From owner-freebsd-hackers@FreeBSD.ORG Sat Oct 13 08:45:44 2007 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1540316A41A; Sat, 13 Oct 2007 08:45:44 +0000 (UTC) (envelope-from dexterclarke@Safe-mail.net) Received: from tapuz.safe-mail.net (tapuz.safe-mail.net [213.8.161.230]) by mx1.freebsd.org (Postfix) with ESMTP id C55EF13C45A; Sat, 13 Oct 2007 08:45:43 +0000 (UTC) (envelope-from dexterclarke@Safe-mail.net) Received: by tapuz.safe-mail.net with Safe-mail (Exim 4.52) id 1Igccu-0000xy-2a; Sat, 13 Oct 2007 04:45:40 -0400 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=N1-0105; d=Safe-mail.net; b=e4/l6WMPQF7gxTRfd/d3RQJm0kA97QtJi9MlhXg9SVgPkfM5/KvLGRMYSpmIe6M0 FJUCpia87UbeWof4gk1lIpQzDbdxHNV6aXaExvi7t35Vynxv43m2bzgBGMTnfrII ksoNzIWI2WaL60ma0qBKoILefFSo+AtJeby+mlVhoRE=; Received: from pc ([81.86.41.187]) by Safe-mail.net with https Date: Sat, 13 Oct 2007 04:45:39 -0400 From: dexterclarke@Safe-mail.net To: csjp@FreeBSD.org X-SMType: Regular X-SMRef: N1-sOkB2VH_MQ Message-Id: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-SMSignature: uTKuyEzO+6KrNokIp3pcVBwW8t9+mST46zL3kAUUmOCOHCqagWmpzaJEGaZ5Q7zI yxRpDd9791LVRAabZRNj0YdCq1fAFymc6q8Fv0y2bW5kVsWM/9X9Ti/0v5yc0whZ Zcxol+eF07jjc6jFGeaX1wjmT/26YGTRaZozlbxJhbI= Cc: freebsd-hackers@freebsd.org Subject: Re: audit doesn't seem to be working correctly. X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Oct 2007 08:45:44 -0000 > Well, > > The problem that I thought was there, wasn't actually there, > which is why I said to ignore the patch :) > > I've tried to reproduce the problems you are seeing but > I have not been able to. > > So far I've tried on -CURRENT and RELENG_6. We are aware > of some issues on RELENG_6_2 specifically with !i386 > architectures (i.e. amd64, sparc64 etc). > > Is it possible you can send me: > > (1) The output to uname -a > (2) Your /etc/security directory > (3) How are you logging in to this machine, SSH? Telnet? > > (3) is important because the login program will be responsible > for setting up the audit ID and preselection masks. > > Hopefully with this information, we can get to the bottom of this. > I've been without connectivity for a few days but am now back, with good news. I believe that the problem was actually down to the fact that the user being audited had not logged out and in again after the audit settings changed. I think this is just a documentation bug - the audit docs never mention explicitly that the login program handles preselection. It seems to be working properly now that the system has been rebooted (forcing new logins for all users). -- dc