Subject: Re: Using Audit Framework and praudit
From: Mateusz Piotrowski <0mp@FreeBSD.org>
Date: Fri, 7 Oct 2016 15:08:15 +0200
To: freebsd-hackers@freebsd.org
Cc: mokhi
Message-Id: <543F6C07-9472-4B3C-8697-CD5AE1F17725@FreeBSD.org>

Hi,

On 7 Oct 2016, at 11:26, mokhi wrote:

> I saw audit_control(5) and the handbook entry for audit.
>
> My `/etc/security/audit_control` and `/etc/security/audit_user` are
> pasted at [1] and [2].
> I guess my changes (flags:all) should make it audit all events on
> success and failure.
> Would you please explain to me my misunderstanding, if there is any?
>
> [1] https://0x.co/7PE6HC
> [2] https://0x.co/AZ7ZTH

Sorry, I misunderstood your question - I thought you were asking about
/dev/auditpipe.

To be clear:

- praudit is just a tool to print the audit trail files in a human
  readable format. It has nothing to do with the events you log.
- /dev/auditpipe allows you to monitor what is being logged in real time.
  You may use it like this: `praudit /dev/auditpipe`.
- auditd is an audit log management daemon. If you change configuration
  files in /etc/security then you should restart the daemon. If you modify
  /etc/security/audit_user specifically, you have to log in and log out
  (see audit_user(5)).
This is how to change /etc/security/audit_control to audit everything you
can:

    dir:/var/audit
    dist:off
    flags:all
    minfree:5
    naflags:all
    policy:cnt,argv,arge,seq,
    filesz:2M
    expire-after:10M

Then if I start auditd and begin monitoring what's being audited with
`praudit /dev/auditpipe`, I get a constant stream of audit events which
really slows my system.

Does it help you?

Cheers,
-m
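The "constant stream" that flags:all produces is only useful if you can see which events dominate it, so here is an added example (not code from this thread, nor a FreeBSD tool) that parses the audit_control settings quoted above and summarises praudit's text output per event and outcome. It assumes praudit's default comma-separated format (a record runs from a "header," line to a "trailer," line and carries its outcome on a "return," line); the sample records, their usernames, paths and sizes are constructed, not captured from a real host.

```python
"""Summarise praudit(1) text records by event and outcome.

Added example for the thread above, not code from the list or from FreeBSD.
Assumes praudit's default comma-separated text output; the sample records
below are constructed, not captured from a real system.
"""
import sys
from collections import Counter

# Constructed sample: three records shaped like praudit output from
# /dev/auditpipe under flags:all (token counts are illustrative).
SAMPLE_PRAUDIT = """\
header,117,11,execve(2),0,Fri Oct  7 15:08:15 2016, + 102 msec
exec arg,/bin/ls,-l
path,/bin/ls
subject,mokhi,mokhi,mokhi,mokhi,mokhi,1001,1001,52321,192.168.0.15
return,success,0
trailer,117
header,104,11,open(2) - read,0,Fri Oct  7 15:08:15 2016, + 103 msec
path,/etc/master.passwd
subject,mokhi,mokhi,mokhi,mokhi,mokhi,1002,1002,52321,192.168.0.15
return,failure : Permission denied,-1
trailer,104
header,86,11,getfsstat(2),0,Fri Oct  7 15:08:16 2016, + 10 msec
subject,root,root,wheel,root,wheel,77,77,0,0.0.0.0
return,success,4
trailer,86
"""

# The audit_control quoted in the message above (trailing comma included).
SAMPLE_AUDIT_CONTROL = """\
dir:/var/audit
dist:off
flags:all
minfree:5
naflags:all
policy:cnt,argv,arge,seq,
filesz:2M
expire-after:10M
"""


def parse_audit_control(text):
    """Return audit_control(5) settings as a dict; policy is split on ','."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        cfg[key] = value
    # A trailing comma (as in the quoted file) yields an empty item; drop it.
    cfg["policy"] = [p for p in cfg.get("policy", "").split(",") if p]
    return cfg


def parse_records(text):
    """Group praudit lines into records: {event, auid, outcome, paths}."""
    records, current = [], None
    for line in text.splitlines():
        tokens = line.split(",")
        kind = tokens[0]
        if kind == "header" and len(tokens) > 3:
            # Field 3 of the header token is the event name, e.g. "execve(2)".
            current = {"event": tokens[3], "auid": None, "outcome": None, "paths": []}
        elif current is None:
            continue  # token outside any record (e.g. a torn line); skip it
        elif kind == "path" and len(tokens) > 1:
            current["paths"].append(tokens[1])
        elif kind == "subject" and len(tokens) > 1:
            current["auid"] = tokens[1]  # first field after "subject" is the audit user
        elif kind == "return" and len(tokens) > 1:
            current["outcome"] = "success" if tokens[1].startswith("success") else "failure"
        elif kind == "trailer":
            records.append(current)
            current = None
    return records


def summarise(records):
    """Count records per (event, outcome) pair."""
    return Counter((r["event"], r["outcome"]) for r in records)


def noisiest(records, n=5):
    """The n most frequent (event, outcome) pairs: candidates for narrower flags."""
    return summarise(records).most_common(n)


if __name__ == "__main__":
    # Read praudit output from a pipe if given one, else use the sample.
    text = SAMPLE_PRAUDIT if sys.stdin.isatty() else sys.stdin.read()
    cfg = parse_audit_control(SAMPLE_AUDIT_CONTROL)
    print("flags:", cfg["flags"], "naflags:", cfg["naflags"], "policy:", cfg["policy"])
    for (event, outcome), count in noisiest(parse_records(text)):
        print(f"{count:6d}  {outcome:8s}  {event}")
```

On a FreeBSD host you would feed it live with `praudit /dev/auditpipe | python3 audit_summary.py` (the script name is a placeholder); the top entries tell you which audit classes to keep in flags: instead of all, and the failure counts show whether a narrower selection would still catch the denied accesses you care about.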