Date: Mon, 18 Nov 2019 22:59:24 +0000
From: Rahul Gopi <rahul_gopi@hotmail.com>
To: "trustedbsd-discuss@freebsd.org" <trustedbsd-discuss@freebsd.org>
Subject: Help enabling au_to_socket_ex for openbsm network events
Message-ID: <BY5PR08MB6280053BC93EA34797D607A0E34D0@BY5PR08MB6280.namprd08.prod.outlook.com>
In-Reply-To: <BY5PR08MB6280208DAD9312B14AEEC6FDE34D0@BY5PR08MB6280.namprd08.prod.outlook.com>
References: <BY5PR08MB6280208DAD9312B14AEEC6FDE34D0@BY5PR08MB6280.namprd08.prod.outlook.com>
We are looking to enable creation of expanded socket type events in macOS BSM. Saw support for au_to_socket_ex in the source but not sure how to enable this for OpenBSM via the audit_event, audit_control, etc. configuration files. Greatly appreciate any help in this regard.
Platform: macOS 10.14

From man audit.log:

The ``expanded socket'' token contains information about IPv4 and IPv6 sockets. A ``expanded socket'' token can be created using au_to_socket_ex(3).

Field               Bytes          Description
Token ID            1 byte         Token ID
Socket domain       2 bytes        Socket domain
Socket type         2 bytes        Socket type
Address type        2 byte         Address type (IPv4/IPv6)
Local port          2 bytes        Local port
Local IP address    4/16 bytes     Local IP address
Remote port         2 bytes        Remote port
Remote IP address   4/16 bytes     Remote IP address

Thanks and regards
Rahul
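
The expanded socket token layout quoted from audit.log(5) above, decoded in Python as an added example (not part of the original message and not OpenBSM code). It assumes big-endian fields, token ID 0x7f (AUT_SOCKET_EX) and address-type values 4 (IPv4) and 16 (IPv6) as defined in OpenBSM's headers; the sample bytes are constructed.

```python
import ipaddress
import struct

AUT_SOCKET_EX = 0x7F       # assumed token ID, from OpenBSM audit_record.h
ADDR_LEN = {4: 4, 16: 16}  # assumed address-type values: AU_IPv4=4, AU_IPv6=16
HDR = struct.Struct(">BHHH")  # token ID, socket domain, socket type, address type


def parse_socket_ex(buf, offset=0):
    """Decode one expanded socket token; return (fields, next_offset)."""
    if len(buf) - offset < HDR.size:
        raise ValueError("truncated token header")
    token_id, domain, sock_type, addr_type = HDR.unpack_from(buf, offset)
    if token_id != AUT_SOCKET_EX:
        raise ValueError(f"unexpected token ID 0x{token_id:02x}")
    alen = ADDR_LEN.get(addr_type)
    if alen is None:
        raise ValueError(f"unknown address type {addr_type}")
    pos = offset + HDR.size
    end = pos + 2 * (2 + alen)  # two (port, address) pairs follow the header
    if end > len(buf):
        raise ValueError("truncated address fields")
    endpoints = []
    for _ in range(2):  # local endpoint first, then remote
        (port,) = struct.unpack_from(">H", buf, pos)
        addr = ipaddress.ip_address(bytes(buf[pos + 2:pos + 2 + alen]))
        endpoints.append((str(addr), port))
        pos += 2 + alen
    fields = {"domain": domain, "type": sock_type,
              "local": endpoints[0], "remote": endpoints[1]}
    return fields, end


def parse_all(buf):
    """Walk a buffer that holds back-to-back expanded socket tokens."""
    out, pos = [], 0
    while pos < len(buf):
        fields, pos = parse_socket_ex(buf, pos)
        out.append(fields)
    return out


# Constructed sample: one IPv4 token (19 bytes) and one IPv6 token (43 bytes).
SAMPLE = bytes.fromhex(
    "7f000200010004" "c350c000020a" "01bbc6336407"
    "7f001a00010010" "c35120010db8000000000000000000000001"
    "001620010db8000000000000000000000002")

if __name__ == "__main__":
    for token in parse_all(SAMPLE):
        print(token)
```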
