auditing users within a jail
Eitan Adler
lists at eitanadler.com
Sun Mar 11 09:12:25 UTC 2018
)Hi all,
I am fairly new to using the auditd framework. I'd like to set up some
basic auditing for one of my FreeBSD boxes.
The setup is fairly simple:
- host - has "eax" and "root"
- bastion jail - has "bastion" and "root"
I have the following audit_user file:
root:lo:no,ad:no,aa,+fd,+ex
bastion:ex,fw,fm,fc,fd,pc,nt,ip,ad,lo:no,aa
audit_control:
dir:/var/audit
dist:on
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
The auditd service is running on the host (as pid 68828) however
running "praudit /dev/auditpipe" shows no output when accessing the
bastion user on the jail. This makes sense, however trying to run
auditd in the jail shows this error:
root at bastion:~ # /usr/sbin/auditd -d
auditd[27548]: starting...
auditd[27548]: Error opening trigger messaging mechanism
I know I'm doing something wrong but the overall configuration confuses me.
(a) What do I need to do to get auditing of the bastion user from (a1)
within the jail and (a2) from the host
(b) Is the auditing setup above reasonable? Am I missing obvious
events or capturing things which utterly routine?
(c) Why does praudit /dev/auditpipe show nothing but "praudit
/var/audit/current" show some events?
Thanks!
--
Eitan Adler
More information about the freebsd-security
mailing list