Date: Mon, 09 Aug 2010 15:38:27 -0400
From: jhell <jhell@dataix.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Improvement for Distributed Audit Project
Message-ID: <4C605933.5010309@dataix.net>
In-Reply-To: <alpine.BSF.2.00.1008091719150.96753@tiktik.epipe.com>
References: <AANLkTi=ntPn67hcR8Sa9bT2cu64u-Gr5LMZMbKjy9EFH@mail.gmail.com> <alpine.BSF.2.00.1008091719150.96753@tiktik.epipe.com>
On 08/09/2010 13:24, Janne Snabb wrote:
> On Thu, 29 Jul 2010, Sergio Ligregni wrote:
>
>> /*
>>  * We have these possibilities, only the first one is allowed
>>  * 20100619223115.20100619223131 20100619223131.not_terminated
>>  * current
>>  */
>> if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
>>         /* XXX To improve this checking later */
>>         return 1;
>> }
>
> Please note that the file names have an additional suffix in case
> "host" is defined in /etc/security/audit_control.
>
Also note that auditd(8) complains to syslog that 'host:' is not set
correctly in audit_control(5) currently.
This may serve as a warning, but it gets on your nerves after a while
when you look at it like an error when you first see it. Since it deals
with the audit system, a first glance at the warning sends error alerts off
in your head.
messages.0:Jun 4 19:47:15 disbatch auditd[1666]: audit_control(5) may
be missing 'host:' field
Is there some way that this could be silenced without actually adding
'host:' to audit_control(5) ?
Maybe a possibility to just add 'host:localhost' to the default
configuration of audit_control(5) ?
If localhost would be an option and logging audits to a remote machine
comes into play then would it be wise to ignore distribution of
localhost from the receiving machine ?
Regards,
--
jhell,v
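As an added example (not code from this thread or from the Distributed Audit Project), here is a C classifier for the three trail name forms Sergio's comment lists that also tolerates the host suffix Janne mentions, so that only completed START.STOP trails are selected for distribution. It assumes the suffix is ".host" appended after the normal name and that the `current` symlink never carries it; the hostname `disbatch` is taken from the syslog line above.

```c
#include <ctype.h>
#include <string.h>

#define STAMP_LEN 14            /* YYYYMMDDhhmmss */

enum trail_kind { TRAIL_BAD, TRAIL_COMPLETE, TRAIL_OPEN, TRAIL_CURRENT };

/* True when s[0..n) is exactly one 14-digit time stamp. */
static int is_stamp(const char *s, size_t n)
{
    if (n != STAMP_LEN)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/*
 * Classify an audit trail file name.  host is the value of the host:
 * field in audit_control(5), or NULL when it is unset.  With host set,
 * START.STOP and START.not_terminated are assumed to end in ".host"
 * (assumed suffix layout).  Only TRAIL_COMPLETE trails are safe to
 * ship off the machine; open trails are still being written.
 */
enum trail_kind classify_trail(const char *name, const char *host)
{
    size_t len = strlen(name);
    const char *rest;

    if (strcmp(name, "current") == 0)   /* symlink to the open trail */
        return TRAIL_CURRENT;
    if (host != NULL) {
        size_t hlen = strlen(host);
        /* Require ".host" at the end, then ignore it below. */
        if (len < hlen + 2 || name[len - hlen - 1] != '.' ||
            strcmp(name + len - hlen, host) != 0)
            return TRAIL_BAD;
        len -= hlen + 1;
    }
    if (len <= STAMP_LEN || name[STAMP_LEN] != '.' ||
        !is_stamp(name, STAMP_LEN))
        return TRAIL_BAD;
    rest = name + STAMP_LEN + 1;
    len -= STAMP_LEN + 1;
    if (len == strlen("not_terminated") &&
        strncmp(rest, "not_terminated", len) == 0)
        return TRAIL_OPEN;
    return is_stamp(rest, len) ? TRAIL_COMPLETE : TRAIL_BAD;
}
```

Note that "not_terminated" is itself 14 characters long, so a length-29 check alone cannot tell a finished trail from an open one; the digit check on the second component is what separates them.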