# Custom Auditd Classes



## Alexander Thaller (Aug 12, 2015)

Hi I'm currently implementing system auditing with auditd(8) and was wondering if I can create a custom audit_class(5).

I want to have something like the fm (file attribute modify) class without the open and flock events.

I tried to create a new class with a new bitmap (I used 0x00000009 instead of 0x00000008) and added the events I wanted to audit_event(5) I'm still getting the open/flock events written out.

When I change the bitmap to something like 0x00000015 I get different kinds of events written to the trail.

So what can I do to only get certain events from an audit_class(5).


----------



## junovitch@ (Aug 13, 2015)

A 0x00000009 bitmask would just flip the bit for both "file read" (0x00000001) and "file attribute modify" (0x00000008) simultaneously.  If you wanted your own class it would have to be between application and ioctl events.  See /etc/security/audit_class to see more details.  Looking at /etc/security/audit_event this seems like it might be quite an undertaking since the kernel has to talk the same language as the auditing system.  The simplest solution seems like it would be to filter logs after the fact with auditreduce(1).


----------



## Alexander Thaller (Aug 13, 2015)

It works fine after using a different bitmask (0x01000000). Thanks for the info.


----------

