Date:      Wed, 29 Jun 2011 19:11:19 +0400
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   More questions about audit
Message-ID:  <15687116.20110629191119@serebryakov.spb.ru>

Hello, Freebsd-security.

 I'm grepping all sources for programs which support audit and found
a strange thing:

 find . -name '*.c*' -print | \
   grep -v -E '^./(sys|contrib/openbsm|tools/regression)' | \
   xargs grep -E "\<(audit|au_)"

 shows that only login(1), su(1), id(1) and sshd(1) use audit. And
 even sshd(8) raises a question: it doesn't call setaudit(2)!

 Even more, such a command doesn't show anything about user login via
 ssh:

 auditreduce -m AUE_login /dev/auditpipe0 | praudit

 Yes, I have "lo" class enabled for all users, and, yes,

 auditreduce -r USER /dev/auditpipe0 | praudit

 shows activity after login...

 What am I doing wrong?


P.S. Maybe there is a more adequate list for BSM Audit questions?

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>



