How to add new audit class?
Lev Serebryakov
lev at FreeBSD.org
Sun Jun 26 17:03:30 UTC 2011
Hello, freebsd-security.

I want to create a mixed audit class for "security-sensitive" events.
For example, I need to audit:

exec*() syscalls from the standard `pc' class, but not wait4() or
fork(), because fork() is not interesting (the new process image is
security-sensitive, not the new process itself) and occurs too often
and creates noise.

connect()/accept() from "nt", but not setsockopt(), for the same
reasons.

And so on.

How should I create a new system class? What needs to be put into
"classmask" in audit_class(5)? How should I edit the audit_event(5) file,
as it seems that one event can belong to only one class, and I
don't want to remove these events from their natural classes.
--
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>
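As an added illustration (not part of the original post), the following Python script works through the two files the question names. It uses constructed samples of /etc/security/audit_class and /etc/security/audit_event whose contents resemble the stock FreeBSD files; the class masks, event numbers and the new class name `ss` are assumptions and must be checked against the reader's own files. It shows that each class in audit_class(5) is a single bit of the 32-bit mask (so a new class needs an unused bit), and that the class field of audit_event(5) is a comma-separated list, so an event can be added to a new class without leaving its natural one.

```python
# Added example: manage a custom audit class for FreeBSD audit_class(5)
# and audit_event(5) files. Sample file contents below are constructed;
# masks and event numbers are assumptions to verify against your system.

# Constructed sample of /etc/security/audit_class (name:mask:description).
SAMPLE_AUDIT_CLASS = """\
# constructed sample, not the real file
no:0x00000000:invalid class
fr:0x00000001:file read
fw:0x00000002:file write
fa:0x00000004:file attribute access
fm:0x00000008:file attribute modify
fc:0x00000010:file create
fd:0x00000020:file delete
cl:0x00000040:file close
pc:0x00000080:process
nt:0x00000100:network
ip:0x00000200:ipc
na:0x00000400:non attributable
ad:0x00000800:administrative
lo:0x00001000:login_logout
aa:0x00002000:authentication and authorization
ap:0x00004000:application
io:0x20000000:ioctl
ex:0x40000000:exec
ot:0x80000000:miscellaneous
all:0xffffffff:all flags set
"""

# Constructed sample of /etc/security/audit_event
# (number:AUE_name:description:class[,class...]).
SAMPLE_AUDIT_EVENT = """\
# constructed sample, not the real file
2:AUE_FORK:fork(2):pc
4:AUE_WAIT4:wait4(2):pc
23:AUE_EXECVE:execve(2):pc,ex
32:AUE_CONNECT:connect(2):nt
33:AUE_ACCEPT:accept(2):nt
35:AUE_SETSOCKOPT:setsockopt(2):nt
"""


def parse_audit_class(text):
    """Return {class_name: mask} for every non-comment, non-empty line."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, mask, _desc = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def free_class_bit(classes):
    """Lowest single bit not claimed by any real class.

    'no' (0) and 'all' (0xffffffff) are aggregates, not class bits.
    Refuses masks that are not a single bit, since the kernel ANDs
    event masks against the preselection mask bit by bit."""
    used = 0
    for name, mask in classes.items():
        if name in ("no", "all"):
            continue
        if mask & (mask - 1):
            raise ValueError(f"class {name} mask {mask:#010x} is not a single bit")
        used |= mask
    for bit in range(32):
        if not used & (1 << bit):
            return 1 << bit
    raise ValueError("all 32 class bits are taken")


def add_audit_class(text, name, description):
    """Insert a new class line (before 'all') using the first free bit.

    Returns (new_file_text, mask)."""
    classes = parse_audit_class(text)
    if name in classes:
        raise ValueError(f"class {name!r} already exists")
    mask = free_class_bit(classes)
    lines = text.splitlines()
    new_line = f"{name}:{mask:#010x}:{description}"
    idx = next((i for i, l in enumerate(lines) if l.startswith("all:")), len(lines))
    lines.insert(idx, new_line)
    return "\n".join(lines) + "\n", mask


def tag_audit_events(text, event_names, new_class):
    """Append new_class to the class list of the named events only.

    Existing classes are kept: the class field is comma-separated, so
    AUE_EXECVE can stay in pc and ex while also joining the new class."""
    wanted = set(event_names)
    seen = set()
    out = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            num, name, desc, cls = line.split(":", 3)
            if name in wanted:
                seen.add(name)
                cls_list = cls.split(",")
                if new_class not in cls_list:
                    cls_list.append(new_class)
                line = ":".join((num, name, desc, ",".join(cls_list)))
        out.append(line)
    missing = wanted - seen
    if missing:
        raise ValueError(f"events not found in audit_event: {sorted(missing)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    new_classes, mask = add_audit_class(SAMPLE_AUDIT_CLASS, "ss", "security sensitive")
    new_events = tag_audit_events(
        SAMPLE_AUDIT_EVENT, ["AUE_EXECVE", "AUE_CONNECT", "AUE_ACCEPT"], "ss")
    print(f"new class 'ss' gets mask {mask:#010x}")
    print(new_classes)
    print(new_events)
```

Run against real files, the script would emit an audit_class line such as `ss:0x00008000:security sensitive` (the exact bit depends on which bits your file already uses) and rewrite only the chosen events, leaving fork(2), wait4(2) and setsockopt(2) in their original classes. Once the new class name appears in the `flags:` line of audit_control(5), `audit -s` makes auditd reread the configuration.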