audit doesn't seem to be working correctly.
dexterclarke at Safe-mail.net
dexterclarke at Safe-mail.net
Wed Oct 3 22:09:47 PDT 2007
After reading this article:
http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
I decided to try audit. I edited /etc/security/audit_control
as the article (and the handbook example) shows:
dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo
policy:cnt
filesz:0
But having restarted auditd, I don't see audit events for
process execution being generated. However, if I do this:
dir:/var/audit
flags:lo
minfree:20
naflags:lo,+ex
policy:cnt
filesz:0
I get audit records for users executing programs. This seems
completely wrong to me. Why are these events being classed as
non-attributable when they're clearly being created by
authenticated users?
I am running 6.2-RELEASE-p7 which is vanilla apart from the
addition of options MAC, AUDIT and VESA.
--
dc
More information about the freebsd-hackers
mailing list