How to record audit logs for only one specified file in FreeBSD?

Mateusz Piotrowski 0mp at FreeBSD.org
Mon May 30 11:07:05 UTC 2016


Hi,

I am participating in Google Summer of Code this year and am working on the conversion of audit logs from non-BSM formats to the BSM format.

I’ve stumbled upon a problem like this:

On Red Hat Linux I can specify the file I want to record audit logs for with this command:

    auditctl -a exit,always -F path=/tmp/foo.txt -F perm=war

I cannot figure out how to do a similar thing on FreeBSD. The only way I've found to record audit logs for files is to add the fr flag to my /etc/security/audit_control file (https://www.freebsd.org/doc/en/books/handbook/audit-config.html#event-selection).

Unfortunately, this way doesn't allow me to specify the file.

I suspect that you cannot specify a file to track. You just have to record everything and then extract the logs you are interested in.

I’ve posted this question on serverfault.com but I’ve not received any help (http://serverfault.com/questions/778510/how-to-record-audit-logs-for-only-one-specified-file-in-freebsd).


Cheers,

Mateusz Piotrowski
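The "record everything, then extract what you need" approach the post settles on, as an added example that is not part of the original message: a POSIX shell filter over praudit(1) text output that keeps only the records whose path token equals one file. It assumes the audit_control flags already include the relevant classes (for example fr, as the post describes) so the trail contains the file events; the sample trail below is constructed, not real output.

```sh
#!/bin/sh
# Added example: pick out, from praudit(1) text output, only the records
# that reference one pathname. Assumes audit_control already selects the
# classes of interest (e.g. fr) so that the trail contains the file events.

# Constructed sample of praudit default output: two open(2) records, only
# the first one touches /tmp/foo.txt. Layout follows praudit's one-token-
# per-line, comma-separated form (header ... trailer per record).
SAMPLE_TRAIL='header,118,11,open(2) - read,0,Mon May 30 11:07:05 2016, + 100 msec
path,/tmp/foo.txt
attribute,100644,root,wheel,90,12345,678
subject,root,root,wheel,root,wheel,1234,100,0,0.0.0.0
return,success,3
trailer,118
header,118,11,open(2) - read,0,Mon May 30 11:07:06 2016, + 200 msec
path,/etc/passwd
attribute,100644,root,wheel,90,12345,679
subject,root,root,wheel,root,wheel,1235,100,0,0.0.0.0
return,success,4
trailer,118'

# records_for_path PATH < praudit-text
# Prints every complete record (header through trailer) that carries a
# "path,<pathname>" token whose pathname equals PATH exactly.
records_for_path() {
    awk -v want="$1" '
        /^header,/ { rec = $0; hit = 0; next }
        {
            rec = rec "\n" $0
            # "path," is 5 characters, so the pathname starts at column 6
            if (index($0, "path,") == 1 && substr($0, 6) == want) hit = 1
            if (index($0, "trailer,") == 1 && hit) print rec
        }'
}

# count_records_for_path PATH: number of sample records that touch PATH
count_records_for_path() {
    printf '%s\n' "$SAMPLE_TRAIL" | records_for_path "$1" \
        | { grep -c '^header,' || true; }
}

# On a live system (as root), the same filter reads the current trail:
#   praudit /var/audit/current | records_for_path /tmp/foo.txt
```

auditreduce(1) can make the same selection on the binary trail before praudit with its `-o file=` option, which avoids converting unrelated records to text at all.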

