Date: Thu, 4 Oct 2007 00:21:19 -0400
From: dexterclarke@Safe-mail.net
To: freebsd-hackers@freebsd.org
Subject: audit doesn't seem to be working correctly.
Message-ID: <N1-_oTpkG9K9c@Safe-mail.net>

After reading this article:

http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/

I decided to try audit. I edited /etc/security/audit_control as the article (and the handbook example) shows:

dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo
policy:cnt
filesz:0

But having restarted auditd, I don't see audit events for process execution being generated. However, if I do this:

dir:/var/audit
flags:lo
minfree:20
naflags:lo,+ex
policy:cnt
filesz:0

I get audit records for users executing programs.

This seems completely wrong to me. Why are these events being classed as non-attributable when they're clearly being created by authenticated users?

I am running 6.2-RELEASE-p7 which is vanilla apart from the addition of options MAC, AUDIT and VESA.

--
dc

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?N1-_oTpkG9K9c>