Add static configuration file for auditd socket

This file does not need to be dynamically configured. We can just
ensure that the auditd af_unix socket plugin is always enabled.

src/freenas/debian/preinst

@@ -2,6 +2,7 @@
 
 mkdir -p /var/trash
 for file in \
+    /etc/audit/plugins.d/af_unix.conf \
     /etc/nsswitch.conf \
     /usr/lib/netdata/conf.d/python.d.conf \
     /usr/lib/netdata/conf.d/charts.d.conf \

src/freenas/etc/audit/plugins.d/af_unix.conf

@@ -0,0 +1,12 @@
+# This file controls the configuration of the
+# af_unix socket plugin. It simply takes events
+# and writes them to a unix domain socket. This
+# plugin can take 2 arguments, the path for the
+# socket and the socket permissions in octal.
+
+active = yes
+direction = out
+path = builtin_af_unix
+type = builtin
+args = 0600 /var/run/audispd_events
+format = string

src/middlewared/middlewared/etc_files/syslog-ng/conf.d/tnaudit.conf.mako

@@ -78,7 +78,11 @@ ${textwrap.indent(get_db(svc), '  ')}
 
 % if not audit_custom_section(svc, 'log'):
 log {
+% if src == 'SYSTEM':
+  source(tn_auditd_src);
+% else
   source(s_src);
+% endif
   filter(f_tnaudit_${svc.lower()});
   parser(p_tnaudit);
   rewrite(r_rewrite_success);

src/middlewared/middlewared/etc_files/syslog-ng/syslog-ng.conf.mako

@@ -99,6 +99,10 @@ source tn_remote_src_files {
   file("/var/log/zettarepl.log");
 };
 
+source tn_auditd_src {
+  unix-stream("/var/run/syslog-ng/auditd.sock" create-dirs(yes) perm(0600));
+};
+
 ##################
 # filters
 ##################

src/middlewared/middlewared/plugins/audit/utils.py

@@ -6,7 +6,7 @@
 from .schema.common import AuditEventParam
 
 AUDIT_DATASET_PATH = '/audit'
-AUDITED_SERVICES = [('MIDDLEWARE', 0.1), ('SMB', 0.1), ('SUDO', 0.1)]
+AUDITED_SERVICES = [('MIDDLEWARE', 0.1), ('SMB', 0.1), ('SUDO', 0.1), ('SYSTEM', 0.1)]
 AUDIT_TABLE_PREFIX = 'audit_'
 AUDIT_LIFETIME = 7
 AUDIT_DEFAULT_RESERVATION = 0