Description

The kernel DTrace audit provider (dtaudit) relies on auditd(8) to load
/etc/security/audit_event to provide a list of audit event-number <->
name mappings. However, this occurs too late for anonymous tracing.
With this change, adding 'audit_event_load="YES"' to /boot/loader.conf
will cause the boot loader to preload the file, and then the kernel
audit code will parse it to register an initial set of audit event-number
<-> name mappings. Those mappings can later be updated by auditd(8) if
the configuration file changes.

Reviewed by: gnn, asomers, markj, allanjude
Discussed with: jhb
Approved by: re (kib)
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16589
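The event-number to name table the commit message describes, shown as an added example that is not the kernel's code or part of this commit: a small C parser for lines in the audit_event(5) layout (number:name:description:class). The function names, the sample lines and the 16-bit bound on event numbers are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct evmap { unsigned num; char name[64]; };
/* Constructed sample in audit_event(5) layout: number:name:description:class */
static const char sample[] =
    "# constructed sample, not the shipped file\n"
    "0:AUE_NULL:indir system call:no\n"
    "1:AUE_EXIT:exit(2):pc\n"
    "\nbogus line without fields\n"
    "70000:AUE_TOO_BIG:does not fit a 16-bit event number:no\n"
    "2:AUE_FORK:fork(2):pc\n";

/* Store up to max mappings from buf in out; skip comments and bad lines. */
static size_t parse_audit_event(const char *buf, struct evmap *out, size_t max)
{
    size_t n = 0;
    while (*buf != '\0' && n < max) {
        const char *line = buf;
        size_t len = strcspn(buf, "\n");
        buf += len + (buf[len] == '\n');       /* advance to the next line */
        if (line[0] < '0' || line[0] > '9')    /* '#', blank or junk line */
            continue;
        char *end;
        unsigned long num = strtoul(line, &end, 10);
        if (*end != ':' || num > 0xffff)       /* assumed 16-bit event number */
            continue;
        const char *name = end + 1;
        size_t nlen = strcspn(name, ":\n");
        if (nlen == 0 || nlen >= sizeof(out[n].name) || name[nlen] != ':')
            continue;
        snprintf(out[n].name, sizeof(out[n].name), "%.*s", (int)nlen, name);
        out[n++].num = (unsigned)num;
    }
    return n;
}

static const char *evname_lookup(const struct evmap *m, size_t n, unsigned num)
{
    for (size_t i = 0; i < n; i++)
        if (m[i].num == num) return m[i].name;
    return NULL;
}

int main(void)
{
    struct evmap t[8];
    size_t n = parse_audit_event(sample, t, 8);
    printf("%zu mappings, event 2 = %s\n", n, evname_lookup(t, n, 2));
    return 0;
}
```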

Details

Committed: rwatson, Sep 3 2018, 2:26 PM
Reviewer: gnn
Differential Revision: D16589: Allow anonymous DTrace audit-provider tracing by preloading audit event file.
Parents: rS338442: MFC r338406:
Branches: Unknown
Tags: Unknown