From owner-freebsd-hackers@FreeBSD.ORG Thu Oct 4 05:09:47 2007
Date: Thu, 4 Oct 2007 00:21:19 -0400
From: dexterclarke@Safe-mail.net
To: freebsd-hackers@freebsd.org
Subject: audit doesn't seem to be working correctly.
List-Id: Technical Discussions relating to FreeBSD

After reading this article:

http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/

I decided to try audit.
I edited /etc/security/audit_control as the article (and the handbook example) shows:

    dir:/var/audit
    flags:lo,+ex
    minfree:20
    naflags:lo
    policy:cnt
    filesz:0

But having restarted auditd, I don't see audit events for process execution being generated. However, if I do this:

    dir:/var/audit
    flags:lo
    minfree:20
    naflags:lo,+ex
    policy:cnt
    filesz:0

I get audit records for users executing programs.

This seems completely wrong to me. Why are these events being classed as non-attributable when they're clearly being created by authenticated users?

I am running 6.2-RELEASE-p7 which is vanilla apart from the addition of options MAC, AUDIT and VESA.

-- 
dc
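An added example, not part of the original post: a small Python checker for the flags/naflags split described above. The kernel applies the `flags` mask to processes whose subject carries an audit ID (set at login) and the `naflags` mask to processes whose audit ID was never set, which praudit(1) renders as -1 in the subject token; the helpers below evaluate a mask for the `ex` class and count execve records in a praudit text dump by attribution, so you can see which mask governed the sessions you were testing from. The praudit output is a constructed sample, not captured from a real system.

```python
# Constructed praudit(1)-style text, not captured from a real system;
# praudit renders an unset audit ID in the subject token as -1.
SAMPLE_PRAUDIT = """\
header,97,1,execve(2),0,Thu Oct  4 00:15:02 2007, + 123 msec
exec arg,ls,-l
subject,dc,dc,dc,dc,dc,1234,100,0,0.0.0.0
return,success,0
trailer,97
header,97,1,execve(2),0,Thu Oct  4 00:15:09 2007, + 456 msec
exec arg,uname,-a
subject,-1,dc,dc,dc,dc,1240,0,0,0.0.0.0
return,success,0
trailer,97
"""

def mask_selects(mask, cls):
    """True if audit class `cls` is selected by a flags/naflags mask.
    A leading '+' or '-' limits it to success/failure; '^' removes it."""
    selected = False
    for item in mask.split(","):
        item = item.strip()
        if item.startswith("^"):
            if item[1:] in (cls, "all"):
                selected = False
        elif item.lstrip("+-") in (cls, "all"):
            selected = True
    return selected

def exec_recorded(auid_set, flags, naflags):
    """Whether an execve by this process is recorded: 'flags' governs a
    subject with an audit ID, 'naflags' one whose audit ID is unset (-1)."""
    return mask_selects(flags if auid_set else naflags, "ex")

def count_exec_by_attribution(praudit_text):
    """Count execve records whose subject has an audit ID versus -1."""
    attributable = unattributed = 0
    is_exec = False
    for line in praudit_text.splitlines():
        fields = line.split(",")
        if fields[0] == "header":
            is_exec = fields[3].startswith("execve")
        elif fields[0] == "subject" and is_exec:
            if fields[1] == "-1":
                unattributed += 1
            else:
                attributable += 1
    return attributable, unattributed
```

Run it against `praudit /var/audit/current` output: a large unattributed count means the sessions were started without an audit ID, so only `naflags` applied to them.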