PERFORCE change 127769 for review
Robert Watson
rwatson at FreeBSD.org
Fri Oct 19 07:04:31 PDT 2007
On Fri, 19 Oct 2007, Andrew R. Reiter wrote:
> Just curious -- how come openbsm removed AU_ class masks; isn't that needed
> for log analysis? or at least *better* log analysis?
I think these definitions were largely historical -- the class masks are also
defined in /etc/security/audit_class, and customizable for each system they
are installed on. The hard-coded mask definitions below were never used, with
the exception of AU_NULL (no bits set). Likewise, they probably
shouldn't be used, on the basis that they are compile-time rather than
run-time, and may conflict with run-time settings -- i.e., for hosts where a
different set of classes have been defined.
Robert N M Watson
Computer Laboratory
University of Cambridge
>
> Cheers,
> Andrew
>
> --
> Andrew R. Reiter
> arr at watson.org
> 858 245 3682
>
> On Fri, 19 Oct 2007, Robert Watson wrote:
>
>> http://perforce.freebsd.org/chv.cgi?CH=127769
>>
>> Change 127769 by rwatson at rwatson_zoo on 2007/10/19 10:59:33
>>
>> Integrate OpenBSM changes into audit3 kernel.
>>
>> Affected files ...
>>
>> .. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 integrate
>>
>> Differences ...
>>
>> ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 (text+ko) ====
>>
>> @@ -26,7 +26,7 @@
>> * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>> * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> *
>> - * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#39 $
>> + * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40 $
>> * $FreeBSD: src/sys/bsm/audit.h,v 1.9 2007/07/22 12:28:12 rwatson Exp $
>> */
>>
>> @@ -75,44 +75,6 @@
>> #define AU_DEFAUDITID -1
>>
>> /*
>> - * Define the masks for the classes of audit events.
>> - */
>> -#define AU_NULL 0x00000000
>> -#define AU_FREAD 0x00000001
>> -#define AU_FWRITE 0x00000002
>> -#define AU_FACCESS 0x00000004
>> -#define AU_FMODIFY 0x00000008
>> -#define AU_FCREATE 0x00000010
>> -#define AU_FDELETE 0x00000020
>> -#define AU_CLOSE 0x00000040
>> -#define AU_PROCESS 0x00000080
>> -#define AU_NET 0x00000100
>> -#define AU_IPC 0x00000200
>> -#define AU_NONAT 0x00000400
>> -#define AU_ADMIN 0x00000800
>> -#define AU_LOGIN 0x00001000
>> -#define AU_TFM 0x00002000
>> -#define AU_APPL 0x00004000
>> -#define AU_SETL 0x00008000
>> -#define AU_IFLOAT 0x00010000
>> -#define AU_PRIV 0x00020000
>> -#define AU_MAC_RW 0x00040000
>> -#define AU_XCONN 0x00080000
>> -#define AU_XCREATE 0x00100000
>> -#define AU_XDELETE 0x00200000
>> -#define AU_XIFLOAT 0x00400000
>> -#define AU_XPRIVS 0x00800000
>> -#define AU_XPRIVF 0x01000000
>> -#define AU_XMOVE 0x02000000
>> -#define AU_XDACF 0x04000000
>> -#define AU_XMACF 0x08000000
>> -#define AU_XSECATTR 0x10000000
>> -#define AU_IOCTL 0x20000000
>> -#define AU_EXEC 0x40000000
>> -#define AU_OTHER 0x80000000
>> -#define AU_ALL 0xffffffff
>> -
>> -/*
>> * IPC types.
>> */
>> #define AT_IPC_MSG ((u_char)1) /* Message IPC id. */
>>
>>
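Review bot: In the hunk at -75,44, AU_NULL (0x00000000) and AU_ALL (0xffffffff) are deleted along with the per-class bits, even though neither value depends on how a host assigns classes. The reply above says AU_NULL was the one definition in use, so any remaining consumer needs an equivalent empty-mask constant, or these two lines could stay. The removed comment is also the only text in this region that says where class masks come from; a short replacement comment pointing at /etc/security/audit_class would keep that discoverable.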
>
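The compile-time versus run-time conflict described in the reply, as an added example that is not part of the original message or of OpenBSM: it looks a class up in audit_class-style text and compares the result with the constants the change removes. The sample file contents, the function names, and the mapping of the `lo` and `nt` class names to AU_LOGIN and AU_NET are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Values from the block the change removes from sys/bsm/audit.h. */
#define OLD_AU_NET   0x00000100u
#define OLD_AU_LOGIN 0x00001000u

/* Constructed sample in mask:name:description form; on this hypothetical
 * host the administrator has defined "lo" on a different bit. */
static const char SAMPLE_AUDIT_CLASS[] =
    "# constructed sample, not a real host's file\n"
    "0x00000000:no:invalid class\n"
    "0x00000100:nt:network\n"
    "\n"
    "0x00010000:lo:login_logout\n";

/* Find class `name` in audit_class text. Returns 0 and stores the mask,
 * or -1 if this host does not define the class. */
int class_mask_lookup(const char *text, const char *name, uint32_t *mask)
{
    size_t nlen = strlen(name);
    for (const char *line = text; *line != '\0'; ) {
        const char *eol = strchr(line, '\n');
        if (eol == NULL)
            eol = line + strlen(line);
        char *end;
        unsigned long v = strtoul(line, &end, 16);
        /* Accept only "<hex>:<name>:" wholly inside this line. */
        if (*line != '#' && end != line && end < eol && *end == ':' &&
            strncmp(end + 1, name, nlen) == 0 && end[1 + nlen] == ':') {
            *mask = (uint32_t)v;
            return 0;
        }
        line = (*eol == '\n') ? eol + 1 : eol;
    }
    return -1;
}

/* 1 if the host's definition differs from a compiled-in constant,
 * 0 if they agree, -1 if the class is undefined on this host. */
int mask_conflicts(const char *text, const char *name, uint32_t compiled)
{
    uint32_t runtime;
    if (class_mask_lookup(text, name, &runtime) != 0)
        return -1;
    return runtime != compiled;
}
```

A log-analysis tool built against the old constants would select the wrong records on the sample host for `lo`, which is why the lookup has to happen against the host's own class file.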