Problems with auditd -- resolved
Ganbold
ganbold at micom.mng.net
Mon Sep 18 02:40:03 PDT 2006
Robert Watson wrote:
> On Mon, 18 Sep 2006, Ganbold wrote:
>
>> #
>> # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
>> # $FreeBSD: src/contrib/openbsm/etc/audit_user,v 1.2.2.1 2006/09/02 10:46:00 rwatson Exp $
>> #
>> #root:lo:no
>> root:all:no
>>
>> I'm a bit confused here. I thought auditd should log all activities, but
>> I don't see any log files. Am I doing something wrong here, or is my
>> understanding regarding auditd wrong?
>
> Your configuration looks right to me, and should be generating a
> ridiculous number of audit records. Could you try rebooting and
> logging in again? audit_user entries take effect only as of login,
> similar to /etc/group settings, etc. How are you logging into the
> system?
This is my desktop system and I updated today to the latest RELENG_6.
daemon# uname -an
FreeBSD daemon.micom.mng.net 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #6:
Mon Sep 18 12:56:04 ULAST 2006
root at daemon.micom.mng.net:/usr/obj/usr/src/sys/GDAEMON i386
I tried to restart auditd several times using the /etc/rc.d/auditd script.
daemon# /etc/rc.d/auditd restart
Trigger sent.
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
auditd already running? (pid=2065).
daemon# /etc/rc.d/auditd restart
Error sending trigger: Operation not supported by device
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
auditd already running? (pid=2095).
daemon# /etc/rc.d/auditd restart
Error sending trigger: Operation not supported by device
Starting auditd.
daemon# /etc/rc.d/auditd restart
Trigger sent.
Starting auditd.
daemon# ps ax | grep audit
10 ?? DL 0:00.00 [audit_worker]
2141 ?? Ss 0:00.01 /usr/sbin/auditd
2143 p3 RV 0:00.00 grep audit (csh)
daemon# ps ax | grep audit
10 ?? DL 0:00.00 [audit_worker]
2141 ?? Ss 0:00.01 /usr/sbin/auditd
Strange, there are still no logs in the /var/audit dir :( I even tried to use
your config, with no success.
However, when I logged on to my desktop from the console to itself (ssh -l
tsgan localhost), it starts logging.
But why is it not logging when I'm on the console?
>
> On my local RELENG_6 system, with the recent auditctl(2) fix, I'm
> using the following global settings to audit programs run by
> authenticated users:
>
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
>
> It seems to be working properly. User space login/logout auditing
> won't work in RELENG_6 until the MFC of Christian's recent tweaks to
> pipe preselection, which will occur in a few days (and hence should
> appear in BETA2).
I see.
thanks,
Ganbold
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>
>
>
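The following is an added example, not code from the thread or from OpenBSM: a small Python model of how a login session's audit mask is built from the audit_control `flags` line and the user's audit_user entry, using the settings quoted above as constructed input. Assumptions: the class list is a subset of the names in audit_class, the function names are hypothetical, and the merge is modelled as (global flags plus alwaysaudit) minus neveraudit.

```python
# Added example (not from the thread): model of the per-session audit mask.
# Assumption: subset of the class names shipped in /etc/security/audit_class.
CLASSES = frozenset("fr fw fa fm fc fd cl pc nt ip ad lo aa ap io ex ot".split())

def parse_flags(spec):
    """Turn a flags string such as 'lo,+ex' into (success, failure) class sets."""
    success, failure = set(), set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        negate = item.startswith("^")          # '^' removes a class again
        item = item.lstrip("^")
        on_success = not item.startswith("-")  # '-' means failed events only
        on_failure = not item.startswith("+")  # '+' means successful events only
        name = item.lstrip("+-")
        if name == "no":                       # 'no' selects nothing
            continue
        names = CLASSES if name == "all" else {name}
        if not names <= CLASSES:
            raise ValueError("unknown audit class: %r" % name)
        for target, wanted in ((success, on_success), (failure, on_failure)):
            if wanted:
                (target.difference_update if negate else target.update)(names)
    return success, failure

def config_lines(text):
    """Yield non-empty, non-comment lines of an audit config file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def session_mask(audit_control, audit_user, user):
    """Mask a session gets at login: (global flags + always) - never."""
    control = dict(l.split(":", 1) for l in config_lines(audit_control))
    g_ok, g_fail = parse_flags(control.get("flags", ""))
    always, never = "", ""
    for line in config_lines(audit_user):
        name, a, n = line.split(":", 2)
        if name == user:
            always, never = a, n
    a_ok, a_fail = parse_flags(always)
    n_ok, n_fail = parse_flags(never)
    return (g_ok | a_ok) - n_ok, (g_fail | a_fail) - n_fail

# Constructed inputs, built from the settings quoted in the thread.
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,+ex\nminfree:20\nnaflags:lo\n"
AUDIT_USER = "#root:lo:no\nroot:all:no\n"

if __name__ == "__main__":
    for who in ("root", "tsgan"):
        ok, fail = session_mask(AUDIT_CONTROL, AUDIT_USER, who)
        print(who, "success:", sorted(ok), "failure:", sorted(fail))
```

In this model the mask is computed once per login, which matches the point in the reply that audit_user changes only affect sessions started after the edit.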