[Fed-Talk] Custom BSM audit class?
- Subject: [Fed-Talk] Custom BSM audit class?
- From: Todd Heberlein <email@hidden>
- Date: Wed, 21 Nov 2012 19:45:43 -0800
Has anyone succeeded in using custom BSM event classes for Mac OS X? I tried it today, but got the big fail.
I'm trying to exclude fcntl(), close(), and ioctl() events for both vmbob and root (this is what dominates the vmware-vmx process's audit data). Here are the changes I made:
To audit_class I added the line:
0x00010000:nq:net squared exclusions for VMware
To audit_event I changed the following lines:
30:AUE_FCNTL:fcntl(2):fm,nq
112:AUE_CLOSE:close(2):cl,nq
158:AUE_IOCTL:ioctl(2):io,nq
audit_user is set to:
root:lo:no,nq
vmbob::nq
But I am still getting a ton of fcntl(), close(), and ioctl() events for both vmbob and root.
Any pointers are appreciated,
Todd
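Added example (not part of the original post): a Python model of BSM preselection, using the rule that a user's mask is the system-wide flags plus the always-audit field minus the never-audit field, applied to the audit_class, audit_event and audit_user lines quoted above. The fm, cl, io and lo bit values are assumed from a stock audit_class file, and SYSTEM_FLAGS is a hypothetical audit_control setting, since the post does not show one.

```python
# Added example: BSM preselection modelled as bit-mask arithmetic.
# fm/cl/io/lo bit values are assumed from a stock audit_class file.
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000008:fm:file attribute modify
0x00000040:cl:file close
0x00001000:lo:login_logout
0x20000000:io:ioctl
0x00010000:nq:net squared exclusions for VMware
"""
AUDIT_EVENT = """\
30:AUE_FCNTL:fcntl(2):fm,nq
112:AUE_CLOSE:close(2):cl,nq
158:AUE_IOCTL:ioctl(2):io,nq
"""
AUDIT_USER = """\
root:lo:no,nq
vmbob::nq
"""
SYSTEM_FLAGS = "lo,fm,cl,io"  # hypothetical audit_control flags, not from the post

def parse_classes(text):
    rows = (line.split(":", 2) for line in text.splitlines())
    return {name: int(mask, 16) for mask, name, _desc in rows}

def to_mask(flags, classes):
    mask = 0
    for name in filter(None, flags.split(",")):
        mask |= classes[name]
    return mask

def parse_events(text, classes):
    rows = (line.split(":") for line in text.splitlines())
    return {name: to_mask(flags, classes) for _num, name, _desc, flags in rows}

def user_mask(user, classes):
    # (system flags | always-audit) & ~never-audit
    mask = to_mask(SYSTEM_FLAGS, classes)
    for line in AUDIT_USER.splitlines():
        name, always, never = line.split(":")
        if name == user:
            mask = (mask | to_mask(always, classes)) & ~to_mask(never, classes)
    return mask

def selected(user, event_classes, classes):
    # An event is recorded when any of its classes is still set in the user's mask.
    return bool(user_mask(user, classes) & event_classes)

CLASSES = parse_classes(AUDIT_CLASS)
EVENTS = parse_events(AUDIT_EVENT, CLASSES)
for user in ("root", "vmbob"):
    for event, event_classes in EVENTS.items():
        print(user, event, "as posted:", selected(user, event_classes, CLASSES),
              "| nq only:", selected(user, CLASSES["nq"], CLASSES))
```

In this model the never-audit nq entry clears only the nq bit, so an event that also belongs to fm, cl or io still matches the user's mask, while an event assigned to nq alone does not.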