dtrace_audit — A DTrace provider for tracing audit(4) events

       This  software  and  this manual page were developed by BAE Systems, the University of Cambridge Computer
       Laboratory, and Memorial University under DARPA/AFRL contract (FA8650-15-C-7558) (“CADETS”), as  part  of
       the  DARPA  Transparent  Computing (TC) research program.  The dtaudit provider and this manual page were
       written by Robert Watson <rwatson@FreeBSD.org>.

       Because audit(4) maintains its primary event-to-name mapping database in userspace, that database must be
       loaded into the kernel before dtaudit probes become available.

       dtaudit is only able to provide access to system-call audit events,  not  the  full  scope  of  userspace
       events, such as those relating to login, password change, and so on.

Debian                                           April 28, 2019                                  DTRACE_AUDIT(4)

       The  DTrace  dtaudit  provider  allows  users  to trace events in the kernel security auditing subsystem,
       audit(4).  audit(4) provides detailed logging of a configurable set of  security-relevant  system  calls,
       including  key  arguments  (such as file paths) and return values that are copied race-free as the system
       call proceeds.  The dtaudit provider allows DTrace scripts to selectively enable  in-kernel  audit-record
       capture  for  system  calls,  and  then access those records in either the in-kernel format or BSM format
       (audit.log(5)) when the system call completes.  While  the  in-kernel  audit  record  data  structure  is
       subject  to  change  as  the  kernel changes over time, it is a much more friendly interface for use in D
       scripts than either those available via the DTrace system-call provider or the BSM trail itself.

   Configuration
       The dtaudit provider relies on audit(4) being compiled into the kernel.  dtaudit probes become  available
       only  once  there  is an event-to-name mapping installed in the kernel, normally done by auditd(8) during
       the boot process, if audit is enabled in rc.conf(5):

             auditd_enable="YES"

       If dtaudit probes are required earlier in boot -- for example, in single-user mode -- or without enabling
       audit(4), they can be preloaded in the boot loader by adding this line to loader.conf(5).

             audit_event_load="YES"

   Probes
       The audit:event:aue_*:commit() probes fire synchronously during system-call return, giving access to  two
       arguments:  a char* audit event name, and the structaudit_record* in-kernel audit record.  Because the
       probe fires in system-call return,  the  user  thread  has  not  yet  regained  control,  and  additional
       information from the thread and process remains available for capture by the script.

       The  audit:event:aue_*:bsm()  probes fire asynchonously from system-call return, following BSM conversion
       and just prior to being written to disk, giving access to four arguments: a char* audit event name,  the
       structaudit_record* in-kernel audit record, a constvoid* pointer to the converted BSM record, and a
       size_t for the length of the BSM record.

       The dtaudit provider first appeared in FreeBSD 12.0.

       When a set of dtaudit probes are registered, corresponding in-kernel audit records will be  captured  and
       their probes will fire regardless of whether the audit(4) subsystem itself would have captured the record
       for  the  purposes  of writing it to the audit trail, or for delivery to a auditpipe(4).  In-kernel audit
       records allocated only because of enabled dtaudit(4) probes will not  be  unnecessarily  written  to  the
       audit trail or enabled pipes.

       dtrace_audit — A DTrace provider for tracing audit(4) events

dtrace(1), audit(4), audit.log(5), loader.conf(5), rc.conf(5), auditd(8)

audit:event:aue_*:commit(char*eventname, structaudit_record*ar);

       audit:event:aue_*:bsm(char*eventname, structaudit_record*ar, constvoid*, size_t);

       To compile this module into the kernel, place the following in your kernel configuration file:

             optionsDTAUDIT

       Alternatively, to load the module at boot time, place the following line in loader.conf(5):

             dtaudit_load="YES"