freebsd-skq/sys
rwatson 4f317e1576 Introduce support for per-audit pipe preselection independent from the
global audit trail configuration.  This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present).  To implement this:

- Kernel audit records now carry a flag to indicate whether they have
  been selected by the global trail or by the audit pipe subsystem,
  set during record commit, so that this information is available
  after BSM conversion when delivering the BSM to the trail and audit
  pipes in the audit worker thread asynchronously.  Preselection by
  either record target will cause the record to be kept.

- Similar changes to preselection when the audit record is created
  when the system call is entering: consult both the global trail and
  pipes.

- au_preselect() now accepts the class in order to avoid repeatedly
  looking up the mask for each preselection test.

- Define a series of ioctls that allow applications to specify whether
  they want to track the global trail, or program their own
  preselection parameters: they may specify their own flags and naflags
  masks, similar to the global masks of the same name, as well as a set
  of per-auid masks.  They also set a per-pipe mode specifying whether
  they track the global trail, or use their own -- the door is left
  open for future additional modes.  A new ioctl is defined to allow a
  user process to flush the current audit pipe queue, which can be used
  after reprogramming pre-selection to make sure that only records of
  interest are received in future reads.

- Audit pipe data structures are extended to hold the additional fields
  necessary to support preselection.  By default, audit pipes track the
  global trail, so "praudit /dev/auditpipe" will track the global audit
  trail even though praudit doesn't program the audit pipe selection
  model.

- Comment about the complexities of potentially adding partial read
  support to audit pipes.

By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.

Obtained from:	TrustedBSD Project
2006-06-05 14:48:17 +00:00
amd64 After much discussion with mjacob and scottl, change bus_dmamem_alloc so 2006-06-01 04:49:29 +00:00
arm Don't #error if no CPU is defined but we're not compiling the kernel. 2006-06-02 09:39:06 +00:00
boot Increment the disk block offset after writing, not before. This 2006-05-31 09:05:49 +00:00
bsm Merge OpenBSM 1.0 alpha 6 version of audit_record.h to src/sys: 2006-06-05 13:00:52 +00:00
cam Handle some of the inquiry flags that have come into 2006-05-30 22:44:00 +00:00
coda Since DELAY() was moved, most <machine/clock.h> #includes have been 2006-05-16 14:37:58 +00:00
compat As far as I can tell, the correct CPU family for amd64 (which Linux calls 2006-06-02 13:01:25 +00:00
conf Note that KTR_ENTRIES must be a power of two. 2006-06-03 23:30:16 +00:00
contrib Since DELAY() was moved, most <machine/clock.h> #includes have been 2006-05-16 14:37:58 +00:00
crypto padlock(4) doesn't support explicitly provided keys yet. 2006-04-20 06:31:44 +00:00
ddb Use __LP64__ rather than the PTR64 hack. 2006-05-11 21:59:55 +00:00
dev Fix a number of cases where ugen would panic, especially when the 2006-06-05 14:44:39 +00:00
doc Add a disclaimer regarding public/internal functions to every subsystem for 2006-05-28 15:25:18 +00:00
fs mount_msdosfs.c: 2006-06-01 02:25:00 +00:00
gdb Convert to new console api 2006-05-26 13:54:27 +00:00
geom Fix unaligned memory accesses on Alpha and possible other platforms. 2006-06-04 20:26:13 +00:00
gnu Include "xfs_macros.h" to fix tinderbox build breakage. 2006-06-01 20:51:59 +00:00
i4b Since DELAY() was moved, most <machine/clock.h> #includes have been 2006-05-16 14:37:58 +00:00
i386 MFamd64 2006-06-05 06:08:21 +00:00
ia64 EISA bus ia64 systems don't exist in reality. I'm told they may exist in 2006-06-02 04:46:26 +00:00
isa Remove various bits of conditional Alpha code and fixup a few comments. 2006-05-12 05:04:46 +00:00
isofs/cd9660 Remove calls to vfs_export() for exporting a filesystem for NFS mounting 2006-05-26 00:32:21 +00:00
kern Audit command, uid arguments for quotactl(). 2006-06-05 13:34:23 +00:00
libkern First pass at removing Alpha kernel support. 2006-05-11 22:25:28 +00:00
modules Dike out WARNS from kernel module makefiles. Kernels and modules 2006-05-30 09:38:54 +00:00
net Back out previous two commits, this caused some problems in the namespace 2006-06-03 18:48:14 +00:00
net80211 Fix the following bpf(4) race condition which can result in a panic: 2006-06-02 19:59:33 +00:00
netatalk White space consistency with kasserts. Minor style tweaks. 2006-04-01 16:54:37 +00:00
netatm Change protocol switch method pru_detach() so that it returns void 2006-04-01 15:42:02 +00:00
netgraph add missed calls to bpf_peers_present 2006-06-02 23:14:40 +00:00
netinet Push acquisition of pcbinfo lock out of tcp_usr_attach() into 2006-06-04 09:31:34 +00:00
netinet6 Avoid spurious release of an rtentry. 2006-05-23 00:32:22 +00:00
netipsec Change '#if INET' and '#if INET6' to '#ifdef INET' and '#ifdef INET6'. 2006-06-04 19:32:32 +00:00
netipx Make this compile without INVARIANTS. 2006-04-11 23:15:47 +00:00
netkey In raw and raw-derived socket types, maintain and enforce invariant that 2006-04-01 15:55:44 +00:00
netnatm style(9) treatment following fixups. 2006-04-23 16:33:56 +00:00
netncp In ncp_sysctl_connstat(), the SLIST_FOREACH() logic to check 'error' 2006-01-14 11:40:32 +00:00
netsmb Retire NETSMBCRYPTO as a kernel option and make its functionality 2006-03-05 22:52:17 +00:00
nfs
nfs4client While reviewing NFS client for another PR, noticed this omission in the 2006-05-24 15:56:36 +00:00
nfsclient Kris Kennaway found that for '/' NFS mounts, the MPSAFE mount flag was 2006-05-30 20:32:44 +00:00
nfsserver Temporary workaround to prevent leak of Giant from nfsd when calling 2006-06-05 14:48:02 +00:00
opencrypto Use newly added functions to simplify the code. 2006-06-04 22:17:25 +00:00
pc98 MFi386: revisions 1.627, 1.628 and 1.629. 2006-06-05 11:53:36 +00:00
pccard I don't believe these are used at all, and can be safely removed 2006-01-15 06:49:28 +00:00
pci Move SiS 760 to where it belongs. 2006-05-30 18:41:26 +00:00
posix4 Don't allow non-root user to set a scheduler policy, otherwise this could 2006-05-21 00:40:38 +00:00
powerpc Since DELAY() was moved, most <machine/clock.h> #includes have been 2006-05-16 14:37:58 +00:00
rpc Fix up some cut-n-paste damage and some out-of-date comments. 2006-01-20 15:20:41 +00:00
security Introduce support for per-audit pipe preselection independent from the 2006-06-05 14:48:17 +00:00
sparc64 MFalpha/amd64/arm/ia64 2006-05-29 06:12:01 +00:00
sys Bah, fix fat finger in last. Invert the ~ on MTX_FLAGMASK as it's 2006-06-03 21:11:33 +00:00
tools - Add two checks for syntax errors 2006-05-30 21:13:28 +00:00
ufs Check the sectorsize of the underlying disk before trying to 2006-06-03 21:20:37 +00:00
vm Fix minidumps to include pages allocated via pmap_map on amd64. 2006-05-31 22:55:23 +00:00
Makefile o Add net80211/ to cscope dir list. 2006-05-29 19:29:41 +00:00