Audit(d) and jails
Eirik Øverby
ltning at anduin.net
Mon Apr 20 20:17:15 UTC 2009
Hi all,
I've been struggling lately to find a way to use the audit
functionality in any meaningful way while using jails. My original
idea was running auditd on the host, and thus get audit data for all
the jails - however this proves impractical as identifying, for
instance, the path of an executable inside a jail is impossible (it
shows as //usr/bin/something in the logs). I have also failed to run
auditd inside the jails, and doing so would somehow reduce its value -
as the idea is to lock down the host and audit from there.
I see there is a SOC project to make audit jail-aware, but I'm sure
I've missed something in the current implementation (7.1) as well.
Could anyone share their experiences on this with me - or am I on the
wrong track entirely?
Thanks,
/Eirik
More information about the freebsd-security
mailing list