TrustedBSD status from Oct-Dec 2003

Robert Watson rwatson at FreeBSD.org
Sun Mar 7 22:44:40 GMT 2004


On Tue, 2 Mar 2004, Ilmar S. Habibulin wrote:

> On Fri, 13 Feb 2004, Robert Watson wrote:
> 
> > A partial implementation of Audit appears in the open source Darwin 7
> > kernel tree.  You can peruse that at:
> >
> >   http://fxr.watson.org/fxr/source/?v=DARWIN7
> >
> > I've done a partial port of the partial implementation to the
> > trustedbsd_audit2 branch, which you can peruse using:
> >
> >   http://perforce.freebsd.org/dtb.cgi?FSPC=depot/projects/trustedbsd/audit2&HIDEDEL=NO
> 
> I've tried to use both sources and integrate audit2 into mac branch,
> using cut-n-paste technology. But not everything was ported from Darwin
> to FreeBSD. I mean syscall audit mechanism. There are functions, that
> should initialize syscall audit record and commit it to some queue or
> storage, but they are not called. If I'm wrong, can you point me where
> should I find calls of audit_syscall_enter() and audit_syscall_exit()? I
> suppose they must be called from trap.c syscall() function for i386
> architecture?

They should be in trap.c, but aren't currently since the work is
incomplete. 

> btw - imho, it is the best approach. just mark audited syscall, get any
> info you can get, and sort it out in userland. You needn't modify each
> syscall to make it init audit record, construct it and commit. Only
> syscall()-like functions for each supported architecture should be
> modified.

Agreed.  The approach of having the basic audit record preselection,
allocation, and commit in the system call entry and exit code (similar to
ktrace and others) makes a lot of sense to me.  Especially since we can
hang the audit data for the system call off the active thread structure
and access it as thread-local data.  However, you do need some
modifications to system calls, namei(), etc, to gather the additional
necessary argument data.  But this is much less disruptive than having three
or four changes in each system call just to allocate and handle records.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research
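A userland model of the design discussed in this thread (preselection, record
allocation and commit done once in syscall()'s entry and exit path, the record
hung off the thread, and a single namei() hook to capture the path argument).
This is an added illustration, not code from the trustedbsd_audit2 branch or
the Darwin 7 tree; the struct layouts, syscall numbers, class bits, errno
values and the fixed-size commit queue are all constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AU_MAXPATH   64
#define AU_QUEUE_MAX 16
#define AU_CLASS_FILE (1u << 0)   /* audit classes for preselection (constructed) */
#define AU_CLASS_PROC (1u << 1)

/* Model syscall numbers (constructed; not FreeBSD's syscall table). */
enum { SYS_open_m = 5, SYS_getpid_m = 20, SYS_fork_m = 2 };

/* One audit record per in-flight syscall; the kernel owns exactly one per thread. */
struct au_record {
    int      syscall;
    unsigned au_class;
    char     path[AU_MAXPATH];  /* filled in by the namei() hook, not by syscall() */
    int      error, retval;
    int      valid;             /* 1 between enter and exit when preselected */
};

/* Model thread: the record hangs off the thread, so any hook reached during
 * the syscall finds it as thread-local data without extra arguments. */
struct thread {
    unsigned         td_audit_mask;  /* preselection mask for this thread */
    struct au_record td_ar;
};

/* Model of the commit queue a userland daemon would drain and sort out. */
static struct au_record au_queue[AU_QUEUE_MAX];
static size_t au_queue_len;

static unsigned au_class_of(int sc)
{
    switch (sc) {
    case SYS_open_m: return AU_CLASS_FILE;
    case SYS_fork_m: return AU_CLASS_PROC;
    default:         return 0;      /* getpid and unknown calls: never audited */
    }
}

/* Called once from syscall() before dispatch.  Preselection happens here: a
 * call whose class is not in the thread's mask gets no record at all. */
static int audit_syscall_enter(struct thread *td, int sc)
{
    unsigned cls = au_class_of(sc);
    memset(&td->td_ar, 0, sizeof td->td_ar);
    if ((cls & td->td_audit_mask) == 0)
        return 0;
    td->td_ar.syscall = sc; td->td_ar.au_class = cls; td->td_ar.valid = 1;
    return 1;
}

/* The one hook a path-taking syscall needs: namei() attaches the name to the
 * thread's active record, if there is one. */
static void audit_namei(struct thread *td, const char *path)
{
    if (!td->td_ar.valid) return;
    strncpy(td->td_ar.path, path, AU_MAXPATH - 1);
    td->td_ar.path[AU_MAXPATH - 1] = '\0';
}

/* Called once from syscall() after dispatch: record the outcome and commit.
 * Returns 1 if committed, 0 if no record was active, -1 if the queue was full
 * and the record was dropped (a real kernel must count or block on that). */
static int audit_syscall_exit(struct thread *td, int error, int retval)
{
    if (!td->td_ar.valid) return 0;
    td->td_ar.error = error; td->td_ar.retval = retval; td->td_ar.valid = 0;
    if (au_queue_len == AU_QUEUE_MAX) return -1;
    au_queue[au_queue_len++] = td->td_ar;
    return 1;
}

/* Only open() needs a change, and only to reach the namei() hook. */
static int sys_open_m(struct thread *td, const char *path)
{
    audit_namei(td, path);
    return strcmp(path, "/etc/passwd") == 0 ? 3 : -1;   /* fd 3, or "ENOENT" */
}

/* Model of trap.c syscall(): the only place enter/exit are called. */
static int syscall_dispatch(struct thread *td, int sc, const char *arg)
{
    int error = 0, retval = 0;
    audit_syscall_enter(td, sc);
    switch (sc) {
    case SYS_open_m:
        retval = sys_open_m(td, arg);
        if (retval < 0) { error = 2; retval = -1; }     /* 2 = ENOENT */
        break;
    case SYS_getpid_m: retval = 4242; break;
    case SYS_fork_m:   retval = 4243; break;
    default:           error = 78;    break;            /* 78 = ENOSYS */
    }
    audit_syscall_exit(td, error, retval);
    return error ? -1 : retval;
}

static size_t audit_queue_len(void) { return au_queue_len; }
static const struct au_record *audit_queue_get(size_t i)
{ return i < au_queue_len ? &au_queue[i] : NULL; }
static void audit_queue_reset(void) { au_queue_len = 0; }

int main(void)
{
    struct thread td; size_t i;
    memset(&td, 0, sizeof td);
    td.td_audit_mask = AU_CLASS_FILE;   /* audit file-class calls only */
    syscall_dispatch(&td, SYS_getpid_m, NULL);
    syscall_dispatch(&td, SYS_fork_m, NULL);
    syscall_dispatch(&td, SYS_open_m, "/etc/passwd");
    syscall_dispatch(&td, SYS_open_m, "/no/such/file");
    for (i = 0; i < audit_queue_len(); i++)
        printf("syscall=%d path=%s error=%d retval=%d\n", au_queue[i].syscall,
               au_queue[i].path, au_queue[i].error, au_queue[i].retval);
    return 0;
}
```

The point of the layout is the one Robert makes: getpid() and fork() are not
touched at all, open() gains one call into the namei() hook, and every
allocate/commit decision lives in syscall_dispatch(). The full-queue return from
audit_syscall_exit() is the failure mode to watch in a real port, since silently
dropping records defeats the purpose of the subsystem.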

