Date: Mon, 30 May 2016 12:40:47 +0200
From: Mateusz Piotrowski <0mp@FreeBSD.org>
To: trustedbsd-discuss@freebsd.org
Subject: How to record audit logs for only one specified file in FreeBSD?
Message-ID: <90547374-D575-48A2-8E72-CE9CFCF5B242@FreeBSD.org>

Hi,

I participate in Google Summer of Code this year and I work on the audit logs conversion from non-BSM formats to the BSM format.

I’ve stumbled upon a problem like this:

On Red Hat Linux I can specify the file I want to record audit logs for with this command:

    auditctl -a exit,always -F path=/tmp/foo.txt -F perm=war

I cannot figure out how to do a similar thing on FreeBSD. The only way I've found to record audit logs for files is to add the fr flag to my /etc/security/audit_control file (https://www.freebsd.org/doc/en/books/handbook/audit-config.html#event-selection). Unfortunately, this way doesn't allow me to specify the file.

I suspect that you cannot specify a file to track. You just have to record everything and then extract the logs you are interested in.

I’ve posted this question on serverfault.com but I’ve not received any help. (http://serverfault.com/questions/778510/how-to-record-audit-logs-for-only-one-specified-file-in-freebsd)

Cheers,
Mateusz Piotrowski
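
The record-everything-then-extract approach the message describes, as an added example that is not part of the original e-mail: it filters audit records already rendered as one comma-delimited line each, keeping only those whose path token is exactly the watched file. The sample records are constructed, and the token layout (the one assumed here for `praudit -l` output) and all function names are assumptions.

```python
WATCHED = "/tmp/foo.txt"

# Constructed sample records (not captured from a real system), one per line,
# in the layout assumed for `praudit -l`: header fields first, then tokens.
SAMPLE = """\
header,96,11,open(2) - read,0,Mon May 30 12:41:02 2016, + 120 msec,path,/tmp/foo.txt,subject,mp,mp,mp,mp,mp,812,812,0,0.0.0.0,return,success,3,trailer,96
header,100,11,open(2) - read,0,Mon May 30 12:41:05 2016, + 4 msec,path,/tmp/foo.txt.bak,subject,mp,mp,mp,mp,mp,812,812,0,0.0.0.0,return,success,3,trailer,100
header,97,11,open(2) - write,0,Mon May 30 12:41:09 2016, + 33 msec,path,/tmp/foo.txt,subject,www,www,www,www,www,901,901,0,0.0.0.0,return,failure : Permission denied,4294967295,trailer,97
header,95,11,open(2) - read,0,Mon May 30 12:41:11 2016, + 7 msec,path,/etc/passwd,subject,mp,mp,mp,mp,mp,812,812,0,0.0.0.0,return,success,4,trailer,95
"""


def parse_record(line):
    """Turn one record line into a dict, or None if it is not a record."""
    fields = line.rstrip("\n").split(",")
    if len(fields) < 7 or fields[0] != "header":
        return None
    # Each token name is followed by its values; pathnames containing a comma
    # would need a different delimiter and are not handled here.
    pairs = list(zip(fields, fields[1:]))
    return {
        "event": fields[3],
        "time": fields[5],
        "paths": [value for name, value in pairs if name == "path"],
        "status": next((v for n, v in pairs if n == "return"), None),
    }


def records_for(lines, watched):
    """Keep records with a path token equal to `watched` (exact match, so
    /tmp/foo.txt.bak is not reported for /tmp/foo.txt)."""
    hits = []
    for line in lines:
        record = parse_record(line)
        if record is not None and watched in record["paths"]:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for rec in records_for(SAMPLE.splitlines(), WATCHED):
        print(rec["time"], rec["event"], rec["status"], sep=" | ")
```

Failed accesses are kept alongside successful ones, since a denied write to the watched file is usually as interesting as a completed one.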