Date: Mon, 18 Sep 2006 18:39:47 +0900
From: Ganbold <ganbold@micom.mng.net>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Joerg Pernfuss <elessar@bsdforen.de>, stable@FreeBSD.org, Cristiano Deana <cristiano.deana@gmail.com>
Subject: Re: Problems with auditd -- resolved
Message-ID: <450E6963.7030902@micom.mng.net>
In-Reply-To: <20060918101952.R1708@fledge.watson.org>
References: <20060917091750.T74654@fledge.watson.org> <450E39B4.2000105@micom.mng.net> <20060918101952.R1708@fledge.watson.org>

Robert Watson wrote:
> On Mon, 18 Sep 2006, Ganbold wrote:
>
>> #
>> # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
>> # $FreeBSD: src/contrib/openbsm/etc/audit_user,v 1.2.2.1 2006/09/02
>> 10:46:00 rwatson Exp $
>> #
>> #root:lo:no
>> root:all:no
>>
>> I'm a bit confused here. I thought auditd should log all activities, but
>> I don't see any log files. Am I doing something wrong here or my
>> understanding regarding auditd is wrong?
>
> Your configuration looks right to me, and should be generating a
> ridiculous number of audit records. Could you try rebooting and
> logging in again? audit_user entries take effect only as of login,
> similar to /etc/group settings, etc. How are you logging into the
> system?

This is my desktop system and I updated today to latest RELENG_6.

daemon# uname -an
FreeBSD daemon.micom.mng.net 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #6: Mon Sep 18 12:56:04 ULAST 2006 root@daemon.micom.mng.net:/usr/obj/usr/src/sys/GDAEMON i386

I tried to restart several times auditd using /etc/rc.d/auditd script.

daemon# /etc/rc.d/auditd restart
Trigger sent.
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
auditd already running? (pid=2065).
daemon# /etc/rc.d/auditd restart
Error sending trigger: Operation not supported by device
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
auditd already running? (pid=2095).
daemon# /etc/rc.d/auditd restart
Error sending trigger: Operation not supported by device
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
Starting auditd.
daemon# ps ax | grep audit
   10  ??  DL     0:00.00 [audit_worker]
 2141  ??  Ss     0:00.01 /usr/sbin/auditd
 2143  p3  RV     0:00.00 grep audit (csh)
daemon# ps ax | grep audit
   10  ??  DL     0:00.00 [audit_worker]
 2141  ??  Ss     0:00.01 /usr/sbin/auditd

Strange, there are still no logs in /var/audit dir :(
Even tried to use your config, no success.

However when I logged on to my desktop from console to itself (ssh -l
tsgan localhost) it starts logging.
But why it is not logging when I'm on console?

>
> On my local RELENG_6 system, with the recent auditctl(2) fix, I'm
> using the following global settings to audit programs run by
> authenticated users:
>
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
>
> It seems to be working properly. User space login/logout auditing
> won't work in RELENG_6 until the MFC of Christian's recent tweaks to
> pipe preselection, which will occur in a few days (and hence should
> appear in BETA2).

I see.

thanks,

Ganbold

>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
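
Added example, not part of the original message and not OpenBSM's own code: it evaluates the audit_user(5) rule (flags + alwaysaudit) - neveraudit for the global settings Robert quotes and the root:all:no entry, giving the preselection mask a session picks up at login. The class bit values come from the stock OpenBSM audit_class file; the function names and the pairing of those two config fragments are assumptions made for illustration.

```python
# Added illustration, not OpenBSM code. Mask rule per audit_user(5):
# (audit_control flags + alwaysaudit) - neveraudit, evaluated at login.

# Subset of class bits from OpenBSM's stock audit_class file.
CLASSES = {"no": 0x00000000, "lo": 0x00001000, "ex": 0x40000000, "all": 0xFFFFFFFF}

def parse_flags(spec):
    """Turn a flag string such as 'lo,+ex' into (success_mask, failure_mask)."""
    success = failure = 0
    for item in filter(None, (s.strip() for s in spec.split(","))):
        clear = item.startswith("^")            # '^' removes a class
        item = item.lstrip("^")
        on_success = not item.startswith("-")   # '-' means failures only
        on_failure = not item.startswith("+")   # '+' means successes only
        bits = CLASSES[item.lstrip("+-")]
        if on_success:
            success = success & ~bits if clear else success | bits
        if on_failure:
            failure = failure & ~bits if clear else failure | bits
    return success & 0xFFFFFFFF, failure & 0xFFFFFFFF

def records(text):
    """Yield the colon-separated fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")

def login_mask(control_text, user_text, user):
    """Preselection mask a session for `user` receives when it logs in."""
    conf = {f[0]: ":".join(f[1:]) for f in records(control_text)}
    users = {f[0]: (f[1], f[2]) for f in records(user_text)}
    sys_s, sys_f = parse_flags(conf.get("flags", ""))
    always, never = users.get(user, ("", ""))   # no entry: system flags only
    alw_s, alw_f = parse_flags(always)
    nev_s, nev_f = parse_flags(never)
    return (sys_s | alw_s) & ~nev_s & 0xFFFFFFFF, (sys_f | alw_f) & ~nev_f & 0xFFFFFFFF

# Constructed input: Robert's global settings plus the audit_user lines quoted above.
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,+ex\nminfree:20\nnaflags:lo\n"
AUDIT_USER = "#root:lo:no\nroot:all:no\n"

if __name__ == "__main__":
    for name in ("root", "tsgan"):
        ok, fail = login_mask(AUDIT_CONTROL, AUDIT_USER, name)
        print(f"{name}: success=0x{ok:08x} failure=0x{fail:08x}")
```

The mask is fixed when the session is created, so a shell that was already running before the files were edited keeps its old mask until the user logs in again.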