Re: Problems with auditd -- resolved
On Mon, 18 Sep 2006, Ganbold wrote:

> Robert Watson wrote:
>
>> On Mon, 18 Sep 2006, Ganbold wrote:
>>
>>> Strange, there are still no logs in /var/audit dir :( Even tried to use your config, no success. However when I logged on to my desktop from console to itself (ssh -l tsgan localhost) it starts logging. But why is it not logging when I'm on the console?
>>
>> Are you using xdm/kdm/gdm/etc or /usr/bin/login? I'm not sure that the various GUI login managers associated with X11 ship with BSM support compiled in by default, although given that they also run on Solaris, it is likely they support it.
>
> Ok, I'm using gnome and gnome-terminal, and it is not logging. Probably gnome-terminal is not compiled with BSM support. Auditd logs when I go to console using the ctrl+alt+f2 combination from X. Thanks for clarifying this.

Basically, at login, the audit subsystem determines what new audit properties are required for the login session and assigns them to the process, which consists of both the audit identifier associated with the user and the preselection mask. Events associated with non-authenticated sessions (which is what gdm logins will count as) should still get audited using the properties for the global naflags setting, so if you want to audit events associated with gdm you can set naflags to include more events. This will also be what audits things like web server activity, so it may result in significant numbers of events being audited as part of that also.

We will need to add audit extensions to new login mechanisms, such as xdm/kdm/gdm, or enable them if already present but not enabled on FreeBSD by default. OpenSSH, for example, already included BSM support due to Solaris and Mac OS X BSM, so we just enabled it by switching a flag in the compile (and also fixed a bug in it!). We should probably talk to the maintainers of these ports about investigating creating or enabling BSM support.

Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
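As an added illustration of the flags/naflags distinction explained in the reply above (example code written for this page, not from the thread or the FreeBSD project): a POSIX shell script that reads a constructed audit_control sample, picks the `flags:` or `naflags:` spec depending on whether the process received an audit ID at login, and resolves an event class against it. The function names and the sample config are this example's own, and the handling of the `+`, `-` and `^` prefixes is a simplified model of the audit_control(5) rules, not a reimplementation of the kernel's mask logic.

```shell
# Added example (not from the thread): which audit_control(5) preselection
# spec applies to a process, and whether a given class is selected by it.
# AUDIT_CONTROL_SAMPLE is a constructed config; prefix handling is a
# simplified model of the audit_control(5) rules.
AUDIT_CONTROL_SAMPLE='dir:/var/audit
flags:lo,+ex
naflags:lo,^aa'

# Print the value of key $2 (e.g. flags or naflags) from config text $1.
audit_ctl_get() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# Report how class $2 is selected by spec $1: none|success|failure|both.
# class = both outcomes, +class = success only, -class = failure only; a
# leading ^ removes those outcomes again; "all" matches every class.
# Entries apply left to right, so later entries override earlier ones.
# Runs in a subshell so the IFS and set -f changes stay local.
class_selection() (
    set -f; succ=0; fail=0; IFS=','
    for entry in $1; do
        case "$entry" in
            "$2"|'all')      succ=1; fail=1 ;;
            "+$2"|'+all')    succ=1 ;;
            "-$2"|'-all')    fail=1 ;;
            "^$2"|'^all')    succ=0; fail=0 ;;
            "^+$2"|'^+all')  succ=0 ;;
            "^-$2"|'^-all')  fail=0 ;;
        esac
    done
    case "$succ$fail" in
        11) echo both ;;    10) echo success ;;
        01) echo failure ;; *)  echo none ;;
    esac
)

# A session that got an audit ID at login is matched against flags:;
# a process without one (the gdm case in the thread) against naflags:.
selection_for() {  # $1 = config text, $2 = has_audit_id (yes|no), $3 = class
    if [ "$2" = yes ]; then
        class_selection "$(audit_ctl_get "$1" flags)" "$3"
    else
        class_selection "$(audit_ctl_get "$1" naflags)" "$3"
    fi
}

# With the sample: exec success is audited for logged-in users only.
selection_for "$AUDIT_CONTROL_SAMPLE" yes ex   # prints: success
selection_for "$AUDIT_CONTROL_SAMPLE" no ex    # prints: none
```

Point it at a real `/etc/security/audit_control` with `audit_ctl_get "$(cat /etc/security/audit_control)" naflags` to see which classes a gdm session would currently fall under.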