Date:      Fri, 19 Oct 2007 14:48:53 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        "Andrew R. Reiter" <arr@watson.org>
Cc:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   Re: PERFORCE change 127769 for review
Message-ID:  <20071019144713.F29035@fledge.watson.org>
In-Reply-To: <20071019075904.F32470@fledge.watson.org>
References:  <200710191100.l9JB06KB005138@repoman.freebsd.org> <20071019075904.F32470@fledge.watson.org>

On Fri, 19 Oct 2007, Andrew R. Reiter wrote:

> Just curious -- how come openbsm removed AU_ class masks; isn't that needed 
> for log analysis?  or at least *better* log analysis?

I think these definitions were largely historical -- the class masks are also 
defined in /etc/security/audit_class, and customizable for each system they 
are installed on.  The hard-coded mask definitions below were never used, 
with the exception of AU_NULL (no bits set).  Likewise, they probably 
shouldn't be used, on the basis that they are compile-time rather than 
run-time, and may conflict with run-time settings -- i.e., for hosts where a 
different set of classes have been defined.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> Cheers,
> Andrew
>
> --
> Andrew R. Reiter
> arr@watson.org
> 858 245 3682
>
> On Fri, 19 Oct 2007, Robert Watson wrote:
>
>> http://perforce.freebsd.org/chv.cgi?CH=127769
>> 
>> Change 127769 by rwatson@rwatson_zoo on 2007/10/19 10:59:33
>>
>> 	Integrate OpenBSM changes into audit3 kernel.
>> 
>> Affected files ...
>> 
>> .. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 integrate
>> 
>> Differences ...
>> 
>> ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 (text+ko) ====
>> 
>> @@ -26,7 +26,7 @@
>>  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>>  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>>  *
>> - * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#39 $
>> + * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 $
>>  * $FreeBSD: src/sys/bsm/audit.h,v 1.9 2007/07/22 12:28:12 rwatson Exp $
>>  */
>> 
>> @@ -75,44 +75,6 @@
>> #define	AU_DEFAUDITID	-1
>> 
>> /*
>> - * Define the masks for the classes of audit events.
>> - */
>> -#define	AU_NULL		0x00000000
>> -#define	AU_FREAD	0x00000001
>> -#define	AU_FWRITE	0x00000002
>> -#define	AU_FACCESS	0x00000004
>> -#define	AU_FMODIFY	0x00000008
>> -#define	AU_FCREATE	0x00000010
>> -#define	AU_FDELETE	0x00000020
>> -#define	AU_CLOSE	0x00000040
>> -#define	AU_PROCESS	0x00000080
>> -#define	AU_NET		0x00000100
>> -#define	AU_IPC		0x00000200
>> -#define	AU_NONAT	0x00000400
>> -#define	AU_ADMIN	0x00000800
>> -#define	AU_LOGIN	0x00001000
>> -#define	AU_TFM		0x00002000
>> -#define	AU_APPL		0x00004000
>> -#define	AU_SETL		0x00008000
>> -#define	AU_IFLOAT	0x00010000
>> -#define	AU_PRIV		0x00020000
>> -#define	AU_MAC_RW	0x00040000
>> -#define	AU_XCONN	0x00080000
>> -#define	AU_XCREATE	0x00100000
>> -#define	AU_XDELETE	0x00200000
>> -#define	AU_XIFLOAT	0x00400000
>> -#define	AU_XPRIVS	0x00800000
>> -#define	AU_XPRIVF	0x01000000
>> -#define	AU_XMOVE	0x02000000
>> -#define	AU_XDACF	0x04000000
>> -#define	AU_XMACF	0x08000000
>> -#define	AU_XSECATTR	0x10000000
>> -#define	AU_IOCTL	0x20000000
>> -#define	AU_EXEC		0x40000000
>> -#define	AU_OTHER	0x80000000
>> -#define	AU_ALL		0xffffffff
>> -
>> -/*
>>  * IPC types.
>>  */
>> #define	AT_IPC_MSG	((u_char)1)	/* Message IPC id. */
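
Review bot: AU_NULL is deleted at the top of this block along with every other AU_ mask, yet the reply in this thread names it as the one definition that was actually in use. Either keep "#define AU_NULL 0x00000000" or confirm that nothing including this header still references it before the block goes. The comment "Define the masks for the classes of audit events." is removed with nothing in its place, so a one-line comment here pointing readers to /etc/security/audit_class as the run-time source of class masks would keep the next person from re-adding compile-time values.
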
>> 
>> 
>
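
An added example, not part of the original message or of OpenBSM: it names the classes in an event's class mask from definitions read at run time, in the `mask:name:description` layout of /etc/security/audit_class, which is the approach the reply above argues for. The sample text, the site-defined class `db` and the function name `classes_for` are assumptions constructed for illustration; on this hypothetical host bit 0x00000001 does not mean what the removed AU_FREAD said it did.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed audit_class-style text ("mask:name:description"); on this
 * hypothetical host bit 0x00000001 is a site-defined class "db". */
static const char SAMPLE[] =
    "# constructed sample, not a real host's file\n"
    "0x00000000:no:invalid class\n"
    "0x00000001:db:database access\n"
    "0x00000080:pc:process\n"
    "0x00001000:lo:login_logout\n";

/* Name the classes set in an event's class mask using the run-time
 * definitions in text; undefined bits are reported in hex, not guessed. */
static const char *classes_for(unsigned long mask, const char *text)
{
    static char out[128];
    size_t used = 0;
    out[0] = '\0';
    while (*text != '\0') {
        char line[128], *end;
        size_t len = strcspn(text, "\n");
        if (len < sizeof(line)) {
            memcpy(line, text, len);
            line[len] = '\0';
            unsigned long m = strtoul(line, &end, 0);
            /* Comments and malformed lines fail this check and are skipped. */
            if (end != line && *end == ':' && m != 0 && (mask & m) == m) {
                end[1 + strcspn(end + 1, ":")] = '\0';
                used += snprintf(out + used, sizeof(out) - used, "%s%s",
                    used ? "," : "", end + 1);
                if (used >= sizeof(out)) used = sizeof(out) - 1; /* truncated */
                mask &= ~m;
            }
        }
        text += len + (text[len] == '\n');
    }
    if (mask != 0)
        snprintf(out + used, sizeof(out) - used, "%s0x%08lx",
            used ? "," : "", mask);
    return out;
}

int main(void)
{
    puts(classes_for(0x00001001UL, SAMPLE));  /* both bits defined here */
    puts(classes_for(0x40000080UL, SAMPLE));  /* 0x40000000 has no entry */
    return 0;
}
```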


