HBSD: add HBSD_LOG_SUID_SGID option
Added HBSD_LOG_SUID_SGID, which can be used to audit strange system behavior.
The option is not added to replace auditd, which is more comprehensive;
it is intended to provide a simple analysis that can be activated simply and quickly at any time.
The option is disabled by default but it is easily activated via sysctl:
sysctl kern.features.hbsd_log_suid_sgid=1
Then you can analyze the logs in this way:
dmesg | grep SUID
[123] [HBSD INTERNAL] uid=1001 exec /usr/local/bin/sudo (SUID/SGID)
Signed-off-by: Loic <loic.f@hardenedbsd.org>
Reviewed-by: Shawn Webb <shawn.webb@hardenedbsd.org>
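
The `dmesg | grep SUID` step can be extended into a per-user summary. The script below is an added example, not part of the commit or of HardenedBSD. It assumes every record has the shape of the single sample line in the commit message, treats the leading bracketed field as opaque, and uses hypothetical function names and a hypothetical baseline file with one expected path per line.

```shell
#!/bin/sh
# Constructed sample input, modelled on the one log line shown in the commit message.
SAMPLE_DMESG='[123] [HBSD INTERNAL] uid=1001 exec /usr/local/bin/sudo (SUID/SGID)
[124] [HBSD INTERNAL] uid=1001 exec /usr/local/bin/sudo (SUID/SGID)
[125] [HBSD INTERNAL] uid=1002 exec /tmp/x helper (SUID/SGID)
unrelated kernel line that happens to mention SUID'

# Read dmesg text on stdin and print "count uid path", most frequent first.
# Matching on the full record shape avoids the false hits that a bare
# "grep SUID" gives on unrelated kernel messages.
summarize_suid_execs() {
    awk '
        /\[HBSD INTERNAL\]/ && / \(SUID\/SGID\)$/ && match($0, /uid=[0-9]+ exec /) {
            # The match is "uid=<digits> exec ": 4 chars before the digits, 6 after.
            uid = substr($0, RSTART + 4, RLENGTH - 10)
            # The path is everything up to the trailing marker, so spaces survive.
            path = substr($0, RSTART + RLENGTH)
            sub(/ \(SUID\/SGID\)$/, "", path)
            n[uid " " path]++
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2n -k3
}

# Same summary, keeping only paths absent from a baseline file ($1),
# which lists one expected SUID/SGID binary per line (assumed format).
unexpected_suid_execs() {
    summarize_suid_execs | awk -v base="$1" '
        BEGIN { while ((getline l < base) > 0) ok[l] = 1 }
        {
            p = $0
            sub(/^[0-9]+ [0-9]+ /, "", p)   # strip the count and uid columns
            if (!(p in ok)) print
        }
    '
}

# Typical use on a live system:
#   dmesg | summarize_suid_execs
#   dmesg | unexpected_suid_execs /path/to/baseline.txt
```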