How to add new audit class?

jhell jhell at DataIX.net
Mon Jun 27 00:02:46 UTC 2011



On Sun, Jun 26, 2011 at 09:03:26PM +0400, Lev Serebryakov wrote:
> Hello, Freebsd-security.
> 
>  I want to create a mixed audit class for ``security-sensible'' events.
>  For example, I need to audit:
> 
>  exec*() syscalls from the standard `pc' class, but not wait4() or
>      fork(), because fork() is not interesting (the new process image is
>      security-sensible, not the new process itself) and occurs too often
>      and creates noise.
> 
>  connect()/accept() from "nt", but not setsockopt(), for the same
>      reasons.
> 
>  And so on.
> 
>    How should I create a new system class? What needs to be put into
>  "classmask" in audit_class(5)? How should I edit the audit_event(5) file,
>  as it seems that one event could belong to only one class, and I
>  don't want to remove these events from their natural classes.
> 

Giving some background here: I had a similar type of thing I was going
through with fcntl etc. for some remote diskless X machines that were
logging 1000+ fcntl changes every 5 seconds! I didn't go with
auditing those machines ;) What it came down to though was making good
use of auditreduce(1) to get the output you would like to investigate.
Good thing the resulting storage files are compressed eh? ;)

To sum it up simply, it comes down to "...class mask size is fixed in the
ABI and difficult to expand"

http://lists.freebsd.org/pipermail/freebsd-bugs/2010-December/042542.html

Hope this helps some.
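The selection Lev describes, worked through as an added example (not code from the thread or from FreeBSD): a small Python model of the audit_class(5) and audit_event(5) file formats. Instead of removing execve/connect/accept from their natural `pc`/`nt` classes, it appends an extra class token to those events and then checks a proposed class mask against the fixed 32-bit field jhell's quote refers to. The `ss` class, its mask 0x00008000 and all sample lines are constructed for illustration.

```python
# Added example, not from the thread. "ss" and its mask 0x00008000 are hypothetical.
MASK_BITS = 32  # the class mask is a fixed 32-bit field in the audit ABI

# Constructed excerpt in audit_class(5) format: mask:name:description
AUDIT_CLASS = """\
0x00000080:pc:process
0x00000100:nt:network
0x40000000:ex:exec
0x00008000:ss:security-sensitive (hypothetical custom class)
"""

# Constructed excerpt in audit_event(5) format: number:name:description:class[,class]
# Each event keeps its natural class; the custom "ss" token is appended to it.
AUDIT_EVENT = """\
2:AUE_FORK:fork(2):pc
7:AUE_WAIT4:wait4(2):pc
23:AUE_EXECVE:execve(2):pc,ex,ss
32:AUE_CONNECT:connect(2):nt,ss
33:AUE_ACCEPT:accept(2):nt,ss
35:AUE_SETSOCKOPT:setsockopt(2):nt
"""

def _records(text, nfields):
    """Split non-comment lines into nfields colon-separated fields."""
    return [ln.split(":", nfields - 1) for ln in text.splitlines()
            if ln and not ln.startswith("#")]

def parse_classes(text):
    """Map class name -> bit mask."""
    return {name: int(mask, 16) for mask, name, _ in _records(text, 3)}

def parse_events(text):
    """Map event name -> list of class tokens the event belongs to."""
    return {name: cls.split(",") for _, name, _, cls in _records(text, 4)}

def select(events, classes, flags):
    """Events whose class masks intersect an audit_control(5)-style flags list."""
    want = 0
    for tok in flags.split(","):
        want |= classes[tok]
    return [e for e, toks in events.items() if any(classes[t] & want for t in toks)]

def check_new_class(classes, mask):
    """Reject a proposed mask that leaves the 32-bit field or collides with a class."""
    if not 0 < mask < 1 << MASK_BITS:
        raise ValueError("mask must fit the fixed 32-bit class field")
    clash = [n for n, v in classes.items() if v & mask]
    if clash:
        raise ValueError("mask overlaps existing class(es): %s" % clash)
```

With these tables, `flags:ss` in audit_control(5) would select execve, connect and accept while fork, wait4 and setsockopt stay out, and `check_new_class` flags a mask that reuses a bit already taken or does not fit the field.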

