Problems with auditd -- resolved
Robert Watson
rwatson at FreeBSD.org
Mon Sep 18 02:23:10 PDT 2006
On Mon, 18 Sep 2006, Ganbold wrote:
> #
> # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
> # $FreeBSD: src/contrib/openbsm/etc/audit_user,v 1.2.2.1 2006/09/02 10:46:00
> rwatson Exp $
> #
> #root:lo:no
> root:all:no
>
> I'm a bit confused here. I thought auditd should log all activities, but I
> don't see any log files. Am I doing something wrong here, or is my
> understanding regarding auditd wrong?

Your configuration looks right to me, and should be generating a ridiculous
number of audit records. Could you try rebooting and logging in again?
audit_user entries take effect only as of login, similar to /etc/group
settings, etc. How are you logging into the system?

On my local RELENG_6 system, with the recent auditctl(2) fix, I'm using the
following global settings to audit programs run by authenticated users:

    dir:/var/audit
    flags:lo,+ex
    minfree:20
    naflags:lo

It seems to be working properly. User space login/logout auditing won't work
in RELENG_6 until the MFC of Christian's recent tweaks to pipe preselection,
which will occur in a few days (and hence should appear in BETA2).

Robert N M Watson
Computer Laboratory
University of Cambridge
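
Added example (not part of the original message and not OpenBSM code): how the audit_user entry and the audit_control flags line quoted in this thread combine into the preselection mask a user receives at login, assuming the rule (flags + always-audit) minus never-audit described in audit_user(5). The class bit values, the pairing of the two posters' files, and the user name alice are sample data constructed for the example.

```python
# Sample class bits, constructed for this example; the real table is
# /etc/security/audit_class on the audited host.
CLASSES = {"no": 0x0, "lo": 0x1000, "ex": 0x40000000, "all": 0xFFFFFFFF}

def parse_flags(spec):
    """'lo,+ex' -> (success_mask, failure_mask); '+' success only, '-' failure only."""
    ok = fail = 0
    for tok in filter(None, (t.strip() for t in spec.split(","))):
        prefix = tok[0] if tok[0] in "+-" else ""
        bits = CLASSES[tok[len(prefix):]]  # KeyError for a class not in the table
        if prefix != "-":
            ok |= bits
        if prefix != "+":
            fail |= bits
    return ok, fail

def config_lines(text):
    """Yield the colon-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split(":")]

def effective_mask(user, audit_control, audit_user):
    """Mask fixed at login (assumed rule): (flags | always) & ~never."""
    control = {f[0]: ":".join(f[1:]) for f in config_lines(audit_control)}
    ok, fail = parse_flags(control.get("flags", ""))
    for fields in config_lines(audit_user):
        if len(fields) == 3 and fields[0] == user:
            a_ok, a_fail = parse_flags(fields[1])
            n_ok, n_fail = parse_flags(fields[2])
            ok, fail = (ok | a_ok) & ~n_ok, (fail | a_fail) & ~n_fail
    return ok, fail

def audited(mask, cls):
    """Which outcomes of class `cls` the (success, failure) mask selects."""
    ok, fail = mask
    bit = CLASSES[cls]
    return {"success": bool(ok & bit), "failure": bool(fail & bit)}

# The two configurations quoted in the thread, paired here for illustration.
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,+ex\nminfree:20\nnaflags:lo\n"
AUDIT_USER = "#root:lo:no\nroot:all:no\n"

if __name__ == "__main__":
    for who in ("root", "alice"):  # alice: hypothetical user with no audit_user entry
        m = effective_mask(who, AUDIT_CONTROL, AUDIT_USER)
        print(who, {c: audited(m, c) for c in ("lo", "ex")})
```

The mask is computed once per login session, which is why an edited audit_user entry only shows up after the user logs in again.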