Rework the logic around quick checks for auditing that take place at


Rework the logic around quick checks for auditing that take place at
system-call entry and whenever audit arguments or return values are

  1. Expose a single global, audit_syscalls_enabled, which controls whether the audit framework is entered, rather than exposing components of the policy -- e.g., if the trail is enabled, suspended, etc.
  1. Introduce a new function audit_syscalls_enabled_update(), which is called to update audit_syscalls_enabled whenever an aspect of the policy changes, so that the value can be updated.
  1. Remove a check of trail enablement/suspension from audit_new() -- at the point where this function has been entered, we believe that system-call auditing is already in force, or we wouldn't get here, so simply proceed to more expensive policy checks.
  1. Use an audit-provided global, audit_dtrace_enabled, rather than a dtaudit-provided global, to provide policy indicating whether dtaudit would like system calls to be audited.
  1. Do some minor cosmetic renaming to clarify what various variables are for.

These changes collectively arrange it so that traditional audit
(trail, pipes) or the DTrace audit provider can enable system-call
probes without the other configured. Otherwise, dtaudit cannot
capture system-call data without auditd(8) started.

Reviewed by: gnn
Sponsored by: DARPA, AFRL
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D17348


rwatsonOct 2 2018, 3:58 PM
Differential Revision
D17348: Allow DTrace audit provider probes to fire even if auditd(8) isn't running.
rS339084: MFC r334360, r334362, r334388, r334395