3b657094d5
system-call entry and whenever audit arguments or return values are captured: 1. Expose a single global, audit_syscalls_enabled, which controls whether the audit framework is entered, rather than exposing components of the policy -- e.g., if the trail is enabled, suspended, etc. 2. Introduce a new function audit_syscalls_enabled_update(), which is called to update audit_syscalls_enabled whenever an aspect of the policy changes, so that the value can be updated. 3. Remove a check of trail enablement/suspension from audit_new() -- at the point where this function has been entered, we believe that system-call auditing is already in force, or we wouldn't get here, so simply proceed to more expensive policy checks. 4. Use an audit-provided global, audit_dtrace_enabled, rather than a dtaudit-provided global, to provide policy indicating whether dtaudit would like system calls to be audited. 5. Do some minor cosmetic renaming to clarify what various variables are for. These changes collectively arrange it so that traditional audit (trail, pipes) or the DTrace audit provider can enable system-call probes without the other configured. Otherwise, dtaudit cannot capture system-call data without auditd(8) started. Reviewed by: gnn Sponsored by: DARPA, AFRL Approved by: re (gjb) Differential Revision: https://reviews.freebsd.org/D17348 |
||
---|---|---|
.. | ||
audit | ||
mac | ||
mac_biba | ||
mac_bsdextended | ||
mac_ifoff | ||
mac_lomac | ||
mac_mls | ||
mac_none | ||
mac_ntpd | ||
mac_partition | ||
mac_portacl | ||
mac_seeotheruids | ||
mac_stub | ||
mac_test | ||
mac_veriexec |