From owner-p4-projects@FreeBSD.ORG Sun Jan 11 21:08:08 2009
Date: Sun, 11 Jan 2009 21:08:07 GMT
Message-Id: <200901112108.n0BL87qH068892@repoman.freebsd.org>
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 155981 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Jan 2009 21:08:09 -0000 http://perforce.freebsd.org/chv.cgi?CH=155981 Change 155981 by rwatson@rwatson_cinnamon on 2009/01/11 21:07:36 Change a few defaults in audit_control based on personal and end-user feedback: - Warn at 5% free on audit partitions, not 20%, since modern disks are really big but audit trails in the default configuration haven't grown as much. - Set argv in the policy field -- we don't log AUE_EXECVE by default, but when we do, people almost always want command line arguments, and ask about it quite a bit. - Do automatically rotate trail at 2mb by default. Affected files ... .. //depot/projects/trustedbsd/openbsm/NEWS#29 edit .. //depot/projects/trustedbsd/openbsm/etc/audit_control#6 edit .. //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 edit Differences ... ==== //depot/projects/trustedbsd/openbsm/NEWS#29 (text+ko) ==== @@ -2,6 +2,12 @@ OpenBSM 1.1 beta 1 +- Change defaults in audit_control: warn at 5% rather than 20% free for audit + partitions, rotate automatically at 2mb, and set the default policy to + cnt,argv rather than cnt so that execve(2) arguments are captured if + AUE_EXECVE events are audited. These may provide more usable defaults for + many users. + OpenBSM 1.1 alpha 5 - Stub libauditd(3) man page added. @@ -414,4 +420,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/NEWS#28 $ +$P4: //depot/projects/trustedbsd/openbsm/NEWS#29 $ ==== //depot/projects/trustedbsd/openbsm/etc/audit_control#6 (text+ko) ==== 
@@ -1,9 +1,9 @@ # -# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $ +# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $ # dir:/var/audit flags:lo -minfree:20 +minfree:5 naflags:lo -policy:cnt -filesz:0 +policy:cnt,argv +filesz:2097152 ==== //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 (text+ko) ==== @@ -26,7 +26,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 $ .\" .Dd January 4, 2006 .Dt AUDIT_CONTROL 5 @@ -177,10 +177,10 @@ .Bd -literal -offset indent dir:/var/audit flags:lo -minfree:20 +minfree:5 naflags:lo -policy:cnt -filesz:0 +policy:cnt,argv +filesz:2097152 .Ed .Pp The @@ -190,9 +190,12 @@ The .Va policy parameter specifies that the system should neither fail stop nor suspend -processes when the audit store fills. -The trail file will not be automatically rotated by the audit daemon based on -file size. +processes when the audit store fills and that command line arguments should +be audited for +.Dv AUE_EXECVE +events. +The trail file will be automatically rotated by the audit daemon when the +file size reaches approximately 2MB. .Sh FILES .Bl -tag -width ".Pa /etc/security/audit_control" -compact .It Pa /etc/security/audit_control
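Review bot: In the NEWS hunk at @@ -2,6 +2,12 @@, the added entry writes the rotation size as "2mb", while the audit_control.5 hunk in this same change writes "2MB" and the configuration file sets filesz:2097152. Suggest "2MB" (or "2MB (2097152 bytes)") in the NEWS entry so the three places agree and the unit cannot be misread.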
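Review bot: In the etc/audit_control hunk at @@ -1,9 +1,9 @@, "policy:cnt,argv" turns on argument capture with nothing in the file saying so. Command lines often carry passwords and tokens, and once an administrator audits AUE_EXECVE events those strings are written to the trail under /var/audit. Suggest a comment line above "policy:" stating that argv records execve(2) arguments, and one above "filesz:" giving the unit as bytes, since 2097152 is not self-explanatory.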
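Review bot: In the audit_control.5 hunk at @@ -26,7 +26,7 @@, the context line ".Dd January 4, 2006" is left unchanged although this change alters the documented defaults. Suggest bumping .Dd to the date of this change so the rendered page shows when its content was last revised.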
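Review bot: In the audit_control.5 hunk at @@ -190,9 +190,12 @@, the new rotation sentence sits in the paragraph that opens with ".Va policy" and never names the parameter that controls rotation, so it reads as if rotation were a policy flag. Suggest naming ".Va filesz" in that sentence and giving the value as 2097152 bytes to match the example block. The same paragraph is also the natural place to say that argv puts full command lines into the trail.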