audit doesn't seem to be working correctly.

Christian S.J. Peron csjp at FreeBSD.org
Mon Oct 8 11:21:13 PDT 2007


Please try the attached patch:

cp audit.diff /usr/src/sys
patch < audit.diff

Recompile your kernel.

Please report success/failure to me.

On Thu, Oct 04, 2007 at 12:21:19AM -0400, dexterclarke at Safe-mail.net wrote:
> After reading this article:
> 
> http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
> 
> I decided to try audit. I edited /etc/security/audit_control
> as the article (and the handbook example) shows:
> 
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
> policy:cnt
> filesz:0
> 
> But having restarted auditd, I don't see audit events for
> process execution being generated. However, if I do this:
> 
> dir:/var/audit
> flags:lo
> minfree:20
> naflags:lo,+ex
> policy:cnt
> filesz:0
> 
> I get audit records for users executing programs. This seems
> completely wrong to me. Why are these events being classed as
> non-attributable when they're clearly being created by
> authenticated users?
> 
> I am running 6.2-RELEASE-p7 which is vanilla apart from the
> addition of options MAC, AUDIT and VESA.
> 
> --
> dc

-- 
Christian S.J. Peron
csjp at FreeBSD.ORG
FreeBSD Committer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit.diff
Type: text/x-diff
Size: 3994 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20071008/7352d7d6/audit.bin
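The question turns on how audit_control(5) preselection is supposed to work: the `flags` field selects events that carry an audit user id (attributable, such as a program run by a logged-in user), `naflags` selects events that do not, and each class name may be prefixed with `+` (successful events only), `-` (failed events only) or `^` (remove from the mask built so far). The following added example, written for this page and not part of the thread or of the attached patch, parses both configurations quoted above under those documented semantics and reports which one should select a successful, attributable `ex` event. It treats class names literally (no audit_class(5) lookup), which is an assumption made to keep the example self-contained; the original poster's observation that only the `naflags` variant produced records is the behaviour the reply's kernel patch was offered to address.

```python
"""Evaluate FreeBSD audit_control preselection strings (added example).

Semantics follow audit_control(5): a flags/naflags field is a comma-separated
list of audit class names, each optionally prefixed with '+' (successful
events only), '-' (failed events only) or '^', '^+', '^-' (remove the class,
or one half of it, from the mask built so far). The two configurations below
are the ones quoted in the thread; class names are taken literally rather
than resolved through audit_class(5), an assumption made for this example.
"""

CONFIG_A = """\
dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo
policy:cnt
filesz:0
"""

CONFIG_B = """\
dir:/var/audit
flags:lo
minfree:20
naflags:lo,+ex
policy:cnt
filesz:0
"""


def parse_audit_control(text):
    """Return a dict of parameter -> value (a repeated key keeps the last value)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed audit_control line: %r" % line)
        params[key.strip()] = value.strip()
    return params


def parse_flags(field):
    """Build a preselection mask from a flags/naflags field.

    Returns {class: set of outcomes}, outcomes being a subset of
    {"success", "failure"}. Entries apply left to right, so a later '^'
    entry subtracts from what earlier entries added.
    """
    mask = {}
    for entry in field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        remove = entry.startswith("^")
        if remove:
            entry = entry[1:]
        if entry.startswith("+"):
            outcomes, cls = {"success"}, entry[1:]
        elif entry.startswith("-"):
            outcomes, cls = {"failure"}, entry[1:]
        else:
            outcomes, cls = {"success", "failure"}, entry
        if not cls:
            raise ValueError("empty class name in flags entry")
        current = mask.setdefault(cls, set())
        if remove:
            current -= outcomes
            if not current:
                del mask[cls]
        else:
            current |= outcomes
    return mask


def selected(params, audit_class, outcome, attributable):
    """Would an event of this class and outcome be preselected under params?

    Attributable events (carrying an audit uid, e.g. a user's exec) are
    matched against 'flags'; events without an audit uid (e.g. daemons
    started at boot) against 'naflags'.
    """
    field = params.get("flags" if attributable else "naflags", "")
    return outcome in parse_flags(field).get(audit_class, set())


if __name__ == "__main__":
    for name, cfg in (("A (flags:lo,+ex)", CONFIG_A), ("B (naflags:lo,+ex)", CONFIG_B)):
        p = parse_audit_control(cfg)
        print(name, "selects a user's successful exec:",
              selected(p, "ex", "success", attributable=True))
```

Under the documented semantics configuration A is the one that should record a logged-in user's program executions; configuration B only records execs that have no audit uid attached, which is why the poster found the observed behaviour surprising.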

