auditing users within a jail
Big Lebowski
spankthespam at gmail.com
Mon Mar 12 11:05:30 UTC 2018
On Mon, Mar 12, 2018 at 3:17 AM, Christian Peron <csjp at sqrt.ca> wrote:
> Hi Eitan,
>
> IIRC the short version is the audit-related syscalls are currently
> disabled in jails. This means that a jailed process cannot set audit
> configurations for themselves (or child processes). This also means
> things like auditd(8) won't work.
>
> However, it is possible for processes in jails to produce audit records.
> The processes just need an audit mask. Since audit masks (configurations)
> are inherited across forks, you could set a global audit configuration for
> the jail using the following tool (or something like it):
>
> https://github.com/csjayp/setaudit (I just dropped it on to github)
>
> We could hack on it to make it more friendly for jails etc., but this
> should get you going in the right direction. With a bit of work, it could
> be possible to "virtualize" the core audit objects so we could have
> functional per-jail auditing configurations, but certain care needs to be
> taken to ensure it couldn't override the config in the host (et al).
>
I suppose this could/should be added to the docs? :)
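The mask-inheritance approach described in the quoted reply, as an added example (not code from this thread and not the linked setaudit tool): the program turns an audit_control(5)-style flags string such as "lo,+ex,-fr" into the success/failure halves of an au_mask_t and, on FreeBSD, installs that mask on itself with setaudit(2) before exec'ing a command, so the command and every descendant inherit it. Because the audit syscalls are disabled inside jails, it has to be run from the host as root, wrapping jail(8) or jexec(8). The class bit values are assumed to match the stock /etc/security/audit_class; check them against the local file before relying on them.

```c
/*
 * Added example: build a per-process audit mask from an audit_control(5)
 * "flags" string and, on FreeBSD, push it into a command via setaudit(2).
 * Run from the host as root, e.g.:  ./setmask "lo,+ex" jexec myjail /bin/sh
 * Class bit values are assumed to match the stock /etc/security/audit_class.
 */
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <bsm/audit.h>          /* struct auditinfo, getaudit(2), setaudit(2) */
#endif

struct audit_class { const char *name; uint32_t mask; };

/* Assumed to mirror the default audit_class(5) file. */
static const struct audit_class classes[] = {
    { "fr", 0x00000001 }, { "fw", 0x00000002 }, { "fa", 0x00000004 },
    { "fm", 0x00000008 }, { "fc", 0x00000010 }, { "fd", 0x00000020 },
    { "cl", 0x00000040 }, { "pc", 0x00000080 }, { "nt", 0x00000100 },
    { "ip", 0x00000200 }, { "na", 0x00000400 }, { "ad", 0x00000800 },
    { "lo", 0x00001000 }, { "aa", 0x00002000 }, { "ap", 0x00004000 },
    { "io", 0x20000000 }, { "ex", 0x40000000 }, { "ot", 0x80000000 },
    { "all", 0xffffffff },
};

static int class_lookup(const char *name, uint32_t *mask) {
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (strcmp(classes[i].name, name) == 0) { *mask = classes[i].mask; return 0; }
    return -1;
}

/*
 * Grammar as in audit_control(5): "cls" selects success and failure,
 * "+cls" success only, "-cls" failure only; a leading "^" removes the
 * selection instead of adding it.  Returns 0, or -1 on a bad token.
 */
int parse_audit_flags(const char *spec, uint32_t *success, uint32_t *failure) {
    char buf[256];
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    *success = *failure = 0;
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int remove = 0, want_s = 1, want_f = 1;
        if (*tok == '^') { remove = 1; tok++; }
        if (*tok == '+') { want_f = 0; tok++; }
        else if (*tok == '-') { want_s = 0; tok++; }
        uint32_t m;
        if (*tok == '\0' || class_lookup(tok, &m) != 0) return -1;
        if (remove) { if (want_s) *success &= ~m; if (want_f) *failure &= ~m; }
        else        { if (want_s) *success |=  m; if (want_f) *failure |=  m; }
    }
    return 0;
}

/* One-shot accessors; 0 on a malformed spec. */
uint32_t audit_flags_success(const char *spec) {
    uint32_t s, f; return parse_audit_flags(spec, &s, &f) == 0 ? s : 0;
}
uint32_t audit_flags_failure(const char *spec) {
    uint32_t s, f; return parse_audit_flags(spec, &s, &f) == 0 ? f : 0;
}

#ifdef __FreeBSD__
/* Keep auid/session/terminal as they are, replace only the mask, then exec. */
static int apply_mask_and_exec(uint32_t success, uint32_t failure, char **argv) {
    struct auditinfo ai;
    if (getaudit(&ai) != 0) { perror("getaudit"); return -1; }
    ai.ai_mask.am_success = success;
    ai.ai_mask.am_failure = failure;
    if (setaudit(&ai) != 0) { perror("setaudit"); return -1; }  /* needs root */
    execvp(argv[0], argv);
    perror("execvp");
    return -1;
}
#endif

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s flags command [args...]\n", argv[0]);
        return 2;
    }
    uint32_t s, f;
    if (parse_audit_flags(argv[1], &s, &f) != 0) {
        fprintf(stderr, "bad flags: %s\n", argv[1]);
        return 2;
    }
    printf("success mask 0x%08x failure mask 0x%08x\n", s, f);
#ifdef __FreeBSD__
    return apply_mask_and_exec(s, f, argv + 2) == 0 ? 0 : 1;
#else
    fprintf(stderr, "setaudit(2) is FreeBSD-only; not exec'ing %s\n", argv[2]);
    return 1;
#endif
}
```

Wrapping the jail's entry command this way gives the whole jail one mask, as the reply suggests; nothing inside the jail can change it afterwards, and records still land in the host's trail, so auditd(8) on the host remains the only place to read or rotate them.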