Date: Sun, 11 Jan 2009 21:08:07 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 155981 for review Message-ID: <200901112108.n0BL87qH068892@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=155981 Change 155981 by rwatson@rwatson_cinnamon on 2009/01/11 21:07:36 Change a few defaults in audit_control based on personal and end-user feedback: - Warn at 5% free on audit partitions, not 20%, since modern disks are really big but audit trails in the default configuration haven't grown as much. - Set argv in the policy field -- we don't log AUE_EXECVE by default, but when we do, people almost always want command line arguments, and ask about it quite a bit. - Do automatically rotate trail at 2mb by default. Affected files ... .. //depot/projects/trustedbsd/openbsm/NEWS#29 edit .. //depot/projects/trustedbsd/openbsm/etc/audit_control#6 edit .. //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 edit Differences ... ==== //depot/projects/trustedbsd/openbsm/NEWS#29 (text+ko) ==== @@ -2,6 +2,12 @@ OpenBSM 1.1 beta 1 +- Change defaults in audit_control: warn at 5% rather than 20% free for audit + partitions, rotate automatically at 2mb, and set the default policy to + cnt,argv rather than cnt so that execve(2) arguments are captured if + AUE_EXECVE events are audited. These may provide more usable defaults for + many users. + OpenBSM 1.1 alpha 5 - Stub libauditd(3) man page added. @@ -414,4 +420,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/NEWS#28 $ +$P4: //depot/projects/trustedbsd/openbsm/NEWS#29 $ ==== //depot/projects/trustedbsd/openbsm/etc/audit_control#6 (text+ko) ==== @@ -1,9 +1,9 @@ # -# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $ +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $ # dir:/var/audit flags:lo -minfree:20 +minfree:5 naflags:lo -policy:cnt -filesz:0 +policy:cnt,argv +filesz:2097152 ==== //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 (text+ko) ==== 
@@ -26,7 +26,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 $ .\" .Dd January 4, 2006 .Dt AUDIT_CONTROL 5 @@ -177,10 +177,10 @@ .Bd -literal -offset indent dir:/var/audit flags:lo -minfree:20 +minfree:5 naflags:lo -policy:cnt -filesz:0 +policy:cnt,argv +filesz:2097152 .Ed .Pp The @@ -190,9 +190,12 @@ The .Va policy parameter specifies that the system should neither fail stop nor suspend -processes when the audit store fills. -The trail file will not be automatically rotated by the audit daemon based on -file size. +processes when the audit store fills and that command line arguments should +be audited for +.Dv AUE_EXECVE +events. +The trail file will be automatically rotated by the audit daemon when the +file size reaches approximately 2MB. .Sh FILES .Bl -tag -width ".Pa /etc/security/audit_control" -compact .It Pa /etc/security/audit_control
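Review bot: the NEWS hunk (OpenBSM 1.1 beta 1 entry) writes the rotation threshold as "2mb", the audit_control.5 hunk says "approximately 2MB", and etc/audit_control sets filesz:2097152; the three should use one spelling, and since 2097152 bytes is exactly 2 MiB, stating "2MB (2097152 bytes)" once in the NEWS entry or the man page would let a reader tie the prose to the literal in the configuration file.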
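Review bot: in the etc/audit_control hunk, `+filesz:2097152` is a bare byte count in a file that end users edit by hand (the commit message says these defaults come from end-user feedback); the file already carries `#` comment lines at the top, so a one-line comment above filesz giving the unit and the intended meaning ("# rotate the trail at 2MB (bytes)") would stop people reading it as kilobytes or blocks. The same applies to `+minfree:5`, which is a percentage.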
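Review bot: the first audit_control.5 hunk (@@ -26,7) updates only the $P4 tag while the unchanged context still shows `.Dd January 4, 2006`; the documented defaults change in this revision, so the .Dd date should be bumped to the date of this change so that man page consumers can see the defaults section was revised.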
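Review bot: the policy hunk of audit_control.5 (@@ -190,9 +190,12) now says command line arguments are audited for .Dv AUE_EXECVE events, but gives the reader no hint of what that means for trail content; since cnt,argv is now the shipped default, one sentence noting that the full argument vector of each audited execve(2) is written to the trail (so anything an operator passes on a command line ends up there) would help administrators decide whether to keep argv. Also, the new sentence "The trail file will be automatically rotated ... approximately 2MB" describes the filesz parameter but sits directly under "The .Va policy parameter specifies ...", so it reads as part of the policy description; opening it with "The .Va filesz parameter ..." would make the attribution explicit.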