audit2-current.tbz2

Ilmar S. Habibulin ilmar at watson.org
Thu Apr 22 11:43:11 GMT 2004
http://www.watson.org/~ilmar/download/audit2-current.tbz2
One can configure event names, classes, event-to-class mappings, and
user classes. auditd is stupid, but it works at least between reboots. I
didn't test an overflow condition. praudit needs to be rewritten, but it
works and shows audit records.

Unpack the archive into the /usr subdir. The archive consists of a src subdir and
audit2-new.diff. You need to patch src with this diff. Buildworld and
kernel with KERNELCONF=AUDIT or your config plus option AUDIT.
login will set all necessary audit masks from the audit_user file.

This implementation is 50% or less complete. The statistics subsystem needs to
be done (I do not understand what it is), all kernel settings need to be
revised (it can't set the IP address of the machine and so on).
A lot of work should be done in userland, maybe a libbsm rewrite or at least
extending it with a record parser. praudit should be rewritten to use this parser.
So do not blame me too hard, I'm working on it ;-)

Comments are welcome.
