audit doesn't seem to be working correctly.

dexterclarke at Safe-mail.net dexterclarke at Safe-mail.net
Wed Oct 3 22:09:47 PDT 2007


After reading this article:

http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/

I decided to try audit. I edited /etc/security/audit_control
as the article (and the handbook example) shows:

dir:/var/audit
flags:lo,+ex
minfree:20
naflags:lo
policy:cnt
filesz:0

But having restarted auditd, I don't see audit events for
process execution being generated. However, if I do this:

dir:/var/audit
flags:lo
minfree:20
naflags:lo,+ex
policy:cnt
filesz:0

I get audit records for users executing programs. This seems
completely wrong to me. Why are these events being classed as
non-attributable when they're clearly being created by
authenticated users?

I am running 6.2-RELEASE-p7 which is vanilla apart from the
addition of options MAC, AUDIT and VESA.

--
dc


More information about the freebsd-hackers mailing list