|
|
|
int trail_select, void *record, u_int record_len)
|
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
|
|
|
|
|
|
|
/*
|
2008-10-30 21:58:39 +00:00
|
|
|
* Lockless read to avoid lock overhead if pipes are not in use.
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
*/
|
|
|
|
if (TAILQ_FIRST(&audit_pipe_list) == NULL)
|
|
|
|
return;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LIST_RLOCK();
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
|
|
|
|
trail_select))
|
|
|
|
audit_pipe_append(ap, record, record_len);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
}
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LIST_RUNLOCK();
|
|
|
|
|
|
|
|
/* Unlocked increment. */
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
audit_pipe_records++;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* audit_pipe_submit_user(): the same as audit_pipe_submit(), except that
|
|
|
|
* since we don't currently have selection information available, it is
|
|
|
|
* delivered to the pipe unconditionally.
|
|
|
|
*
|
|
|
|
* XXXRW: This is a bug. The BSM check routine for submitting a user record
|
|
|
|
* should parse that information and return it.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
audit_pipe_submit_user(void *record, u_int record_len)
|
2006-02-06 22:50:39 +00:00
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
|
|
|
|
|
|
|
/*
|
2008-10-30 21:58:39 +00:00
|
|
|
* Lockless read to avoid lock overhead if pipes are not in use.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
|
|
|
if (TAILQ_FIRST(&audit_pipe_list) == NULL)
|
|
|
|
return;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LIST_RLOCK();
|
|
|
|
TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
|
|
|
|
AUDIT_PIPE_LOCK(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
audit_pipe_append(ap, record, record_len);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
|
|
|
}
|
|
|
|
AUDIT_PIPE_LIST_RUNLOCK();
|
|
|
|
|
|
|
|
/* Unlocked increment. */
|
2006-02-06 22:50:39 +00:00
|
|
|
audit_pipe_records++;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Allocate a new audit pipe. Connects the pipe, on success, to the global
|
|
|
|
* list and updates statistics.
|
|
|
|
*/
|
|
|
|
static struct audit_pipe *
|
|
|
|
audit_pipe_alloc(void)
|
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
|
|
|
|
|
|
|
ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO);
|
|
|
|
if (ap == NULL)
|
|
|
|
return (NULL);
|
|
|
|
ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT;
|
|
|
|
TAILQ_INIT(&ap->ap_queue);
|
2009-06-10 20:59:32 +00:00
|
|
|
knlist_init_mtx(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap));
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK_INIT(ap);
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
AUDIT_PIPE_SX_LOCK_INIT(ap);
|
2008-10-30 21:58:39 +00:00
|
|
|
cv_init(&ap->ap_cv, "audit_pipe");
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Default flags, naflags, and auid-specific preselection settings to
|
|
|
|
* 0. Initialize the mode to the global trail so that if praudit(1)
|
|
|
|
* is run on /dev/auditpipe, it sees events associated with the
|
|
|
|
* default trail. Pipe-aware application can clear the flag, set
|
|
|
|
* custom masks, and flush the pipe as needed.
|
|
|
|
*/
|
|
|
|
bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags));
|
|
|
|
bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags));
|
|
|
|
TAILQ_INIT(&ap->ap_preselect_list);
|
|
|
|
ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL;
|
|
|
|
|
2006-08-24 17:42:38 +00:00
|
|
|
/*
|
|
|
|
* Add to global list and update global statistics.
|
|
|
|
*/
|
2014-08-20 16:04:30 +00:00
|
|
|
AUDIT_PIPE_LIST_WLOCK();
|
2006-02-06 22:50:39 +00:00
|
|
|
TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
|
|
|
|
audit_pipe_count++;
|
|
|
|
audit_pipe_ever++;
|
2014-08-20 16:04:30 +00:00
|
|
|
AUDIT_PIPE_LIST_WUNLOCK();
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
|
2006-02-06 22:50:39 +00:00
|
|
|
return (ap);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
* Flush all records currently present in an audit pipe; assume mutex is held.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
|
|
|
static void
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
audit_pipe_flush(struct audit_pipe *ap)
|
2006-02-06 22:50:39 +00:00
|
|
|
{
|
|
|
|
struct audit_pipe_entry *ape;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK_ASSERT(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
|
|
|
|
while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) {
|
|
|
|
TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
|
2008-11-01 21:56:45 +00:00
|
|
|
ap->ap_qbyteslen -= ape->ape_record_len;
|
2006-02-06 22:50:39 +00:00
|
|
|
audit_pipe_entry_free(ape);
|
|
|
|
ap->ap_qlen--;
|
|
|
|
}
|
2008-11-01 21:56:45 +00:00
|
|
|
ap->ap_qoffset = 0;
|
|
|
|
|
|
|
|
KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen"));
|
|
|
|
KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen"));
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Free an audit pipe; this means freeing all preselection state and all
|
2008-10-30 21:58:39 +00:00
|
|
|
* records in the pipe. Assumes global write lock and pipe mutex are held to
|
|
|
|
* prevent any new records from being inserted during the free, and that the
|
|
|
|
* audit pipe is still on the global list.
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
*/
|
|
|
|
static void
|
|
|
|
audit_pipe_free(struct audit_pipe *ap)
|
|
|
|
{
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LIST_WLOCK_ASSERT();
|
|
|
|
AUDIT_PIPE_LOCK_ASSERT(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
|
|
|
|
audit_pipe_preselect_flush_locked(ap);
|
|
|
|
audit_pipe_flush(ap);
|
2008-10-30 21:58:39 +00:00
|
|
|
cv_destroy(&ap->ap_cv);
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
AUDIT_PIPE_SX_LOCK_DESTROY(ap);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK_DESTROY(ap);
|
Fix a deficiency in the selinfo interface:
If a selinfo object is recorded (via selrecord()) and then it is
quickly destroyed, with the waiters missing the opportunity to awake,
at the next iteration they will find the selinfo object destroyed,
causing a PF#.
That happens because the selinfo interface has no way to drain the
waiters before to destroy the registered selinfo object. Also this
race is quite rare to get in practice, because it would require a
selrecord(), a poll request by another thread and a quick destruction
of the selrecord()'ed selinfo object.
Fix this by adding the seldrain() routine which should be called
before to destroy the selinfo objects (in order to avoid such case),
and fix the present cases where it might have already been called.
Sometimes, the context is safe enough to prevent this type of race,
like it happens in device drivers which installs selinfo objects on
poll callbacks. There, the destruction of the selinfo object happens
at driver detach time, when all the filedescriptors should be already
closed, thus there cannot be a race.
For this case, mfi(4) device driver can be set as an example, as it
implements a full correct logic for preventing this from happening.
Sponsored by: Sandvine Incorporated
Reported by: rstone
Tested by: pluknet
Reviewed by: jhb, kib
Approved by: re (bz)
MFC after: 3 weeks
2011-08-25 15:51:54 +00:00
|
|
|
seldrain(&ap->ap_selinfo);
|
2006-08-24 17:42:38 +00:00
|
|
|
knlist_destroy(&ap->ap_selinfo.si_note);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
TAILQ_REMOVE(&audit_pipe_list, ap, ap_list);
|
2006-02-06 22:50:39 +00:00
|
|
|
free(ap, M_AUDIT_PIPE);
|
|
|
|
audit_pipe_count--;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2014-08-20 16:04:30 +00:00
|
|
|
audit_pipe_dtor(void *arg)
|
2006-02-06 22:50:39 +00:00
|
|
|
{
|
2014-08-20 16:04:30 +00:00
|
|
|
struct audit_pipe *ap;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
2014-08-20 16:04:30 +00:00
|
|
|
ap = arg;
|
2016-01-13 14:02:07 +00:00
|
|
|
funsetown(&ap->ap_sigio);
|
2014-08-20 16:04:30 +00:00
|
|
|
AUDIT_PIPE_LIST_WLOCK();
|
|
|
|
AUDIT_PIPE_LOCK(ap);
|
|
|
|
audit_pipe_free(ap);
|
|
|
|
AUDIT_PIPE_LIST_WUNLOCK();
|
2006-02-06 22:50:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2006-11-06 13:42:10 +00:00
|
|
|
* Audit pipe open method. Explicit privilege check isn't used as this
|
|
|
|
* allows file permissions on the special device to be used to grant audit
|
|
|
|
* review access. Those file permissions should be managed carefully.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
|
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
2014-08-20 16:04:30 +00:00
|
|
|
int error;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
2014-08-20 16:04:30 +00:00
|
|
|
ap = audit_pipe_alloc();
|
2016-01-13 14:02:07 +00:00
|
|
|
if (ap == NULL)
|
2014-08-20 16:04:30 +00:00
|
|
|
return (ENOMEM);
|
2006-02-06 22:50:39 +00:00
|
|
|
fsetown(td->td_proc->p_pid, &ap->ap_sigio);
|
2014-08-20 16:04:30 +00:00
|
|
|
error = devfs_set_cdevpriv(ap, audit_pipe_dtor);
|
|
|
|
if (error != 0)
|
2016-01-13 14:02:07 +00:00
|
|
|
audit_pipe_dtor(ap);
|
|
|
|
return (error);
|
2006-02-06 22:50:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2006-03-19 15:36:10 +00:00
|
|
|
* Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer
|
|
|
|
* commands.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
|
|
|
|
struct thread *td)
|
|
|
|
{
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
struct auditpipe_ioctl_preselect *aip;
|
2006-02-06 22:50:39 +00:00
|
|
|
struct audit_pipe *ap;
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
au_mask_t *maskp;
|
|
|
|
int error, mode;
|
|
|
|
au_id_t auid;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
2014-08-20 16:04:30 +00:00
|
|
|
error = devfs_get_cdevpriv((void **)&ap);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Audit pipe ioctls: first come standard device node ioctls, then
|
|
|
|
* manipulation of pipe settings, and finally, statistics query
|
|
|
|
* ioctls.
|
|
|
|
*/
|
2006-02-06 22:50:39 +00:00
|
|
|
switch (cmd) {
|
|
|
|
case FIONBIO:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
if (*(int *)data)
|
|
|
|
ap->ap_flags |= AUDIT_PIPE_NBIO;
|
|
|
|
else
|
|
|
|
ap->ap_flags &= ~AUDIT_PIPE_NBIO;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case FIONREAD:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
2008-11-01 21:56:45 +00:00
|
|
|
*(int *)data = ap->ap_qbyteslen - ap->ap_qoffset;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case FIOASYNC:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
if (*(int *)data)
|
|
|
|
ap->ap_flags |= AUDIT_PIPE_ASYNC;
|
|
|
|
else
|
|
|
|
ap->ap_flags &= ~AUDIT_PIPE_ASYNC;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case FIOSETOWN:
|
|
|
|
error = fsetown(*(int *)data, &ap->ap_sigio);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case FIOGETOWN:
|
|
|
|
*(int *)data = fgetown(&ap->ap_sigio);
|
|
|
|
error = 0;
|
2006-03-19 15:36:10 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_QLEN:
|
|
|
|
*(u_int *)data = ap->ap_qlen;
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_QLIMIT:
|
|
|
|
*(u_int *)data = ap->ap_qlimit;
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_SET_QLIMIT:
|
|
|
|
/* Lockless integer write. */
|
2018-07-23 16:56:49 +00:00
|
|
|
if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN &&
|
2006-03-19 15:36:10 +00:00
|
|
|
*(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
|
|
|
|
ap->ap_qlimit = *(u_int *)data;
|
|
|
|
error = 0;
|
|
|
|
} else
|
|
|
|
error = EINVAL;
|
|
|
|
break;
|
|
|
|
|
2006-03-19 15:39:03 +00:00
|
|
|
case AUDITPIPE_GET_QLIMIT_MIN:
|
|
|
|
*(u_int *)data = AUDIT_PIPE_QLIMIT_MIN;
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_QLIMIT_MAX:
|
|
|
|
*(u_int *)data = AUDIT_PIPE_QLIMIT_MAX;
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
case AUDITPIPE_GET_PRESELECT_FLAGS:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
maskp = (au_mask_t *)data;
|
|
|
|
*maskp = ap->ap_preselect_flags;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_SET_PRESELECT_FLAGS:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
maskp = (au_mask_t *)data;
|
|
|
|
ap->ap_preselect_flags = *maskp;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_PRESELECT_NAFLAGS:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
maskp = (au_mask_t *)data;
|
|
|
|
*maskp = ap->ap_preselect_naflags;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_SET_PRESELECT_NAFLAGS:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
maskp = (au_mask_t *)data;
|
|
|
|
ap->ap_preselect_naflags = *maskp;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_PRESELECT_AUID:
|
|
|
|
aip = (struct auditpipe_ioctl_preselect *)data;
|
|
|
|
error = audit_pipe_preselect_get(ap, aip->aip_auid,
|
|
|
|
&aip->aip_mask);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_SET_PRESELECT_AUID:
|
|
|
|
aip = (struct auditpipe_ioctl_preselect *)data;
|
|
|
|
audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask);
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_DELETE_PRESELECT_AUID:
|
|
|
|
auid = *(au_id_t *)data;
|
|
|
|
error = audit_pipe_preselect_delete(ap, auid);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_FLUSH_PRESELECT_AUID:
|
|
|
|
audit_pipe_preselect_flush(ap);
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_PRESELECT_MODE:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
*(int *)data = ap->ap_preselect_mode;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_SET_PRESELECT_MODE:
|
|
|
|
mode = *(int *)data;
|
|
|
|
switch (mode) {
|
|
|
|
case AUDITPIPE_PRESELECT_MODE_TRAIL:
|
|
|
|
case AUDITPIPE_PRESELECT_MODE_LOCAL:
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
ap->ap_preselect_mode = mode;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
error = EINVAL;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_FLUSH:
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
|
|
|
|
return (EINTR);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
audit_pipe_flush(ap);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
AUDIT_PIPE_SX_XUNLOCK(ap);
|
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or user their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
2006-08-26 17:59:31 +00:00
|
|
|
case AUDITPIPE_GET_MAXAUDITDATA:
|
|
|
|
*(u_int *)data = MAXAUDITDATA;
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
2006-03-19 15:36:10 +00:00
|
|
|
case AUDITPIPE_GET_INSERTS:
|
|
|
|
*(u_int *)data = ap->ap_inserts;
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_READS:
|
|
|
|
*(u_int *)data = ap->ap_reads;
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_DROPS:
|
|
|
|
*(u_int *)data = ap->ap_drops;
|
|
|
|
error = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUDITPIPE_GET_TRUNCATES:
|
2008-10-31 15:11:01 +00:00
|
|
|
*(u_int *)data = 0;
|
2006-03-19 15:36:10 +00:00
|
|
|
error = 0;
|
|
|
|
break;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
|
|
|
default:
|
|
|
|
error = ENOTTY;
|
|
|
|
}
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2008-11-01 21:16:09 +00:00
|
|
|
* Audit pipe read. Read one or more partial or complete records to user
|
|
|
|
* memory.
|
2006-02-06 22:50:39 +00:00
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_read(struct cdev *dev, struct uio *uio, int flag)
|
|
|
|
{
|
|
|
|
struct audit_pipe_entry *ape;
|
|
|
|
struct audit_pipe *ap;
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
u_int toread;
|
2006-02-06 22:50:39 +00:00
|
|
|
int error;
|
|
|
|
|
2014-08-20 16:04:30 +00:00
|
|
|
error = devfs_get_cdevpriv((void **)&ap);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
2008-10-30 21:58:39 +00:00
|
|
|
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
/*
|
|
|
|
* We hold an sx(9) lock over read and flush because we rely on the
|
|
|
|
* stability of a record in the queue during uiomove(9).
|
|
|
|
*/
|
|
|
|
if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
|
|
|
|
return (EINTR);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
while (TAILQ_EMPTY(&ap->ap_queue)) {
|
|
|
|
if (ap->ap_flags & AUDIT_PIPE_NBIO) {
|
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
|
|
|
AUDIT_PIPE_SX_XUNLOCK(ap);
|
|
|
|
return (EAGAIN);
|
2006-02-06 22:50:39 +00:00
|
|
|
}
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap));
|
|
|
|
if (error) {
|
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
|
|
|
AUDIT_PIPE_SX_XUNLOCK(ap);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Copy as many remaining bytes from the current record to userspace
|
2008-11-01 21:16:09 +00:00
|
|
|
* as we can. Keep processing records until we run out of records in
|
|
|
|
* the queue, or until the user buffer runs out of space.
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
*
|
|
|
|
* Note: we rely on the SX lock to maintain ape's stability here.
|
|
|
|
*/
|
2007-10-27 22:28:01 +00:00
|
|
|
ap->ap_reads++;
|
2008-11-01 21:16:09 +00:00
|
|
|
while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL &&
|
|
|
|
uio->uio_resid > 0) {
|
|
|
|
AUDIT_PIPE_LOCK_ASSERT(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
|
2008-11-01 21:56:45 +00:00
|
|
|
KASSERT(ape->ape_record_len > ap->ap_qoffset,
|
|
|
|
("audit_pipe_read: record_len > qoffset (1)"));
|
|
|
|
toread = MIN(ape->ape_record_len - ap->ap_qoffset,
|
2008-11-01 21:16:09 +00:00
|
|
|
uio->uio_resid);
|
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
2008-11-01 21:56:45 +00:00
|
|
|
error = uiomove((char *)ape->ape_record + ap->ap_qoffset,
|
|
|
|
toread, uio);
|
2008-11-01 21:16:09 +00:00
|
|
|
if (error) {
|
|
|
|
AUDIT_PIPE_SX_XUNLOCK(ap);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If the copy succeeded, update book-keeping, and if no
|
|
|
|
* bytes remain in the current record, free it.
|
|
|
|
*/
|
|
|
|
AUDIT_PIPE_LOCK(ap);
|
|
|
|
KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape,
|
|
|
|
("audit_pipe_read: queue out of sync after uiomove"));
|
2008-11-01 21:56:45 +00:00
|
|
|
ap->ap_qoffset += toread;
|
|
|
|
KASSERT(ape->ape_record_len >= ap->ap_qoffset,
|
|
|
|
("audit_pipe_read: record_len >= qoffset (2)"));
|
|
|
|
if (ap->ap_qoffset == ape->ape_record_len) {
|
2008-11-01 21:16:09 +00:00
|
|
|
TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
|
2008-11-01 21:56:45 +00:00
|
|
|
ap->ap_qbyteslen -= ape->ape_record_len;
|
2008-11-01 21:16:09 +00:00
|
|
|
audit_pipe_entry_free(ape);
|
|
|
|
ap->ap_qlen--;
|
2008-11-01 21:56:45 +00:00
|
|
|
ap->ap_qoffset = 0;
|
2008-11-01 21:16:09 +00:00
|
|
|
}
|
|
|
|
}
|
Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped. Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.
This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record. Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush. Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).
MFC after: 2 months
Sponsored by: Apple, Inc.
2008-10-31 14:40:21 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
|
|
|
AUDIT_PIPE_SX_XUNLOCK(ap);
|
2008-11-01 21:16:09 +00:00
|
|
|
return (0);
|
2006-02-06 22:50:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Audit pipe poll.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_poll(struct cdev *dev, int events, struct thread *td)
|
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
2014-08-20 16:04:30 +00:00
|
|
|
int error, revents;
|
2006-02-06 22:50:39 +00:00
|
|
|
|
|
|
|
revents = 0;
|
2014-08-20 16:04:30 +00:00
|
|
|
error = devfs_get_cdevpriv((void **)&ap);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
2006-02-06 22:50:39 +00:00
|
|
|
if (events & (POLLIN | POLLRDNORM)) {
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
if (TAILQ_FIRST(&ap->ap_queue) != NULL)
|
|
|
|
revents |= events & (POLLIN | POLLRDNORM);
|
|
|
|
else
|
|
|
|
selrecord(td, &ap->ap_selinfo);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
2006-02-06 22:50:39 +00:00
|
|
|
}
|
|
|
|
return (revents);
|
|
|
|
}
|
|
|
|
|
2006-08-24 17:42:38 +00:00
|
|
|
/*
|
|
|
|
* Audit pipe kqfilter.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_kqfilter(struct cdev *dev, struct knote *kn)
|
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
2014-08-20 16:04:30 +00:00
|
|
|
int error;
|
2006-08-24 17:42:38 +00:00
|
|
|
|
2014-08-20 16:04:30 +00:00
|
|
|
error = devfs_get_cdevpriv((void **)&ap);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
2006-08-24 17:42:38 +00:00
|
|
|
if (kn->kn_filter != EVFILT_READ)
|
|
|
|
return (EINVAL);
|
|
|
|
|
|
|
|
kn->kn_fop = &audit_pipe_read_filterops;
|
|
|
|
kn->kn_hook = ap;
|
|
|
|
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
2006-08-24 17:42:38 +00:00
|
|
|
knlist_add(&ap->ap_selinfo.si_note, kn, 1);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
2006-08-24 17:42:38 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Return true if there are records available for reading on the pipe.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
audit_pipe_kqread(struct knote *kn, long hint)
|
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
|
|
|
|
|
|
|
ap = (struct audit_pipe *)kn->kn_hook;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK_ASSERT(ap);
|
|
|
|
|
2006-08-24 17:42:38 +00:00
|
|
|
if (ap->ap_qlen != 0) {
|
2008-11-01 21:56:45 +00:00
|
|
|
kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset;
|
2006-08-24 17:42:38 +00:00
|
|
|
return (1);
|
|
|
|
} else {
|
|
|
|
kn->kn_data = 0;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Detach kqueue state from audit pipe.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
audit_pipe_kqdetach(struct knote *kn)
|
|
|
|
{
|
|
|
|
struct audit_pipe *ap;
|
|
|
|
|
|
|
|
ap = (struct audit_pipe *)kn->kn_hook;
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LOCK(ap);
|
2006-08-24 17:42:38 +00:00
|
|
|
knlist_remove(&ap->ap_selinfo.si_note, kn, 1);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_UNLOCK(ap);
|
2006-08-24 17:42:38 +00:00
|
|
|
}
|
|
|
|
|
2006-02-06 22:50:39 +00:00
|
|
|
/*
|
|
|
|
* Initialize the audit pipe system.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
audit_pipe_init(void *unused)
|
|
|
|
{
|
|
|
|
|
|
|
|
TAILQ_INIT(&audit_pipe_list);
|
2008-10-30 21:58:39 +00:00
|
|
|
AUDIT_PIPE_LIST_LOCK_INIT();
|
2014-08-20 16:04:30 +00:00
|
|
|
audit_pipe_dev = make_dev(&audit_pipe_cdevsw, 0, UID_ROOT,
|
|
|
|
GID_WHEEL, 0600, "%s", AUDIT_PIPE_NAME);
|
|
|
|
if (audit_pipe_dev == NULL) {
|
|
|
|
AUDIT_PIPE_LIST_LOCK_DESTROY();
|
|
|
|
panic("Can't initialize audit pipe subsystem");
|
|
|
|
}
|
2006-02-06 22:50:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init,
|
|
|
|
NULL);
|