Improvement for Distributed Audit Project

jhell jhell at
Mon Aug 9 19:38:32 UTC 2010

On 08/09/2010 13:24, Janne Snabb wrote:
> On Thu, 29 Jul 2010, Sergio Ligregni wrote:
>>   /*
>>    * We have these posibilities, only the first one is allowed
>>    * 20100619223115.20100619223131 20100619223131.not_terminated
>>    * current
>>    */
>>   if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
>>     /* XXX To improve this checking later */
>>     return 1;
>>   }
> Please note that the file names have an addiitional suffix in case
> "host" is defined in /etc/security/audit_control.

Also note that auditd(8) complains to syslog that 'host:' is not set
correctly in audit_control(5) currently.

This may serve as a warning but it gets on your nerves after a while
when you look at it like a error when you first see it. Since it deals
with the audit system first glance of the warning sends error alerts off
in your head.

messages.0:Jun  4 19:47:15 disbatch auditd[1666]: audit_control(5) may
be missing 'host:' field

Is there some way that this could be silenced without actually adding
'host:' to audit_control(5) ?

Maybe a possibility to just add 'host:localhost' to the default
configuration of audit_control(5) ?

If localhost would be an option and logging audits to a remote machine
comes into play then would it be wise to ignore distribution of
localhost from the receiving machine ?




More information about the freebsd-hackers mailing list