Date:      Thu, 2 Jun 2016 20:47:19 +0200
From:      Mateusz Piotrowski <0mp@FreeBSD.org>
To:        freebsd-hackers@freebsd.org
Cc:        Konrad Witaszczyk <def@freebsd.org>
Subject:   How does /etc/security/audit_event work?
Message-ID:  <323FC4BC-C4BB-4090-9C9B-7F1BCC6BCC6B@FreeBSD.org>


Hi,

I participate in Google Summer of Code and I am working on a Non-BSM to BSM audit trail conversion (link below).

I’m feeling a little bit stuck.

From what I understand this file is generated by audit_kevents.h and audit_uevent.h from within contrib/openbsm (although I couldn’t find the audit_uevent.h anywhere except the directory with the FreeBSD source code; I read the source of audit_uevent.h and I couldn’t find any definitions with the comment “These definitions are for FreeBSD”).

What strikes me is that the audit_event file on my working FreeBSD has some definitions for Darwin and Solaris, and those definitions do not always have a unique value of their eventnum (like the events with eventnum=6171).

My questions are:

1. How does /etc/security/audit_event work?
2. How does FreeBSD use this file and choose the right event type? 
3. Which eventnums of the event types can I use on FreeBSD?


Cheers,

Mateusz Piotrowski

Project’s Wiki: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools

PS I misunderstood a lot of things here for sure - sorry about that. I’ll be grateful if you correct me.
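The post asks how the /etc/security/audit_event file is read and what happens when an eventnum is not unique. As an added example (not code from the post, the GSoC project or OpenBSM), the following parser handles the record layout documented in audit_event(5), eventnum:eventname:eventdesc:eventclass with '#' comment lines, flags duplicated event numbers, and shows what a first-match-in-file-order lookup returns for one. The sample records embedded in it are constructed for illustration; they are not copied from any real audit_event file, and the two 6171 entries only mimic the duplication the post describes. The first-match policy is this example's own choice; how a particular consumer of the file resolves duplicates has to be confirmed in that consumer's source.

```python
"""Parser for the audit_event(5) record format, with duplicate-number checks.

Added example: this is not code from the mailing-list post, the GSoC project
or OpenBSM. The record layout it parses, eventnum:eventname:eventdesc:eventclass
with '#' comment lines, is the one documented in audit_event(5). The sample
records below are constructed for illustration; they are not copied from any
real /etc/security/audit_event, and the duplicated 6171 entries merely mimic
the situation the post describes.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class AuditEvent(NamedTuple):
    eventnum: int
    name: str
    desc: str
    classes: Tuple[str, ...]  # the comma-separated class flags, split apart


# Constructed sample (not the real file): a few plausible records plus a
# deliberately duplicated event number, which is the case the post asks about.
SAMPLE_AUDIT_EVENT = """\
#
# Constructed sample in audit_event(5) format
#
2:AUE_fork:fork(2):pc
23:AUE_execve:execve(2):pc,ex
42:AUE_open_read:open(2) - read:fr
6171:AUE_example_a:example event A (constructed):ot
6171:AUE_example_b:example event B (constructed):ot
43999:AUE_site_local:site-local event (constructed):ot
"""


def parse_audit_event(text: str) -> List[AuditEvent]:
    """Parse audit_event(5) records in file order.

    Blank lines and '#' comments are skipped. The description field may
    contain ':', so a line is split on its first two colons and its last one
    rather than on every colon. Malformed lines raise ValueError with the
    line number: a silently dropped record would change which event a later
    lookup returns, which is exactly the kind of drift an audit pipeline
    must not hide.
    """
    records: List[AuditEvent] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            num, name, rest = line.split(":", 2)
            desc, classes = rest.rsplit(":", 1)
            eventnum = int(num)
        except ValueError as exc:
            raise ValueError(f"malformed audit_event record on line {lineno}: {raw!r}") from exc
        flags = tuple(c.strip() for c in classes.split(",") if c.strip())
        records.append(AuditEvent(eventnum, name, desc, flags))
    return records


def find_duplicate_eventnums(records: List[AuditEvent]) -> Dict[int, List[str]]:
    """Map each event number that appears more than once to its event names."""
    by_num: Dict[int, List[str]] = defaultdict(list)
    for rec in records:
        by_num[rec.eventnum].append(rec.name)
    return {num: names for num, names in by_num.items() if len(names) > 1}


def lookup_by_number(records: List[AuditEvent], eventnum: int) -> Optional[AuditEvent]:
    """Return the first record with this number in file order, or None.

    First match is this example's policy (an assumption, not a statement
    about any particular consumer of the file). For a duplicated number only
    the earlier record is reachable this way, which is why
    find_duplicate_eventnums() is worth running before trusting a lookup.
    """
    for rec in records:
        if rec.eventnum == eventnum:
            return rec
    return None


def events_in_class(records: List[AuditEvent], cls: str) -> List[str]:
    """Names of all events carrying the given class flag, in file order."""
    return [rec.name for rec in records if cls in rec.classes]


if __name__ == "__main__":
    recs = parse_audit_event(SAMPLE_AUDIT_EVENT)
    print(f"{len(recs)} records parsed")
    for num, names in sorted(find_duplicate_eventnums(recs).items()):
        print(f"eventnum {num} is used by: {', '.join(names)}")
    hit = lookup_by_number(recs, 6171)
    print("first match for 6171:", hit.name if hit else None)
    print("process-class events:", events_in_class(recs, "pc"))
```

Run against a real file with `parse_audit_event(open("/etc/security/audit_event").read())`; any non-empty result from `find_duplicate_eventnums()` is a number for which a plain numeric lookup is ambiguous and the event name, not the number, has to be the key.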




