From: Robert Watson
Date: Wed, 27 Feb 2008 19:17:43 +0000 (GMT)
To: sam
Cc: freebsd-hackers@freebsd.org, trustedbsd-audit@FreeBSD.org, csjp@FreeBSD.org, freebsd-audit@freebsd.org
Subject: Re: OpenBSM & Jails

On Thu, 21 Feb 2008, sam wrote:

> I am using OpenBSM on a system with jails
>
> part of praudit output / action write file in jail
>
> --------------------------------------------------
> header,176,10,open(2) - write,creat,trunc,0,Thu Feb 21 13:45:06 2008, + 501
> msec,argument,3,0x81ed,mode,argument,2,0x601,flags,path,//site/svn/dev.lineage2.dom/pamm/hooks/post-commit,attribute,755,www,www,88,800911,3234053,subject,lynx,root,wheel,root,wheel,44680,44668,56876,10.15.1.116,return,success,4,trailer,176,
> --------------------------------------------------
>
> Please add jail-identification in output (cat /dev/auditpipe | praudit -lp)

Vladimir,

I believe Christian has plans to use the Solaris "zone" BSM token to this end, as well as plans to enhance our support for hostid header fields so that when audit trails are aggregated from many sources, they can be processed with awareness of which source they came from. I've added him to the CC line, and he may be able to expand on this.

Robert N M Watson
Computer Laboratory
University of Cambridge