audit:event:aue_*:commit(char *eventname, struct audit_record *ar);
audit:event:aue_*:bsm(char *eventname, struct audit_record *ar, const void *, size_t);
To compile this module into the kernel, place the following in your kernel configuration file:
options DTAUDIT
Alternatively, to load the module at boot time, place the following line in loader.conf(5):
dtaudit_load="YES"
auditd_enable="YES"
If dtaudit probes are required earlier in boot -- for example, in single-user mode -- or without enabling audit(4), they can be preloaded in the boot loader by adding this line to loader.conf(5):
audit_event_load="YES"
The audit:event:aue_*:bsm() probes fire asynchronously from system-call return, following BSM conversion and just prior to being written to disk, giving access to four arguments: a char * audit event name, the struct audit_record * in-kernel audit record, a const void * pointer to the converted BSM record, and a size_t for the length of the BSM record.
dtaudit is only able to provide access to system-call audit events, not the full scope of userspace events, such as those relating to login, password change, and so on.
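An added example, not part of the original manual page: a D script that uses the two probe signatures above to report, every 10 seconds, which processes generate which audit events and how large the resulting BSM records are. It assumes the commit probe runs in the system-call return context of the audited thread (so execname is meaningful there), and that the profile provider's tick probe is available; the aggregation names and the 10-second interval are arbitrary choices.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the dtaudit manual page).
 * Summarises system-call audit events by name, process and BSM size.
 */
#pragma D option quiet

/*
 * commit: args[0] is the char * event name, args[1] the in-kernel
 * struct audit_record *.  Assumption: this probe fires in the context
 * of the thread returning from the audited system call, so execname
 * identifies the audited process.
 */
audit:event:aue_*:commit
{
	@commits[stringof(args[0]), execname] = count();
}

/*
 * bsm: fires asynchronously from system-call return, so execname and
 * pid here do not describe the audited process; key on the event name
 * only.  args[2] points at the converted BSM record and args[3] is its
 * length in bytes.
 */
audit:event:aue_*:bsm
{
	@bytes[stringof(args[0])] = sum(args[3]);
	@sizes[stringof(args[0])] = quantize(args[3]);
}

profile:::tick-10s
{
	printf("\n%-28s %-16s %8s\n", "EVENT", "EXECNAME", "COMMITS");
	printa("%-28s %-16s %@8d\n", @commits);

	printf("\n%-28s %10s\n", "EVENT", "BSM BYTES");
	printa("%-28s %@10d\n", @bytes);

	printf("\nBSM record size distribution per event:\n");
	printa(@sizes);

	/* Start each interval from empty aggregations. */
	trunc(@commits);
	trunc(@bytes);
	trunc(@sizes);
}
```

Replacing the aue_* wildcard with a specific event name limits the probes that are enabled and keeps the output to the system calls under investigation.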
DTRACE_AUDIT (4) | April 28, 2019 |