Improvement for Distributed Audit Project
jhell
jhell at dataix.net
Mon Aug 9 19:38:32 UTC 2010
On 08/09/2010 13:24, Janne Snabb wrote:
> On Thu, 29 Jul 2010, Sergio Ligregni wrote:
>
>> /*
>> * We have these possibilities, only the first one is allowed
>> * 20100619223115.20100619223131 20100619223131.not_terminated
>> * current
>> */
>> if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
>>     /* XXX To improve this checking later */
>>     return 1;
>> }
>
> Please note that the file names have an additional suffix in case
> "host" is defined in /etc/security/audit_control.
>
Also note that auditd(8) complains to syslog that 'host:' is not set
correctly in audit_control(5) currently.
This may serve as a warning, but it gets on your nerves after a while,
since it looks like an error when you first see it. Because it deals
with the audit system, a first glance at the warning sets off error
alerts in your head.
messages.0:Jun 4 19:47:15 disbatch auditd[1666]: audit_control(5) may be missing 'host:' field
Is there some way that this could be silenced without actually adding
'host:' to audit_control(5)?
Maybe a possibility to just add 'host:localhost' to the default
configuration of audit_control(5)?
If localhost were an option and logging audits to a remote machine came
into play, would it be wise to ignore the distribution of localhost
from the receiving machine?
Regards,
--
jhell,v
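As an added example (written for this page; it is not code from the thread or from OpenBSM), here is a stricter version of the quoted file-name check. It validates every digit of both timestamps and their field ranges, accepts the optional host suffix Janne mentions (its exact form, a dot followed by the host string, is an assumption here), distinguishes the three name shapes in Sergio's comment, and rejects a trail whose stop time precedes its start time. The last sample in main() also shows why the quoted check is too loose: a non-digit inside the start timestamp still satisfies `strlen() == 29 && path[14] == '.' && isdigit(path[15])`. The sample names are constructed; "disbatch" is just the hostname from the log line above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kinds of OpenBSM trail names; ".host" suffix form is an assumption. */
enum trail_kind {
	TRAIL_INVALID = 0,
	TRAIL_TERMINATED,	/* YYYYMMDDhhmmss.YYYYMMDDhhmmss[.host] */
	TRAIL_NOT_TERMINATED,	/* YYYYMMDDhhmmss.not_terminated[.host] */
	TRAIL_CURRENT		/* the "current" symlink                 */
};

#define TS_LEN 14		/* strlen("YYYYMMDDhhmmss") */

/* Parse exactly n decimal digits at s into *out; stops safely at NUL. */
static int
parse_digits(const char *s, size_t n, int *out)
{
	int v = 0;

	for (size_t i = 0; i < n; i++) {
		if (!isdigit((unsigned char)s[i]))
			return (0);
		v = v * 10 + (s[i] - '0');
	}
	*out = v;
	return (1);
}

/* A 14-digit timestamp is accepted only if every field is in range. */
static int
valid_timestamp(const char *s)
{
	int year, mon, day, hour, min, sec;

	if (!parse_digits(s, 4, &year) || !parse_digits(s + 4, 2, &mon) ||
	    !parse_digits(s + 6, 2, &day) || !parse_digits(s + 8, 2, &hour) ||
	    !parse_digits(s + 10, 2, &min) || !parse_digits(s + 12, 2, &sec))
		return (0);
	return (year >= 1970 && mon >= 1 && mon <= 12 && day >= 1 &&
	    day <= 31 && hour <= 23 && min <= 59 && sec <= 59);
}

/* Optional ".host" suffix: empty, or a dot followed by hostname characters. */
static int
valid_host_suffix(const char *s)
{
	if (*s == '\0')
		return (1);		/* no host: configured */
	if (*s != '.' || s[1] == '\0')
		return (0);		/* dangling dot, empty host */
	for (s++; *s != '\0'; s++)
		if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.')
			return (0);
	return (1);
}

enum trail_kind
classify_trail_name(const char *name)
{
	static const char nt[] = "not_terminated";
	const char *rest;

	if (strcmp(name, "current") == 0)
		return (TRAIL_CURRENT);
	/* valid_timestamp() guarantees 14 digits, so name[TS_LEN] exists. */
	if (!valid_timestamp(name) || name[TS_LEN] != '.')
		return (TRAIL_INVALID);
	rest = name + TS_LEN + 1;
	if (strncmp(rest, nt, sizeof(nt) - 1) == 0)
		return (valid_host_suffix(rest + sizeof(nt) - 1) ?
		    TRAIL_NOT_TERMINATED : TRAIL_INVALID);
	if (!valid_timestamp(rest) || !valid_host_suffix(rest + TS_LEN))
		return (TRAIL_INVALID);
	/* Fixed-width digits, so a string compare orders the timestamps. */
	if (strncmp(name, rest, TS_LEN) > 0)
		return (TRAIL_INVALID);	/* stop time before start time */
	return (TRAIL_TERMINATED);
}

/* Same contract as the quoted check: 1 only for a terminated trail. */
int
is_terminated_trail(const char *name)
{
	return (classify_trail_name(name) == TRAIL_TERMINATED);
}

int
main(void)
{
	const char *samples[] = {	/* constructed sample names */
		"20100619223115.20100619223131",
		"20100619223115.20100619223131.disbatch",
		"20100619223131.not_terminated",
		"current",
		"2010061922311X.20100619223131",	/* passes the quoted check */
	};
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-40s -> %d\n", samples[i],
		    classify_trail_name(samples[i]));
	return (0);
}
```

If the reader wants the original one-line semantics, is_terminated_trail() is the drop-in replacement; classify_trail_name() is the more useful form for a distribution daemon, since a not_terminated trail is the one still being written by auditd and should not be shipped yet.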