From owner-freebsd-stable@FreeBSD.ORG Mon Sep 18 09:23:10 2006
Return-Path:
X-Original-To: stable@FreeBSD.org
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0110916A403 for ; Mon, 18 Sep 2006 09:23:10 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7DF0F43D49 for ; Mon, 18 Sep 2006 09:23:09 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 0AAD346CF8; Mon, 18 Sep 2006 05:23:09 -0400 (EDT)
Date: Mon, 18 Sep 2006 10:23:08 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Ganbold
In-Reply-To: <450E39B4.2000105@micom.mng.net>
Message-ID: <20060918101952.R1708@fledge.watson.org>
References: <20060917091750.T74654@fledge.watson.org> <450E39B4.2000105@micom.mng.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Joerg Pernfuss , stable@FreeBSD.org, Cristiano Deana
Subject: Re: Problems with auditd -- resolved
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 18 Sep 2006 09:23:10 -0000

On Mon, 18 Sep 2006, Ganbold wrote:

> #
> # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
> # $FreeBSD: src/contrib/openbsm/etc/audit_user,v 1.2.2.1 2006/09/02 10:46:00 rwatson Exp $
> #
> #root:lo:no
> root:all:no
>
> I'm a bit confused here. I thought auditd should log all activities, but I
> don't see any log files. Am I doing something wrong here, or is my
> understanding regarding auditd wrong?

Your configuration looks right to me, and should be generating a ridiculous
number of audit records.

Could you try rebooting and logging in again? audit_user entries take effect
only as of login, similar to /etc/group settings, etc. How are you logging
into the system?

On my local RELENG_6 system, with the recent auditctl(2) fix, I'm using the
following global settings to audit programs run by authenticated users:

dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo

It seems to be working properly. User space login/logout auditing won't work
in RELENG_6 until the MFC of Christian's recent tweaks to pipe preselection,
which will occur in a few days (and hence should appear in BETA2).

Robert N M Watson
Computer Laboratory
University of Cambridge
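An added example, not from the thread and not OpenBSM's own code: a small Python model of how the global flags line above and an audit_user entry such as root:all:no combine into one per-user preselection mask, so you can see why root's mask ends up covering every class. The class list and the combination rule (global flags, plus alwaysaudit, minus neveraudit) are assumptions modelled on audit_control(5), audit_user(5) and getfauditflags(3), simplified for illustration.

```python
# Added example (not from the thread): combine an audit_control "flags" line
# with an audit_user entry into a per-user preselection mask. Prefixes follow
# audit_control(5): "+ex" success only, "-ex" failure only, "^ex" remove.

# Event classes as in audit_class(5) (assumed subset); "all" expands to these,
# "no" to none.
AUDIT_CLASSES = ["fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt",
                 "ip", "na", "ad", "lo", "aa", "ap", "io", "ex", "ot"]
BOTH = {"success", "failure"}


def parse_flags(spec):
    """'lo,+ex,^-fr' -> {class: {'success', 'failure'}}, applied left to right."""
    mask = {}
    for item in spec.split(","):
        item = item.strip()
        remove, item = item.startswith("^"), item.lstrip("^")
        which = {"+": {"success"}, "-": {"failure"}}.get(item[:1], BOTH)
        name = item.lstrip("+-")
        names = AUDIT_CLASSES if name == "all" else [name] if name and name != "no" else []
        for cls in names:
            cur = mask.setdefault(cls, set())
            (cur.difference_update if remove else cur.update)(which)
    return {c: s for c, s in mask.items() if s}


def parse_config(text):
    """Drop comments and blank lines; split the remaining lines on ':'."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [l.split(":") for l in lines if l]


def effective_mask(audit_control, audit_user, user):
    """Global flags, plus the user's alwaysaudit, minus neveraudit (assumed rule)."""
    flags = [row[1] for row in parse_config(audit_control) if row[0] == "flags"]
    mask = parse_flags(flags[-1] if flags else "")
    for row in parse_config(audit_user):
        if row[0] == user and len(row) == 3:
            for cls, which in parse_flags(row[1]).items():
                mask.setdefault(cls, set()).update(which)
            for cls, which in parse_flags(row[2]).items():
                mask.setdefault(cls, set()).difference_update(which)
    return {c: s for c, s in mask.items() if s}


# Constructed sample input, copied from the settings quoted in the thread.
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,+ex\nminfree:20\nnaflags:lo\n"
AUDIT_USER = "#root:lo:no\nroot:all:no\n"
```

A user with no audit_user entry keeps only the global mask (lo for both outcomes, ex for successes), while root's all:no entry widens it to every class; as the reply notes, the change is only picked up at the user's next login.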