Date:      Thu, 2 Jun 2016 20:47:19 +0200
From:      Mateusz Piotrowski <0mp@FreeBSD.org>
To:        freebsd-hackers@freebsd.org
Cc:        Konrad Witaszczyk <def@freebsd.org>
Subject:   How does /etc/security/audit_event work?
Message-ID:  <323FC4BC-C4BB-4090-9C9B-7F1BCC6BCC6B@FreeBSD.org>

Hi,

I participate in Google Summer of Code and I am working on a Non-BSM to BSM audit trails conversion (link below).

I’m feeling a little bit stuck.

From what I understand this file is generated by audit_kevents.h and audit_uevent.h from within contrib/openbsm (although I couldn’t find the audit_uevent.h anywhere except the directory with the FreeBSD source code; I read the source of audit_uevent.h and I could find any definitions with a comment “These definitions are for FreeBSD”).


What strikes me is that the audit_event file on my working FreeBSD has some definitions for Darwin and Solaris and those definitions do not always have a unique value of their eventnum (like the events with eventnum=6171).

My questions are:

1. How does /etc/security/audit_event work?
2. How does FreeBSD use this file and choose the right event type?
3. Which eventnums of the event types can I use on FreeBSD?


Cheers,

Mateusz Piotrowski

Project’s Wiki: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools

PS I misunderstood a lot of things here for sure - sorry about that. I’ll be grateful if you correct me.
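
Added example (not part of the original message and not OpenBSM code): a small checker that parses text in the colon-separated audit_event(5) layout and reports event numbers shared by more than one event name, the situation the message describes for 6171. The four-field layout is assumed from the audit_event(5) manual page rather than from this message; the sample lines are constructed and every name in them is a placeholder.

```python
import sys
from collections import defaultdict

# Constructed sample in the audit_event(5) layout
# (eventnum:eventname:description:eventclass). Only the number 6171 comes
# from the message; every name, description and class here is a placeholder.
SAMPLE = """\
# constructed sample, not a real audit_event file
100:AUE_placeholder_a:placeholder event A:fr
6171:AUE_placeholder_darwin:placeholder Darwin event:ad
6171:AUE_placeholder_solaris:placeholder Solaris event:lo

notanumber:AUE_placeholder_bad:placeholder bad line:no
200:AUE_placeholder_short
"""


def parse_audit_event(text):
    """Return (entries, errors); entries are (lineno, num, name, desc, cls)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no event definition
        fields = line.split(":")
        if len(fields) != 4 or not fields[0].isdecimal():
            errors.append((lineno, raw))  # keep malformed lines for review
            continue
        num, name, desc, cls = fields
        entries.append((lineno, int(num), name, desc, cls))
    return entries, errors


def shared_eventnums(entries):
    """Map each eventnum used by more than one eventname to those names."""
    names = defaultdict(list)
    for _lineno, num, name, _desc, _cls in entries:
        if name not in names[num]:
            names[num].append(name)
    return {num: lst for num, lst in names.items() if len(lst) > 1}


if __name__ == "__main__":
    # Pass a path (e.g. /etc/security/audit_event) to check a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    entries, errors = parse_audit_event(text)
    for num, lst in sorted(shared_eventnums(entries).items()):
        print(f"eventnum {num} is shared by: {', '.join(lst)}")
    for lineno, raw in errors:
        print(f"line {lineno}: not in num:name:description:class form: {raw!r}")
```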




