Date:      Mon, 18 Sep 2006 11:29:02 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Ganbold <ganbold@micom.mng.net>
Cc:        Joerg Pernfuss <elessar@bsdforen.de>, stable@FreeBSD.org, Cristiano Deana <cristiano.deana@gmail.com>
Subject:   Re: Problems with auditd -- resolved
Message-ID:  <20060918112616.D42104@fledge.watson.org>
In-Reply-To: <450E6C6E.7010702@micom.mng.net>
References:  <20060917091750.T74654@fledge.watson.org> <450E39B4.2000105@micom.mng.net> <20060918101952.R1708@fledge.watson.org> <450E6963.7030902@micom.mng.net> <20060918104446.V1708@fledge.watson.org> <450E6C6E.7010702@micom.mng.net>


On Mon, 18 Sep 2006, Ganbold wrote:

> Robert Watson wrote:
>> 
>> On Mon, 18 Sep 2006, Ganbold wrote:
>> 
>>> Strange, there are still no logs in /var/audit dir :( Even tried to use 
>>> your config, no success. However when I logged on to my desktop from 
>>> console to itself (ssh -l tsgan localhost) it starts logging. But why it 
>>> is not logging when I'm on console?
>> 
>> Are you using xdm/kdm/gdm/etc or /usr/bin/login?  I'm not sure that the 
>> various GUI login managers associated with X11 ship with BSM support 
>> compiled in by default, although given that they also run on Solaris, it is 
>> likely they support it.
> Ok, I'm using gnome and gnome-terminal, and it is not logging. Probably 
> gnome-terminal is not compiled with BSM support. Auditd logs when I go to 
> console using ctrl+alt+f2 combination from X. Thanks for clarifying this.

Basically, at login, the audit subsystem determines what new audit properties
are required for the login session and assigns them to the process, which 
consists of both the audit identifier associated with the user, and the 
preselection mask.  Events associated with non-authenticated sessions (which 
is what gdm logins will count as) should still get audited using the 
properties for the global naflags setting, so if you want to audit events 
associated with gdm you can set naflags to include more events.  This will 
also be what audits things like web server activity, so it may result in 
significant numbers of events being audited as part of that also.

We will need to add audit extensions to new login mechanisms, such as 
xdm/kdm/gdm, or enable them if already present but not enabled on FreeBSD by 
default.  OpenSSH, for example, already included BSM support due to Solaris 
and Mac OS X BSM, so we just enabled it by switching a flag in the compile 
(and also fixed a bug in it!).  We should probably talk to the maintainers of 
these ports about investigating creating or enabling BSM support.

Robert N M Watson
Computer Laboratory
University of Cambridge
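The preselection behaviour described in the message above, as an added example that is not FreeBSD's own code: a simplified model in which a process carries an audit identifier and a preselection mask, attributable processes (auid set at login) are selected by `flags`, and non-attributable ones (no auid, as with a gdm session whose login manager lacks BSM support) by `naflags`. The audit_control syntax follows audit_control(5); the sample configs and auid values are constructed, and the audit_user(5) merge step is omitted.

```python
# Added example (not FreeBSD code): simplified model of BSM preselection.
# Processes with an auid use the `flags` mask, processes without one use
# `naflags`; the audit_user(5) per-user merge is left out for brevity.

def parse_mask(spec):
    """Parse a class list such as 'lo,+aa,-ex,^ad' (audit_control(5) syntax)
    into {class: (audit_success, audit_failure)}; entries apply in order."""
    mask = {}
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        negate = item.startswith("^")          # '^' removes outcomes already selected
        item = item.lstrip("^")
        succ, fail = not item.startswith("-"), not item.startswith("+")
        item = item.lstrip("+-")
        old = mask.get(item, mask.get("all", (False, False)))
        if negate:
            mask[item] = (old[0] and not succ, old[1] and not fail)
        else:
            mask[item] = (old[0] or succ, old[1] or fail)
    return mask

def parse_audit_control(text):
    """Return the (flags, naflags) masks from audit_control(5) file contents."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return parse_mask(conf.get("flags", "")), parse_mask(conf.get("naflags", ""))

def is_preselected(event_class, success, auid, flags, naflags):
    """True if an event of `event_class` from a process with audit id `auid`
    (None = non-attributable) would be written to the trail."""
    mask = flags if auid is not None else naflags
    succ, fail = mask.get(event_class, mask.get("all", (False, False)))
    return succ if success else fail

# Constructed configs (not FreeBSD defaults): NARROW audits exec events only
# for attributable sessions; WIDE widens naflags as the message suggests.
NARROW = "dir:/var/audit\nflags:lo,ex\nnaflags:lo\n"
WIDE = "dir:/var/audit\nflags:lo,ex\nnaflags:lo,ex\n"

def exec_recorded(conf_text, auid):
    """Would a successful exec (class 'ex') from a process with `auid` be audited?"""
    flags, naflags = parse_audit_control(conf_text)
    return is_preselected("ex", True, auid, flags, naflags)
```

With NARROW, an exec from an ssh session (auid set) is recorded while the same exec from a gdm-launched gnome-terminal (no auid) is not; WIDE records both, at the cost of also selecting exec events from other non-attributable processes such as daemons.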
