From: "Christian S.J. Peron"
To: dexterclarke@Safe-mail.net
Cc: freebsd-hackers@freebsd.org
Date: Sun, 7 Oct 2007 09:38:06 -0500
Subject: Re: audit doesn't seem to be working correctly.
Message-ID: <20071007143806.GA65868@sub.vaned.net>
User-Agent: Mutt/1.5.16 (2007-06-09)

I think I have isolated the problem and I am working on a fix. For now, if you want to experiment with audit, you should be able to work around this bug by adding an entry into /etc/security/audit_user.

Thanks for your report.

On Thu, Oct 04, 2007 at 12:21:19AM -0400, dexterclarke@Safe-mail.net wrote:
> After reading this article:
>
> http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
>
> I decided to try audit. I edited /etc/security/audit_control
> as the article (and the handbook example) shows:
>
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
> policy:cnt
> filesz:0
>
> But having restarted auditd, I don't see audit events for
> process execution being generated.
>
> However, if I do this:
>
> dir:/var/audit
> flags:lo
> minfree:20
> naflags:lo,+ex
> policy:cnt
> filesz:0
>
> I get audit records for users executing programs. This seems
> completely wrong to me. Why are these events being classed as
> non-attributable when they're clearly being created by
> authenticated users?
>
> I am running 6.2-RELEASE-p7 which is vanilla apart from the
> addition of options MAC, AUDIT and VESA.
>
> --
> dc

--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
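The thread turns on two things: which audit classes the flags/naflags lines select, and how an audit_user entry overlays the global flags for one user. The following is an added example, not code from this thread or from FreeBSD's audit implementation. It implements the flag grammar documented in audit_control(5) (comma-separated classes with optional +, -, ^, ^+ and ^- prefixes, applied left to right) and overlays audit_user's alwaysaudit/neveraudit columns on the global flags. The overlay order (add alwaysaudit, then remove neveraudit) is my reading of audit_user(5) and is an assumption; the sample file contents mirror the reporter's first configuration plus a constructed audit_user entry for user "dc" (the handbook's "no" placeholder in the neveraudit column is the empty class).

```python
"""Compute effective audit masks from audit_control / audit_user text.

Added example, not code from the thread or from FreeBSD's audit code.
Flag grammar per audit_control(5): '+cls' success only, '-cls' failure
only, '^cls' drop both, '^+cls' drop success, '^-cls' drop failure.
audit_user overlay (assumption from audit_user(5)): alwaysaudit classes are
added to the global flags, then neveraudit classes are removed.
"""
from dataclasses import dataclass, field

# Constructed sample files in audit_control / audit_user format; they mirror
# the configuration quoted in the thread and are not from a real host.
AUDIT_CONTROL = """\
# constructed audit_control
dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo
policy:cnt
filesz:0
"""

AUDIT_USER = """\
# constructed audit_user: username:alwaysaudit:neveraudit
dc:lo,+ex:no
"""


@dataclass
class AuditMask:
    """Event classes selected for successful and for failed events."""
    success: set = field(default_factory=set)
    failure: set = field(default_factory=set)

    def apply(self, flags: str) -> "AuditMask":
        """Apply a flag list such as 'lo,+ex,^-fw' to this mask, left to right."""
        for token in flags.split(","):
            token = token.strip()
            if not token:
                continue
            remove = token.startswith("^")
            if remove:
                token = token[1:]
            on_success = on_failure = True
            if token.startswith("+"):
                on_failure, token = False, token[1:]
            elif token.startswith("-"):
                on_success, token = False, token[1:]
            if not token:
                raise ValueError(f"flag token has no class name: {flags!r}")
            if token == "no":  # the empty class (mask 0x0): selects nothing
                continue
            for enabled, target in ((on_success, self.success),
                                    (on_failure, self.failure)):
                if enabled:
                    (target.discard if remove else target.add)(token)
        return self

    def remove_all(self, flags: str) -> "AuditMask":
        """Treat every token in flags as a removal (neveraudit semantics)."""
        tokens = [t.strip() for t in flags.split(",") if t.strip()]
        return self.apply(",".join("^" + t for t in tokens))


def parse_audit_control(text: str) -> dict:
    """Return key -> value for 'key:value' lines, skipping blanks and comments."""
    control = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        control[key.strip()] = value.strip()
    return control


def parse_audit_user(text: str) -> dict:
    """Return username -> (alwaysaudit, neveraudit) from audit_user lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, always, never = (line.split(":") + ["", ""])[:3]
        users[name.strip()] = (always.strip(), never.strip())
    return users


def effective_masks(control_text: str, user_text: str, username: str):
    """Return (attributable mask for username, non-attributable mask)."""
    control = parse_audit_control(control_text)
    users = parse_audit_user(user_text)
    # Attributable events: global flags, then the user's own overlay if any.
    attributable = AuditMask().apply(control.get("flags", ""))
    if username in users:
        always, never = users[username]
        attributable.apply(always).remove_all(never)
    # Non-attributable events (no audit ID assigned yet) use naflags only.
    non_attributable = AuditMask().apply(control.get("naflags", ""))
    return attributable, non_attributable


if __name__ == "__main__":
    for user in ("dc", "otheruser"):
        attr, na = effective_masks(AUDIT_CONTROL, AUDIT_USER, user)
        print(user, "attributable:", attr)
    print("non-attributable:", na)
```

With the reporter's first configuration, both a user with an audit_user entry and one without end up with ex selected for successful events in the attributable mask, which is exactly why exec records were expected from flags:lo,+ex alone; the audit_user entry suggested as a workaround changes nothing in the computed mask and only matters because of the kernel bug being fixed.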