Manual Pages  — DTRACE_AUDIT

dtrace_audit – A DTrace provider for tracing audit(4) events

audit:event:aue_*:commit(char *eventname, struct audit_record *ar);

audit:event:aue_*:bsm(char *eventname, struct audit_record *ar, const void *, size_t);

To compile this module into the kernel, place the following in your kernel configuration file:

options DTAUDIT

Alternatively, to load the module at boot time, place the following line in loader.conf(5):

dtaudit_load="YES"

The DTrace dtaudit provider allows users to trace events in the kernel security auditing subsystem, audit(4). audit(4) provides detailed logging of a configurable set of security-relevant system calls, including key arguments (such as file paths) and return values that are copied race-free as the system call proceeds. The dtaudit provider allows DTrace scripts to selectively enable in-kernel audit-record capture for system calls, and then access those records in either the in-kernel format or BSM format ( audit.log(5)) when the system call completes. While the in-kernel audit record data structure is subject to change as the kernel changes over time, it is a much more friendly interface for use in D scripts than either those available via the DTrace system-call provider or the BSM trail itself.

The dtaudit provider relies on audit(4) being compiled into the kernel. dtaudit probes become available only once there is an event-to-name mapping installed in the kernel, normally done by auditd(8) during the boot process, if audit is enabled in rc.conf(5):

auditd_enable="YES"

If dtaudit probes are required earlier in boot -- for example, in single-user mode -- or without enabling audit(4), they can be preloaded in the boot loader by adding this line to loader.conf(5).

audit_event_load="YES"

When a set of dtaudit probes are registered, corresponding in-kernel audit records will be captured and their probes will fire regardless of whether the audit(4) subsystem itself would have captured the record for the purposes of writing it to the audit trail, or for delivery to a auditpipe(4). In-kernel audit records allocated only because of enabled dtaudit(4) probes will not be unnecessarily written to the audit trail or enabled pipes.

dtrace(1), audit(4), audit.log(5), loader.conf(5), rc.conf(5), auditd(8)

Because audit(4) maintains its primary event-to-name mapping database in userspace, that database must be loaded into the kernel before dtaudit probes become available.

dtaudit is only able to provide access to system-call audit events, not the full scope of userspace events, such as those relating to login, password change, and so on.