From: Lev Serebryakov
Date: Wed, 29 Jun 2011 19:11:19 +0400
To: freebsd-security@freebsd.org
Subject: More questions about audit
Message-ID: <15687116.20110629191119@serebryakov.spb.ru>

Hello, Freebsd-security.

I'm grepping all sources for programs which support audit, and found a strange thing:

    find . -name '*.c*' -print | \
      grep -v -E '^./(sys|contrib/openbsm|tools/regression)' | \
      xargs grep -E "\<(audit|au_)"

shows that only login(1), su(1), id(1) and sshd(1) use audit. And even sshd(8) raises a question: it doesn't call setaudit(2)!

Even more, such a command doesn't show anything about user login via ssh:

    auditreduce -m AUE_login /dev/auditpipe0 | praudit

Yes, I have the "lo" class enabled for all users, and, yes,

    auditreduce -r USER /dev/auditpipe0 | praudit

shows activity after login...

What am I doing wrong?

P.S. Maybe there is a more adequate list for BSM Audit questions?

-- 
// Black Lion AKA Lev Serebryakov