cadets / freebsd-old

FreeBSD src tree http://www.FreeBSD.org/

symlinks in audit dtrace provider don't always provide relevant file uuid #63

Closed amstrnad closed 7 years ago

amstrnad commented 7 years ago

This is not consistent behavior, but frequently when tracing the symlink syscall, the file uuid being linked to is not included.

For example:

{"event": "audit:event:aue_symlink:", "time": 1486489490933072797, "pid": 1150, "ppid": 1149, "tid": 100090, "uid": 0, "exec": "ln", "subjprocuuid": "1fa69d64-ed5d-11e6-bde0-44a8421f8dc6", "subjthruuid": "5fae6a11-ed5a-11e6-bde0-44a8421f8dc6", "upath1": "/usr/home/arun/tc/dtrace-scripts/test", "retval": 0\0}
rwatson commented 7 years ago

It looks like we're missing a call to audit the returned UUID in kern_symlink(9). I am testing a fix and will commit soon (if all goes well). It looks like similar auditing was missing for the system calls mkdir(2) and mknod(2), so I will add it there as well .. but perhaps we are not testing those adequately as we didn't pick up those gaps either?
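A consumer-side coverage check for the gap described in this thread, added here as an example and not code from the CADETS project: it reads the provider's JSON event records and flags successful symlink, mkdir and mknod events that carry no object UUID, so a missing kernel-side audit call shows up as a telemetry gap instead of silently dropping the file identity. The first sample record is the one pasted above (with its trailing NUL terminator); the other records, and the field name `fileuuid` used as a stand-in for whatever name the provider gives the object UUID, are constructed for the example.

```python
import json

# Subject-side UUID fields identify the acting process and thread, not the
# filesystem object; every other *uuid key is treated as an object UUID.
SUBJECT_UUID_FIELDS = {"subjprocuuid", "subjthruuid"}

# The three object-creating calls named in the issue as missing UUID auditing.
OBJECT_CREATING_EVENTS = {
    "audit:event:aue_symlink:",
    "audit:event:aue_mkdir:",
    "audit:event:aue_mknod:",
}


def parse_event(line):
    """Decode one JSON record, stripping stray NUL bytes such as the
    terminator seen at the end of the record quoted in the issue."""
    cleaned = line.replace("\x00", "").strip()
    if not cleaned:
        return None
    return json.loads(cleaned)


def object_uuid_fields(event):
    """Names of UUID-looking fields that refer to the object rather than the subject."""
    return sorted(k for k in event if k.endswith("uuid") and k not in SUBJECT_UUID_FIELDS)


def missing_object_uuid(event):
    """True when a successful object-creating event reports no object UUID."""
    if event.get("event") not in OBJECT_CREATING_EVENTS:
        return False
    if event.get("retval", -1) != 0:
        return False  # the call failed, so no object exists to identify
    return not object_uuid_fields(event)


def find_gaps(lines):
    """Return (line_number, event_name) for each record that lacks an object UUID."""
    gaps = []
    for number, line in enumerate(lines, start=1):
        event = parse_event(line)
        if event is not None and missing_object_uuid(event):
            gaps.append((number, event["event"]))
    return gaps


# Constructed sample: record 1 is the symlink event from the issue (NUL before
# the closing brace); records 2-4 are made up, and "fileuuid" is a placeholder
# field name, not necessarily the provider's real one.
SAMPLE_RECORDS = [
    '{"event": "audit:event:aue_symlink:", "time": 1486489490933072797, "pid": 1150, '
    '"ppid": 1149, "tid": 100090, "uid": 0, "exec": "ln", '
    '"subjprocuuid": "1fa69d64-ed5d-11e6-bde0-44a8421f8dc6", '
    '"subjthruuid": "5fae6a11-ed5a-11e6-bde0-44a8421f8dc6", '
    '"upath1": "/usr/home/arun/tc/dtrace-scripts/test", "retval": 0\x00}',
    '{"event": "audit:event:aue_mkdir:", "pid": 1151, "exec": "mkdir", '
    '"subjprocuuid": "00000000-0000-0000-0000-000000000001", '
    '"upath1": "/tmp/newdir", "fileuuid": "00000000-0000-0000-0000-0000000000aa", "retval": 0}',
    '{"event": "audit:event:aue_mknod:", "pid": 1152, "exec": "mknod", '
    '"subjprocuuid": "00000000-0000-0000-0000-000000000002", '
    '"upath1": "/tmp/dev0", "retval": -1}',
    '{"event": "audit:event:aue_execve:", "pid": 1153, "exec": "sh", '
    '"subjprocuuid": "00000000-0000-0000-0000-000000000003", "retval": 0}',
]

if __name__ == "__main__":
    for number, name in find_gaps(SAMPLE_RECORDS):
        print(f"record {number}: {name} succeeded but carries no object UUID")
```

Run over a captured event stream, the check distinguishes the three cases a reviewer cares about: a failed call legitimately has no object to report, an unrelated event type is out of scope, and a successful create without an object UUID is the gap that the kernel fix discussed above is meant to close.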

amstrnad commented 7 years ago

symlink looks better.

I'm not sure what exactly is happening, but when I try to test mkdir, I'm kicked out of my ssh session. I didn't find any useful errors in the logs, but I may not have been looking in the right place.

amstrnad commented 7 years ago

Looks good now.