Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
DTRACE_AUDIT(4)		 BSD Kernel Interfaces Manual	       DTRACE_AUDIT(4)

NAME
     dtrace_audit -- A DTrace provider for tracing audit(4) events

SYNOPSIS
     audit:event:aue_*:commit(char *eventname, struct audit_record *ar);

     audit:event:aue_*:bsm(char	*eventname, struct audit_record	*ar,
	 const void *, size_t);

     To	compile	this module into the kernel, place the following in your ker-
     nel configuration file:

	   options DTAUDIT

     Alternatively, to load the	module at boot time, place the following line
     in	loader.conf(5):

	   dtaudit_load="YES"

DESCRIPTION
     The DTrace	dtaudit	provider allows	users to trace events in the kernel
     security auditing subsystem, audit(4).  audit(4) provides detailed	log-
     ging of a configurable set	of security-relevant system calls, including
     key arguments (such as file paths)	and return values that are copied
     race-free as the system call proceeds.  The dtaudit provider allows
     DTrace scripts to selectively enable in-kernel audit-record capture for
     system calls, and then access those records in either the in-kernel for-
     mat or BSM	format (audit.log(5)) when the system call completes.  While
     the in-kernel audit record	data structure is subject to change as the
     kernel changes over time, it is a much more friendly interface for	use in
     D scripts than either those available via the DTrace system-call provider
     or	the BSM	trail itself.

   Configuration
     The dtaudit provider relies on audit(4) being compiled into the kernel.
     dtaudit probes become available only once there is	an event-to-name map-
     ping installed in the kernel, normally done by auditd(8) during the boot
     process, if audit is enabled in rc.conf(5):

	   auditd_enable="YES"

     If	dtaudit	probes are required earlier in boot -- for example, in single-
     user mode -- or without enabling audit(4),	they can be preloaded in the
     boot loader by adding this	line to	loader.conf(5).

	   audit_event_load="YES"

   Probes
     The audit:event:aue_*:commit() probes fire	synchronously during system-
     call return, giving access	to two arguments: a char * audit event name,
     and the struct audit_record * in-kernel audit record.  Because the	probe
     fires in system-call return, the user thread has not yet regained con-
     trol, and additional information from the thread and process remains
     available for capture by the script.

     The audit:event:aue_*:bsm() probes	fire asynchonously from	system-call
     return, following BSM conversion and just prior to	being written to disk,
     giving access to four arguments: a	char * audit event name, the struct
     audit_record * in-kernel audit record, a const void * pointer to the con-
     verted BSM	record,	and a size_t for the length of the BSM record.

IMPLEMENTATION NOTES
     When a set	of dtaudit probes are registered, corresponding	in-kernel au-
     dit records will be captured and their probes will	fire regardless	of
     whether the audit(4) subsystem itself would have captured the record for
     the purposes of writing it	to the audit trail, or for delivery to a
     auditpipe(4).  In-kernel audit records allocated only because of enabled
     dtaudit(4)	probes will not	be unnecessarily written to the	audit trail or
     enabled pipes.

SEE ALSO
     dtrace(1),	audit(4), audit.log(5),	loader.conf(5),	rc.conf(5), auditd(8)

HISTORY
     The dtaudit provider first	appeared in FreeBSD 12.0.

AUTHORS
     This software and this manual page	were developed by BAE Systems, the
     University	of Cambridge Computer Laboratory, and Memorial University un-
     der DARPA/AFRL contract (FA8650-15-C-7558)	("CADETS"), as part of the
     DARPA Transparent Computing (TC) research program.	 The dtaudit provider
     and this manual page were written by Robert Watson	<rwatson@FreeBSD.org>.

BUGS
     Because audit(4) maintains	its primary event-to-name mapping database in
     userspace,	that database must be loaded into the kernel before dtaudit
     probes become available.

     dtaudit is	only able to provide access to system-call audit events, not
     the full scope of userspace events, such as those relating	to login,
     password change, and so on.

BSD				April 28, 2019				   BSD

NAME | SYNOPSIS | DESCRIPTION | IMPLEMENTATION NOTES | SEE ALSO | HISTORY | AUTHORS | BUGS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=dtaudit&manpath=FreeBSD+12.1-RELEASE+and+Ports>

home | help