Date: Sun, 7 Oct 2007 09:38:06 -0500
From: "Christian S.J. Peron" <csjp@FreeBSD.org>
To: dexterclarke@Safe-mail.net
Cc: freebsd-hackers@freebsd.org
Subject: Re: audit doesn't seem to be working correctly.
Message-ID: <20071007143806.GA65868@sub.vaned.net>
In-Reply-To: <N1-_oTpkG9K9c@Safe-mail.net>
References: <N1-_oTpkG9K9c@Safe-mail.net>

I think I have isolated the problem and I am working on a fix. For now, if
you want to experiment with audit, you should be able to work around this
bug by adding an entry into /etc/security/audit_user.

Thanks for your report.

On Thu, Oct 04, 2007 at 12:21:19AM -0400, dexterclarke@Safe-mail.net wrote:
> After reading this article:
>
> http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
>
> I decided to try audit. I edited /etc/security/audit_control
> as the article (and the handbook example) shows:
>
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
> policy:cnt
> filesz:0
>
> But having restarted auditd, I don't see audit events for
> process execution being generated. However, if I do this:
>
> dir:/var/audit
> flags:lo
> minfree:20
> naflags:lo,+ex
> policy:cnt
> filesz:0
>
> I get audit records for users executing programs. This seems
> completely wrong to me. Why are these events being classed as
> non-attributable when they're clearly being created by
> authenticated users?
>
> I am running 6.2-RELEASE-p7 which is vanilla apart from the
> addition of options MAC, AUDIT and VESA.
>
> --
> dc

--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
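
Added example, not part of the original message and not FreeBSD code: a small Python model of how the `flags` line in audit_control and a per-user line in audit_user (`name:alwaysaudit:neveraudit`) combine into the classes audited for a login session, which shows what the reporter's configuration is expected to select and how an audit_user entry can express the same thing. The user `alice` and her audit_user line are constructed; the message does not say which entry to add.

```python
# Added example: models audit preselection from audit_control + audit_user.
# Assumed rule: session mask = (flags + alwaysaudit) - neveraudit.

def parse_flags(spec):
    """Turn a flag list such as 'lo,+ex' into (success, failure) class sets."""
    success, failure = set(), set()
    for tok in (t.strip() for t in spec.split(",")):
        negate = tok.startswith("^")          # '^' prefix: stop auditing
        tok = tok.lstrip("^")
        if tok.startswith("+"):               # '+': successful events only
            targets = (success,)
        elif tok.startswith("-"):             # '-': failed events only
            targets = (failure,)
        else:                                 # no prefix: both outcomes
            targets = (success, failure)
        name = tok.lstrip("+-")
        if name in ("", "no"):                # 'no' selects no class
            continue
        for s in targets:
            (s.discard if negate else s.add)(name)
    return success, failure

def parse_control(text):
    """Parse key:value lines of audit_control, skipping blanks and comments."""
    pairs = (l.split(":", 1) for l in text.splitlines()
             if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_user(text):
    """Parse audit_user lines of the form name:alwaysaudit:neveraudit."""
    rows = (l.strip().split(":") for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return {r[0]: (r[1], r[2]) for r in rows if len(r) == 3}

def session_mask(control_text, user_text, user):
    """Classes audited for `user`, returned as (success, failure) sets."""
    flags = parse_flags(parse_control(control_text).get("flags", ""))
    always, never = parse_user(user_text).get(user, ("", ""))
    a, n = parse_flags(always), parse_flags(never)
    return tuple((f | x) - y for f, x, y in zip(flags, a, n))

# audit_control as quoted in the report; the audit_user line is constructed.
CONTROL = "dir:/var/audit\nflags:lo,+ex\nminfree:20\nnaflags:lo\npolicy:cnt\nfilesz:0\n"
USER = "alice:+ex:no\n"                       # hypothetical user 'alice'

if __name__ == "__main__":
    print(session_mask(CONTROL, "", "alice"))
    print(session_mask(CONTROL.replace("lo,+ex", "lo"), USER, "alice"))
```

Both calls select the same classes: successful `ex` events plus `lo` for either outcome, once from the global `flags` line and once from `flags:lo` combined with the per-user entry.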