Date:      Fri, 26 Oct 2007 01:23:07 +0000 (UTC)
From:      "Christian S.J. Peron" <csjp@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/kern kern_sig.c src/sys/security/audit audit.c audit.h audit_bsm.c
Message-ID:  <200710260123.l9Q1N7rv019068@repoman.freebsd.org>

csjp        2007-10-26 01:23:07 UTC

  FreeBSD src repository

  Modified files:
    sys/kern             kern_sig.c 
    sys/security/audit   audit.c audit.h audit_bsm.c 
  Log:
  Implement AUE_CORE, which adds process core dump support into the kernel.
  This change introduces audit_proc_coredump() which is called by coredump(9)
  to create an audit record for the coredump event.  When a process
  dumps a core, it could be security relevant.  It could be an indicator that
  a stack within the process has been overflowed with an incorrectly constructed
  malicious payload or a number of other events.
  
  The record that is generated looks like this:
  
  header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
  argument,0,0xb,signal
  path,/usr/home/csjp/test.core
  subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
  return,success,1
  trailer,111
  
  - We allocate a completely new record to make sure we aren't clobbering
    the audit data associated with the syscall that produced the core
    (assuming the core is being generated in response to SIGABRT and not
    an invalid memory access).
  - Shuffle around expand_name() so we can use the coredump name at the very
    beginning of the coredump call.  Make sure we free the storage referenced
    by "name" if we need to bail out early.
  - Audit both successful and failed coredump creation efforts
  
  Obtained from:  TrustedBSD Project
  Reviewed by:    rwatson
  MFC after:      1 month
  
  Revision  Changes    Path
  1.351     +27 -6     src/sys/kern/kern_sig.c
  1.34      +48 -0     src/sys/security/audit/audit.c
  1.15      +1 -0      src/sys/security/audit/audit.h
  1.22      +8 -0      src/sys/security/audit/audit_bsm.c
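The record shown in the commit message is praudit(1)-style text, and the thing a defender wants out of it is the signal in the "argument" token: a core written because of SIGSEGV, SIGBUS, SIGILL or SIGFPE points at a fault (possibly the overflowed stack the log message mentions), while a SIGABRT core is usually an assert(). The parser below is an added example, not part of the commit or of FreeBSD's audit tooling. It consumes the record from the commit message plus a second, constructed record for a failed dump; the "return,failure : <strerror>,-1" wording of that constructed record is an assumption about how praudit prints a failed return, and the signal numbers are FreeBSD's (SIGBUS is 10 there, not 7 as on Linux).

```python
"""Parse praudit(1)-style text records and pick out process core-dump events.

Added example; not code from the FreeBSD commit.  Assumes one record per
header..trailer pair, comma-separated fields, as praudit prints them.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional

# First record: the one from the commit message.  Second record: constructed
# here to show a failed dump triggered by SIGABRT; its "failure : ..." return
# wording is an assumption about praudit output, not copied from real logs.
SAMPLE = """\
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
header,109,10,process dumped core,0,Thu Oct 25 19:40:02 2007, + 12 msec
argument,0,0x6,signal
path,/var/empty/daemon.core
subject,daemon,daemon,daemon,daemon,daemon,1,1,50460,0.0.0.0
return,failure : Permission denied,-1
trailer,109
"""

# FreeBSD signal numbers (sys/signal.h); SIGBUS differs from Linux.
FREEBSD_SIGNALS = {4: "SIGILL", 6: "SIGABRT", 8: "SIGFPE", 10: "SIGBUS", 11: "SIGSEGV"}
# Signals that mean the process faulted rather than deliberately aborted.
FAULT_SIGNALS = {4, 8, 10, 11}


@dataclass
class CoreDumpEvent:
    when: str
    signo: int
    path: Optional[str]
    auid: str      # audit user id: who logged in, survives su/setuid
    uid: str       # effective uid at the time of the dump
    pid: int
    success: bool
    errstr: str    # strerror text on failure, "" on success


def parse_records(text: str) -> Iterator[dict]:
    """Yield one dict of tokens per header..trailer record."""
    rec = None
    for line in text.splitlines():
        fields = line.split(",")
        tok = fields[0]
        if tok == "header":
            rec = {"header": fields, "args": [], "paths": []}
        elif rec is None:
            continue                       # stray line outside a record
        elif tok == "argument":
            rec["args"].append(fields)     # argument,<n>,<value>,<name>
        elif tok == "path":
            rec["paths"].append(fields[1])
        elif tok == "subject":
            rec["subject"] = fields        # subject,auid,uid,gid,ruid,rgid,pid,sid,tid,addr
        elif tok == "return":
            rec["return"] = fields         # return,success|failure : err,<value>
        elif tok == "trailer":
            yield rec
            rec = None


def coredump_events(text: str) -> List[CoreDumpEvent]:
    """Extract every 'process dumped core' record from an audit trail dump."""
    out = []
    for rec in parse_records(text):
        hdr = rec["header"]
        if hdr[3] != "process dumped core":
            continue
        signo = 0
        for arg in rec["args"]:
            if arg[3] == "signal":
                signo = int(arg[2], 16)    # praudit prints argument values in hex
        subj = rec["subject"]
        ret = rec["return"]
        ok = ret[1] == "success"
        err = "" if ok else ret[1].partition(":")[2].strip()
        out.append(CoreDumpEvent(
            when=hdr[5].strip(), signo=signo,
            path=rec["paths"][0] if rec["paths"] else None,
            auid=subj[1], uid=subj[2], pid=int(subj[6]),
            success=ok, errstr=err))
    return out


def suspicious(ev: CoreDumpEvent) -> bool:
    """Fault-signal cores deserve a look; SIGABRT cores are usually assert()s."""
    return ev.signo in FAULT_SIGNALS


def describe(ev: CoreDumpEvent) -> str:
    sig = FREEBSD_SIGNALS.get(ev.signo, str(ev.signo))
    status = "written to %s" % ev.path if ev.success else "failed: %s" % ev.errstr
    flag = " [FAULT]" if suspicious(ev) else ""
    return "%s pid %d auid=%s uid=%s %s core %s%s" % (
        ev.when, ev.pid, ev.auid, ev.uid, sig, status, flag)


if __name__ == "__main__":
    for ev in coredump_events(SAMPLE):
        print(describe(ev))
```

Note that the "path" token is present even when the return token reports failure, which matches the log message's point that both successful and failed dump attempts are audited; a dump that fails with a permission error still tells you which process crashed and with what signal.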



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200710260123.l9Q1N7rv019068>