From owner-p4-projects@FreeBSD.ORG Thu Oct 5 11:54:12 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 2D96316A415; Thu, 5 Oct 2006 11:54:12 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D382B16A40F for ; Thu, 5 Oct 2006 11:54:11 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 99B0A43D49 for ; Thu, 5 Oct 2006 11:54:11 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k95BsBZe036683 for ; Thu, 5 Oct 2006 11:54:11 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k95BsBtn036674 for perforce@freebsd.org; Thu, 5 Oct 2006 11:54:11 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Thu, 5 Oct 2006 11:54:11 GMT Message-Id: <200610051154.k95BsBtn036674@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 107302 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Oct 2006 11:54:12 -0000 http://perforce.freebsd.org/chv.cgi?CH=107302 Change 107302 by rwatson@rwatson_fledge on 2006/10/05 11:53:13 Add some text describing how audit events are associated with users, both when and how. Suggested by: jmg Affected files ... .. //depot/projects/trustedbsd/openbsm/man/audit_user.5#10 edit Differences ... ==== //depot/projects/trustedbsd/openbsm/man/audit_user.5#10 (text+ko) ==== @@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#9 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#10 $ .\" .Dd February 5, 2006 .Dt AUDIT_USER 5 @@ -75,6 +75,22 @@ .Dq Li jdoe , failed file creation events are audited, administrative events are audited, and successful file write events are never audited. +.Sh IMPLEMENTATION NOTES +Per-user and global audit preselection configuration are evaluated at time of +login, so users must log out and back in again for audit changes relating to +preselection to take effect. +.Pp +Audit record preselection occurs with respect to the audit identifier +associated with a process, rather than with respect to the UNIX user or group +ID. +The audit identifier is set as part of the user credential context as part of +login, and typically does not change as a result of running setuid or setgid +applications, such as +.Xr su 8 . +This has the advantage that events that occur after running +.Xr su 8 +can be audited to the original authenticated user, as required by CAPP, but +may be surprising if not expected. .Sh FILES .Bl -tag -width ".Pa /etc/security/audit_user" -compact .It Pa /etc/security/audit_user