Date:      Sun, 26 Jun 2011 21:03:26 +0400
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   How to add new audit class?
Message-ID:  <1307023935.20110626210326@serebryakov.spb.ru>

Hello, Freebsd-security.

 I want to create a mixed audit class for "security-sensible" events.
 For example, I need to audit:

 exec*() syscalls from the standard `pc' class, but not wait4() or
     fork(), because fork() is not interesting (the new process image is
     security-sensible, not the new process itself) and occurs too often
     and creates noise.

 connect()/accept() from "nt", but not setsockopt(), for the same
     reasons.

 And so on.

   How should I create a new system class? What needs to be put into
 "classmask" in audit_class(5)? How should I edit the audit_event(5) file,
 as it seems that one event can belong to only one class, and I
 don't want to remove these events from their natural classes.

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
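Added example, not part of the original message: a small script that shows how a custom class fits the audit_class(5) and audit_event(5) formats as I understand them (mask:name:description with a 32-bit hex mask; number:name:description:class[,class...]). It picks an unused class bit, emits the new audit_class line, and appends the new class to selected events without removing their existing classes. The sample file contents and the class name `ss` are constructed for illustration.

```python
"""Constructed example: derive a custom audit class from audit_class(5)
and audit_event(5) style lines.  Assumed formats: 'mask:name:description'
(32-bit hex mask, one bit per class) and 'number:name:description:classes'
with 'classes' a comma-separated list.  Sample lines below are constructed."""

# Constructed sample of audit_class(5): one bit per class.
CLASS_LINES = """\
0x00000001:fr:file read
0x00000080:pc:process
0x00000100:nt:network
0x40000000:ex:exec
0xffffffff:all:all flags set
""".splitlines()

# Constructed sample of audit_event(5); an event may list several classes.
EVENT_LINES = """\
2:AUE_FORK:fork(2):pc
23:AUE_EXECVE:execve(2):pc,ex
25:AUE_WAIT4:wait4(2):pc
32:AUE_CONNECT:connect(2):nt
33:AUE_ACCEPT:accept(2):nt
29:AUE_SETSOCKOPT:setsockopt(2):nt
""".splitlines()

def used_masks(lines):
    """Masks already assigned in audit_class (comments and blanks skipped)."""
    return {int(l.split(":")[0], 16) for l in lines if l and not l.startswith("#")}

def free_mask(lines):
    """Lowest single bit no real class uses; the 'all' mask 0xffffffff is ignored."""
    used = {u for u in used_masks(lines) if u != 0xffffffff}
    for bit in range(32):
        if not any(u & (1 << bit) for u in used):
            return 1 << bit
    raise ValueError("no free class bit left")

def add_class(class_lines, event_lines, name, desc, events):
    """Return (new audit_class line, rewritten audit_event lines) where each
    event in `events` gains class `name` but keeps its natural classes."""
    class_line = f"0x{free_mask(class_lines):08x}:{name}:{desc}"
    out = []
    for l in event_lines:
        num, ev, d, classes = l.split(":", 3)
        cls = classes.split(",") if classes else []
        if ev in events and name not in cls:
            cls.append(name)
        out.append(f"{num}:{ev}:{d}:{','.join(cls)}")
    return class_line, out
```

The resulting class name can then be used in audit_control(5) flags like any built-in class; fork(2) and setsockopt(2) stay in their original classes only.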