xref: /freebsd/share/man/man4/dtrace_audit.4 (revision fab66680b3df4792fb0d3d13b2c9cdd88538d3d2)
1.\"-
2.\" SPDX-License-Identifier: BSD-2-Clause
3.\"
4.\" Copyright (c) 2019 Robert N. M. Watson
5.\"
6.\" This software was developed by BAE Systems, the University of Cambridge
7.\" Computer Laboratory, and Memorial University under DARPA/AFRL contract
8.\" FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing
9.\" (TC) research program.
10.\"
11.\" Redistribution and use in source and binary forms, with or without
12.\" modification, are permitted provided that the following conditions
13.\" are met:
14.\" 1. Redistributions of source code must retain the above copyright
15.\"    notice, this list of conditions and the following disclaimer.
16.\" 2. Redistributions in binary form must reproduce the above copyright
17.\"    notice, this list of conditions and the following disclaimer in the
18.\"    documentation and/or other materials provided with the distribution.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" $FreeBSD$
33.\"
34.Dd April 28, 2019
35.Dt DTRACE_AUDIT 4
36.Os
37.Sh NAME
38.Nm dtrace_audit
39.Nd A DTrace provider for tracing
40.Xr audit 4
41events
42.Sh SYNOPSIS
43.Pp
44.Fn audit:event:aue_*:commit "char *eventname" "struct audit_record *ar"
45.Fn audit:event:aue_*:bsm "char *eventname" "struct audit_record *ar" "const void *" "size_t"
46.Pp
47To compile this module into the kernel, place the following in your kernel
48configuration file:
49.Pp
50.Bd -literal -offset indent
51.Cd "options DTAUDIT"
52.Ed
53.Pp
54Alternatively, to load the module at boot time, place the following line in
55.Xr loader.conf 5 :
56.Bd -literal -offset indent
57dtaudit_load="YES"
58.Ed
59.Sh DESCRIPTION
60The DTrace
61.Nm dtaudit
62provider allows users to trace events in the kernel security auditing
63subsystem,
64.Xr audit 4 .
65.Xr audit 4
66provides detailed logging of a configurable set of security-relevant system
67calls, including key arguments (such as file paths) and return values that are
68copied race-free as the system call proceeds.
69The
70.Nm dtaudit
71provider allows DTrace scripts to selectively enable in-kernel audit-record
72capture for system calls, and then access those records in either the
73in-kernel format or BSM format (\c
74.Xr audit.log 5 )
75when the system call completes.
76While the in-kernel audit record data structure is subject to change as the
77kernel changes over time, it is a much more friendly interface for use in D
78scripts than either those available via the DTrace system-call provider or the
79BSM trail itself.
80.Ss Configuration
81The
82.Nm dtaudit
83provider relies on
84.Xr audit 4
85being compiled into the kernel.
86.Nm dtaudit
87probes become available only once there is an event-to-name mapping installed
88in the kernel, normally done by
89.Xr auditd 8
90during the boot process, if audit is enabled in
91.Xr rc.conf 5 :
92.Bd -literal -offset indent
93auditd_enable="YES"
94.Ed
95.Pp
96If
97.Nm dtaudit
98probes are required earlier in boot -- for example, in single-user mode -- or
99without enabling
100.Xr audit 4 ,
101they can be preloaded in the boot loader by adding this line to
102.Xr loader.conf 5 .
103.Bd -literal -offset indent
104audit_event_load="YES"
105.Ed
106.Ss Probes
107The
108.Fn audit:event:aue_*:commit
109probes fire synchronously during system-call return, giving access to two
110arguments: a
111.Vt char *
112audit event name, and
113the
114.Vt struct audit_record *
115in-kernel audit record.
116Because the probe fires in system-call return, the user thread has not yet
117regained control, and additional information from the thread and process
118remains available for capture by the script.
119.Pp
120The
121.Fn audit:event:aue_*:bsm
122probes fire asynchonously from system-call return, following BSM conversion
123and just prior to being written to disk, giving access to four arguments: a
124.Vt char *
125audit event name, the
126.Vt struct audit_record *
127in-kernel audit record, a
128.Vt const void *
129pointer to the converted BSM record, and a
130.Vt size_t
131for the length of the BSM record.
132.Sh IMPLEMENTATION NOTES
133When a set of
134.Nm dtaudit
135probes are registered, corresponding in-kernel audit records will be captured
136and their probes will fire regardless of whether the
137.Xr audit 4
138subsystem itself would have captured the record for the purposes of writing it
139to the audit trail, or for delivery to a
140.Xr auditpipe 4 .
141In-kernel audit records allocated only because of enabled
142.Xr dtaudit 4
143probes will not be unnecessarily written to the audit trail or enabled pipes.
144.Sh SEE ALSO
145.Xr dtrace 1 ,
146.Xr audit 4 ,
147.Xr audit.log 5 ,
148.Xr loader.conf 5 ,
149.Xr rc.conf 5 ,
150.Xr auditd 8
151.Sh HISTORY
152The
153.Nm dtaudit
154provider first appeared in
155.Fx 12.0 .
156.Sh AUTHORS
157This software and this manual page were developed by BAE Systems, the
158University of Cambridge Computer Laboratory, and Memorial University under
159DARPA/AFRL contract
160.Pq FA8650-15-C-7558
161.Pq Do CADETS Dc ,
162as part of the DARPA Transparent Computing (TC) research program.
163The
164.Nm dtaudit
165provider and this manual page were written by
166.An Robert Watson Aq Mt rwatson@FreeBSD.org .
167.Sh BUGS
168Because
169.Xr audit 4
170maintains its primary event-to-name mapping database in userspace, that
171database must be loaded into the kernel before
172.Nm dtaudit
173probes become available.
174.Pp
175.Nm dtaudit
176is only able to provide access to system-call audit events, not the full
177scope of userspace events, such as those relating to login, password change,
178and so on.
179