From owner-freebsd-audit@FreeBSD.ORG  Fri Feb  8 10:48:19 2008
Return-Path: <owner-freebsd-audit@FreeBSD.ORG>
Delivered-To: freebsd-audit@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E110216A417
	for <freebsd-audit@freebsd.org>; Fri,  8 Feb 2008 10:48:19 +0000 (UTC)
	(envelope-from samflanker@gmail.com)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.159])
	by mx1.freebsd.org (Postfix) with ESMTP id 6BF4013C469
	for <freebsd-audit@freebsd.org>; Fri,  8 Feb 2008 10:48:19 +0000 (UTC)
	(envelope-from samflanker@gmail.com)
Received: by fg-out-1718.google.com with SMTP id 16so3055696fgg.35
	for <freebsd-audit@freebsd.org>; Fri, 08 Feb 2008 02:48:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding;
	bh=niNBlgDBkvRnRG85fU4n/4VcRqj0UVV8CXXJgZnQQew=;
	b=ftg6xtjoPO6B70Jh43C48Qicg3487pwJSa+UFYNlSneALGK/M8IFgLZRt9H1suanq6kI2V2PR5BrLHKvmqwr4qCdPzYdbVdHgjJqBX3mYtjrpSJbTXDk/WPrx463JmdaP8zPYfDjuqmTwWEUeuXzWnCbsONYS7tYkhxUjAdS4WY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding;
	b=uoivMytoqpeTO31ZxCqEeDLp6s4qqI/F7Ug6kyN+Be6GeLz+KJ5/8Zcplf0SymZVOfGkjPGOcvGsfGxvZesm1iSEAUN6Cno6phYrZyek+0Y5aIOs0VdW1gyeIwwG3NehUIBfyKHe0t3WucIQ/yXCXUO/uPMQARwvMw4x6QMW2Wg=
Received: by 10.86.25.17 with SMTP id 17mr11549982fgy.15.1202466161649;
	Fri, 08 Feb 2008 02:22:41 -0800 (PST)
Received: from ?192.168.12.166? ( [213.152.137.38])
	by mx.google.com with ESMTPS id l19sm17600143fgb.0.2008.02.08.02.22.39
	(version=SSLv3 cipher=RC4-MD5); Fri, 08 Feb 2008 02:22:40 -0800 (PST)
Message-ID: <47AC2D71.1010405@gmail.com>
Date: Fri, 08 Feb 2008 13:22:41 +0300
From: sam <samflanker@gmail.com>
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: Robert Watson <rwatson@FreeBSD.org>
References: <46C55191.2050205@gmail.com>
	<20070821145603.L50579@fledge.watson.org>
	<46CAF217.7040204@gmail.com>
	<20070821151108.Y53914@fledge.watson.org>
	<46CAF4E9.2030700@gmail.com>
	<20070821152327.R53914@fledge.watson.org>
	<46CBE096.90805@gmail.com>
	<20070828175313.B90180@fledge.watson.org>
In-Reply-To: <20070828175313.B90180@fledge.watson.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: trustedbsd-audit@FreeBSD.org, freebsd-audit@freebsd.org
Subject: audit (OpenBSM) & cat
X-BeenThere: freebsd-audit@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: FreeBSD Security Audit <freebsd-audit.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-audit>,
	<mailto:freebsd-audit-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-audit>
List-Post: <mailto:freebsd-audit@freebsd.org>
List-Help: <mailto:freebsd-audit-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-audit>,
	<mailto:freebsd-audit-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2008 10:48:20 -0000

hi all

description of trouble situation on system FreeBSD 6.3-RELEASE i386:

open 2 putty console on remote server

console1:
# cat /dev/auditpipe | praudit -l

console2:
# cat >> /var/log/audit_cat.data

console1 (output message):
# cat /dev/auditpipe | praudit -l
header,168,10,open(2) - write,creat,0,Fri Feb  8 12:59:34 2008, + 309 
msec,argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,

after 30 seconds

console2 (cat waiting user input & user typing message & pusshing 
'Ctrl+d' for deattach ):
# cat >> /var/log/audit_cat.data
abracadabra_message
#

console1 (don`t output message on user action 'adding string 
"abracadabra_message" & deattach'):
# cat /dev/auditpipe | praudit -l
header,168,10,open(2) - write,creat,0,Fri Feb  8 12:59:34 2008, + 309 
msec,argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,


/dev/auditpipe output data on moment create file descriptor, but don`t 
output message after adding string in file and close file

any solution?


/Vladimir Ermakov



From owner-freebsd-audit@FreeBSD.ORG  Fri Feb  8 12:08:29 2008
Return-Path: <owner-freebsd-audit@FreeBSD.ORG>
Delivered-To: freebsd-audit@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7801C16A420
	for <freebsd-audit@freebsd.org>; Fri,  8 Feb 2008 12:08:29 +0000 (UTC)
	(envelope-from samflanker@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.171])
	by mx1.freebsd.org (Postfix) with ESMTP id EBBFF13C45A
	for <freebsd-audit@freebsd.org>; Fri,  8 Feb 2008 12:08:28 +0000 (UTC)
	(envelope-from samflanker@gmail.com)
Received: by ug-out-1314.google.com with SMTP id y2so1301146uge.37
	for <freebsd-audit@freebsd.org>; Fri, 08 Feb 2008 04:08:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding;
	bh=5XjQH6v67Epmlnak2cOCyrVVdDEtehgxMe04BeHYut0=;
	b=DDWx6rkx5/Q9hPOq42QHAHt2ZE4qoAZ+kNezotFzgi4dXN6cy6sn5LtZqrkTRzvRd9vEIm8hde57RKini1qxA2GNs3TpxfVdgoPFW3mjXXwGG9i2FB/gPWVeyC+QEBCdQh4+ux2MgF7WQwnKwQCXDcy8lKSZLWSQp8IaFEj75NU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding;
	b=nQJk/Bb9C8L1oIYNh01RrBM5rWpsYEm5wR9nh1vdRhoPLFOWjYCKok3a6ICCaO4dCKQPSomnjBPo1AKSW0ql1KeczFA9Z4LfCjgqr/357o5E8yTbxmDWMsjPLyn8MTnL2kZ1jwPZr0hedk8zS7xwf3LVYV72ZrH1zxDtAPWn+CI=
Received: by 10.67.103.12 with SMTP id f12mr5292301ugm.58.1202472507173;
	Fri, 08 Feb 2008 04:08:27 -0800 (PST)
Received: from ?192.168.12.166? ( [213.152.137.38])
	by mx.google.com with ESMTPS id e20sm12987400fga.1.2008.02.08.04.08.25
	(version=SSLv3 cipher=RC4-MD5); Fri, 08 Feb 2008 04:08:25 -0800 (PST)
Message-ID: <47AC463A.4030101@gmail.com>
Date: Fri, 08 Feb 2008 15:08:26 +0300
From: sam <samflanker@gmail.com>
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: Robert Watson <rwatson@FreeBSD.org>
References: <46C55191.2050205@gmail.com>
	<20070821145603.L50579@fledge.watson.org>
	<46CAF217.7040204@gmail.com>
	<20070821151108.Y53914@fledge.watson.org>
	<46CAF4E9.2030700@gmail.com>
	<20070821152327.R53914@fledge.watson.org>
	<46CBE096.90805@gmail.com>
	<20070828175313.B90180@fledge.watson.org>
	<47AC2D71.1010405@gmail.com>
In-Reply-To: <47AC2D71.1010405@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: trustedbsd-audit@FreeBSD.org, freebsd-audit@freebsd.org
Subject: Re: audit (OpenBSM) & cat
X-BeenThere: freebsd-audit@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: FreeBSD Security Audit <freebsd-audit.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-audit>,
	<mailto:freebsd-audit-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-audit>
List-Post: <mailto:freebsd-audit@freebsd.org>
List-Help: <mailto:freebsd-audit-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-audit>,
	<mailto:freebsd-audit-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2008 12:08:29 -0000

sam wrote:
>
> description of trouble situation on system FreeBSD 6.3-RELEASE i386
>
>
my /etc/security/audit_control

dir:/var/audit
flags:^all
minfree:20
naflags:^all
policy:cnt
filesz:0


/Vladimir Ermakov