From: Mike Tancsa
To: freebsd-questions@freebsd.org
Date: Wed, 23 Dec 2009 14:27:25 -0500
Message-Id: <200912231927.nBNJRWdF067714@lava.sentex.ca>
Subject: whats in your /etc/security/ files ? (AUDIT subsystem)

I am looking at getting more out of the FreeBSD AUDIT system and was wondering if anyone has feedback beyond what is in the handbook or links to other resources on this topic.

http://bsdmag.org/ had a nice intro article and http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html is actually pretty complete. But I was looking for additional feedback from folks using it on their servers in production.

What do you find useful to log on large multi-user systems? What about boxes with limited access to just administrators? Log everything?

How do you manage your audit logs to ensure integrity? Do you run at a higher secure level and make the file flags uappnd? Write them to an NFS mount on a separate and separately secured system?

        ---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike