Re: How to add new audit class?
On Sun, Jun 26, 2011 at 09:03:26PM +0400, Lev Serebryakov wrote:
> Hello, Freebsd-security.
>
> I want to create a mixed audit class for ``security-sensible'' events.
> For example, I need to audit:
>
> exec*() syscalls from the standard `pc' class, but not wait4() or
> fork(), because fork() is not interesting (the new process image is
> security-sensible, not the new process itself) and occurs too often
> and creates noise.
>
> connect()/accept() from "nt", but not setsockopt(), for the same
> reasons.
>
> And so on.
>
> How should I create a new system class? What needs to be put into
> "classmask" in audit_class(5)? How should I edit the audit_event(5) file,
> as it seems that one event can belong only to one class, and I
> don't want to remove these events from their natural classes.
>
Giving some background here: I had a similar type of thing I was going
through with fcntl etc. for some remote diskless X machines that were
logging 1000+ fcntl changes every 5 seconds! I didn't go with
auditing those machines ;) What it came down to, though, was making good
use of auditreduce(1) to get the output you would like to investigate.
Good thing the resulting storage files are compressed, eh? ;)

To sum it up simply, it comes down to "...class mask size is fixed in the
ABI and difficult to expand":
http://lists.freebsd.org/pipermail/freebsd-bugs/2010-December/042542.html

Hope this helps some.
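As an added example (not code from this thread, and not FreeBSD's own tooling), the script below models the audit_class(5) and audit_event(5) formats so you can preview what a new mixed class would select before touching the real files. It assumes the stock field order (audit_class: mask:name:description; audit_event: number:name:description:class,class,...), the class name `ss` is a hypothetical choice, and the sample lines are constructed with illustrative event numbers. It also checks the two things the questioner and the reply touch on: audit_event(5) takes a comma-separated class list, so an event can stay in its natural class while also joining the new one, and the class mask is a fixed 32-bit word, so a new class needs a free bit and there are only so many.

```python
"""Preview which events a new audit class selects by modelling the
audit_class(5) and audit_event(5) files (added example; sample data is
constructed and event numbers are illustrative)."""

MASK_BITS = 32  # au_class_t is a fixed 32-bit mask in the ABI

# Constructed audit_class(5) sample, laid out like the stock file as
# mask:name:description.  'all' is a catch-all, not a real bit owner.
SAMPLE_CLASSES = """\
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000080:pc:process
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non attributable
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00002000:aa:authentication and authorization
0x00004000:ap:application
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:miscellaneous
0xffffffff:all:all flags set
"""

# Constructed audit_event(5) sample (number:name:description:class,...);
# note that execve already belongs to two classes.
SAMPLE_EVENTS = """\
2:AUE_FORK:fork(2):pc
7:AUE_WAIT4:wait4(2):pc
23:AUE_EXECVE:execve(2):pc,ex
32:AUE_CONNECT:connect(2):nt
33:AUE_ACCEPT:accept(2):nt
35:AUE_SETSOCKOPT:setsockopt(2):nt
"""

def _records(text):
    """Non-blank, non-comment lines, stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def parse_classes(text):
    """{name: mask} from audit_class(5) lines."""
    classes = {}
    for line in _records(text):
        mask, name, _ = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes

def parse_events(text):
    """{event name: (number, description, set of class names)}."""
    events = {}
    for line in _records(text):
        num, name, desc, cls = line.split(":", 3)
        events[name] = (int(num), desc, set(filter(None, cls.split(","))))
    return events

def free_class_bit(classes):
    """Lowest bit no class but 'all' uses; None once all 32 bits are taken."""
    used = 0
    for name, mask in classes.items():
        if name != "all":
            used |= mask
    for bit in range(MASK_BITS):
        if not used & (1 << bit):
            return 1 << bit
    return None

def define_class(classes, name, mask):
    """Register a class, refusing masks that overflow or collide."""
    if name in classes:
        raise ValueError("class %s already exists" % name)
    if not mask or mask < 0 or mask >> MASK_BITS:
        raise ValueError("mask does not fit in %d bits" % MASK_BITS)
    if any(n != "all" and m & mask for n, m in classes.items()):
        raise ValueError("mask 0x%08x overlaps an existing class" % mask)
    classes[name] = mask

def selected_events(flags, classes, events):
    """Events matched by an audit_control-style flags list such as 'pc,^ss':
    tokens apply left to right and a '^' prefix clears that class's bits.
    An event matches when any of its classes' bits survive in the mask."""
    mask = 0
    for tok in (t.strip() for t in flags.split(",")):
        mask = mask & ~classes[tok[1:]] if tok[0] == "^" else mask | classes[tok]
    return sorted(n for n in events
                  if any(classes[c] & mask for c in events[n][2]))

def preview(new_class="ss"):
    """The thread's scenario: a class (hypothetical name 'ss') holding execve,
    connect and accept but not fork, wait4 or setsockopt.  Each event keeps
    its natural classes; the new class is just appended to its list."""
    classes = parse_classes(SAMPLE_CLASSES)
    events = parse_events(SAMPLE_EVENTS)
    define_class(classes, new_class, free_class_bit(classes))
    for ev in ("AUE_EXECVE", "AUE_CONNECT", "AUE_ACCEPT"):
        events[ev][2].add(new_class)
    def query(flags):
        return selected_events(flags, classes, events)
    return {"mask": classes[new_class], new_class: query(new_class),
            "pc": query("pc"), "pc,^" + new_class: query("pc,^" + new_class)}
```

Calling `preview()` picks the first unused bit (0x00008000 with the sample above), puts the three events into `ss` without removing them from `pc` or `nt`, and shows that a flags line of `ss` selects exactly execve, connect and accept. The `pc,^ss` query is the caveat worth knowing: preselection tests the OR of an event's class bits against the mask, so negating the new class does not pull execve out of `pc`; you can only add a narrower view, not subtract from a natural class. When `free_class_bit` returns None, you have hit the wall the reply points at: the mask width is fixed, so the remaining option is post-filtering with auditreduce(1).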