From: jhell
Date: Mon, 09 Aug 2010 15:38:27 -0400
CC: freebsd-hackers@freebsd.org
Subject: Re: Improvement for Distributed Audit Project
Message-ID: <4C605933.5010309@dataix.net>

On 08/09/2010 13:24, Janne Snabb wrote:
> On Thu, 29 Jul 2010, Sergio Ligregni wrote:
>
>> /*
>>  * We have these possibilities, only the first one is allowed
>>  * 20100619223115.20100619223131 20100619223131.not_terminated
>>  * current
>>  */
>> if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
>>     /* XXX To improve this checking later */
>>     return 1;
>> }
>
> Please note that the file names have an additional suffix in case
> "host" is defined in /etc/security/audit_control.
>

Also note that auditd(8) complains to syslog that 'host:' is not set
correctly in audit_control(5) currently. This may serve as a warning, but
it gets on your nerves after a while when you look at it like an error
when you first see it. Since it deals with the audit system, the first
glance at the warning sends error alerts off in your head.

messages.0:Jun 4 19:47:15 disbatch auditd[1666]: audit_control(5) may be missing 'host:' field

Is there some way that this could be silenced without actually adding
'host:' to audit_control(5)? Maybe a possibility to just add
'host:localhost' to the default configuration of audit_control(5)?

If localhost would be an option and logging audits to a remote machine
comes into play, then would it be wise to ignore distribution of
localhost from the receiving machine?

Regards,

-- 
 jhell,v
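As an added example (not code from this thread or from the audit project), here is a trail-name check that validates both timestamps instead of only the length and one digit, and accepts the host suffix Janne mentions. It assumes the suffixed form is `start.end.host`; that layout and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <string.h>

/* True if s[0..n) is exactly 14 decimal digits (YYYYMMDDhhmmss). */
static int
is_timestamp(const char *s, size_t n)
{
    size_t i;

    if (n != 14)
        return 0;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/*
 * Return 1 if name is a terminated trail: "start.end" or "start.end.host"
 * (host suffix layout assumed for this example). Return 0 for
 * "start.not_terminated", "current", or anything malformed.
 * If host_out is non-NULL it receives a pointer to the host suffix, or
 * NULL when there is none.
 */
int
audit_trail_terminated(const char *name, const char **host_out)
{
    const char *dot1, *dot2, *end;

    if (host_out != NULL)
        *host_out = NULL;
    dot1 = strchr(name, '.');
    if (dot1 == NULL || !is_timestamp(name, (size_t)(dot1 - name)))
        return 0;                     /* "current" or garbage */
    dot2 = strchr(dot1 + 1, '.');
    end = (dot2 != NULL) ? dot2 : name + strlen(name);
    if (!is_timestamp(dot1 + 1, (size_t)(end - dot1 - 1)))
        return 0;                     /* "not_terminated" marker */
    if (dot2 != NULL) {
        if (dot2[1] == '\0')
            return 0;                 /* trailing dot, empty host */
        if (host_out != NULL)
            *host_out = dot2 + 1;     /* may itself contain dots */
    }
    return 1;
}
```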