diff options
author | rwatson <rwatson@FreeBSD.org> | 2008-12-28 22:40:42 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2008-12-28 22:40:42 +0000 |
commit | 0c86a1e4f3fbe31c24bb9609b2df551fd777428b (patch) | |
tree | 8026680e57e152bff629fb5733fa531adc5dd323 /etc | |
parent | 208cf4160e79a64866887cc5f89f964cc899f97e (diff) | |
download | FreeBSD-src-0c86a1e4f3fbe31c24bb9609b2df551fd777428b.zip FreeBSD-src-0c86a1e4f3fbe31c24bb9609b2df551fd777428b.tar.gz |
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/audit_event | 127 |
1 files changed, 108 insertions, 19 deletions
diff --git a/etc/audit_event b/etc/audit_event index 9b528f1..577d92a 100644 --- a/etc/audit_event +++ b/etc/audit_event @@ -1,5 +1,5 @@ # -# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#30 $ +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#34 $ # # The mapping between event identifiers and values is also hard-coded in # audit_kevents.h and audit_uevents.h, so changes must occur in both places, @@ -7,6 +7,20 @@ # those changes. It is advisable not to change the numbering or naming of # kernel audit events. # +# Allocation of BSM event identifier ranges: +# +# 0 Reserved and invalid +# 1 - 2047 Reserved for Solaris kernel events +# 2048 - 5999 Reserved and unallocated +# 6000 - 9999 Reserved for Solaris user events +# 10000 - 32767 Reserved and unallocated +# 32768 - 65535 Available for third party applications +# +# Of the third party range, OpenBSM allocates from the following ranges: +# +# 43000 - 44999 Reserved for OpenBSM kernel events +# 45000 - 46999 Reserved for OpenBSM application events +# 0:AUE_NULL:indir system call:no 1:AUE_EXIT:exit(2):pc 2:AUE_FORK:fork(2):pc @@ -185,6 +199,7 @@ 205:AUE_SETGID:setgid(2):pc 206:AUE_READL:readl(2):no 207:AUE_READVL:readvl(2):no +208:AUE_FSTAT:fstat(2):fa 209:AUE_DUP2:dup2(2):no 210:AUE_MMAP:mmap(2):no 211:AUE_AUDIT:audit(2):ot @@ -534,33 +549,107 @@ 43187:AUE_CAP_GETRIGHTS:cap_getrights(2):fm 43188:AUE_CAP_ENTER:cap_enter(2):pc 43189:AUE_CAP_GETMODE:cap_getmode(2):pc +43190:AUE_POSIX_SPAWN:posix_spawn(2):pc +43191:AUE_FSGETPATH:fsgetpath(2):ot # -# User space system events. +# Solaris userspace events. # +6144:AUE_at_create:at-create atjob:ad +6145:AUE_at_delete:at-delete atjob (at or atrm):ad +6146:AUE_at_perm:at-permission:no +6147:AUE_cron_invoke:cron-invoke:ad +6148:AUE_crontab_create:crontab-crontab created:ad +6149:AUE_crontab_delete:crontab-crontab deleted:ad +6150:AUE_crontab_perm:crontab-permission:no +6151:AUE_inetd_connect:inetd connection:na 6152:AUE_login:login - local:lo 6153:AUE_logout:logout - local:lo +6154:AUE_telnet:login - telnet:lo +6155:AUE_rlogin:login - rlogin:lo +6156:AUE_mountd_mount:mount:na +6157:AUE_mountd_umount:unmount:na +6158:AUE_rshd:rsh access:lo 6159:AUE_su:su(1):lo 6160:AUE_halt:system halt:ad +6161:AUE_reboot:system reboot:ad +6162:AUE_rexecd:rexecd:lo +6163:AUE_passwd:passwd:lo +6164:AUE_rexd:rexd:lo +6165:AUE_ftpd:ftp access:lo +6166:AUE_init:init:lo +6167:AUE_uadmin:uadmin:no 6168:AUE_shutdown:system shutdown:ad -6171:AUE_audit_startup:audit startup:ad -6172:AUE_audit_shutdown:audit shutdown:ad +6168:AUE_poweroff:system poweroff:ad +6170:AUE_crontab_mod:crontab-modify:ad +6171:AUE_ftpd_logout:ftp logout:lo +6172:AUE_ssh:login - ssh:lo +6173:AUE_role_login:role login:lo +6180:AUE_prof_cmd: profile command:ad +6181:AUE_filesystem_add:add filesystem:ad +6182:AUE_filesystem_delete:delete filesystem:ad +6183:AUE_filesystem_modify:modify filesystem:ad +6200:AUE_allocate_succ:allocate-device success:ot +6201:AUE_allocate_fail:allocate-device failure:ot +6202:AUE_deallocate_succ:deallocate-device success:ot +6203:AUE_deallocate_fail:deallocate-device failure:ot +6204:AUE_listdevice_succ:allocate-list devices success:ot +6205:AUE_listdevice_fail:allocate-list devices failure:ot 6207:AUE_create_user:create user:ad 6208:AUE_modify_user:modify user:ad 6209:AUE_delete_user:delete user:ad 6210:AUE_disable_user:disable user:ad -6211:AUE_enable_user::ad -6300:AUE_sudo:sudo(1):ad -6501:AUE_modify_password:modify password:ad -6511:AUE_create_group:create group:ad -6512:AUE_delete_group:delete group:ad -6513:AUE_modify_group:modify group:ad -6514:AUE_add_to_group:add to group:ad -6515:AUE_remove_from_group:remove from group:ad -6521:AUE_revoke_obj:revoke object priv:fm -6600:AUE_lw_login:loginwindow login:lo -6601:AUE_lw_logout:loginwindow logout:lo -7000:AUE_auth_user:user authentication:ad -7001:AUE_ssconn:SecSrvr connection setup:ad -7002:AUE_ssauthorize:SecSrvr AuthEngine:ad -7003:AUE_ssauthint:SecSrvr authinternal mech:ad +6211:AUE_enable_user:enable users:ad +6212:AUE_newgrp_login:newgrp login:lo +6213:AUE_admin_authenticate:admin login:lo +6214:AUE_kadmind_auth:authenticated kadmind request:ua +6215:AUE_kadmind_unauth:unauthenticated kadmind req:ua +6216:AUE_krb5kdc_as_req:kdc authentication svc request:ap +6217:AUE_krb5kdc_tgs_req:kdc tkt-grant svc request:ap +6218:AUE_krb5kdc_tgs_req_2ndtktmm:kdc tgs 2ndtkt mismtch:ap +6219:AUE_krb5kdc_tgs_req_alt_tgt:kdc tgs issue alt tgt:ap +# +# Historic Darwin use of low event numbering space, which collided with the +# Solaris event space. Now obsoleted and new, higher, event numbers assigned +# to make it easier to interpret Solaris events using the OpenBSM tools. +# +6171:AUE_DARWIN_audit_startup:audit startup:ad +6172:AUE_DARWIN_audit_shutdown:audit shutdown:ad +6300:AUE_DARWIN_sudo:sudo(1):ad +6501:AUE_DARWIN_modify_password:modify password:ad +6511:AUE_DARWIN_create_group:create group:ad +6512:AUE_DARWIN_delete_group:delete group:ad +6513:AUE_DARWIN_modify_group:modify group:ad +6514:AUE_DARWIN_add_to_group:add to group:ad +6515:AUE_DARWIN_remove_from_group:remove from group:ad +6521:AUE_DARWIN_revoke_obj:revoke object priv:fm +6600:AUE_DARWIN_lw_login:loginwindow login:lo +6601:AUE_DARWIN_lw_logout:loginwindow logout:lo +7000:AUE_DARWIN_auth_user:user authentication:ad +7001:AUE_DARWIN_ssconn:SecSrvr connection setup:ad +7002:AUE_DARWIN_ssauthorize:SecSrvr AuthEngine:ad +7003:AUE_DARWIN_ssauthint:SecSrvr authinternal mech:ad +# +# Historic/third-party application allocations of event identifiers. +# 32800:AUE_openssh:OpenSSH login:lo +# +# OpenBSM-managed application event space. +# +45000:AUE_audit_startup:audit startup:ad +45001:AUE_audit_shutdown:audit shutdown:ad +45014:AUE_modify_password:modify password:ad +45015:AUE_create_group:create group:ad +45016:AUE_delete_group:delete group:ad +45017:AUE_modify_group:modify group:ad +45018:AUE_add_to_group:add to group:ad +45019:AUE_remove_from_group:remove from group:ad +45020:AUE_revoke_obj:revoke object priv:fm +45021:AUE_lw_login:loginwindow login:lo +45022:AUE_lw_logout:loginwindow logout:lo +45023:AUE_auth_user:user authentication:ad +45024:AUE_ssconn:SecSrvr connection setup:ad +45025:AUE_ssauthorize:SecSrvr AuthEngine:ad +45026:AUE_ssauthint:SecSrvr authinternal mech:ad +45027:AUE_calife:Calife:ad +45028:AUE_sudo:sudo(1):ad +45029:AUE_audit_recovery:audit crash recovery:ad |