PERFORCE change 155981 for review
Robert Watson
rwatson at FreeBSD.org
Sun Jan 11 13:08:09 PST 2009
http://perforce.freebsd.org/chv.cgi?CH=155981
Change 155981 by rwatson at rwatson_cinnamon on 2009/01/11 21:07:36
Change a few defaults in audit_control based on personal and
end-user feedback:
- Warn at 5% free on audit partitions, not 20%, since modern disks
are really big but audit trails in the default configuration
haven't grown as much.
- Set argv in the policy field -- we don't log AUE_EXECVE by
default, but when we do, people almost always want command line
arguments, and ask about it quite a bit.
- Do automatically rotate trail at 2mb by default.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/NEWS#29 edit
.. //depot/projects/trustedbsd/openbsm/etc/audit_control#6 edit
.. //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/NEWS#29 (text+ko) ====
@@ -2,6 +2,12 @@
OpenBSM 1.1 beta 1
+- Change defaults in audit_control: warn at 5% rather than 20% free for audit
+ partitions, rotate automatically at 2mb, and set the default policy to
+ cnt,argv rather than cnt so that execve(2) arguments are captured if
+ AUE_EXECVE events are audited. These may provide more usable defaults for
+ many users.
+
OpenBSM 1.1 alpha 5
- Stub libauditd(3) man page added.
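Review bot: "rotate automatically at 2mb" in the new NEWS entry uses a lowercase unit, while the audit_control.5 text in this same change says "approximately 2MB". Suggest writing "2MB" here, or quoting the literal setting filesz:2097152, so the release note matches the man page and the value actually shipped in etc/audit_control.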
@@ -414,4 +420,4 @@
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#28 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#29 $
==== //depot/projects/trustedbsd/openbsm/etc/audit_control#6 (text+ko) ====
@@ -1,9 +1,9 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#5 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#6 $
#
dir:/var/audit
flags:lo
-minfree:20
+minfree:5
naflags:lo
-policy:cnt
-filesz:0
+policy:cnt,argv
+filesz:2097152
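Review bot: the new filesz:2097152 line is a bare byte count and the file carries no comment beyond the $P4 header, so a reader has to go to audit_control.5 to learn that it means roughly 2MB and that the previous value of 0 meant no size-based rotation. Suggest a one-line comment above filesz stating the unit and the meaning of 0, and similarly noting that minfree is a percentage, since both values now differ from what existing installations have.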
==== //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 (text+ko) ====
@@ -26,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#21 $
.\"
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
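Review bot: the .Dd line in the trailing context still reads "January 4, 2006" although this change alters the documented defaults and the descriptive text further down the page. Suggest bumping .Dd to the date of this change so the rendered man page shows that its content was revised.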
@@ -177,10 +177,10 @@
.Bd -literal -offset indent
dir:/var/audit
flags:lo
-minfree:20
+minfree:5
naflags:lo
-policy:cnt
-filesz:0
+policy:cnt,argv
+filesz:2097152
.Ed
.Pp
The
@@ -190,9 +190,12 @@
The
.Va policy
parameter specifies that the system should neither fail stop nor suspend
-processes when the audit store fills.
-The trail file will not be automatically rotated by the audit daemon based on
-file size.
+processes when the audit store fills and that command line arguments should
+be audited for
+.Dv AUE_EXECVE
+events.
+The trail file will be automatically rotated by the audit daemon when the
+file size reaches approximately 2MB.
.Sh FILES
.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
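Review bot: the rewritten policy sentence reads as though execve arguments are captured under these defaults, but the example block earlier in the page still has flags:lo, and the change description states that AUE_EXECVE is not logged by default. Suggest making the sentence conditional in the way the NEWS entry is ("if AUE_EXECVE events are audited"), so an administrator does not assume that argv on its own puts command lines into the trail.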