From samflanker at gmail.com Fri Feb 8 02:48:20 2008
From: samflanker at gmail.com (sam)
Date: Fri Feb 8 02:48:23 2008
Subject: audit (OpenBSM) & cat
In-Reply-To: <20070828175313.B90180@fledge.watson.org>
References: <46C55191.2050205@gmail.com> <20070821145603.L50579@fledge.watson.org> <46CAF217.7040204@gmail.com> <20070821151108.Y53914@fledge.watson.org> <46CAF4E9.2030700@gmail.com> <20070821152327.R53914@fledge.watson.org> <46CBE096.90805@gmail.com> <20070828175313.B90180@fledge.watson.org>
Message-ID: <47AC2D71.1010405@gmail.com>

hi all

description of trouble situation on system FreeBSD 6.3-RELEASE i386:

open 2 putty consoles on remote server

console1:
# cat /dev/auditpipe | praudit -l

console2:
# cat >> /var/log/audit_cat.data

console1 (output message):
# cat /dev/auditpipe | praudit -l
header,168,10,open(2) - write,creat,0,Fri Feb 8 12:59:34 2008, + 309 msec,argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,

after 30 seconds

console2 (cat waiting for user input & user typing message & pushing 'Ctrl+d' to detach):
# cat >> /var/log/audit_cat.data
abracadabra_message
#

console1 (doesn't output a message on user action 'adding string "abracadabra_message" & detach'):
# cat /dev/auditpipe | praudit -l
header,168,10,open(2) - write,creat,0,Fri Feb 8 12:59:34 2008, + 309 msec,argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,

/dev/auditpipe outputs data at the moment the file descriptor is created, but doesn't output a message after adding a string to the file and closing the file

any solution?

/Vladimir Ermakov

From samflanker at gmail.com Fri Feb 8 04:08:29 2008
From: samflanker at gmail.com (sam)
Date: Fri Feb 8 04:08:40 2008
Subject: audit (OpenBSM) & cat
In-Reply-To: <47AC2D71.1010405@gmail.com>
References: <46C55191.2050205@gmail.com> <20070821145603.L50579@fledge.watson.org> <46CAF217.7040204@gmail.com> <20070821151108.Y53914@fledge.watson.org> <46CAF4E9.2030700@gmail.com> <20070821152327.R53914@fledge.watson.org> <46CBE096.90805@gmail.com> <20070828175313.B90180@fledge.watson.org> <47AC2D71.1010405@gmail.com>
Message-ID: <47AC463A.4030101@gmail.com>

sam wrote:
>
> description of trouble situation on system FreeBSD 6.3-RELEASE i386
>

my /etc/security/audit_control

dir:/var/audit
flags:^all
minfree:20
naflags:^all
policy:cnt
filesz:0

/Vladimir Ermakov
From samflanker at gmail.com Thu Feb 21 12:48:59 2008
From: samflanker at gmail.com (sam)
Date: Thu Feb 21 12:49:09 2008
Subject: OpenBSM & Jails
In-Reply-To: <20070828175313.B90180@fledge.watson.org>
References: <46C55191.2050205@gmail.com> <20070821145603.L50579@fledge.watson.org> <46CAF217.7040204@gmail.com> <20070821151108.Y53914@fledge.watson.org> <46CAF4E9.2030700@gmail.com> <20070821152327.R53914@fledge.watson.org> <46CBE096.90805@gmail.com> <20070828175313.B90180@fledge.watson.org>
Message-ID: <47BD7337.2020503@gmail.com>

hello

i am using OpenBSM on a system with jails

part of praudit output / action: write file in jail

--------------------------------------------------
header,176,10,open(2) - write,creat,trunc,0,Thu Feb 21 13:45:06 2008, + 501 msec,argument,3,0x81ed,mode,argument,2,0x601,flags,path,//site/svn/dev.lineage2.dom/pamm/hooks/post-commit,attribute,755,www,www,88,800911,3234053,subject,lynx,root,wheel,root,wheel,44680,44668,56876,10.15.1.116,return,success,4,trailer,176,
--------------------------------------------------

please add jail-identification in output (cat /dev/auditpipe | praudit -lp)

/Vladimir Ermakov

From rwatson at FreeBSD.org Wed Feb 27 19:35:53 2008
From: rwatson at FreeBSD.org (Robert Watson)
Date: Wed Feb 27 19:35:59 2008
Subject: OpenBSM & Jails
In-Reply-To: <47BD7337.2020503@gmail.com>
References: <46C55191.2050205@gmail.com> <20070821145603.L50579@fledge.watson.org> <46CAF217.7040204@gmail.com> <20070821151108.Y53914@fledge.watson.org> <46CAF4E9.2030700@gmail.com> <20070821152327.R53914@fledge.watson.org> <46CBE096.90805@gmail.com> <20070828175313.B90180@fledge.watson.org> <47BD7337.2020503@gmail.com>
Message-ID: <20080227191603.X17238@fledge.watson.org>

On Thu, 21 Feb 2008, sam wrote:

> i am using OpenBSM on System with jails
>
> part of praudit output / action write file in jail
>
> --------------------------------------------------
> header,176,10,open(2) - write,creat,trunc,0,Thu Feb 21 13:45:06 2008, + 501
> msec,argument,3,0x81ed,mode,argument,2,0x601,flags,path,//site/svn/dev.lineage2.dom/pamm/hooks/post-commit,attribute,755,www,www,88,800911,3234053,subject,lynx,root,wheel,root,wheel,44680,44668,56876,10.15.1.116,return,success,4,trailer,176,
> --------------------------------------------------
>
> please add jail-identification in output (cat /dev/auditpipe | praudit -lp)

Vladimir,

I believe Christian has plans to use the Solaris "zone" BSM token to this end, as well as plans to enhance our support for hostid header fields so that when audit trails are aggregated from many sources, they can be processed with awareness of which source they came from. I've added him to the CC line, and he may be able to expand on this.

Robert N M Watson
Computer Laboratory
University of Cambridge
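The praudit -l records quoted in both of Vladimir's posts are easier to reason about once they are split into their BSM tokens, so the following parser is added here as an example for this thread; it is not code from either poster or from OpenBSM itself. It assumes the token layout visible in the two quoted records (header, argument, path, attribute, subject, return, trailer), takes the FreeBSD open(2) flag values from <fcntl.h> rather than from the thread, and assumes that the zone token Robert mentions would print under the name "zone". The two sample records are the ones from the thread, embedded inline so the script runs offline. The root_writes_under() check shows the workaround the jail request implies for a defender: until a jail or zone token exists, the only hint in the record of which jail a write happened in is the path prefix.

```python
import re

# Token names praudit -l prints at the start of each token; "zone" is the
# Solaris zone token Robert mentions (its printed name is an assumption).
TOKEN_KEYWORDS = {"header", "argument", "path", "attribute", "subject", "return",
                  "trailer", "process", "text", "exec arg", "exec env", "exit", "zone"}

# FreeBSD open(2) flag bits, assumed from <fcntl.h> rather than taken from the
# thread, used to decode the hex "flags" argument each record carries.
O_WRONLY, O_RDWR, O_APPEND, O_CREAT, O_TRUNC = 0x1, 0x2, 0x8, 0x200, 0x400

# Constructed sample input: the two records quoted in the thread, one from
# the host and one from a process running inside a jail.
SAMPLE_RECORDS = [
    "header,168,10,open(2) - write,creat,0,Fri Feb 8 12:59:34 2008, + 309 msec,"
    "argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,"
    "attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,"
    "wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,",
    "header,176,10,open(2) - write,creat,trunc,0,Thu Feb 21 13:45:06 2008, + 501 msec,"
    "argument,3,0x81ed,mode,argument,2,0x601,flags,path,//site/svn/dev.lineage2.dom/"
    "pamm/hooks/post-commit,attribute,755,www,www,88,800911,3234053,subject,lynx,root,"
    "wheel,root,wheel,44680,44668,56876,10.15.1.116,return,success,4,trailer,176,",
]


def split_tokens(line):
    """Split one praudit -l line into tokens (lists of fields). Fields are comma
    separated, but an event name such as "open(2) - write,creat" contains commas
    itself, so a new token starts only where a field is a known keyword."""
    fields = line.rstrip("\n").split(",")
    if fields and fields[-1] == "":
        fields.pop()  # praudit ends every record with a trailing comma
    tokens = []
    for field in fields:
        if field in TOKEN_KEYWORDS or not tokens:
            tokens.append([field])
        else:
            tokens[-1].append(field)
    return tokens


def parse_record(line):
    """Turn one record into a dict keyed by token type."""
    rec = {"arguments": {}}
    for tok in split_tokens(line):
        kind, f = tok[0], tok[1:]
        if kind == "header":
            # bytes, version, event name (1+ fields), modifier, time, " + N msec"
            rec["event"] = ",".join(f[2:-3])
            rec["modifier"] = f[-3]
            rec["time"] = f[-2].strip()
            rec["msec"] = int(re.search(r"\d+", f[-1]).group())
        elif kind == "argument":
            # argument number, hex value, description ("mode", "flags", ...)
            rec["arguments"][",".join(f[2:])] = int(f[1], 16)
        elif kind == "path":
            rec["path"] = ",".join(f)  # a path may itself contain commas
        elif kind == "attribute":
            keys = ("mode", "owner", "group", "fsid", "nodeid", "device")
            rec["attribute"] = dict(zip(keys, f))
        elif kind == "subject":
            keys = ("auid", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid", "addr")
            rec["subject"] = dict(zip(keys, f))
        elif kind == "return":
            rec["retval"] = {"status": f[0], "value": f[1]}
    return rec


def decode_flags(flags):
    """Name the open(2) flag bits the way praudit's event name does."""
    bits = (("write", O_WRONLY | O_RDWR), ("creat", O_CREAT),
            ("trunc", O_TRUNC), ("append", O_APPEND))
    return [name for name, mask in bits if flags & mask]


def root_writes_under(lines, prefix):
    """Paths opened for writing by uid root below prefix (e.g. a jail's root
    directory): without a jail token the path is the record's only jail hint."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec["subject"]["uid"] != "root" or not rec["path"].startswith(prefix):
            continue
        if "write" in decode_flags(rec["arguments"].get("flags", 0)):
            hits.append(rec["path"])
    return hits


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(rec["subject"]["uid"], rec["subject"]["addr"], rec["event"], rec["path"],
              decode_flags(rec["arguments"]["flags"]), rec["retval"]["status"])
    print(root_writes_under(SAMPLE_RECORDS, "//site"))
```

Run as a script it prints, for each sample record, who opened what from where, the flags decoded from the hex argument (which agree with the "creat" and "creat,trunc" modifiers in the event names), and the paths root opened for writing under //site. To use it on a live system, feed it the output of cat /dev/auditpipe | praudit -l line by line; as the first post in the thread observes, the pipe carried the open(2) record but nothing for the later write and close, so a consumer like this sees the file being opened for writing, not the data written to it.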