Date: Mon, 18 Sep 2006 11:29:02 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Ganbold <ganbold@micom.mng.net>
Cc: Joerg Pernfuss <elessar@bsdforen.de>, stable@FreeBSD.org, Cristiano Deana <cristiano.deana@gmail.com>
Subject: Re: Problems with auditd -- resolved
Message-ID: <20060918112616.D42104@fledge.watson.org>
In-Reply-To: <450E6C6E.7010702@micom.mng.net>
References: <20060917091750.T74654@fledge.watson.org> <450E39B4.2000105@micom.mng.net> <20060918101952.R1708@fledge.watson.org> <450E6963.7030902@micom.mng.net> <20060918104446.V1708@fledge.watson.org> <450E6C6E.7010702@micom.mng.net>
On Mon, 18 Sep 2006, Ganbold wrote:

> Robert Watson wrote:
>>
>> On Mon, 18 Sep 2006, Ganbold wrote:
>>
>>> Strange, there are still no logs in /var/audit dir :( Even tried to use
>>> your config, no success. However when I logged on to my desktop from
>>> console to itself (ssh -l tsgan localhost) it starts logging. But why is
>>> it not logging when I'm on console?
>>
>> Are you using xdm/kdm/gdm/etc or /usr/bin/login? I'm not sure that the
>> various GUI login managers associated with X11 ship with BSM support
>> compiled in by default, although given that they also run on Solaris, it is
>> likely they support it.
>
> Ok, I'm using gnome and gnome-terminal, and it is not logging. Probably
> gnome-terminal is not compiled with BSM support. Auditd logs when I go to
> console using ctrl+alt+f2 combination from X.

Thanks for clarifying this. Basically, at login, the audit subsystem determines what new audit properties are required for the login session and assigns them to the process, which consists of both the audit identifier associated with the user, and the preselection mask. Events associated with non-authenticated sessions (which is what gdm logins will count as) should still get audited using the properties for the global naflags setting, so if you want to audit events associated with gdm you can set naflags to include more events. This will also be what audits things like web server activity, so it may result in significant numbers of events being audited as part of that also.

We will need to add audit extensions to new login mechanisms, such as xdm/kdm/gdm, or enable them if already present but not enabled on FreeBSD by default. OpenSSH, for example, already included BSM support due to Solaris and Mac OS X BSM, so we just enabled it by switching a flag in the compile (and also fixed a bug in it!). We should probably talk to the maintainers of these ports about investigating creating or enabling BSM support.
Robert N M Watson Computer Laboratory University of Cambridge
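The two points above (a session started without an audit-aware login program carries no audit identifier and is preselected only by naflags; widening naflags in /etc/security/audit_control is the way to capture it) can be checked and applied from a shell. The script below is an added example, not code from the original message or from the FreeBSD audit tools. It assumes the text format praudit(1) emits for subject tokens (`subject,audit-id,uid,gid,ruid,rgid,pid,sid,tid`, with `-1` as the audit id of an unauthenticated session) and the `key:value` line format of audit_control(5); the sample records and the sample configuration are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Helpers for the situation
# discussed above: telling audited-session processes from naflags-only ones
# in praudit output, and merging extra classes into the naflags line of an
# audit_control file. Sample data is constructed, not captured from a system.

# Print "audit-id<TAB>pid" for every subject token in praudit text output
# read from stdin. Assumed praudit field layout (see audit.log(5)):
#   subject,audit-id,uid,gid,ruid,rgid,pid,sid,tid
# A process whose session was not set up by an audit-aware login (e.g. one
# started from a gdm session) shows audit id -1: only naflags selects it.
subject_auids() {
    awk -F, '$1 == "subject" { print $2 "\t" $7 }'
}

# Exit 0 if any subject token on stdin has audit id -1, i.e. at least one
# record came from a session that is covered by naflags rather than flags.
has_unauthenticated_subject() {
    subject_auids | awk -F'\t' '$1 == "-1" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the contents of audit_control file $1 with the classes in $2
# (comma-separated, e.g. "lo,aa") merged into its naflags line. Existing
# classes are kept in order, duplicates are dropped, and a naflags line is
# appended if the file has none. Output goes to stdout; the caller decides
# whether to write it back.
merge_naflags() {
    awk -v add="$2" '
        BEGIN { n = split(add, want, ",") }
        /^naflags:/ {
            seen = 1
            cur = substr($0, 9); gsub(/[ \t]/, "", cur)   # text after "naflags:"
            m = split(cur, have, ",")
            out = ""
            for (i = 1; i <= m; i++)
                if (have[i] != "" && !(have[i] in got)) {
                    got[have[i]] = 1; sep = (out == "") ? "" : ","; out = out sep have[i]
                }
            for (i = 1; i <= n; i++)
                if (want[i] != "" && !(want[i] in got)) {
                    got[want[i]] = 1; sep = (out == "") ? "" : ","; out = out sep want[i]
                }
            print "naflags:" out
            next
        }
        { print }
        END { if (!seen) print "naflags:" add }
    ' "$1"
}

# Demonstration on constructed records: one record from a console login
# (real audit id), one from a process started under a GUI session (-1).
SAMPLE_CONSOLE='subject,tsgan,tsgan,wheel,tsgan,wheel,1234,1234,0,0.0.0.0'
SAMPLE_GUI='subject,-1,tsgan,wheel,tsgan,wheel,4321,4321,0,0.0.0.0'
printf '%s\n%s\n' "$SAMPLE_CONSOLE" "$SAMPLE_GUI" | subject_auids
```

To apply the change on a real host, run `merge_naflags /etc/security/audit_control lo,aa > /tmp/audit_control.new`, inspect it, copy it into place, and have auditd re-read its configuration with `audit -s`. As the message notes, every process without an audit identifier, including daemons such as a web server, is now selected by the widened naflags, so check the growth of /var/audit after the change.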
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060918112616.D42104>