xref: /freebsd/share/man/man4/dtrace_audit.4 (revision 6137b5f7b8c183ee8806d79b3f1d8e5e3ddb3df3)
1.\"-
2.\" SPDX-License-Identifier: BSD-2-Clause
3.\"
4.\" Copyright (c) 2019 Robert N. M. Watson
5.\"
6.\" This software was developed by BAE Systems, the University of Cambridge
7.\" Computer Laboratory, and Memorial University under DARPA/AFRL contract
8.\" FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing
9.\" (TC) research program.
10.\"
11.\" Redistribution and use in source and binary forms, with or without
12.\" modification, are permitted provided that the following conditions
13.\" are met:
14.\" 1. Redistributions of source code must retain the above copyright
15.\"    notice, this list of conditions and the following disclaimer.
16.\" 2. Redistributions in binary form must reproduce the above copyright
17.\"    notice, this list of conditions and the following disclaimer in the
18.\"    documentation and/or other materials provided with the distribution.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.Dd April 28, 2019
33.Dt DTRACE_AUDIT 4
34.Os
35.Sh NAME
36.Nm dtrace_audit
37.Nd A DTrace provider for tracing
38.Xr audit 4
39events
40.Sh SYNOPSIS
41.Fn audit:event:aue_*:commit "char *eventname" "struct audit_record *ar"
42.Fn audit:event:aue_*:bsm "char *eventname" "struct audit_record *ar" "const void *" "size_t"
43.Pp
44To compile this module into the kernel, place the following in your kernel
45configuration file:
46.Bd -literal -offset indent
47.Cd "options DTAUDIT"
48.Ed
49.Pp
50Alternatively, to load the module at boot time, place the following line in
51.Xr loader.conf 5 :
52.Bd -literal -offset indent
53dtaudit_load="YES"
54.Ed
55.Sh DESCRIPTION
56The DTrace
57.Nm dtaudit
58provider allows users to trace events in the kernel security auditing
59subsystem,
60.Xr audit 4 .
61.Xr audit 4
62provides detailed logging of a configurable set of security-relevant system
63calls, including key arguments (such as file paths) and return values that are
64copied race-free as the system call proceeds.
65The
66.Nm dtaudit
67provider allows DTrace scripts to selectively enable in-kernel audit-record
68capture for system calls, and then access those records in either the
69in-kernel format or BSM format (\c
70.Xr audit.log 5 )
71when the system call completes.
72While the in-kernel audit record data structure is subject to change as the
73kernel changes over time, it is a much more friendly interface for use in D
74scripts than either those available via the DTrace system-call provider or the
75BSM trail itself.
76.Ss Configuration
77The
78.Nm dtaudit
79provider relies on
80.Xr audit 4
81being compiled into the kernel.
82.Nm dtaudit
83probes become available only once there is an event-to-name mapping installed
84in the kernel, normally done by
85.Xr auditd 8
86during the boot process, if audit is enabled in
87.Xr rc.conf 5 :
88.Bd -literal -offset indent
89auditd_enable="YES"
90.Ed
91.Pp
92If
93.Nm dtaudit
94probes are required earlier in boot -- for example, in single-user mode -- or
95without enabling
96.Xr audit 4 ,
97they can be preloaded in the boot loader by adding this line to
98.Xr loader.conf 5 .
99.Bd -literal -offset indent
100audit_event_load="YES"
101.Ed
102.Ss Probes
103The
104.Fn audit:event:aue_*:commit
105probes fire synchronously during system-call return, giving access to two
106arguments: a
107.Vt char *
108audit event name, and
109the
110.Vt struct audit_record *
111in-kernel audit record.
112Because the probe fires in system-call return, the user thread has not yet
113regained control, and additional information from the thread and process
114remains available for capture by the script.
115.Pp
116The
117.Fn audit:event:aue_*:bsm
118probes fire asynchronously from system-call return, following BSM conversion
119and just prior to being written to disk, giving access to four arguments: a
120.Vt char *
121audit event name, the
122.Vt struct audit_record *
123in-kernel audit record, a
124.Vt const void *
125pointer to the converted BSM record, and a
126.Vt size_t
127for the length of the BSM record.
128.Sh IMPLEMENTATION NOTES
129When a set of
130.Nm dtaudit
131probes are registered, corresponding in-kernel audit records will be captured
132and their probes will fire regardless of whether the
133.Xr audit 4
134subsystem itself would have captured the record for the purposes of writing it
135to the audit trail, or for delivery to a
136.Xr auditpipe 4 .
137In-kernel audit records allocated only because of enabled
138.Xr dtaudit 4
139probes will not be unnecessarily written to the audit trail or enabled pipes.
140.Sh SEE ALSO
141.Xr dtrace 1 ,
142.Xr audit 4 ,
143.Xr audit.log 5 ,
144.Xr loader.conf 5 ,
145.Xr rc.conf 5 ,
146.Xr auditd 8
147.Sh HISTORY
148The
149.Nm dtaudit
150provider first appeared in
151.Fx 12.0 .
152.Sh AUTHORS
153This software and this manual page were developed by BAE Systems, the
154University of Cambridge Computer Laboratory, and Memorial University under
155DARPA/AFRL contract
156.Pq FA8650-15-C-7558
157.Pq Do CADETS Dc ,
158as part of the DARPA Transparent Computing (TC) research program.
159The
160.Nm dtaudit
161provider and this manual page were written by
162.An Robert Watson Aq Mt rwatson@FreeBSD.org .
163.Sh BUGS
164Because
165.Xr audit 4
166maintains its primary event-to-name mapping database in userspace, that
167database must be loaded into the kernel before
168.Nm dtaudit
169probes become available.
170.Pp
171.Nm dtaudit
172is only able to provide access to system-call audit events, not the full
173scope of userspace events, such as those relating to login, password change,
174and so on.
175