Hello, Freebsd-security.
I want to create mixed audit class for ``security-sensible'' events.
For example, I need to audit:
exec*() syscalls from standard `pc' class, but not wait4() or
fork(), because fork() is not interesting (new process image is
security-sensible, not new process itself) and occurred too often
and create noise.
connect()/accept() from "nt", but not setsockopt(), for the same
reasons.
And so on.
How should I create new system class? What need to be putted into
"classmask" in audit_class(5)? How should I edit audit_event(5) file,
as it seems, that one event could belong only to one class, and I
don't want to remove these events from their natural classes.
--
// Black Lion AKA Lev Serebryakov <l...@freebsd.org>
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
