Diffstat (limited to 'static/freebsd/man4/dtrace_audit.4 3.html')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | static/freebsd/man4/dtrace_audit.4 3.html | 139 |
1 files changed, 0 insertions, 139 deletions
diff --git a/static/freebsd/man4/dtrace_audit.4 3.html b/static/freebsd/man4/dtrace_audit.4 3.html deleted file mode 100644 index 60d8245f..00000000 --- a/static/freebsd/man4/dtrace_audit.4 3.html +++ /dev/null 
@@ -1,139 +0,0 @@ -<table class="head"> - <tr> - <td class="head-ltitle">DTRACE_AUDIT(4)</td> - <td class="head-vol">Device Drivers Manual</td> - <td class="head-rtitle">DTRACE_AUDIT(4)</td> - </tr> -</table> -<div class="manual-text"> -<section class="Sh"> -<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> -<p class="Pp"><code class="Nm">dtrace_audit</code> — <span class="Nd">A - DTrace provider for tracing <a class="Xr">audit(4)</a> events</span></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> -<p class="Pp"><code class="Fn">audit:event:aue_*:commit</code>(<var class="Fa" style="white-space: nowrap;">char - *eventname</var>, <var class="Fa" style="white-space: nowrap;">struct - audit_record *ar</var>);</p> -<p class="Pp"><code class="Fn">audit:event:aue_*:bsm</code>(<var class="Fa" style="white-space: nowrap;">char - *eventname</var>, <var class="Fa" style="white-space: nowrap;">struct - audit_record *ar</var>, <var class="Fa" style="white-space: nowrap;">const - void *</var>, - <var class="Fa" style="white-space: nowrap;">size_t</var>);</p> -<p class="Pp">To compile this module into the kernel, place the following in - your kernel configuration file:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Cd">options DTAUDIT</code></pre> -</div> -<p class="Pp">Alternatively, to load the module at boot time, place the - following line in <a class="Xr">loader.conf(5)</a>:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>dtaudit_load="YES"</pre> -</div> -</section> -<section class="Sh"> -<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> -<p class="Pp">The DTrace <code class="Nm">dtaudit</code> provider allows users - to trace events in the kernel security auditing subsystem, - <a class="Xr">audit(4)</a>. 
<a class="Xr">audit(4)</a> provides detailed - logging of a configurable set of security-relevant system calls, including - key arguments (such as file paths) and return values that are copied - race-free as the system call proceeds. The <code class="Nm">dtaudit</code> - provider allows DTrace scripts to selectively enable in-kernel audit-record - capture for system calls, and then access those records in either the - in-kernel format or BSM format (<a class="Xr">audit.log(5)</a>) when the - system call completes. While the in-kernel audit record data structure is - subject to change as the kernel changes over time, it is a much more - friendly interface for use in D scripts than either those available via the - DTrace system-call provider or the BSM trail itself.</p> -<section class="Ss"> -<h2 class="Ss" id="Configuration"><a class="permalink" href="#Configuration">Configuration</a></h2> -<p class="Pp">The <code class="Nm">dtaudit</code> provider relies on - <a class="Xr">audit(4)</a> being compiled into the kernel. 
- <code class="Nm">dtaudit</code> probes become available only once there is - an event-to-name mapping installed in the kernel, normally done by - <a class="Xr">auditd(8)</a> during the boot process, if audit is enabled in - <a class="Xr">rc.conf(5)</a>:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>auditd_enable="YES"</pre> -</div> -<p class="Pp">If <code class="Nm">dtaudit</code> probes are required earlier in - boot -- for example, in single-user mode -- or without enabling - <a class="Xr">audit(4)</a>, they can be preloaded in the boot loader by - adding this line to <a class="Xr">loader.conf(5)</a>.</p> -<div class="Bd Pp Bd-indent Li"> -<pre>audit_event_load="YES"</pre> -</div> -</section> -<section class="Ss"> -<h2 class="Ss" id="Probes"><a class="permalink" href="#Probes">Probes</a></h2> -<p class="Pp">The - <a class="permalink" href="#audit:event:aue_*:commit"><code class="Fn" id="audit:event:aue_*:commit">audit:event:aue_*:commit</code></a>() - probes fire synchronously during system-call return, giving access to two - arguments: a <var class="Vt">char *</var> audit event name, and the - <var class="Vt">struct audit_record *</var> in-kernel audit record. 
Because - the probe fires in system-call return, the user thread has not yet regained - control, and additional information from the thread and process remains - available for capture by the script.</p> -<p class="Pp" id="audit:event:aue_*:bsm">The - <a class="permalink" href="#audit:event:aue_*:bsm"><code class="Fn">audit:event:aue_*:bsm</code></a>() - probes fire asynchronously from system-call return, following BSM conversion - and just prior to being written to disk, giving access to four arguments: a - <var class="Vt">char *</var> audit event name, the <var class="Vt">struct - audit_record *</var> in-kernel audit record, a <var class="Vt">const void - *</var> pointer to the converted BSM record, and a - <var class="Vt">size_t</var> for the length of the BSM record.</p> -</section> -</section> -<section class="Sh"> -<h1 class="Sh" id="IMPLEMENTATION_NOTES"><a class="permalink" href="#IMPLEMENTATION_NOTES">IMPLEMENTATION - NOTES</a></h1> -<p class="Pp">When a set of <code class="Nm">dtaudit</code> probes are - registered, corresponding in-kernel audit records will be captured and their - probes will fire regardless of whether the <a class="Xr">audit(4)</a> - subsystem itself would have captured the record for the purposes of writing - it to the audit trail, or for delivery to a <a class="Xr">auditpipe(4)</a>. 
- In-kernel audit records allocated only because of enabled - <a class="Xr">dtaudit(4)</a> probes will not be unnecessarily written to the - audit trail or enabled pipes.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE - ALSO</a></h1> -<p class="Pp"><a class="Xr">dtrace(1)</a>, <a class="Xr">audit(4)</a>, - <a class="Xr">audit.log(5)</a>, <a class="Xr">loader.conf(5)</a>, - <a class="Xr">rc.conf(5)</a>, <a class="Xr">auditd(8)</a></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> -<p class="Pp">The <code class="Nm">dtaudit</code> provider first appeared in - <span class="Ux">FreeBSD 12.0</span>.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1> -<p class="Pp">This software and this manual page were developed by BAE Systems, - the University of Cambridge Computer Laboratory, and Memorial University - under DARPA/AFRL contract (FA8650-15-C-7558) (“CADETS”), as - part of the DARPA Transparent Computing (TC) research program. 
The - <code class="Nm">dtaudit</code> provider and this manual page were written - by <span class="An">Robert Watson</span> - <<a class="Mt" href="mailto:rwatson@FreeBSD.org">rwatson@FreeBSD.org</a>>.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1> -<p class="Pp">Because <a class="Xr">audit(4)</a> maintains its primary - event-to-name mapping database in userspace, that database must be loaded - into the kernel before <code class="Nm">dtaudit</code> probes become - available.</p> -<p class="Pp"><code class="Nm">dtaudit</code> is only able to provide access to - system-call audit events, not the full scope of userspace events, such as - those relating to login, password change, and so on.</p> -</section> -</div> -<table class="foot"> - <tr> - <td class="foot-date">April 28, 2019</td> - <td class="foot-os">FreeBSD 15.0</td> - </tr> -</table> |
