From: Robert Watson
Date: Mon, 18 Sep 2006 11:29:02 +0100 (BST)
To: Ganbold
Cc: Joerg Pernfuss, stable@FreeBSD.org, Cristiano Deana
Subject: Re: Problems with auditd -- resolved
In-Reply-To: <450E6C6E.7010702@micom.mng.net>
Message-ID: <20060918112616.D42104@fledge.watson.org>

On Mon, 18 Sep 2006, Ganbold wrote:

> Robert Watson wrote:
>>
>> On Mon, 18 Sep 2006, Ganbold wrote:
>>
>>> Strange, there are still no logs in /var/audit dir :( Even tried to use
>>> your config, no success. However when I logged on to my desktop from
>>> console to itself (ssh -l tsgan localhost) it starts logging. But why it
>>> is not logging when I'm on console?
>>
>> Are you using xdm/kdm/gdm/etc or /usr/bin/login? I'm not sure that the
>> various GUI login managers associated with X11 ship with BSM support
>> compiled in by default, although given that they also run on Solaris, it is
>> likely they support it.
>
> Ok, I'm using gnome and gnome-terminal, and it is not logging. Probably
> gnome-terminal is not compiled with BSM support. Auditd logs when I go to
> console using ctrl+alt+f2 combination from X.

Thanks for clarifying this. Basically, at login, the audit subsystem determines what new audit properties are required for the login session and assigns them to the process, which consists of both the audit identifier associated with the user, and the preselection mask. Events associated with non-authenticated sessions (which is what gdm logins will count as) should still get audited using the properties for the global naflags setting, so if you want to audit events associated with gdm you can set naflags to include more events. This will also be what audits things like web server activity, so it may result in significant numbers of events being audited as part of that also.

We will need to add audit extensions to new login mechanisms, such as xdm/kdm/gdm, or enable them if already present but not enabled on FreeBSD by default. OpenSSH, for example, already included BSM support due to Solaris and Mac OS X BSM, so we just enabled it by switching a flag in the compile (and also fixed a bug in it!). We should probably talk to the maintainers of these ports about investigating creating or enabling BSM support.

Robert N M Watson
Computer Laboratory
University of Cambridge
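To make the attributable / non-attributable split in the reply above concrete, here is an added example (not from this thread and not FreeBSD's own audit code) that models how a preselection mask built from the flags: and naflags: lines of audit_control decides whether an event is recorded. It follows the audit_control(5) class syntax (comma-separated classes, "+" for successful events only, "-" for failed events only, "^" to remove a class); AU_DEFAUDITID is the sentinel for a process that never received an audit identifier, which is the state a gdm-spawned gnome-terminal is in when the login manager lacks BSM support.

```python
# Illustrative model of BSM preselection, not the kernel's code path:
# a process that got an audit identifier at login is matched against the
# mask derived from "flags:", every other process (daemons, or a GNOME
# session whose login manager never set audit properties) is matched
# against the global "naflags:" mask.
AU_DEFAUDITID = 0xFFFFFFFF  # "no audit identifier assigned" sentinel


def parse_flags(spec):
    """Parse a class list such as 'lo,+ex,-fw,^-lo' into a
    (success_classes, failure_classes) pair of sets."""
    success, failure = set(), set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        remove = tok.startswith("^")  # '^' removes the class instead of adding
        if remove:
            tok = tok[1:]
        want_success = want_failure = True
        if tok.startswith("+"):       # '+' = successful events only
            want_failure, tok = False, tok[1:]
        elif tok.startswith("-"):     # '-' = failed events only
            want_success, tok = False, tok[1:]
        for target, wanted in ((success, want_success), (failure, want_failure)):
            if wanted:
                target.discard(tok) if remove else target.add(tok)
    return success, failure


def selected(mask, event_classes, succeeded):
    """Would an event in event_classes with this outcome be recorded?"""
    chosen = mask[0] if succeeded else mask[1]
    return "all" in chosen or bool(chosen & event_classes)


def audit_decision(auid, flags, naflags, event_classes, succeeded=True):
    """The login-time split: the audit identifier decides which mask applies."""
    spec = naflags if auid == AU_DEFAUDITID else flags
    return selected(parse_flags(spec), set(event_classes), succeeded)


if __name__ == "__main__":
    # Constructed scenario: flags audits logins and execs, naflags only logins.
    ssh_user = 1001                 # sshd with BSM support assigned an auid
    gnome_terminal = AU_DEFAUDITID  # gdm never set audit properties
    print(audit_decision(ssh_user, "lo,ex", "lo", {"ex"}))          # True
    print(audit_decision(gnome_terminal, "lo,ex", "lo", {"ex"}))    # False
    # Widening naflags catches the GNOME session, but also every daemon.
    print(audit_decision(gnome_terminal, "lo,ex", "lo,ex", {"ex"})) # True
```

The third call is the trade-off the reply points out: a broader naflags line records the gdm session's events, but a web server started at boot has no audit identifier either and is swept in by the same mask.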