PERFORCE change 107302 for review

Robert Watson rwatson at FreeBSD.org
Thu Oct 5 04:56:18 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=107302

Change 107302 by rwatson at rwatson_fledge on 2006/10/05 11:53:13

	Add some text describing how audit events are associated with users,
	both when and how.
	
	Suggested by:	jmg

Affected files ...

.. //depot/projects/trustedbsd/openbsm/man/audit_user.5#10 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/man/audit_user.5#10 (text+ko) ====

@@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#10 $
 .\"
 .Dd February 5, 2006
 .Dt AUDIT_USER 5
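Review bot: `.Dd February 5, 2006` is left untouched while this change adds a whole new IMPLEMENTATION NOTES section to the page; mdoc convention is to bump the `.Dd` line to the date of the last content change, so it should read `.Dd October 5, 2006` alongside the `$P4` revision bump in this hunk.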
@@ -75,6 +75,22 @@
 .Dq Li jdoe ,
 failed file creation events are audited, administrative events are
 audited, and successful file write events are never audited.
+.Sh IMPLEMENTATION NOTES
+Per-user and global audit preselection configuration are evaluated at time of
+login, so users must log out and back in again for audit changes relating to
+preselection to take effect.
+.Pp
+Audit record preselection occurs with respect to the audit identifier
+associated with a process, rather than with respect to the UNIX user or group
+ID.
+The audit identifier is set as part of the user credential context as part of
+login, and typically does not change as a result of running setuid or setgid
+applications, such as
+.Xr su 8 .
+This has the advantage that events that occur after running
+.Xr su 8
+can be audited to the original authenticated user, as required by CAPP, but
+may be surprising if not expected.
 .Sh FILES
 .Bl -tag -width ".Pa /etc/security/audit_user" -compact
 .It Pa /etc/security/audit_user
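Review bot: the new IMPLEMENTATION NOTES text has three wording problems worth fixing before it ships. First, `Per-user and global audit preselection configuration are evaluated` pairs a singular subject with a plural verb; use either `configurations are evaluated` or `configuration is evaluated`. Second, `is set as part of the user credential context as part of login` repeats `as part of`; `is set in the process credential at login` says the same thing. Third, `as required by CAPP` uses an acronym the page never expands, and `may be surprising if not expected` is circular; suggest `as required by the Controlled Access Protection Profile (CAPP), but may surprise administrators who expect records to be attributed to the effective user ID after su(8)`. Since the point of the paragraph is that preselection keys on the audit identifier rather than the UID, it would also help to state outright that changing the effective UID via su(8) therefore does not change which audit_user entry governs the process.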
