Date:      Mon, 18 Sep 2006 18:39:47 +0900
From:      Ganbold <ganbold@micom.mng.net>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        Joerg Pernfuss <elessar@bsdforen.de>, stable@FreeBSD.org, Cristiano Deana <cristiano.deana@gmail.com>
Subject:   Re: Problems with auditd -- resolved
Message-ID:  <450E6963.7030902@micom.mng.net>
In-Reply-To: <20060918101952.R1708@fledge.watson.org>
References:  <20060917091750.T74654@fledge.watson.org>	<450E39B4.2000105@micom.mng.net> <20060918101952.R1708@fledge.watson.org>

Robert Watson wrote:
> On Mon, 18 Sep 2006, Ganbold wrote:
>
>> #
>> # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
>> # $FreeBSD: src/contrib/openbsm/etc/audit_user,v 1.2.2.1 2006/09/02 
>> 10:46:00 rwatson Exp $
>> #
>> #root:lo:no
>> root:all:no
>>
>> I'm a bit confused here. I thought auditd should log all activities, but 
>> I don't see any log files. Am I doing something wrong here, or is my 
>> understanding regarding auditd wrong?
>
> Your configuration looks right to me, and should be generating a 
> ridiculous number of audit records.  Could you try rebooting and 
> logging in again? audit_user entries take effect only as of login, 
> similar to /etc/group settings, etc.  How are you logging into the 
> system?
This is my desktop system, and I updated it today to the latest RELENG_6.

daemon# uname -an
FreeBSD daemon.micom.mng.net 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #6: 
Mon Sep 18 12:56:04 ULAST 2006     
root@daemon.micom.mng.net:/usr/obj/usr/src/sys/GDAEMON  i386

I tried restarting auditd several times using the /etc/rc.d/auditd script.

daemon# /etc/rc.d/auditd restart
Trigger sent.
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
auditd already running? (pid=2065).
daemon# /etc/rc.d/auditd restart
Error sending trigger: Operation not supported by device
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
auditd already running? (pid=2095).
daemon# /etc/rc.d/auditd restart
Error sending trigger: Operation not supported by device
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
Starting auditd.
daemon# ps ax | grep audit
   10  ??  DL     0:00.00 [audit_worker]
 2141  ??  Ss     0:00.01 /usr/sbin/auditd
 2143  p3  RV     0:00.00 grep audit (csh)
daemon# ps ax | grep audit
   10  ??  DL     0:00.00 [audit_worker]
 2141  ??  Ss     0:00.01 /usr/sbin/auditd

Strange, there are still no logs in the /var/audit dir :( I even tried to use 
your config, with no success.
However, when I logged on to my desktop from the console to itself (ssh -l 
tsgan localhost), it starts logging.
But why is it not logging when I'm on the console?

>
> On my local RELENG_6 system, with the recent auditctl(2) fix, I'm 
> using the following global settings to audit programs run by 
> authenticated users:
>
>   dir:/var/audit
>   flags:lo,+ex
>   minfree:20
>   naflags:lo
>
> It seems to be working properly.  User space login/logout auditing 
> won't work in RELENG_6 until the MFC of Christian's recent tweaks to 
> pipe preselection, which will occur in a few days (and hence should 
> appear in BETA2).
I see.

thanks,

Ganbold

>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
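The thread turns on how the global audit_control "flags" line and a per-user audit_user(5) entry combine into the preselection mask a user gets at login. The following is an added example, not code from the thread or from OpenBSM; it mirrors the merge order au_user_mask(3) uses (global flags, OR alwaysaudit, AND NOT neveraudit) and the "+", "-" and "^" flag prefixes from audit_control(5). The class bit values are a constructed subset of the audit_class(5) defaults, and the sample audit_user text reuses the entries from the mail.

```python
from typing import Dict, Tuple

# Constructed subset of audit_class(5): class name -> class mask (assumption).
CLASSES = {"no": 0x0, "lo": 0x1000, "pc": 0x80, "ex": 0x40000000, "all": 0xFFFFFFFF}

Mask = Tuple[int, int]  # (success mask, failure mask)

def flags_to_mask(flags: str) -> Mask:
    """Turn a flag string such as 'lo,+ex' into (success, failure) class masks.
    '+' selects successes only, '-' failures only, '^' removes the class."""
    success = failure = 0
    for item in filter(None, (f.strip() for f in flags.split(","))):
        negate = item.startswith("^")
        item = item.lstrip("^")
        want_success, want_failure = True, True
        if item[0] in "+-":
            want_success, want_failure = item[0] == "+", item[0] == "-"
            item = item[1:]
        bits = CLASSES[item]  # unknown class names raise KeyError on purpose
        if negate:
            success &= ~bits if want_success else ~0
            failure &= ~bits if want_failure else ~0
        else:
            success |= bits if want_success else 0
            failure |= bits if want_failure else 0
    return success & 0xFFFFFFFF, failure & 0xFFFFFFFF

def parse_audit_user(text: str) -> Dict[str, Tuple[Mask, Mask]]:
    """Parse audit_user(5) lines 'user:alwaysaudit:neveraudit'; '#' is a comment."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, always, never = line.split(":")
        users[name] = (flags_to_mask(always), flags_to_mask(never))
    return users

def user_mask(global_flags: str, users: Dict[str, Tuple[Mask, Mask]], name: str) -> Mask:
    """Effective mask applied at login: global flags | alwaysaudit & ~neveraudit."""
    succ, fail = flags_to_mask(global_flags)
    if name in users:
        (asucc, afail), (nsucc, nfail) = users[name]
        succ, fail = (succ | asucc) & ~nsucc, (fail | afail) & ~nfail
    return succ & 0xFFFFFFFF, fail & 0xFFFFFFFF

# Sample audit_user content taken from the thread (constructed file, same entries).
AUDIT_USER = "#root:lo:no\nroot:all:no\n"
USERS = parse_audit_user(AUDIT_USER)
```

With Robert's global line `flags:lo,+ex`, `root:all:no` turns every class on for root in both success and failure, while a user without an audit_user entry keeps only login/logout events plus successful execs; either way the mask is only picked up by the next login, which matches the advice in the reply.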