Diffstat (limited to 'static/freebsd/man4/dtrace_audit.4 3.html')
| -rw-r--r-- | static/freebsd/man4/dtrace_audit.4 3.html | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/static/freebsd/man4/dtrace_audit.4 3.html b/static/freebsd/man4/dtrace_audit.4 3.html new file mode 100644 index 00000000..60d8245f --- /dev/null +++ b/static/freebsd/man4/dtrace_audit.4 3.html 
@@ -0,0 +1,139 @@ +<table class="head"> + <tr> + <td class="head-ltitle">DTRACE_AUDIT(4)</td> + <td class="head-vol">Device Drivers Manual</td> + <td class="head-rtitle">DTRACE_AUDIT(4)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">dtrace_audit</code> — <span class="Nd">A + DTrace provider for tracing <a class="Xr">audit(4)</a> events</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> +<p class="Pp"><code class="Fn">audit:event:aue_*:commit</code>(<var class="Fa" style="white-space: nowrap;">char + *eventname</var>, <var class="Fa" style="white-space: nowrap;">struct + audit_record *ar</var>);</p> +<p class="Pp"><code class="Fn">audit:event:aue_*:bsm</code>(<var class="Fa" style="white-space: nowrap;">char + *eventname</var>, <var class="Fa" style="white-space: nowrap;">struct + audit_record *ar</var>, <var class="Fa" style="white-space: nowrap;">const + void *</var>, + <var class="Fa" style="white-space: nowrap;">size_t</var>);</p> +<p class="Pp">To compile this module into the kernel, place the following in + your kernel configuration file:</p> +<div class="Bd Pp Bd-indent Li"> +<pre><code class="Cd">options DTAUDIT</code></pre> +</div> +<p class="Pp">Alternatively, to load the module at boot time, place the + following line in <a class="Xr">loader.conf(5)</a>:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>dtaudit_load="YES"</pre> +</div> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The DTrace <code class="Nm">dtaudit</code> provider allows users + to trace events in the kernel security auditing subsystem, + <a class="Xr">audit(4)</a>. 
<a class="Xr">audit(4)</a> provides detailed + logging of a configurable set of security-relevant system calls, including + key arguments (such as file paths) and return values that are copied + race-free as the system call proceeds. The <code class="Nm">dtaudit</code> + provider allows DTrace scripts to selectively enable in-kernel audit-record + capture for system calls, and then access those records in either the + in-kernel format or BSM format (<a class="Xr">audit.log(5)</a>) when the + system call completes. While the in-kernel audit record data structure is + subject to change as the kernel changes over time, it is a much more + friendly interface for use in D scripts than either those available via the + DTrace system-call provider or the BSM trail itself.</p> +<section class="Ss"> +<h2 class="Ss" id="Configuration"><a class="permalink" href="#Configuration">Configuration</a></h2> +<p class="Pp">The <code class="Nm">dtaudit</code> provider relies on + <a class="Xr">audit(4)</a> being compiled into the kernel. 
+ <code class="Nm">dtaudit</code> probes become available only once there is + an event-to-name mapping installed in the kernel, normally done by + <a class="Xr">auditd(8)</a> during the boot process, if audit is enabled in + <a class="Xr">rc.conf(5)</a>:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>auditd_enable="YES"</pre> +</div> +<p class="Pp">If <code class="Nm">dtaudit</code> probes are required earlier in + boot -- for example, in single-user mode -- or without enabling + <a class="Xr">audit(4)</a>, they can be preloaded in the boot loader by + adding this line to <a class="Xr">loader.conf(5)</a>.</p> +<div class="Bd Pp Bd-indent Li"> +<pre>audit_event_load="YES"</pre> +</div> +</section> +<section class="Ss"> +<h2 class="Ss" id="Probes"><a class="permalink" href="#Probes">Probes</a></h2> +<p class="Pp">The + <a class="permalink" href="#audit:event:aue_*:commit"><code class="Fn" id="audit:event:aue_*:commit">audit:event:aue_*:commit</code></a>() + probes fire synchronously during system-call return, giving access to two + arguments: a <var class="Vt">char *</var> audit event name, and the + <var class="Vt">struct audit_record *</var> in-kernel audit record. 
Because + the probe fires in system-call return, the user thread has not yet regained + control, and additional information from the thread and process remains + available for capture by the script.</p> +<p class="Pp" id="audit:event:aue_*:bsm">The + <a class="permalink" href="#audit:event:aue_*:bsm"><code class="Fn">audit:event:aue_*:bsm</code></a>() + probes fire asynchronously from system-call return, following BSM conversion + and just prior to being written to disk, giving access to four arguments: a + <var class="Vt">char *</var> audit event name, the <var class="Vt">struct + audit_record *</var> in-kernel audit record, a <var class="Vt">const void + *</var> pointer to the converted BSM record, and a + <var class="Vt">size_t</var> for the length of the BSM record.</p> +</section> +</section> +<section class="Sh"> +<h1 class="Sh" id="IMPLEMENTATION_NOTES"><a class="permalink" href="#IMPLEMENTATION_NOTES">IMPLEMENTATION + NOTES</a></h1> +<p class="Pp">When a set of <code class="Nm">dtaudit</code> probes are + registered, corresponding in-kernel audit records will be captured and their + probes will fire regardless of whether the <a class="Xr">audit(4)</a> + subsystem itself would have captured the record for the purposes of writing + it to the audit trail, or for delivery to a <a class="Xr">auditpipe(4)</a>. 
+ In-kernel audit records allocated only because of enabled + <a class="Xr">dtaudit(4)</a> probes will not be unnecessarily written to the + audit trail or enabled pipes.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">dtrace(1)</a>, <a class="Xr">audit(4)</a>, + <a class="Xr">audit.log(5)</a>, <a class="Xr">loader.conf(5)</a>, + <a class="Xr">rc.conf(5)</a>, <a class="Xr">auditd(8)</a></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> +<p class="Pp">The <code class="Nm">dtaudit</code> provider first appeared in + <span class="Ux">FreeBSD 12.0</span>.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1> +<p class="Pp">This software and this manual page were developed by BAE Systems, + the University of Cambridge Computer Laboratory, and Memorial University + under DARPA/AFRL contract (FA8650-15-C-7558) (“CADETS”), as + part of the DARPA Transparent Computing (TC) research program. 
The + <code class="Nm">dtaudit</code> provider and this manual page were written + by <span class="An">Robert Watson</span> + <<a class="Mt" href="mailto:rwatson@FreeBSD.org">rwatson@FreeBSD.org</a>>.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1> +<p class="Pp">Because <a class="Xr">audit(4)</a> maintains its primary + event-to-name mapping database in userspace, that database must be loaded + into the kernel before <code class="Nm">dtaudit</code> probes become + available.</p> +<p class="Pp"><code class="Nm">dtaudit</code> is only able to provide access to + system-call audit events, not the full scope of userspace events, such as + those relating to login, password change, and so on.</p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">April 28, 2019</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
