Commit Graph

50 Commits

Author SHA1 Message Date
Robert Watson
31214759fa Add AUE_SYSARCH to the list of audit events during BSM conversion to prevent
a console warning.  Eventually, we will capture more arguments for sysarch.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2006-09-17 11:42:40 +00:00
Robert Watson
af8bc757de Add a BSM conversion switch case for AUE_GETCWD, so that a console
warning isn't generated when __getcwd() is invoked.

MFC after:	3 days
Obtained from:	TrustedBSD Project
2006-09-09 10:23:44 +00:00
Robert Watson
4b0b93261a Small style cleanup.
MFC after:	3 days
2006-09-09 10:23:00 +00:00
Robert Watson
f9b1dc578a White space cleanup, no functional change. 2006-09-04 06:06:23 +00:00
Wayne Salamon
ae1078d657 Audit the argv and env vectors passed in on exec:
Add the argument auditing functions for argv and env.
  Add kernel-specific versions of the tokenizer functions for the
  arg and env represented as a char array.
  Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to
  enable/disable argv/env auditing.
  Call the argument auditing from the exec system calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
Robert Watson
9fe741b895 Allow the user process to query the kernel's notion of a maximum
audit record size at run-time, which can be used by the user
process to size the user space buffer it reads into from the audit
pipe.

Perforce change:	105098
Obtained from:		TrustedBSD Project
2006-08-26 17:59:31 +00:00
Robert Watson
1c4d2797dd Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM
1.0 alpha 9 import.  See the OpenBSM import commit message for a
detailed summary of changes.

Obtained from:  TrustedBSD Project
2006-08-26 08:17:58 +00:00
Robert Watson
568b77a439 Remove $P4$ from this file; other then temporarily P4-local work in
progress the kernel audit code in CVS is considered authoritative.
This will ease $P4$-related merging issues during the CVS loopback.

Obtained from:	TrustedBSD Project
2006-08-25 07:30:23 +00:00
Robert Watson
0fff4cde9d Add kqueue support to audit pipe pseudo-devices.
Obtained from:	TrustedBSD Project
2006-08-24 17:42:38 +00:00
Wayne Salamon
65ee602e0c Audit the remaining parameters to the extattr system calls. Generate
the audit records for those calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-07-06 19:33:38 +00:00
Robert Watson
814fe9e98e Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa.
- Assert arguments are non-NULL to many argument capture functions
  rather than testing them.  This may trip some bugs.
- Assert the process lock is held when auditing process
  information.
- Test currecord in several more places.
- Test validity of more arguments with kasserts, such as flag
  values when auditing vnode information.

Perforce change:	98825
Obtained from:		TrustedBSD Project
2006-07-03 14:55:55 +00:00
Wayne Salamon
09fac02311 Make the size of the subject32_ex and process32_ex tokens depend on
whether we have an IPv6 address. Write the term ID as 4 or
16 bytes depending on address type. This change matches the recent
OpenBSM change, and what Solaris does.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-06-17 13:53:04 +00:00
Robert Watson
dcd57cfcba Lock process when copying fields from process structure so as to
get a consistent snapshot, as well as get consistent values (i.e.,
that p_comm is properly nul-terminated).

Perforce CID:	98824
Obtained from:	TrustedBSD Project
2006-06-08 21:58:04 +00:00
Robert Watson
ec914adf6b Prefer C to C++ comments per style(9).
Perforce CID:	98826
Obtained from:	TrustedBSD Project
2006-06-08 21:55:39 +00:00
Robert Watson
a7cbec4448 Extract pointer value for mnt_stat from vp after the NULL check, not
before.

Coverity ID:	134394
Found with:	Coverity Prevent (tm)
2006-06-06 08:43:27 +00:00
Robert Watson
714e68b8d2 Remove use of Giant around vn_open() in audit trail setup.
Submitted by:	jhb, wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 22:36:12 +00:00
Robert Watson
7365463843 When generating BSM tokens for mkfifo(), include mode argument.
Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:14:49 +00:00
Robert Watson
5619113c96 When generating the process token, need to check whether the
process was sucessfully audited.  Otherwise, generate the PID
token. This change covers the pid < 0 cases, and pid lookup
failure cases.

Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2006-06-05 16:12:00 +00:00
Robert Watson
1df6229aea Consistently use audit_free() to free records, rather than
directly invoking uma_zfree().

Perforce change:	96652
Obtained from:		TrustedBSD Project
2006-06-05 15:38:12 +00:00
Robert Watson
e257c20ec1 Introduce support for per-audit pipe preselection independent from the
global audit trail configuration.  This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present).  To implement this:

- Kernel audit records now carry a flag to indicate whether they have
  been selected by the global trail or by the audit pipe subsystem,
  set during record commit, so that this information is available
  after BSM conversion when delivering the BSM to the trail and audit
  pipes in the audit worker thread asynchronously.  Preselection by
  either record target will cause the record to be kept.

- Similar changes to preselection when the audit record is created
  when the system call is entering: consult both the global trail and
  pipes.

- au_preselect() now accepts the class in order to avoid repeatedly
  looking up the mask for each preselection test.

- Define a series of ioctls that allow applications to specify whether
  they want to track the global trail, or program their own
  preselection parameters: they may specify their own flags and naflags
  masks, similar to the global masks of the same name, as well as a set
  of per-auid masks.  They also set a per-pipe mode specifying whether
  they track the global trail, or user their own -- the door is left
  open for future additional modes.  A new ioctl is defined to allow a
  user process to flush the current audit pipe queue, which can be used
  after reprogramming pre-selection to make sure that only records of
  interest are received in future reads.

- Audit pipe data structures are extended to hold the additional fields
  necessary to support preselection.  By default, audit pipes track the
  global trail, so "praudit /dev/auditpipe" will track the global audit
  trail even though praudit doesn't program the audit pipe selection
  model.

- Comment about the complexities of potentially adding partial read
  support to audit pipes.

By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.

Obtained from:	TrustedBSD Project
2006-06-05 14:48:17 +00:00
Robert Watson
b6cd2d9e08 Shorten audit record zone name.
Perforce change:	93598
Obtained from:	TrustedBSD Project
2006-06-05 14:11:28 +00:00
Robert Watson
2ca38be3bf No longer unconditionally drain the audit record queue if there is
not an active audit trail: instead, continue to iterate through
each record in case an audit pipe is interested.

Obtained from:	TrustedBSD Project
2006-06-05 14:09:59 +00:00
Robert Watson
32962122cd Pull BSM conversion logic out of audit_record_write(), as well as
knowledge of user vs. kernel audit records into
audit_worker_process_record().  This largely confines vnode
knowledge to audit_record_write(), but avoids that logic knowing
about BSM as opposed to byte streams.  This will allow us to
improve our ability to support real-time audit stream processing
by audit pipe consumers while auditing is disabled, but this
support is not yet complete.

Obtained from:	TrustedBSD Project
2006-06-05 13:50:02 +00:00
Robert Watson
62bb2e9199 Assert audit mtx in audit_worker_drain().
Break out logic to call audit_record_write() and handle error
conditions into audit_worker_process_record().  This will be the
future home of some logic now present in audit_record_write()
also.

Obtained from:	TrustedBSD Project
2006-06-05 13:46:55 +00:00
Robert Watson
b3ae6323f0 Use struct kaudit_queue instead of a hand-crafted queue type for
audit records in the audit_worker thread.

Obtained from:	TrustedBSD Project
2006-06-05 13:45:05 +00:00
Robert Watson
40c96d7279 Rename audit_cv to audit_worker_cv, as it wakes up the audit
worker.

Rename audit_commit_cv to audit_watermark_cv, since it is there to
wake up threads waiting on hitting the low watermark.  Describe
properly in comment.

Obtained from:	TrustedBSD Project
2006-06-05 13:43:57 +00:00
Robert Watson
4b6d6bcffd Merge OpenBSM 1.0 alpha 6 changes for BSM token creation to
src/sys/security/audit:

- Clarify and clean up AUR_ types to match Solaris.
- Clean up use of host vs. network byte order for IP addresses.
- Remove combined user/kernel implementations of some token creation
  calls, such as au_to_file(), header calls, etc.

Obtained from:	TrustedBSD Project
2006-06-05 13:13:02 +00:00
Christian S.J. Peron
7737a00f64 Check to see if the rootdir is the same as the current working directory.
If it is, and the pathname was relative, do not separate the componenets
with a '/' character.

Obtained from:	TrustedBSD Project
2006-06-01 15:38:30 +00:00
Robert Watson
871499fef5 Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.

Obtained from:	TrustedBSD Project
2006-03-19 17:34:00 +00:00
Robert Watson
08e57af45b Merge Perforce changes 93512, 93514, 93515 from TrustedBSD audit3
branch:

  Integrate audit.c to audit_worker.c, so as to migrate the worker
  thread implementation to its own .c file.

  Populate audit_worker.c using parts now removed from audit.c:

  - Move audit rotation global variables.
  - Move audit_record_write(), audit_worker_rotate(),
    audit_worker_drain(), audit_worker(), audit_rotate_vnode().
  - Create audit_worker_init() from relevant parts of audit_init(),
    which now calls this routine.
  - Recreate audit_free(), which wraps uma_zfree() so that
    audit_record_zone can be static to audit.c.
  - Unstaticize various types and variables relating to the audit
    record queue so that audit_worker can get to them.  We may want
    to wrap these in accessor methods at some point.
  - Move AUDIT_PRINTF() to audit_private.h.

  Addition of audit_worker.c to kernel configuration, missed in
  earlier submit.

Obtained from:	TrustedBSD Project
2006-03-19 16:03:43 +00:00
Robert Watson
059c649508 Merge Perforce change 93570 from TrustedBSD audit3 branch:
Add audit pipe ioctls to query minimum and maximum audit queue
  lengths.

Obtained from:	TrustedBSD Project
2006-03-19 15:39:03 +00:00
Robert Watson
6a4bde1b76 Merge Perforce change 93567 from TrustedBSD audit3 branch:
Bump default queue limit for audit pipes from 32 to 128, since 32 is
  pretty small.

Obtained from:	TrustedBSD Project
2006-03-19 15:38:03 +00:00
Robert Watson
17363e6da7 Merge Perforce change 93568 from TrustedBSD audit3 branch:
Normalize nested include guards.

Obtained from:	TrustedBSD Project
2006-03-19 15:37:04 +00:00
Robert Watson
ed708e1f7f Merge Perforce change 93506 from TrustedBSD audit3 branch:
Add ioctls to audit pipes in order to allow querying of the current
  record queue state, setting of the queue limit, and querying of pipe
  statistics.

Obtained from:	TrustedBSD Project
2006-03-19 15:36:10 +00:00
Robert Watson
1d6941d403 Merge perforce 93507:
Correct comment: this print is now from audit_record_write(), not
  audit_worker().

Obtained from:	TrustedBSD Project
2006-03-18 18:32:12 +00:00
Robert Watson
5ec681997d Merge perforce change 93199:
Change send_trigger() prototype to return an int, so that user
  space callers can tell if the message was successfully placed
  in the trigger queue.  This isn't quite the same as it being
  successfully received, but is close enough that we can generate
  a more useful warning message in audit(8).

Obtained from:	TrustedBSD Project
2006-03-18 18:31:24 +00:00
Robert Watson
69c89e437b Count drops when the first of two pipe mallocs fails.
Obtained from:	TrustedBSD Project
2006-03-04 17:09:17 +00:00
Robert Watson
54205da01b Update src/sys/security/audit for OpenBSM 1.0 alpha 5:
- Include audit_internal.h to get definition of internal audit record
  structures, as it's no longer in audit.h.  Forward declare au_record
  in audit_private.h as not all audit_private.h consumers care about
  it.

- Remove __APPLE__ compatibility bits that are subsumed by configure
  for user space.

- Don't expose in6_addr internals (non-portable, but also cleaner
  looking).

- Avoid nested include of audit.h in audit_private.h.

Obtained from:	TrustedBSD Project
2006-03-04 17:00:55 +00:00
Robert Watson
bad70a881b Add stub AUE_EACCESS entry.
Obtained from:	TrustedBSD Project
2006-02-11 23:55:08 +00:00
Robert Watson
ba7f6690f1 Initialize user process audit ID to AU_DEFAUDITID so that init and
its pre-authentication children are covered by naflags.

Obtained from:	TrustedBSD Project
2006-02-11 23:53:00 +00:00
Robert Watson
a7f18116c2 Acquire vnode lock around call to VOP_GETATTR() in audit_record_write().
In the future, we may want to acquire the lock early in the function and
hold it across calls to vn_rdwr(), etc, to avoid multiple acquires.

Spotted by:	kris (bugmagnet)
Obtained from:	TrustedBSD Project
2006-02-07 23:44:31 +00:00
Robert Watson
860ae58e3f Fix queue drop logic when the queue overflows: decrement queue length.
Obtained from:	TrustedBSD Project
2006-02-07 14:46:26 +00:00
Robert Watson
09daf1c828 Add support for audit pipe special devices, which allow user space
applications to insert a "tee" in the live audit event stream.  Records
are inserted into a per-clone queue so that user processes can pull
discreet records out of the queue.  Unlike delivery to disk, audit pipes
are "lossy", dropping records in low memory conditions or when the
process falls behind real-time events.  This mechanism is appropriate
for use by live monitoring systems, host-based intrusion detection, etc,
and avoids applications having to dig through active on-disk trails that
are owned by the audit daemon.

Obtained from:	TrustedBSD Project
2006-02-06 22:50:39 +00:00
Robert Watson
cba07e4acc Manage audit record memory with the slab allocator, turning
initialization routines into a ctor, tear-down to a dtor, cleaning
up, etc.  This will allow audit records to be allocated from
per-cpu caches.

On recent FreeBSD, dropping the audit_mtx around freeing to UMA is
no longer required (at one point it was possible to acquire Giant
on that path), so a mutex-free thread-local drain is no longer
required.

Obtained from:	TrustedBSD Project
2006-02-06 22:30:54 +00:00
Robert Watson
6e8525ce84 When GC'ing a thread, assert that it has no active audit record.
This should not happen, but with this assert, brueffer and I would
not have spent 45 minutes trying to figure out why he wasn't
seeing audit records with the audit version in CVS.

Obtained from:	TrustedBSD Project
2006-02-05 21:06:09 +00:00
Robert Watson
a02a1efa9f Cast pointers to (uintptr_t) before down-casting to (int). This avoids
an incompatible conversion from a 64-bit pointer to a 32-bit integer on
64-bit platforms.  We will investigate whether Solaris uses a 64-bit
token here, or a new record here, in order to avoid truncating user
pointers that are 64-bit.  However, in the mean time, truncation is fine
as these are rarely/never used fields in audit records.

Obtained from:	TrustedBSD Project
2006-02-04 00:14:06 +00:00
Robert Watson
fac3e318aa Fix INVARIANTS build on amd64; (unsigned unsigned long) != u_int64_t.
Submitted by:	mlaier
2006-02-03 23:50:26 +00:00
Robert Watson
563267dae3 Remove user.h include in audit.h, it is unneeded, and also can cause
build problems for other components that include audit.h.
2006-02-03 15:49:07 +00:00
Robert Watson
911b84b08d Add new fields to process-related data structures:
- td_ar to struct thread, which holds the in-progress audit record during
  a system call.

- p_au to struct proc, which holds per-process audit state, such as the
  audit identifier, audit terminal, and process audit masks.

In the earlier implementation, td_ar was added to the zero'd section of
struct thread.  In order to facilitate merging to RELENG_6, it has been
moved to the end of the data structure, requiring explicit
initalization in the thread constructor.

Much help from:	wsalamon
Obtained from:	TrustedBSD Project
2006-02-02 00:37:05 +00:00
Robert Watson
718c851086 Import kernel audit framework:
- Management of audit state on processes.
- Audit system calls to configure process and system audit state.
- Reliable audit record queue implementation, audit_worker kernel
  thread to asynchronously store records on disk.
- Audit event argument.
- Internal audit data structure -> BSM audit trail conversion library.
- Audit event pre-selection.
- Audit pseudo-device permitting kernel->user upcalls to notify auditd
  of kernel audit events.

Much work by:	wsalamon
Obtained from:	TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00