How does /etc/security/audit_event work?

Mateusz Piotrowski 0mp at FreeBSD.org
Thu Jun 2 18:47:30 UTC 2016


Hi,

I participate in Google Summer of Code and I am working on a Non-BSM to BSM audit trails conversion (link below).

I’m feeling a little bit stuck.

From what I understand, this file is generated by audit_kevents.h and audit_uevent.h from within contrib/openbsm (although I couldn’t find the audit_uevent.h anywhere except the directory with the FreeBSD source code; I read the source of audit_uevent.h and I could find any definitions with a comment "These definitions are for FreeBSD").

What strikes me is that the audit_event file on my working FreeBSD has some definitions for Darwin and Solaris, and those definitions do not always have a unique eventnum value (like the events with eventnum=6171).

My questions are:

1. How does /etc/security/audit_event work?
2. How does FreeBSD use this file and choose the right event type? 
3. Which eventnums of the event types can I use on FreeBSD?


Cheers,

Mateusz Piotrowski

Project’s Wiki: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools

PS I misunderstood a lot of things here for sure - sorry about that. I’ll be grateful if you correct me.
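Added example, not part of the message above and not code from the OpenBSM or FreeBSD projects: a small sanity check over a file in audit_event(5) format (one `eventnum:eventname:description:class` record per line, `#` comments and blank lines ignored) that reports every eventnum registered under more than one name, which is the situation the post observes for 6171. The sample file is constructed inline; the two 6171 entries use placeholder names and classes rather than the real Darwin/Solaris definitions. All function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenBSM): check an
# audit_event(5)-style file for duplicate event numbers and look up names.
# Record format per line: eventnum:eventname:description:class

# Constructed sample in audit_event(5) format. The 6171 lines use placeholder
# names/classes; the last line is deliberately malformed to exercise validation.
SAMPLE='# comment line
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
2:AUE_FORK:fork(2):pc

6171:AUE_PLACEHOLDER_A:placeholder event A:ad
6171:AUE_PLACEHOLDER_B:placeholder event B:ad
45000:AUE_MALFORMED_LINE'

# audit_event_dups FILE
# Prints "eventnum name1 name2 ..." for every eventnum that appears more than
# once, sorted numerically. Malformed records are reported on stderr and skipped.
audit_event_dups() {
    awk -F: '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        NF != 4 { printf "malformed line %d: %s\n", NR, $0 > "/dev/stderr"; next }
        { count[$1]++; names[$1] = names[$1] " " $2 }
        END { for (n in count) if (count[n] > 1) print n names[n] }
    ' "$1" | sort -n
}

# audit_event_dup_count FILE
# Number of distinct eventnums that are ambiguous (registered under >1 name).
audit_event_dup_count() {
    audit_event_dups "$1" | wc -l | tr -d ' '
}

# audit_event_lookup FILE EVENTNUM
# Prints every event name registered for EVENTNUM, one per line; nothing if unknown.
audit_event_lookup() {
    awk -F: -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || NF != 4 { next }
        $1 == want { print $2 }
    ' "$1"
}

# Stand-alone demo: write the constructed sample to a temp file and check it.
# To check a live system instead, pass /etc/security/audit_event as FILE.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE" > "$tmp"
echo "duplicate eventnums:"
audit_event_dups "$tmp"
echo "names for 6171:"
audit_event_lookup "$tmp" 6171
rm -f "$tmp"
```

A conversion tool that maps foreign event numbers onto this file should treat any eventnum the duplicate check reports as ambiguous rather than picking whichever record happens to come first.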
