Date:      Mon, 18 Sep 2006 10:23:08 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Ganbold <ganbold@micom.mng.net>
Cc:        Joerg Pernfuss <elessar@bsdforen.de>, stable@FreeBSD.org, Cristiano Deana <cristiano.deana@gmail.com>
Subject:   Re: Problems with auditd -- resolved
Message-ID:  <20060918101952.R1708@fledge.watson.org>
In-Reply-To: <450E39B4.2000105@micom.mng.net>
References:  <20060917091750.T74654@fledge.watson.org> <450E39B4.2000105@micom.mng.net>

On Mon, 18 Sep 2006, Ganbold wrote:

> #
> # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
> # $FreeBSD: src/contrib/openbsm/etc/audit_user,v 1.2.2.1 2006/09/02 10:46:00 rwatson Exp $
> #
> #root:lo:no
> root:all:no
>
> I'm a bit confused here. I thought auditd should log all activities, but I 
> don't see any log files. Am I doing something wrong here, or is my 
> understanding regarding auditd wrong?

Your configuration looks right to me, and should be generating a ridiculous 
number of audit records.  Could you try rebooting and logging in again? 
audit_user entries take effect only as of login, similar to /etc/group 
settings, etc.  How are you logging into the system?

On my local RELENG_6 system, with the recent auditctl(2) fix, I'm using the 
following global settings to audit programs run by authenticated users:

   dir:/var/audit
   flags:lo,+ex
   minfree:20
   naflags:lo

It seems to be working properly.  User space login/logout auditing won't work 
in RELENG_6 until the MFC of Christian's recent tweaks to pipe preselection, 
which will occur in a few days (and hence should appear in BETA2).

Robert N M Watson
Computer Laboratory
University of Cambridge
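
Added example, not part of the original message and not OpenBSM code: a small Python parser that combines the audit_control settings shown in the reply with the two audit_user entries from the quoted file, to show which event classes end up preselected for root. It assumes the combination rule from audit_user(5), (system flags + always-audit) minus never-audit, applies both entries against the reply's global settings, and uses a hypothetical CLASSES set that is only a subset of the audit_class names.

```python
# Assumption: effective classes = (audit_control flags | always-audit) - never-audit,
# tracked separately for successful and failed events, per audit_user(5).
# CLASSES is a subset of audit_class names; the '^' negation prefix is not handled.
CLASSES = {"lo", "ex", "fr", "fw", "pc", "nt", "ad"}

def parse_flags(spec):
    """Return (success, failure) class sets for a flag list such as 'lo,+ex'."""
    success, failure = set(), set()
    for tok in spec.split(","):
        tok = tok.strip()
        on_success = on_failure = True
        if tok[:1] == "+":        # '+' prefix: successful events only
            on_failure, tok = False, tok[1:]
        elif tok[:1] == "-":      # '-' prefix: failed events only
            on_success, tok = False, tok[1:]
        if tok in ("", "no"):     # 'no' selects no class
            continue
        names = CLASSES if tok == "all" else {tok}
        if not names <= CLASSES:
            raise ValueError("unknown audit class: %r" % tok)
        if on_success:
            success |= names
        if on_failure:
            failure |= names
    return success, failure

def parse_control(text):
    """Parse audit_control 'key:value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key] = value
    return conf

def user_mask(control, user_line):
    """Effective (user, success, failure) for one 'user:always:never' entry."""
    user, always, never = user_line.strip().split(":")
    sys_s, sys_f = parse_flags(control.get("flags", ""))
    alw_s, alw_f = parse_flags(always)
    nev_s, nev_f = parse_flags(never)
    return user, (sys_s | alw_s) - nev_s, (sys_f | alw_f) - nev_f

# Global settings as given in the reply above.
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,+ex\nminfree:20\nnaflags:lo\n"

if __name__ == "__main__":
    control = parse_control(AUDIT_CONTROL)
    for entry in ("root:lo:no", "root:all:no"):   # entries from the quoted audit_user
        print(user_mask(control, entry))
```

With root:lo:no only the global lo and successful-exec classes are selected; with root:all:no every class is selected for both success and failure, which is why that entry should produce a very large number of records.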


