From owner-freebsd-security@FreeBSD.ORG  Mon Apr 20 20:17:15 2009
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5E213106564A
	for <freebsd-security@freebsd.org>;
	Mon, 20 Apr 2009 20:17:15 +0000 (UTC)
	(envelope-from ltning@anduin.net)
Received: from mail.anduin.net (mail.anduin.net [213.225.74.249])
	by mx1.freebsd.org (Postfix) with ESMTP id 2205F8FC1B
	for <freebsd-security@freebsd.org>;
	Mon, 20 Apr 2009 20:17:14 +0000 (UTC)
	(envelope-from ltning@anduin.net)
Received: from [212.62.248.148] (helo=[192.168.2.190])
	by mail.anduin.net with esmtpsa (TLSv1:AES128-SHA:128)
	(Exim 4.69 (FreeBSD)) (envelope-from <ltning@anduin.net>)
	id 1LvzvT-0008R3-EB
	for freebsd-security@freebsd.org; Mon, 20 Apr 2009 22:17:11 +0200
Message-Id: <4BD35D05-473B-46EB-A96F-EA18234FED9D@anduin.net>
From: =?ISO-8859-1?Q?Eirik_=D8verby?= <ltning@anduin.net>
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Mon, 20 Apr 2009 22:17:12 +0200
X-Mailer: Apple Mail (2.930.3)
Subject: Audit(d) and jails
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Apr 2009 20:17:15 -0000

Hi all,

I've been struggling lately to find a way to use the audit  
functionality in any meaningful way while using jails. My original  
idea was running auditd on the host, and thus get audit data for all  
the jails - however this proves impractical as identifying, for  
instance, the path of an executable inside a jail is impossible (it  
shows as //usr/bin/something in the logs). I have also failed to run  
auditd inside the jails, and doing so would somehow reduce its value -  
as the idea is to lock down the host and audit from there.

I see there is a SOC project to make audit jail-aware, but I'm sure  
I've missed something in the current implementation (7.1) as well.  
Could anyone share their experiences on this with me - or am I on the  
wrong track entirely?

Thanks,
/Eirik