audit doesn't seem to be working correctly.
Christian S.J. Peron
csjp at FreeBSD.org
Mon Oct 8 11:21:13 PDT 2007
Please try the attached patch:
cp audit.diff /usr/src/sys
patch < audit.diff
Recompile your kernel.
Please report success/failure to me.
On Thu, Oct 04, 2007 at 12:21:19AM -0400, dexterclarke at Safe-mail.net wrote:
> After reading this article:
>
> http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
>
> I decided to try audit. I edited /etc/security/audit_control
> as the article (and the handbook example) shows:
>
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
> policy:cnt
> filesz:0
>
> But having restarted auditd, I don't see audit events for
> process execution being generated. However, if I do this:
>
> dir:/var/audit
> flags:lo
> minfree:20
> naflags:lo,+ex
> policy:cnt
> filesz:0
>
> I get audit records for users executing programs. This seems
> completely wrong to me. Why are these events being classed as
> non-attributable when they're clearly being created by
> authenticated users?
>
> I am running 6.2-RELEASE-p7 which is vanilla apart from the
> addition of options MAC, AUDIT and VESA.
>
> --
> dc
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
--
Christian S.J. Peron
csjp at FreeBSD.ORG
FreeBSD Committer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit.diff
Type: text/x-diff
Size: 3994 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20071008/7352d7d6/audit.bin
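As an added example (not part of the thread and not FreeBSD's own code), the following Python model of the audit_control(5) preselection rules shows why the two quoted configurations behave differently: a successful exec by a process whose audit user id was set at login is matched against flags, so only the first configuration selects it; a process with no audit id is matched against naflags, so only the second selects it, which is what the reporter observed. The class names come from audit_class(5); the configurations are constructed copies of the ones quoted above.

```python
"""audit_control(5) preselection, modelled. Added example, not FreeBSD code.

flags applies to processes whose audit user id (auid) was set at login,
naflags to processes with no auid. Entries apply left to right: cls selects
success and failure, +cls success only, -cls failure only, a leading ^ removes.
"""

# Audit classes from audit_class(5); the pseudo-class "all" expands to these.
CLASSES = ("fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt", "ip",
           "na", "ad", "lo", "aa", "ap", "io", "ex", "ot")

# Constructed copies of the two configurations quoted in the thread.
CONFIG_FLAGS_EX = "dir:/var/audit\nflags:lo,+ex\nminfree:20\nnaflags:lo\npolicy:cnt\nfilesz:0\n"
CONFIG_NAFLAGS_EX = "dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo,+ex\npolicy:cnt\nfilesz:0\n"

def parse_audit_control(text):
    """Return the key:value pairs of an audit_control file, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def parse_mask(spec):
    """Expand a flags/naflags value into {class: set of audited outcomes}."""
    mask = {c: set() for c in CLASSES}
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        remove = item.startswith("^")
        item = item.lstrip("^")
        outcomes = {"success", "failure"}
        if item and item[0] in "+-":
            outcomes = {"success"} if item[0] == "+" else {"failure"}
            item = item[1:]
        for cls in (CLASSES if item == "all" else (item,)):
            target = mask.setdefault(cls, set())
            if remove:
                target.difference_update(outcomes)
            else:
                target.update(outcomes)
    return mask

def is_selected(text, event_classes, outcome, attributable):
    """Would a record of these classes be written?  attributable=True means
    the subject's auid is set, so flags applies; otherwise naflags applies."""
    conf = parse_audit_control(text)
    mask = parse_mask(conf["flags" if attributable else "naflags"])
    return any(outcome in mask.get(cls, set()) for cls in event_classes)

# A successful execve() by a logged-in user (class "ex") is selected by the
# first configuration only once the kernel treats the process as attributable.
assert is_selected(CONFIG_FLAGS_EX, {"ex"}, "success", attributable=True)
assert not is_selected(CONFIG_NAFLAGS_EX, {"ex"}, "success", attributable=True)
```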