This howto describes how to add a new adt event to libbsm(3LIB) from the developer's point of view. It applies to Nevada sources, build 65 and later. The event is added to libbsm(3LIB) with a defined format and fields, and is documented in bsmrecord(1M) as well.
Let's add a sample adt event called 'sample event' for the application 'My Application', with one optional text message, to the audit class 'application'.
The new entry in usr/src/lib/libbsm/audit_event.txt:

    6237:AUE_sample_event:sample audit event:ap

The event definition in usr/src/lib/libbsm/common/adt.xml:

    <event id="AUE_sample_event" header="0" idNo="51" omit="JNI">
        <title>My Application: sample event</title>
        <program>myapp</program>
        <see>myapp(1)</see>
        <entry id="subject">
            <internal token="subject"/>
            <external opt="none"/>
        </entry>
        <entry id="message">
            <internal token="text"/>
            <external opt="optional" type="char *"/>
            <comment>event message</comment>
        </entry>
        <entry id="return">
            <internal token="return"/>
            <external opt="none"/>
        </entry>
    </event>

    <!-- add new events here with the next higher idNo -->
    <!-- Highest idNo is 51, so next is 52, then fix this comment -->
    <!-- end of C Only events -->

The new record as shown by bsmrecord(1M):

    bsmrecord -i 6237

    My Application: sample event
      program     myapp              See myapp(1)
      event ID    6237               AUE_sample_event
      class       ap                 (0x00004000)
          header
          subject
          [text]                     event message
          return

The complete change as a diff:
diff -r 9c92120b1c02 usr/src/lib/libbsm/audit_event.txt
~--- a/usr/src/lib/libbsm/audit_event.txt Mon May 07 05:51:14 2007 -0700
+++ b/usr/src/lib/libbsm/audit_event.txt Wed May 09 05:33:52 2007 -0700
@@ -430,6 +430,7 @@ 6234:AUE_pool_export:export device from
6234:AUE_pool_export:export device from pool:ot
6235:AUE_dladm_create_secobj:create network security object:as,cy
6236:AUE_dladm_delete_secobj:delete network security object:as,cy
+6237:AUE_sample_event:sample audit event:ap
#
# Trusted Extensions events:
#
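Review bot: the description field of the added 6237 line, "sample audit event", does not name the application, while the adt.xml title for the same event is "My Application: sample event". Consider naming the application in the description so the two entries read alike; keep it free of colons, since the fields on this line are colon-delimited.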
diff -r 9c92120b1c02 usr/src/lib/libbsm/common/adt.xml
~--- a/usr/src/lib/libbsm/common/adt.xml Mon May 07 05:51:14 2007 -0700
+++ b/usr/src/lib/libbsm/common/adt.xml Wed May 09 05:37:15 2007 -0700
@@ -1114,8 +1114,28 @@ Use is subject to license terms.
</entry>
</event>
+ <event id="AUE_sample_event" header="0" idNo="51" omit="JNI">
+ <title>My Application: sample event</title>
+ <program>myapp</program>
+ <see>myapp(1)</see>
+ <entry id="subject">
+ <internal token="subject"/>
+ <external opt="none"/>
+ </entry>
+ <entry id="message">
+ <internal token="text"/>
+ <external opt="optional" type="char *"/>
+ <comment>event message</comment>
+ </entry>
+ <entry id="return">
+ <internal token="return"/>
+ <external opt="none"/>
+ </entry>
+ </event>
+
+
<!~-- add new events here with the next higher idNo ~-->
-<!~-- Highest idNo is 50, so next is 51, then fix this comment ~-->
+<!~-- Highest idNo is 51, so next is 52, then fix this comment ~-->
<!~-- end of C Only events ~-->
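Review bot: the `<comment>` on the optional `message` entry says only "event message", which does not tell a caller what the text token should carry or when it may be left out; a more specific comment would help, since this is the string that bsmrecord prints next to `[text]`. As a style point, the hunk also adds two blank lines after `</event>` where one is enough.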
Note that before adding new audit events, a contract is needed to use the adt_* API, as per PSARC 2003/397. The API is Project Private.
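A consistency check for the two files this change touches, as an added example that is not part of the original howto or of the Solaris sources: it confirms that every adt.xml event has an audit_event.txt entry, that idNo values are unique, and that the "Highest idNo" comment was updated. The function names, the trimmed sample inputs and the `<root>` wrapper are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the two files edited on this page.
AUDIT_EVENT_TXT = """\
6236:AUE_dladm_delete_secobj:delete network security object:as,cy
6237:AUE_sample_event:sample audit event:ap
#
# Trusted Extensions events:
"""
# The <root> wrapper is constructed so the fragment parses on its own.
ADT_XML = """\
<root>
<event id="AUE_sample_event" header="0" idNo="51" omit="JNI">
  <title>My Application: sample event</title>
  <entry id="message"><internal token="text"/></entry>
</event>
<!-- Highest idNo is 51, so next is 52, then fix this comment -->
</root>
"""

def parse_audit_events(text):
    """Map event name -> (number, description, classes) from audit_event.txt."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number, name, rest = line.split(":", 2)
        desc, classes = rest.rsplit(":", 1)
        events[name] = (int(number), desc, classes.split(","))
    return events

def check_adt_events(audit_text, adt_xml):
    """Return a list of inconsistencies between audit_event.txt and adt.xml."""
    known, seen, problems = parse_audit_events(audit_text), {}, []
    for ev in ET.fromstring(adt_xml).iter("event"):
        eid, id_no = ev.get("id"), int(ev.get("idNo"))
        if eid not in known:
            problems.append(f"{eid}: no entry in audit_event.txt")
        if id_no in seen:
            problems.append(f"{eid}: idNo {id_no} already used by {seen[id_no]}")
        seen.setdefault(id_no, eid)
    # ElementTree drops comments, so read the idNo reminder from the raw text.
    m = re.search(r"Highest idNo is (\d+), so next is (\d+)", adt_xml)
    highest = max(seen, default=0)
    if not m or (int(m[1]), int(m[2])) != (highest, highest + 1):
        problems.append(f"idNo comment is missing or stale (highest used: {highest})")
    return problems

if __name__ == "__main__":
    print(check_adt_events(AUDIT_EVENT_TXT, ADT_XML) or "consistent")
```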