Date: Sun, 26 Jun 2011 19:38:07 -0400
From: jhell <jhell@DataIX.net>
To: Lev Serebryakov <lev@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: How to add new audit class?
Message-ID: <20110626233807.GC38064@DataIX.net>
In-Reply-To: <1307023935.20110626210326@serebryakov.spb.ru>
References: <1307023935.20110626210326@serebryakov.spb.ru>
On Sun, Jun 26, 2011 at 09:03:26PM +0400, Lev Serebryakov wrote:
> Hello, Freebsd-security.
>
> I want to create a mixed audit class for ``security-sensible'' events.
> For example, I need to audit:
>
> exec*() syscalls from the standard `pc' class, but not wait4() or
> fork(), because fork() is not interesting (the new process image is
> security-sensible, not the new process itself) and occurs too often
> and creates noise.
>
> connect()/accept() from "nt", but not setsockopt(), for the same
> reasons.
>
> And so on.
>
> How should I create a new system class? What needs to be put into
> "classmask" in audit_class(5)? How should I edit the audit_event(5) file,
> as it seems that one event could belong only to one class, and I
> don't want to remove these events from their natural classes.
>

Giving some background here, I had a similar type of thing I was going
through with fcntl etc. for some remote diskless X machines that were
logging 1000+ fcntl changes every 5 seconds! I didn't go with auditing
those machines ;)

What it came down to though was making good use of auditreduce(1) to get
the output you would like to investigate. Good thing the resulting storage
files are compressed, eh? ;)

To sum it up simply, it comes down to "...class mask size is fixed in the
ABI and difficult to expand"

http://lists.freebsd.org/pipermail/freebsd-bugs/2010-December/042542.html

Hope this helps some.
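The question and the reply above turn on how audit_class(5) masks and audit_event(5) class lists combine into the kernel's class-based preselection. The following is an added example, not code from the thread, from FreeBSD or from OpenBSM: it parses constructed sample lines in the two file formats (mask:name:description and number:name:description:classes; the event numbers follow the BSM assignments but should be checked against the system's /etc/security/audit_event), simulates preselection in simplified form (the +/-/^ success and failure prefixes of audit_control(5) flags are not modelled), and searches for a flags setting that selects exactly a wanted set of events. It shows that exec(2) without fork(2)/wait4(2) is already selectable through the existing `ex` class, while connect(2)/accept(2) without setsockopt(2) cannot be expressed with classes at all, which is the case where jhell's advice to post-filter the trail with auditreduce(1) applies. The 32-bit width of the class mask is the ABI limit the reply quotes.

```python
"""Added example: audit_class(5) masks, audit_event(5) class lists and
class-based preselection. Sample lines are constructed for this example."""
from __future__ import annotations

# Constructed sample in audit_class(5) format (a subset of the FreeBSD defaults).
AUDIT_CLASS_SAMPLE = """\
# mask:name:description
0x00000000:no:invalid class
0x00000080:pc:process
0x00000100:nt:network
0x40000000:ex:exec
0xffffffff:all:all flags set
"""

# Constructed sample in audit_event(5) format. Numbers follow BSM, but verify
# them against your own /etc/security/audit_event before relying on them.
AUDIT_EVENT_SAMPLE = """\
# number:name:description:classes
2:AUE_FORK:fork(2):pc
23:AUE_EXECVE:execve(2):pc,ex
25:AUE_WAIT4:wait4(2):pc
33:AUE_ACCEPT:accept(2):nt
98:AUE_CONNECT:connect(2):nt
133:AUE_SETSOCKOPT:setsockopt(2):nt
"""

CLASS_MASK_BITS = 32  # au_class_t is a 32-bit value: the fixed ABI width


def parse_audit_class(text: str) -> dict[str, int]:
    """Map class name -> mask from audit_class(5)-format text."""
    classes: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _desc = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def parse_audit_event(text: str, classes: dict[str, int]) -> dict[str, int]:
    """Map event name -> combined mask, i.e. the OR of every class listed.
    An event may appear in several classes ("pc,ex")."""
    events: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _num, name, _desc, class_list = line.split(":", 3)
        mask = 0
        for cls in class_list.split(","):
            mask |= classes[cls.strip()]
        events[name] = mask
    return events


def flags_mask(flags: str, classes: dict[str, int]) -> int:
    """Mask for an audit_control(5) 'flags:' list such as 'ex,nt'.
    Simplified: the +/-/^ prefixes are not modelled."""
    mask = 0
    for cls in flags.split(","):
        mask |= classes[cls.strip()]
    return mask


def selected(flags: str, classes: dict[str, int], events: dict[str, int]) -> set[str]:
    """Events preselected for the given flags: any event whose class mask
    shares at least one bit with the flags mask."""
    fm = flags_mask(flags, classes)
    return {name for name, m in events.items() if m & fm}


def expressible_by_classes(wanted: set[str], classes: dict[str, int],
                           events: dict[str, int]) -> str | None:
    """A flags string that selects exactly `wanted`, or None if no
    combination of the defined classes does. Brute force is fine: at most
    32 classes can exist in a 32-bit mask."""
    names = [n for n, m in classes.items() if m not in (0, 0xFFFFFFFF)]
    for bits in range(1, 1 << len(names)):
        flags = ",".join(n for i, n in enumerate(names) if bits >> i & 1)
        if selected(flags, classes, events) == wanted:
            return flags
    return None


def free_class_bits(classes: dict[str, int]) -> list[int]:
    """Bit positions of the 32-bit class mask not used by any defined class
    (the 'all' pseudo-class is ignored)."""
    used = 0
    for m in classes.values():
        if m != 0xFFFFFFFF:
            used |= m
    return [b for b in range(CLASS_MASK_BITS) if not used >> b & 1]


if __name__ == "__main__":
    classes = parse_audit_class(AUDIT_CLASS_SAMPLE)
    events = parse_audit_event(AUDIT_EVENT_SAMPLE, classes)
    print("exec without fork/wait4:",
          expressible_by_classes({"AUE_EXECVE"}, classes, events))
    print("connect/accept without setsockopt:",
          expressible_by_classes({"AUE_ACCEPT", "AUE_CONNECT"}, classes, events))
    print("unused class mask bits:", free_class_bits(classes))
```

With the sample data the first search returns "ex" and the second returns None: every network event in the sample carries only the `nt` bit, so no flags setting can separate connect/accept from setsockopt, and the selection has to happen after the fact, for example with auditreduce(1) selecting records by event (-m) and praudit(1) printing them.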