From: George Mamalakis
Date: Fri, 02 Mar 2012 17:38:46 +0200
To: stable@freebsd.org
Subject: audit in jail
Message-ID: <4F50E986.5040406@eng.auth.gr>

Hello everybody,

has anyone started auditd inside a jail successfully?

I allowed audit and auditpipe from devfs inside the jails (I have confirmed their existence in the jails as well...:-) ), but when I run auditd I am getting this message in my logs:

    Mar 2 15:20:29 myhost auditd[89494]: auditd_prevent_audit() could not set active audit session state: Function not implemented
    Mar 2 15:20:29 myhost mamalos: audit warning: nostart

I googled it, but didn't find much. I checked the code and after some searching, I found that the problem was occurring when the setaudit system call is being called. I checked the code of audit_syscalls and found that:

    if (jailed(td->td_ucred))
            return (ENOSYS);

in the sys_setaudit() context...which is somewhat clear as to what it means :-).

Is there anything I have omitted, or is it that clear that audit does not run in jails? And if so, are there any thoughts on implementing in the near future?

Thank you all for your help and time in advance.

-- 
George Mamalakis
IT and Security Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
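
A triage sketch for the failure described in the message above, added here as an example (not code from the original post or from FreeBSD): it separates missing devfs nodes from the kernel's jail check, using the quoted log signature. The function names, verdict strings and the `JAILED` override are assumptions for illustration; the sample log is constructed from the two lines quoted in the post.

```shell
#!/bin/sh
# Added example: explain why auditd refuses to start inside a jail.

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG='Mar  2 15:20:29 myhost auditd[89494]: auditd_prevent_audit() could not set active audit session state: Function not implemented
Mar  2 15:20:29 myhost mamalos: audit warning: nostart'

# Succeeds if stdin holds an auditd line carrying the ENOSYS message.
log_has_enosys() {
    grep -Eq 'auditd\[[0-9]+\]: .*audit session state: Function not implemented'
}

# Prints 1 inside a jail, 0 on the host, "unknown" if sysctl is unavailable.
# JAILED (hypothetical override) lets the logic be exercised off-box.
jail_state() {
    if [ -n "${JAILED:-}" ]; then echo "$JAILED"; return; fi
    sysctl -n security.jail.jailed 2>/dev/null || echo unknown
}

# triage LOGTEXT [DEVDIR] -> prints exactly one verdict string.
triage() {
    log=$1
    dev=${2:-/dev}
    missing=""
    # Step 1: the devfs ruleset must expose both audit nodes in the jail.
    for n in audit auditpipe; do
        [ -e "$dev/$n" ] || missing="$missing $n"
    done
    if [ -n "$missing" ]; then
        echo "devfs-missing:$missing"
        return
    fi
    # Step 2: nodes exist, so look for the setaudit ENOSYS signature.
    if printf '%s\n' "$log" | log_has_enosys; then
        if [ "$(jail_state)" = 1 ]; then
            # Matches the jailed(td->td_ucred) check quoted in the post.
            echo "kernel-refuses-setaudit-in-jail"
        else
            echo "enosys-outside-jail"
        fi
        return
    fi
    echo "no-known-signature"
}
```

On a live system, `triage "$(grep auditd /var/log/messages)"` applies the same checks to the real log and `/dev`.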