Date: Thu, 30 Mar 2017 09:39:39 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r316176 - in head/sys: conf modules/dtrace modules/dtrace/dtaudit security/audit
Message-ID: <20170330063939.GZ43712@kib.kiev.ua>
In-Reply-To: <201703291958.v2TJw0hT049410@repo.freebsd.org>
References: <201703291958.v2TJw0hT049410@repo.freebsd.org>
On Wed, Mar 29, 2017 at 07:58:00PM +0000, Robert Watson wrote:
> Author: rwatson
> Date: Wed Mar 29 19:58:00 2017
> New Revision: 316176
> URL: https://svnweb.freebsd.org/changeset/base/316176
>
> Log:
>   Add an experimental DTrace audit provider, which allows users of DTrace to
>   instrument security event auditing rather than relying on conventional BSM
>   trail files or audit pipes:
>
>   - Add a set of per-event 'commit' probes, which provide access to
>     particular auditable events at the time of commit in system-call return.
>     These probes gain access to audit data via the in-kernel audit_record
>     data structure, providing convenient access to system-call arguments and
>     return values in a single probe.
>
>   - Add a set of per-event 'bsm' probes, which provide access to particular
>     auditable events at the time of BSM record generation in the audit
>     worker thread. These probes have access to the in-kernel audit_record
>     data structure and BSM representation as would be written to a trail
>     file or audit pipe -- i.e., asynchronously in the audit worker thread.
>
>   DTrace probe arguments consist of the name of the audit event (to support
>   future mechanisms of instrumenting multiple events via a single probe --
>   e.g., using classes), a pointer to the in-kernel audit record, and an
>   optional pointer to the BSM data and its length. For human convenience,
>   upper-case audit event names (AUE_...) are converted to lower case in
>   DTrace.
>
>   DTrace scripts can now cause additional audit-based data to be collected
>   on system calls, and inspect internal and BSM representations of the data.
>   They do not affect data captured in the audit trail or audit pipes
>   configured in the system. auditd(8) must be configured and running in
>   order to provide a database of event information, as well as other audit
>   configuration parameters (e.g., to capture command-line arguments or
>   environmental variables) for the provider to operate.
>
>   Reviewed by:	gnn, jonathan, markj
>   Sponsored by:	DARPA, AFRL
>   MFC after:	3 weeks
>   Differential Revision:	https://reviews.freebsd.org/D10149

On kernel configs which do not have the AUDIT option (and no DTRACE-related options), I get

/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:184:8: error: implicit declaration of function 'au_evnamemap_lookup' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
        ene = au_evnamemap_lookup(event);
              ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:184:6: error: incompatible integer to pointer conversion assigning to 'struct evname_elem *' from 'int' [-Werror,-Wint-conversion]
        ene = au_evnamemap_lookup(event);
            ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:197:23: error: no member named 'ene_commit_probe_enabled' in 'struct evname_elem'
        probe_enabled = ene->ene_commit_probe_enabled ||
                        ~~~  ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:198:11: error: no member named 'ene_bsm_probe_enabled' in 'struct evname_elem'
            ene->ene_bsm_probe_enabled;
            ~~~  ^
/usr/home/kostik/work/build/bsd/DEV/src/sys/security/audit/audit_dtrace.c:220:35: error: no member named 'k_dtaudit_state' in 'struct kaudit_record'
        ene = (struct evname_elem *)kar->k_dtaudit_state;
                                    ~~~  ^
etc.
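As an added illustration (not code from the commit, the thread, or the FreeBSD tree), the following D script consumes the probe arguments the quoted log message describes: arg0 is the lower-cased event name, arg1 the in-kernel audit record, and for the bsm probes arg2/arg3 the serialized BSM bytes and their length. The probe spelling audit:event:commit:aue_* and audit:event:bsm:aue_* and the struct audit_record field names (ar_subj_auid, ar_subj_pid, ar_retval, ar_errno) are assumptions about the provider and should be checked against dtaudit(4) and sys/security/audit/audit_private.h on the running kernel. The script only reads audit data; as the log message states, the trail and audit pipes are unaffected.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not part of the r316176 commit.
 * Assumed probe naming:   audit:event:commit:<aue_name>, audit:event:bsm:<aue_name>
 * Assumed argument layout (from the commit message):
 *   arg0  event name (lower-cased AUE_ name, as a string)
 *   arg1  pointer to the in-kernel audit record
 *   arg2  pointer to the BSM record (bsm probes only)
 *   arg3  length of the BSM record (bsm probes only)
 * Requires auditd(8) to be configured and running, per the commit message.
 */
#pragma D option quiet

/*
 * Commit probes fire in system-call return, so the record already carries
 * the subject, the return value and errno in one place.
 */
audit:event:commit:aue_execve,
audit:event:commit:aue_setuid
{
	/* assumed struct name; see audit_private.h */
	this->ar = (struct audit_record *)arg1;
	printf("%-16s auid=%d pid=%d retval=%d errno=%d\n",
	    stringof(arg0), this->ar->ar_subj_auid, this->ar->ar_subj_pid,
	    this->ar->ar_retval, this->ar->ar_errno);
	@commits[stringof(arg0), this->ar->ar_subj_auid] = count();
}

/*
 * BSM probes fire asynchronously in the audit worker thread with the
 * serialized record; arg3 is its length, so record sizes can be profiled
 * without touching the trail file or any audit pipe.
 */
audit:event:bsm:aue_*
{
	@bsmbytes[stringof(arg0)] = quantize(arg3);
}

END
{
	printf("\nCommits per event and subject audit ID:\n");
	printa("%-24s auid %-6d %@8d\n", @commits);
	printf("\nBSM record size distribution per event:\n");
	printa(@bsmbytes);
}
```

Run it as root with dtrace -s on a kernel built with both the AUDIT and DTrace options (the build failure reported above shows what happens when audit_dtrace.c is compiled without AUDIT); stop it with Ctrl-C to print the aggregations from the END clause.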