The kernel DTrace audit provider (dtaudit) relies on auditd(8) to
load /etc/security/audit_event to provide a list of audit event-number <->
name mappings. However, this occurs too late for anonymous tracing. With
this change, adding 'audit_event_load="YES"' to /boot/loader.conf will cause
the boot loader to preload the file, and then the kernel audit code will
parse it to register an initial set of audit event-number<->name mappings.
Those mappings can later be updated by auditd(8) if the configuration file
changes.
Details
Used in the CADETS tracing environment at Cambridge. Graeme Jenkinson (Cambridge) and Domagoj Stolfa (Cambridge) have also reviewed this patch.
Diff Detail
- Repository: rS FreeBSD src repository - subversion
- Lint: Lint Passed
- Unit: No Test Coverage
- Build Status: Buildable 18578 Build 18273: arc lint + arc unit
Event Timeline
This is a DTrace feature that allows a D script to be compiled and installed following reboot. The script attaches and runs from the point of DTrace initialisation (presumably loaded by the boot loader?), and a later userspace dtrace(1) session can attach to it and dump trace state. The DTrace audit provider allows DTrace scripts to attach to (and inspect) audit events as they fire, using per-event probes. The probe list requires that audit_event have been parsed and passed into the kernel, which of course doesn't happen until quite a lot later in the boot. With this change, the DTrace audit provider has access to that event list from the point of audit-subsystem initialisation, so all the probes are created then. This means that anonymous DTrace scripts can attach to and use them prior to the start of any user process.
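The parse step the summary and the comment above describe, as an added example rather than the FreeBSD kernel's or auditd(8)'s own code: it walks a preloaded file image in the audit_event(5) `number:name:description:classes` format and builds an event-number to name table, skipping comment, blank and malformed lines instead of aborting on them. The table layout, the size limits and the sample file contents are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 40
struct audit_event_map { unsigned int number; char name[MAX_NAME]; };

/* Parse one "number:name:description:classes" line into *ev.
 * Returns 1 on success, 0 for comments, blank lines and malformed lines. */
static int parse_event_line(const char *line, size_t len, struct audit_event_map *ev)
{
    char buf[256], *num, *name, *end;
    unsigned long n;
    if (len >= sizeof(buf)) return 0;                   /* overlong: skip, never truncate */
    memcpy(buf, line, len);
    buf[len] = '\0';
    num = buf + strspn(buf, " \t");
    if (*num == '\0' || *num == '#') return 0;          /* blank line or comment */
    if ((name = strchr(num, ':')) == NULL) return 0;    /* need number and name */
    *name++ = '\0';
    if ((end = strchr(name, ':')) != NULL) *end = '\0'; /* description/classes unused */
    n = strtoul(num, &end, 10);
    if (end == num || *end != '\0' || n > 0xffffffffUL) return 0; /* bad number */
    if (*name == '\0' || strlen(name) >= MAX_NAME) return 0;
    ev->number = (unsigned int)n;
    strcpy(ev->name, name);
    return 1;
}

/* Walk a preloaded file image line by line; returns mappings stored (at most cap). */
static size_t parse_audit_events(const char *text, struct audit_event_map *tab, size_t cap)
{
    size_t count = 0;
    while (*text != '\0' && count < cap) {
        const char *nl = strchr(text, '\n');
        size_t len = nl != NULL ? (size_t)(nl - text) : strlen(text);
        if (parse_event_line(text, len, &tab[count])) count++;
        text += len + (nl != NULL);                     /* step past the newline */
    }
    return count;
}

/* Constructed sample (not the real /etc/security/audit_event): 3 valid, 3 skipped lines. */
static const char SAMPLE_AUDIT_EVENT[] =
    "# constructed sample in audit_event(5) format\n"
    "0:AUE_NULL:indir system call:no\n"
    "1:AUE_EXIT:exit(2):pc\n"
    "bogus:AUE_BAD:non-numeric event number:no\n"
    "\n"
    "2:AUE_FORK:fork(2):pc\n";
```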
I don't see anything wrong with this review. However, since you're modifying the boot loader you should check with @imp.
Address comments from markj.
Shift position of defaults/loader.conf settings, adjust style around array
dereference.