From: Mateusz Piotrowski <0mp@FreeBSD.org>
Subject: How does /etc/security/audit_event work?
Date: Thu, 2 Jun 2016 20:47:19 +0200
Message-Id: <323FC4BC-C4BB-4090-9C9B-7F1BCC6BCC6B@FreeBSD.org>
To: freebsd-hackers@freebsd.org
Cc: Konrad Witaszczyk

Hi,

I participate in Google Summer of Code and I am working on a Non-BSM to BSM audit trails conversion (link below). I'm feeling a little bit stuck.

From what I understand this file is generated by audit_kevents.h and audit_uevent.h from within contrib/openbsm (although I couldn't find the audit_uevent.h anywhere except the directory with the FreeBSD source code; I read the source of audit_uevent.h and I could find any definitions with a comment "These definitions are for FreeBSD").

What strikes me is that the audit_event file on my working FreeBSD has some definitions for Darwin and Solaris and those definitions do not always have a unique value of their eventnum (like the events with eventnum=6171).

My questions are:

1. How does /etc/security/audit_event work?
2. How does FreeBSD use this file and choose the right event type?
3. Which eventnums of the event types can I use on FreeBSD?

Cheers,
Mateusz Piotrowski

Project's Wiki: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools

PS I misunderstood a lot of things here for sure - sorry about that. I'll be grateful if you correct me.
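The post turns on how entries in audit_event are keyed, and it notices that the same eventnum can appear on more than one line. The following added example, which is not part of the post and not OpenBSM or FreeBSD code, shows the check a practitioner would run over such a file: it parses the record layout documented in audit_event(5) (four colon-separated fields, eventnum:eventname:eventdesc:eventclasses, with `#` comment lines), reports every eventnum that is defined more than once, and shows which audit classes those duplicate definitions would contribute to. The sample file embedded in the block is constructed; the two 6171 entries and their `AUE_PLACEHOLDER_*` names are placeholders standing in for the non-unique definitions the post mentions, not the real records. The only assumption beyond the post is the audit_event(5) record layout.

```python
"""Parse audit_event(5)-style records and flag duplicate event numbers.

Added example, not code from the mailing-list post or from OpenBSM/FreeBSD.
Assumed record layout (from audit_event(5)):
    eventnum:eventname:eventdesc:eventclasses
where eventclasses is a comma-separated list of audit_class(5) class names.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    num: int
    name: str
    desc: str
    classes: frozenset  # audit class names, e.g. "pc", "fc", "ad", "no"


# Constructed sample modelled on the audit_event layout. The duplicated
# eventnum 6171 mirrors the situation described in the post; the
# AUE_PLACEHOLDER_* names are placeholders, not real FreeBSD definitions.
SAMPLE_AUDIT_EVENT = """\
#
# constructed sample, not the real /etc/security/audit_event
#
0:AUE_NULL:indir system call:no
2:AUE_FORK:fork(2):pc
43001:AUE_PLACEHOLDER_ONE:constructed FreeBSD-style event:ad,lo
6171:AUE_PLACEHOLDER_DARWIN:constructed Darwin-style event:ad
6171:AUE_PLACEHOLDER_SOLARIS:constructed Solaris-style event:fc
"""


def parse_audit_event(text):
    """Return AuditEvent records, skipping blank and '#' comment lines.

    A line that does not have exactly four colon-separated fields raises
    ValueError, so a damaged configuration is reported rather than silently
    mis-parsed.
    """
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError(
                f"line {lineno}: expected 4 colon-separated fields, got {len(parts)}"
            )
        num_s, name, desc, flags = parts
        classes = frozenset(f for f in flags.split(",") if f)
        events.append(AuditEvent(int(num_s), name, desc, classes))
    return events


def duplicate_eventnums(events):
    """Map each eventnum defined more than once to the names sharing it."""
    by_num = defaultdict(list)
    for ev in events:
        by_num[ev.num].append(ev.name)
    return {num: names for num, names in by_num.items() if len(names) > 1}


def classes_for(events, num):
    """Union of the classes every definition of `num` contributes.

    When an eventnum is defined twice with different classes, this is the
    set a class-based selection would have to reason about.
    """
    result = set()
    for ev in events:
        if ev.num == num:
            result |= ev.classes
    return frozenset(result)


if __name__ == "__main__":
    evs = parse_audit_event(SAMPLE_AUDIT_EVENT)
    for num, names in sorted(duplicate_eventnums(evs).items()):
        print(f"eventnum {num} is defined {len(names)} times: {', '.join(names)}")
        print(f"  combined classes: {sorted(classes_for(evs, num))}")
```

Run against a real `/etc/security/audit_event` by replacing `SAMPLE_AUDIT_EVENT` with the file's contents; the duplicate report answers the post's third question empirically for a given system, since any eventnum listed there maps to more than one name.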