If Python is configured with --enable-loadable-sqlite-extensions, it is possible to load third party SQLite extensions (shared libraries/DLL’s) via the sqlite3 extension module. When enabled, the sqlite3.Connection.enable_load_extension() class method will enable the loading of third party extensions via SQL queries, using the SQL function load_extension(). It also enables loading extension via C, using the sqlite3.Connection.load_extension() class method.

Suggesting to add the following audit event names to respectively the sqlite3.Connection.enable_load_extension() and sqlite3.Connection.load_extension() methods:
- sqlite3.enable_load_extension
- sqlite3.load_extension

Ref.
- https://discuss.python.org/t/should-we-audit-enabling-loading-of-sqlite3-extensions-shared-libraries/8124
- https://www.sqlite.org/loadext.html
- https://docs.python.org/3/library/sqlite3.html#sqlite3.Connection.enable_load_extension

Left some minor suggestions on the PR, but wanted to copy this comment here as well:

I wonder if it's worth returning the connection object when it's created (through a new event in module.c) and then reference it in these events? That can then correlate these (and other) events with the file - we do this already for sockets.

After some thought, I think it's probably not worth it for these ones. The important information is in the extension being loaded, and it doesn't really relate to the connection at all. However, if we wanted to add it later, we couldn't. So might be worth doing now?

Good question. sqlite3_load_extension() loads an extension into a database connection, so it would make sense to also pass the connection object. I'd say we do it; it's a small change, and as you say: if we wanted to add it later, we couldn't.

Ref.
- http://www.sqlite.org/c3ref/load_extension.html

Something like the attached patch, if I understand you correctly?

Maybe it's better to send the event only if the connection succeeded:

diff --git a/Modules/_sqlite/module.c b/Modules/_sqlite/module.c
index 8dbfa7b38a..0220978cf2 100644
--- a/Modules/_sqlite/module.c
+++ b/Modules/_sqlite/module.c
@@ -97,6 +97,12 @@ static PyObject* module_connect(PyObject* self, PyObject* args, PyObject*
 
     result = PyObject_Call(factory, args, kwargs);
 
+    if (result) {
+        if (PySys_Audit("sqlite3.connected", "O", self) < 0) {
+            return -1;
+        }
+    }
+
     return result;
 }

Yeah, along those lines. I believe the event is ".../result" in other places, just to be clear that it's not a function with that name.

Also, don't forget to clean up when returning early from the connected event. We don't want to leak the connection object if the hook raises an error.

Ah, yes thanks for the heads up! I'll update the PR.

New changeset 7244c0060dc3ef909f34b0791c3e7490b0340d5e by Erlend Egeberg Aasland in branch 'master':
bpo-43762: Add audit events for loading of sqlite3 extensions (GH-25246)
https://github.com/python/cpython/commit/7244c0060dc3ef909f34b0791c3e7490b0340d5e

Thanks for the PR!