Kernel auditing
Craig Dooley
craig at xlnx-x.net
Tue May 18 08:14:50 PDT 2004
If anybody is interested, here is the code I've been working on. It
implements kernel auditing for a couple events, but the framework is
there. Theres still a couple things I might want to change including
- Move all buffer management into one thread. Writing an event would be
sending the event to this thread, and the output would send read events
to this thread. This will let it run lockless (and also without per-cpu
buffers, which aren't bad, but to get that working i think there would
need to be a device for each cpu to remove the token)
- Move the output over to CAPS instead of a character device.
- Audit many more event types, and add support for user programs to send
audit events, much like Solaris BSM (su, login, other priveleged
programs)
- Implement a facility like /dev/auditctl that would allow at a
per-event level specifying what to log and what not to.
- User tools. I want the ability to broadcast over a network, have
secure logging outside a jail, and I think XML output (plain text would be
nice, but I dont want to write the tools to do queries like "find
processed forked from pid X with userid = 0 that used exec").
For now it's been running for about a week with no problems. It can get
pretty large log files, but they will compress with gzip about 5x. To
use, apply the patch. mknod c 7 1 /dev/audit. cat /dev/audit >
auditlog. I want to finish up the event types defined in Posix 1003.1e
before I start doing re-architecturing, but if anybody wants to send me
any suggestions or bugs, please do since this is my first major
piece of kernel code. Thanks
-Craig
--
------------------------------------------------------------------------
Craig Dooley craig at xxxxxxxxxx
------------------------------------------------------------------------
Index: conf/files
===================================================================
RCS file: /home/dcvs/src/sys/conf/files,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- conf/files 15 May 2004 17:54:12 -0000 1.61
+++ conf/files 18 May 2004 12:02:35 -0000 1.62
@@ -615,6 +615,7 @@
kern/link_elf.c standard
kern/kern_acct.c standard
kern/kern_acl.c standard
+kern/kern_audit.c optional p1003_1e_audit
kern/kern_clock.c standard
kern/kern_conf.c standard
kern/kern_debug.c standard
Index: conf/options
===================================================================
RCS file: /home/dcvs/src/sys/conf/options,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- conf/options 15 May 2004 17:54:12 -0000 1.20
+++ conf/options 18 May 2004 12:02:35 -0000 1.21
@@ -133,6 +133,7 @@
# POSIX kernel options
P1003_1B opt_posix.h
+P1003_1E_AUDIT opt_audit.h
_KPOSIX_PRIORITY_SCHEDULING opt_posix.h
_KPOSIX_VERSION opt_posix.h
Index: i386/conf/LINT
===================================================================
RCS file: /home/dcvs/src/sys/i386/conf/LINT,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- i386/conf/LINT 15 May 2004 17:54:13 -0000 1.29
+++ i386/conf/LINT 18 May 2004 12:02:40 -0000 1.30
@@ -827,6 +827,13 @@
options _KPOSIX_PRIORITY_SCHEDULING
options _KPOSIX_VERSION=199309L
+#####################################################################
+# POSIX P1003.1E
+
+# Auditing support for the POSIX 1003.1e draft standard
+# P1003_1E_AUDIT: Build in auditing support for the kernel
+
+options P1003_1E_AUDIT
�
#####################################################################
# CLOCK OPTIONS
Index: kern/kern_audit.c
===================================================================
RCS file: kern/kern_audit.c
diff -N kern/kern_audit.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ kern/kern_audit.c 18 May 2004 14:44:42 -0000
@@ -0,0 +1,351 @@
+/*-
+ * Copyright (c) 2004 Craig Dooley <craig at xxxxxxxxxx> All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $DragonFly$
+ */
+#include "opt_audit.h"
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/conf.h>
+
+#include <sys/audit.h>
+#include <sys/globaldata.h>
+#include <sys/kernel.h>
+#include <sys/malloc.h>
+#include <sys/mpipe.h>
+#include <sys/sysctl.h>
+#include <sys/proc.h>
+#include <sys/uio.h>
+#include <sys/vnode.h>
+
+static int audit_dev_open = 0;
+
+static int audit_enable = 1;
+TUNABLE_INT("kern.audit_enable", &audit_enable);
+SYSCTL_INT(_kern, OID_AUTO, audit_enable, CTLFLAG_RW, &audit_enable,
+ 0, "Enable or disable kernel auditing");
+
+static int audit_percent = 50;
+TUNABLE_INT("kern.audit_flush_percent", &audit_enable);
+SYSCTL_INT(_kern, OID_AUTO, audit_flush_percent, CTLFLAG_RW, &audit_percent,
+ 0, "Percent audit buffer full to flush to disk");
+
+static int audit_buffer_used = 0;
+SYSCTL_INT(_kern, OID_AUTO, audit_buffer_used, CTLFLAG_RD, &audit_buffer_used,
+ 0, "Number of bytes of kernel audit buffer used");
+
+static size_t audit_buffer_size = 1024;
+TUNABLE_INT("kern.audit_buffer_size", &audit_buffer_size);
+SYSCTL_INT(_kern, OID_AUTO, audit_buffer_size, CTLFLAG_RD, &audit_buffer_size,
+ 0, "Size in KBytes of per-CPU kernel auditing buffer");
+
+MALLOC_DEFINE(M_AUDIT, "Audit", "Space for the auditing framework");
+
+static d_open_t auditopen;
+static d_close_t auditclose;
+static d_read_t auditread;
+
+#define CDEV_MAJOR 7 /* Share this with /dev/klog */
+static struct cdevsw audit_cdevsw = {
+ /* name */ "audit",
+ /* maj */ CDEV_MAJOR,
+ /* flags */ 0,
+ /* port */ NULL,
+ /* autoq */ 0,
+
+ /* open */ auditopen,
+ /* close */ auditclose,
+ /* read */ auditread,
+ /* write */ nowrite,
+ /* ioctl */ noioctl,
+ /* poll */ nopoll,
+ /* mmap */ nommap,
+ /* strategy */ nostrategy,
+ /* dump */ nodump,
+ /* psize */ nopsize
+};
+
+static struct audit_buffer audit_buffers[MAXCPU];
+
+static void audit_alloc_buffers(void);
+
+static int
+audit_writetobuf(void *data, int len)
+{
+ globaldata_t gd = mycpu;
+ struct audit_buffer *buf;
+ struct lwkt_tokref tokref;
+
+ buf = &audit_buffers[gd->gd_cpuid];
+
+ if(len > buf->size - buf->len)
+ return ENOMEM;
+
+ lwkt_gettoken(&tokref, &buf->token);
+ if(buf->end + len > buf->buf + buf->size) {
+ /* Wrap */
+ int towrap;
+
+ towrap = (buf->buf + buf->size) - buf->end;
+ memcpy(buf->end, data, towrap);
+ memcpy(buf->buf, data, len - towrap);
+ buf->end = buf->buf + (len - towrap);
+ buf->len += len;
+ } else {
+ memcpy(buf->end, data, len);
+ buf->end += len;
+ buf->len += len;
+ }
+ lwkt_reltoken(&tokref);
+ if(buf->len >= ((audit_buffer_size * 1024 * audit_percent) / 100))
+ wakeup(&audit_buffers);
+
+ audit_buffer_used += len;
+ return 0;
+}
+
+static int
+audit_event(int type, int flags, int size, void *event)
+{
+ struct audit_hdr hdr;
+ globaldata_t gd = mycpu;
+ struct proc *p = curthread->td_proc;
+ if(audit_enable == 0)
+ return 0;
+
+ /*
+ * I don't think this should ever happen unless we start doing
+ * IRQ entry/exit or something not really process auditing
+ * related.
+ */
+ KKASSERT(p != NULL);
+
+ microuptime(&hdr.tv);
+
+ hdr.type = type;
+ hdr.flags = flags;
+ hdr.cpuid = gd->gd_cpuid;
+ hdr.len = size;
+ hdr.pid = p->p_pid;
+
+ audit_writetobuf(&hdr, sizeof(hdr));
+ audit_writetobuf(event, size);
+ return 0;
+}
+
+void
+audit_pipe(int fd1, int fd2)
+{
+ struct aud_pipe_s pipe;
+
+ pipe.readfd = fd1;
+ pipe.writefd = fd2;
+ audit_event(AUDIT_PIPE, 0, sizeof(pipe), &pipe);
+}
+
+void
+audit_access(char *file, int mode)
+{
+ char *buf = malloc(MAXPATHLEN + 8, M_AUDIT, M_WAITOK);
+ int slen;
+
+ memcpy(buf, &mode, sizeof(mode));
+ copyinstr(file, buf + 8, MAXPATHLEN, &slen);
+ memcpy(buf + 4, &slen, sizeof(slen));
+ audit_event(AUDIT_ACCESS, 0, slen + 8, buf);
+ free(buf, M_AUDIT);
+}
+
+void
+audit_open(char *file, int flags, int mode)
+{
+ char *buf = malloc(MAXPATHLEN + 12, M_AUDIT, M_WAITOK);
+ int slen;
+
+ memcpy(buf, &flags, sizeof(flags));
+ memcpy(buf + 4, &mode, sizeof(mode));
+ copyinstr(file, buf + 12, MAXPATHLEN, &slen);
+ memcpy(buf + 8, &slen, sizeof(slen));
+ audit_event(AUDIT_OPEN, 0, slen + 12, buf);
+ free(buf, M_AUDIT);
+}
+
+void
+audit_int(int event, int *data)
+{
+ audit_event(event, 0, sizeof(int), data);
+}
+
+void
+audit_exec(struct image_args *args)
+{
+ audit_event(AUDIT_EXEC, 0, args->endp - args->begin_argv, args->begin_argv);
+}
+
+void
+audit_read(struct read_args *uap)
+{
+ struct aud_read_s read;
+
+ read.fd = uap->fd;
+ read.buf = uap->buf;
+ read.nbytes = uap->nbyte;
+
+ audit_event(AUDIT_READ, 0, sizeof(read), &read);
+}
+
+void
+audit_write(struct write_args *uap)
+{
+ struct aud_read_s read;
+
+ read.fd = uap->fd;
+ read.buf = uap->buf;
+ read.nbytes = uap->nbyte;
+
+ audit_event(AUDIT_WRITE, 0, sizeof(read), &read);
+}
+
+void
+audit_ioctl(struct ioctl_args *uap)
+{
+ struct aud_ioctl_s ioctl;
+
+ ioctl.fd = uap->fd;
+ ioctl.com = uap->com;
+ ioctl.data = uap->data;
+
+ audit_event(AUDIT_IOCTL, 0, sizeof(ioctl), &ioctl);
+}
+
+void
+audit_stat(char *file)
+{
+ char *buf = malloc(MAXPATHLEN + 4, M_AUDIT, M_WAITOK);
+ int slen;
+
+ copyinstr(file, buf + 4, MAXPATHLEN, &slen);
+ memcpy(buf, &slen, sizeof(slen));
+
+ audit_event(AUDIT_STAT, 0, slen + 4, buf);
+ free(buf, M_AUDIT);
+}
+
+static void
+audit_alloc_buffers(void)
+{
+ int i;
+ struct audit_buffer *buf;
+ for(i = 0; i < MAXCPU; i++) {
+ buf = &audit_buffers[i];
+ lwkt_token_init(&buf->token);
+ buf->buf = malloc(audit_buffer_size * 1024, M_AUDIT, M_WAITOK | M_ZERO);
+ buf->size = audit_buffer_size * 1024;
+ buf->start = buf->buf;
+ buf->end = buf->buf;
+ buf->len = 0;
+ }
+ return;
+}
+
+static int
+auditopen(dev_t dev, int flags, int mode, struct thread *td)
+{
+ if(audit_dev_open)
+ return (EBUSY);
+ audit_dev_open = 1;
+
+ return (0);
+}
+
+static int
+auditclose(dev_t dev, int flag, int mode, struct thread *td)
+{
+ audit_dev_open = 0;
+ return (0);
+}
+
+static int
+auditread(dev_t dev, struct uio *uio, int flag)
+{
+ struct lwkt_tokref tokref;
+ struct audit_buffer *buf;
+ int i, l;
+ int error = 0;
+
+ do {
+ for (i = 0; i < MAXCPU; i++) {
+ buf = &audit_buffers[i];
+ if (buf->len > ((audit_buffer_size * 1024 * audit_percent) / 100))
+ break;
+ }
+ if(i == MAXCPU) {
+ if(flag & IO_NDELAY)
+ return EWOULDBLOCK;
+ error = tsleep(&audit_buffers, PCATCH, "audit", 0);
+ if(error)
+ return error;
+ }
+ } while (i == MAXCPU);
+
+ lwkt_gettoken(&tokref, &buf->token);
+ while(uio->uio_resid > 0) {
+ l = min(uio->uio_resid, buf->len);
+ if(l == 0)
+ break;
+ if((buf->buf + buf->size) < buf->start + l) {
+ /* Wrap */
+ l = (buf->buf + buf->size) - buf->start;
+ error = uiomove(buf->start, l, uio);
+ if(error)
+ break;
+ buf->len -= l;
+ buf->start = buf->buf;
+ } else {
+ /* No wrap */
+ error = uiomove(buf->start, l, uio);
+ if(error)
+ break;
+ buf->start += l;
+ buf->len -= l;
+ }
+ audit_buffer_used -= l;
+ }
+ lwkt_reltoken(&tokref);
+
+ return(error);
+}
+
+static void auditinit(void *dummy);
+
+SYSINIT(audit, SI_SUB_AUDIT, SI_ORDER_FIRST, auditinit, NULL);
+
+static void
+auditinit(void *dummy) {
+ audit_alloc_buffers();
+ make_dev(&audit_cdevsw, 1, UID_ROOT, GID_WHEEL, 0600, "audit");
+ printf("Initialized kernel auditing\n");
+ return;
+}
Index: kern/kern_descrip.c
===================================================================
RCS file: /home/dcvs/src/sys/kern/kern_descrip.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- kern/kern_descrip.c 13 May 2004 23:49:23 -0000 1.23
+++ kern/kern_descrip.c 18 May 2004 12:02:52 -0000 1.24
@@ -60,12 +60,15 @@
#include <sys/resourcevar.h>
#include <sys/event.h>
#include <sys/kern_syscall.h>
+#include <sys/audit.h>
#include <vm/vm.h>
#include <vm/vm_extern.h>
#include <sys/file2.h>
+#include "opt_audit.h"
+
static MALLOC_DEFINE(M_FILEDESC, "file desc", "Open file descriptor table");
static MALLOC_DEFINE(M_FILEDESC_TO_LEADER, "file desc to leader",
"file desc to leader structures");
@@ -629,6 +632,10 @@
KKASSERT(p);
fdp = p->p_fd;
+#ifdef P1003_1E_AUDIT
+ audit_int(AUDIT_CLOSE, &fd);
+#endif
+
if ((unsigned)fd >= fdp->fd_nfiles ||
(fp = fdp->fd_ofiles[fd]) == NULL)
return (EBADF);
Index: kern/kern_exec.c
===================================================================
RCS file: /home/dcvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- kern/kern_exec.c 13 May 2004 17:40:15 -0000 1.27
+++ kern/kern_exec.c 18 May 2004 12:02:52 -0000 1.28
@@ -52,6 +52,7 @@
#include <sys/vnode.h>
#include <sys/vmmeter.h>
#include <sys/aio.h>
+#include <sys/audit.h>
#include <vm/vm.h>
#include <vm/vm_param.h>
@@ -125,6 +126,10 @@
struct vattr attr;
int (*img_first) (struct image_params *);
+#ifdef P1003_1E_AUDIT
+ audit_exec(args);
+#endif
+
if (debug_execve_args) {
printf("%s()\n", __func__);
print_execve_args(args);
Index: kern/kern_fork.c
===================================================================
RCS file: /home/dcvs/src/sys/kern/kern_fork.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- kern/kern_fork.c 24 Apr 2004 04:32:03 -0000 1.24
+++ kern/kern_fork.c 18 May 2004 12:02:52 -0000 1.25
@@ -57,6 +57,7 @@
#include <sys/unistd.h>
#include <sys/jail.h>
#include <sys/caps.h>
+#include <sys/audit.h>
#include <vm/vm.h>
#include <sys/lock.h>
@@ -97,6 +98,9 @@
start_forked_proc(p, p2);
uap->sysmsg_fds[0] = p2->p_pid;
uap->sysmsg_fds[1] = 0;
+#ifdef P1003_1E_AUDIT
+ audit_int(AUDIT_FORK, &p2->p_pid);
+#endif
}
return error;
}
Index: kern/sys_generic.c
===================================================================
RCS file: /home/dcvs/src/sys/kern/sys_generic.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- kern/sys_generic.c 7 Jan 2004 11:04:18 -0000 1.16
+++ kern/sys_generic.c 18 May 2004 12:02:52 -0000 1.17
@@ -37,10 +37,11 @@
*
* @(#)sys_generic.c 8.5 (Berkeley) 1/21/94
* $FreeBSD: src/sys/kern/sys_generic.c,v 1.55.2.10 2001/03/17 10:39:32 peter Exp $
* $DragonFly: src/sys/kern/sys_generic.c,v 1.16 2004/01/07 11:04:18 dillon Exp $
*/
#include "opt_ktrace.h"
+#include "opt_audit.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -117,6 +118,10 @@
error = kern_readv(uap->fd, &auio, 0, &uap->sysmsg_result);
+#ifdef P1003_1E_AUDIT
+ audit_read(uap);
+#endif
+
return(error);
}
@@ -256,6 +261,10 @@
error = kern_writev(uap->fd, &auio, 0, &uap->sysmsg_result);
+#ifdef P1003_1E_AUDIT
+ audit_write(uap);
+#endif
+
return(error);
}
@@ -401,6 +410,10 @@
long align;
} ubuf;
+#ifdef P1003_1E_AUDIT
+ audit_ioctl(uap);
+#endif
+
KKASSERT(p);
fdp = p->p_fd;
if ((u_int)uap->fd >= fdp->fd_nfiles ||
Index: kern/sys_pipe.c
===================================================================
RCS file: /home/dcvs/src/sys/kern/sys_pipe.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- kern/sys_pipe.c 13 May 2004 23:49:23 -0000 1.22
+++ kern/sys_pipe.c 18 May 2004 12:02:52 -0000 1.23
@@ -88,6 +88,7 @@
#include <machine/cpufunc.h>
+#include "opt_audit.h"
/*
* interfaces to the outside world
*/
@@ -284,6 +285,10 @@
wpipe->pipe_peer = rpipe;
fdrop(rf, td);
+#ifdef P1003_1E_AUDIT
+ audit_pipe(fd1, fd2);
+#endif
+
return (0);
}
Index: kern/vfs_syscalls.c
===================================================================
RCS file: /home/dcvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- kern/vfs_syscalls.c 24 Apr 2004 04:32:03 -0000 1.33
+++ kern/vfs_syscalls.c 18 May 2004 12:02:52 -0000 1.34
@@ -60,6 +60,7 @@
#include <sys/dirent.h>
#include <sys/extattr.h>
#include <sys/kern_syscall.h>
+#include <sys/audit.h>
#include <machine/limits.h>
#include <vfs/union/union.h>
@@ -71,6 +72,8 @@
#include <sys/file2.h>
+#include "opt_audit.h"
+
static int checkvp_chdir (struct vnode *vn, struct thread *td);
static void checkdirs (struct vnode *olddp);
static int chroot_refuse_vdir_fds (struct filedesc *fdp);
@@ -965,6 +968,10 @@
int type, indx, error;
struct flock lf;
+#ifdef P1003_1E_AUDIT
+ audit_open(nd->ni_dirp, oflags, mode);
+#endif
+
if ((oflags & O_ACCMODE) == O_ACCMODE)
return (EINVAL);
flags = FFLAGS(oflags);
@@ -1592,6 +1599,10 @@
struct nameidata nd;
int error;
+#ifdef P1003_1E_AUDIT
+ audit_access(uap->path, uap->flags);
+#endif
+
NDINIT(&nd, NAMEI_LOOKUP, CNP_FOLLOW | CNP_LOCKLEAF | CNP_NOOBJ,
UIO_USERSPACE, uap->path, td);
@@ -1606,6 +1617,10 @@
struct thread *td = curthread;
int error;
+#ifdef P1003_1E_AUDIT
+ audit_stat(nd->ni_dirp);
+#endif
+
error = namei(nd);
if (error)
return (error);
Index: sys/audit.h
===================================================================
RCS file: sys/audit.h
diff -N sys/audit.h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ sys/audit.h 18 May 2004 12:03:07 -0000 1.1
@@ -0,0 +1,100 @@
+/*-
+ * Copyright (c) 2004 Craig Dooley <craig at xxxxxxxxxx> All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $DragonFly$
+ */
+
+#ifndef _SYS_AUDIT_
+#define _SYS_AUDIT_
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/thread.h>
+#include <sys/imgact.h>
+#include <sys/sysproto.h>
+
+enum {
+ AUDIT_OPEN,
+ AUDIT_CLOSE,
+ AUDIT_FORK,
+ AUDIT_EXEC,
+ AUDIT_READ,
+ AUDIT_WRITE,
+ AUDIT_IOCTL,
+ AUDIT_ACCESS,
+ AUDIT_STAT,
+ AUDIT_PIPE,
+ AUDIT_GETUID,
+ AUDIT_SETUID,
+ AUDIT_GETGID,
+ AUDIT_SETGID,
+ AUDIT_SOCKET
+};
+
+struct audit_hdr {
+ u_int16_t type;
+ u_int8_t flags;
+ u_int8_t cpuid;
+ pid_t pid;
+ struct timeval tv;
+ u_int32_t len;
+};
+
+struct aud_pipe_s {
+ int readfd;
+ int writefd;
+};
+
+struct aud_read_s {
+ int fd;
+ void *buf;
+ int nbytes;
+};
+
+struct aud_ioctl_s {
+ int fd;
+ int com;
+ void *data;
+};
+
+struct audit_buffer {
+ lwkt_token token;
+ char *buf;
+ int size;
+ int len;
+ char *start;
+ char *end;
+};
+
+void audit_pipe(int fd1, int fd2);
+void audit_access(char *file, int mode);
+void audit_open(char *file, int flags, int mode);
+void audit_int(int event, int *data);
+void audit_exec(struct image_args *args);
+void audit_read(struct read_args *uap);
+void audit_write(struct write_args *uap);
+void audit_ioctl(struct ioctl_args *uap);
+void audit_stat(char *file);
+
+#endif /* _SYS_AUDIT_ */
Index: sys/kernel.h
===================================================================
RCS file: /home/dcvs/src/sys/sys/kernel.h,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- sys/kernel.h 30 Mar 2004 17:18:58 -0000 1.11
+++ sys/kernel.h 18 May 2004 12:03:07 -0000 1.12
@@ -150,6 +150,7 @@
SI_SUB_MOUNT_ROOT = 0xb400000, /* root mount*/
SI_SUB_SWAP = 0xc000000, /* swap*/
SI_SUB_INTRINSIC_POST = 0xd000000, /* proc 0 cleanup*/
+ SI_SUB_AUDIT = 0xd800000, /* kernel auditing */
SI_SUB_KTHREAD_INIT = 0xe000000, /* init process*/
SI_SUB_KTHREAD_PAGE = 0xe400000, /* pageout daemon*/
SI_SUB_KTHREAD_VM = 0xe800000, /* vm daemon*/
Attachment:
pgp00004.pgp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp00004.pgp
Type: application/octet-stream
Size: 187 bytes
Desc: "Description: PGP signature"
URL: <http://lists.dragonflybsd.org/pipermail/submit/attachments/20040518/78df3c75/attachment-0012.obj>
More information about the Submit
mailing list