Date: Fri, 19 Oct 2007 09:52:34 -0400 (EDT)
From: "Andrew R. Reiter" <arr@watson.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Perforce Change Reviews <perforce@FreeBSD.org>
Subject: Re: PERFORCE change 127769 for review
Message-ID: <20071019095211.X32470@fledge.watson.org>
In-Reply-To: <20071019144713.F29035@fledge.watson.org>
References: <200710191100.l9JB06KB005138@repoman.freebsd.org> <20071019075904.F32470@fledge.watson.org> <20071019144713.F29035@fledge.watson.org>
On Fri, 19 Oct 2007, Robert Watson wrote:

> On Fri, 19 Oct 2007, Andrew R. Reiter wrote:
>
>> Just curious -- how come openbsm removed AU_ class masks; isn't that needed
>> for log analysis? or at least *better* log analysis?
>
> I think these definitions were largely historical -- the class masks are also
> defined in /etc/security/audit_class, and customizable for each system they
> are installed on. The hard-coded mask definitions below were never used,
> with the exception of AU_NULL (no bits set). Likewise, they probably
> shouldn't be used, on the basis that they are compile-time rather than
> run-time, and may conflict with run-time settings -- i.e., for hosts where a
> different set of classes have been defined.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge

Makes sense.

Cheers,
Andrew

>
>>
>> Cheers,
>> Andrew
>>
>> --
>> Andrew R. Reiter
>> arr@watson.org
>> 858 245 3682
>>
>> On Fri, 19 Oct 2007, Robert Watson wrote:
>>
>>> http://perforce.freebsd.org/chv.cgi?CH=127769
>>>
>>> Change 127769 by rwatson@rwatson_zoo on 2007/10/19 10:59:33
>>>
>>> Integrate OpenBSM changes into audit3 kernel.
>>>
>>> Affected files ...
>>>
>>> .. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 integrate
>>>
>>> Differences ...
>>>
>>> ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 (text+ko) ====
>>>
>>> @@ -26,7 +26,7 @@ >>> * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >>> OF >>> * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >>> * >>> - * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#39 $ >>> + * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 $ >>> * $FreeBSD: src/sys/bsm/audit.h,v 1.9 2007/07/22 12:28:12 rwatson Exp $ >>> */ 
>>> >>> @@ -75,44 +75,6 @@ >>> #define AU_DEFAUDITID -1 >>> >>> /* >>> - * Define the masks for the classes of audit events. >>> - */ >>> -#define AU_NULL 0x00000000 >>> -#define AU_FREAD 0x00000001 >>> -#define AU_FWRITE 0x00000002 >>> -#define AU_FACCESS 0x00000004 >>> -#define AU_FMODIFY 0x00000008 >>> -#define AU_FCREATE 0x00000010 >>> -#define AU_FDELETE 0x00000020 >>> -#define AU_CLOSE 0x00000040 >>> -#define AU_PROCESS 0x00000080 >>> -#define AU_NET 0x00000100 >>> -#define AU_IPC 0x00000200 >>> -#define AU_NONAT 0x00000400 >>> -#define AU_ADMIN 0x00000800 >>> -#define AU_LOGIN 0x00001000 >>> -#define AU_TFM 0x00002000 >>> -#define AU_APPL 0x00004000 >>> -#define AU_SETL 0x00008000 >>> -#define AU_IFLOAT 0x00010000 >>> -#define AU_PRIV 0x00020000 >>> -#define AU_MAC_RW 0x00040000 >>> -#define AU_XCONN 0x00080000 >>> -#define AU_XCREATE 0x00100000 >>> -#define AU_XDELETE 0x00200000 >>> -#define AU_XIFLOAT 0x00400000 >>> -#define AU_XPRIVS 0x00800000 >>> -#define AU_XPRIVF 0x01000000 >>> -#define AU_XMOVE 0x02000000 >>> -#define AU_XDACF 0x04000000 >>> -#define AU_XMACF 0x08000000 >>> -#define AU_XSECATTR 0x10000000 >>> -#define AU_IOCTL 0x20000000 >>> -#define AU_EXEC 0x40000000 >>> -#define AU_OTHER 0x80000000 >>> -#define AU_ALL 0xffffffff >>> - >>> -/* >>> * IPC types. >>> */ >>> #define AT_IPC_MSG ((u_char)1) /* Message IPC id. */ >>> >>> >> > >
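Review bot: in the hunk at @@ -75,44 +75,6 @@, AU_NULL is deleted together with the other AU_ masks, yet the reply in this thread says AU_NULL was the one definition that was actually used. Before integrating, confirm that every remaining user of AU_NULL either gets a definition from another header or is changed to a literal 0, otherwise the kernel build breaks. It would also help to leave a one-line comment where the block was, pointing to /etc/security/audit_class as the place the class masks come from, so a reader looking for the AU_ masks in audit.h learns they are run-time configuration.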
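The point made in Robert Watson's reply, as an added example (not part of the original message and not OpenBSM code): a log-analysis tool resolves a class mask from audit_class-format text at run time instead of relying on a compiled-in AU_ constant. The sample entries, the relocated `lo` bit and the function names are constructed for illustration; the `mask:name:description` line layout is that of audit_class(5).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define OLD_AU_LOGIN 0x00001000u /* value of the removed AU_LOGIN */

/* Constructed sample in mask:name:description layout; this hypothetical
 * host has moved "lo" to a different bit. Not a real system file. */
static const char sample_audit_class[] =
    "# constructed example\n"
    "0x00000000:no:invalid class\n"
    "0x00000800:ad:administrative\n"
    "0x00010000:lo:login_logout\n"
    "not-a-mask:zz:malformed line, skipped\n";

/* Find the run-time mask for class `name`; 0 on success, -1 if undefined. */
int class_mask(const char *text, const char *name, uint32_t *mask)
{
    size_t nlen = strlen(name);
    const char *line = text;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char *end;
        unsigned long v = strtoul(line, &end, 16);
        /* Accept only "<hex>:<name>:..." lying wholly inside this line. */
        if (end != line && *end == ':' && v <= 0xffffffffUL &&
            (size_t)(end + 1 - line) + nlen < len &&
            strncmp(end + 1, name, nlen) == 0 && end[1 + nlen] == ':') {
            *mask = (uint32_t)v;
            return 0;
        }
        line += len + (eol ? 1 : 0);
    }
    return -1;
}

/* Does an event's class mask select class `name` on this host? */
int event_in_class(const char *text, uint32_t ev_mask, const char *name)
{
    uint32_t m;
    return class_mask(text, name, &m) == 0 && (ev_mask & m) != 0;
}

int main(void)
{   /* exit 0: the old constant does not select "lo" on this host */
    return event_in_class(sample_audit_class, OLD_AU_LOGIN, "lo");
}
```

On the constructed host a filter built on the old compile-time value would miss every login event, which is the compile-time versus run-time conflict the reply describes.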