PERFORCE change 63849 for review

Robert Watson rwatson at FreeBSD.org
Wed Oct 27 21:34:11 GMT 2004


On Wed, 27 Oct 2004, Andrew R. Reiter wrote:

> :Change 63849 by rwatson at rwatson_tislabs on 2004/10/27 21:25:02
> :
> :	Use the per-process system call vector rather than the global
> :	vector, in order to permit auditing based on per-vector audit
> :	event types, which may not match the global ones.  E.g., the
> :	FreeBSD system call number for open() is not the same as the
> :	Linux one.
> 
> Thanks

Someone will now need to walk each of the system call tables in the kernel
and insert audit event type mappings similar to the ones present in
syscalls.master for the main system call table.  Probably the most
significant up-front are the FreeBSD 32-bit compat system call table used
for 64-bit FreeBSD systems (compat/freebsd32), and the Linux ABI system
call table (compat/linux).  In doing so, we need to make sure that audit
calls in the system calls gather the same arguments needed for the native
ones, etc.  In many cases it will "just work" since the Linux calls are
very thin wrappers around the same calls for FreeBSD; in some cases, more
work will be needed.  In a few cases there will be system calls/services
not present in Solaris/Darwin/FreeBSD that we'll have to assign new event
types for.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Principal Research Scientist, McAfee Research
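Added example, not code from the mail or from FreeBSD itself: a small C model of the lookup the change above describes. Each ABI's system call vector carries its own audit event type per entry, and the audit code consults the vector the process runs under rather than the global native table. The struct and field names (sysent, sysentvec, sy_auditevent, p_sysent) echo the FreeBSD names only for readability; the layouts, the AUE_* values and every syscall number below are constructed for illustration and are not the real FreeBSD or Linux numbers. It also includes the walk the mail calls for: counting entries in a vector that exist but still have no audit event assigned.

```c
#include <stddef.h>
#include <stdio.h>

/* Audit event types. AUE_* follows the BSM naming convention; the values
 * here are constructed for this example. */
typedef enum {
    AUE_NULL = 0,      /* no audit event assigned: the table entry is unmapped */
    AUE_EXIT,
    AUE_FORK,
    AUE_OPEN,
    AUE_CLOSE,
    AUE_STAT,
    AUE_LISTEN
} au_event_t;

/* One system call table entry: its name and the audit event it maps to. */
struct sysent {
    const char *sy_name;        /* NULL marks a hole in the table */
    au_event_t  sy_auditevent;
};

/* A system call vector: one per ABI (native, freebsd32, linux, ...). */
struct sysentvec {
    const char          *sv_name;
    const struct sysent *sv_table;
    size_t               sv_size;
};

/* The only per-process state this example needs: which vector it runs under. */
struct proc {
    const char             *p_comm;
    const struct sysentvec *p_sysent;
};

/* Constructed tables. The numbers are illustrative, not real FreeBSD or
 * Linux syscall numbers; what matters is that the same call can sit at
 * different numbers in different ABIs, and the same number can mean
 * different calls. */
static const struct sysent native_table[] = {
    [1]   = { "exit",   AUE_EXIT   },
    [2]   = { "fork",   AUE_FORK   },
    [5]   = { "open",   AUE_OPEN   },
    [6]   = { "close",  AUE_CLOSE  },
    [106] = { "listen", AUE_LISTEN },
    [188] = { "stat",   AUE_STAT   },
};

static const struct sysent linux_table[] = {
    [1]   = { "exit",    AUE_EXIT  },
    [2]   = { "fork",    AUE_FORK  },
    [5]   = { "open",    AUE_OPEN  },
    [6]   = { "close",   AUE_CLOSE },
    [7]   = { "waitpid", AUE_NULL  },   /* present in the ABI, not yet mapped */
    [106] = { "stat",    AUE_STAT  },
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

static const struct sysentvec native_sysvec = { "native", native_table, NELEM(native_table) };
static const struct sysentvec linux_sysvec  = { "linux",  linux_table,  NELEM(linux_table)  };

/* Two constructed processes, one per ABI. */
static const struct proc native_proc = { "native-bin", &native_sysvec };
static const struct proc linux_proc  = { "linux-bin",  &linux_sysvec  };

/* Old behaviour: classify every syscall number through the global native table. */
au_event_t audit_event_global(unsigned code)
{
    if (code >= native_sysvec.sv_size || native_sysvec.sv_table[code].sy_name == NULL)
        return AUE_NULL;
    return native_sysvec.sv_table[code].sy_auditevent;
}

/* New behaviour: look the number up in the vector the process actually runs under. */
au_event_t audit_event_per_proc(const struct proc *p, unsigned code)
{
    const struct sysentvec *sv = p->p_sysent;
    if (code >= sv->sv_size || sv->sv_table[code].sy_name == NULL)
        return AUE_NULL;
    return sv->sv_table[code].sy_auditevent;
}

/* The follow-up work the mail describes: walk a vector and count entries
 * that exist but still carry no audit event mapping. */
size_t count_unmapped(const struct sysentvec *sv)
{
    size_t n = 0;
    for (size_t i = 0; i < sv->sv_size; i++)
        if (sv->sv_table[i].sy_name != NULL && sv->sv_table[i].sy_auditevent == AUE_NULL)
            n++;
    return n;
}

int main(void)
{
    unsigned code = 106;  /* stat in the constructed Linux table, listen in the native one */
    printf("global lookup of %u from a Linux process:   event %d (listen: wrong)\n",
           code, audit_event_global(code));
    printf("per-proc lookup of %u from a Linux process: event %d (stat: right)\n",
           code, audit_event_per_proc(&linux_proc, code));
    printf("unmapped entries in the %s table: %zu\n",
           linux_sysvec.sv_name, count_unmapped(&linux_sysvec));
    return 0;
}
```

The global lookup is exactly the mis-classification the change avoids: a Linux process's stat would be recorded as a listen event. The per-vector lookup also returns AUE_NULL for numbers outside the table or for entries that exist but have no mapping yet, which is the signal count_unmapped() uses to find the entries that still need event types assigned.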



