I think I have isolated the problem and I am working on a fix. For now
if you want to experiement with audit you should be able to work around
this bug by adding an entry into /etc/security/audit_user.
Thanks for your report.
On Thu, Oct 04, 2007 at 12:21:19AM -0400, dexterclarke@Safe-mail.net wrote:
> After reading this article:
>
> http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
>
> I decided to try audit. I edited /etc/security/audit_control
> as the article (and the handbook example) shows:
>
> dir:/var/audit
> flags:lo,+ex
> minfree:20
> naflags:lo
> policy:cnt
> filesz:0
>
> But having restarted auditd, I don't see audit events for
> process execution being generated. However, if I do this:
>
> dir:/var/audit
> flags:lo
> minfree:20
> naflags:lo,+ex
> policy:cnt
> filesz:0
>
> I get audit records for users executing programs. This seems
> completely wrong to me. Why are these events being classed as
> non-attributable when they're clearly being created by
> authenticated users?
>
> I am running 6.2-RELEASE-p7 which is vanilla apart from the
> addition of options MAC, AUDIT and VESA.
>
> --
> dc
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"