Date:      Mon, 30 May 2016 12:40:47 +0200
From:      Mateusz Piotrowski <0mp@FreeBSD.org>
To:        trustedbsd-discuss@freebsd.org
Subject:   How to record audit logs for only one specified file in FreeBSD?
Message-ID:  <90547374-D575-48A2-8E72-CE9CFCF5B242@FreeBSD.org>


Hi,

I participate in Google Summer of Code this year and I work on the audit logs conversion from non-BSM formats to the BSM format.

I’ve stumbled upon a problem like this:

On Red Hat Linux I can specify the file I want to record audit logs for with this command:

    auditctl -a exit,always -F path=/tmp/foo.txt -F perm=war

I cannot figure out how to do a similar thing on FreeBSD. The only way I've found to record audit logs for files is to add the fr flag to my /etc/security/audit_control file (https://www.freebsd.org/doc/en/books/handbook/audit-config.html#event-selection).

Unfortunately, this way doesn't allow me to specify the file.

I suspect that you cannot specify a file to track. You just have to record everything and then extract the logs you are interested in.

I’ve posted this question on serverfault.com but I’ve not received any help. (http://serverfault.com/questions/778510/how-to-record-audit-logs-for-only-one-specified-file-in-freebsd)


Cheers,

Mateusz Piotrowski
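As an added example (not part of the original message or of the FreeBSD project), the "record everything, then extract the records you care about" approach from the post, applied in Python to a constructed BSM trail: it walks header32/path/trailer tokens using the OpenBSM token ids and keeps only the records that name one file, which is the selection auditreduce(1) performs on a real trail. The event numbers and the minimal record layout are assumptions; real trails carry more token types, which this toy rejects rather than skips.

```python
import struct

# OpenBSM token ids and trailer magic (bsm/audit_record.h); only the
# tokens this toy filter needs to walk a record are listed here
AUT_TRAILER, AUT_HEADER32, AUT_PATH, AUT_TRAILER_MAGIC = 0x13, 0x14, 0x23, 0xB105
HEADER32_LEN, TRAILER_LEN, OPENBSM_VERSION = 18, 7, 11
AUE_OPEN_R, AUE_OPEN_W = 72, 80   # event numbers assumed from audit_kevents.h

def build_record(event, path):
    """Construct a minimal record: header32 + path + trailer. Sample data
    only; real records also carry subject, return and attribute tokens."""
    p = path.encode() + b"\0"                   # path text is NUL-terminated
    body = struct.pack(">BH", AUT_PATH, len(p)) + p
    size = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, size, OPENBSM_VERSION,
                         event, 0, 0, 0)       # modifier, seconds, msec
    trailer = struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, size)
    return header + body + trailer

def iter_records(trail):
    """Yield (event, [paths]) for each record in a raw BSM trail."""
    off = 0
    while off < len(trail):
        tok, size = struct.unpack_from(">BI", trail, off)
        if tok != AUT_HEADER32:
            raise ValueError("unsupported header token 0x%02x" % tok)
        rec = trail[off:off + size]
        event = struct.unpack_from(">H", rec, 6)[0]
        paths, pos = [], HEADER32_LEN
        while pos < size - TRAILER_LEN:         # tokens between header and trailer
            if rec[pos] != AUT_PATH:
                raise ValueError("unsupported token 0x%02x" % rec[pos])
            n = struct.unpack_from(">H", rec, pos + 1)[0]
            paths.append(rec[pos + 3:pos + 3 + n].rstrip(b"\0").decode())
            pos += 3 + n
        if struct.unpack_from(">BHI", rec, pos) != (AUT_TRAILER, AUT_TRAILER_MAGIC, size):
            raise ValueError("bad trailer at offset %d" % (off + pos))
        yield event, paths
        off += size

def records_for_path(trail, wanted):
    """The 'record everything, then extract' step for one file, in code."""
    return [(ev, ps) for ev, ps in iter_records(trail) if wanted in ps]

# Constructed sample trail: three records, two of them touching /tmp/foo.txt
SAMPLE_TRAIL = b"".join([build_record(AUE_OPEN_R, "/etc/passwd"),
                         build_record(AUE_OPEN_W, "/tmp/foo.txt"),
                         build_record(AUE_OPEN_R, "/tmp/foo.txt")])
```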
