Hello, Freebsd-security.

I'm trying to use audit, and have some problems. First one is impossibility to create custom event class, and second one I hit is with auditreduce(1).

auditreduce doesn't filter events by date (-b/-a/-d options with any arguments produce empty output), it doesn't merge files properly and doesn't pick up files automagically, as Solaris' one does. It doesn't have -C/-M/-O functionality of Solaris' one, too. So, proper merging of audit trail files seems to be impossible :(

I could try to fix & extend auditreduce(1), but does somebody but me need it?

Does somebody use audit on FreeBSD on production systems?

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
On 29 June 2011, at 12:59, Lev Serebryakov wrote:

> auditreduce doesn't filter events by date (-b/-a/-d options with any
> arguments produce empty output), it doesn't merge files properly and
> doesn't pick up files automagically, as Solaris' one does. It doesn't
> have -C/-M/-O functionality of Solaris' one, too. So, proper merging
> of audit trail files seems to be impossible :(
>
> I could try to fix & extend auditreduce(1), but does somebody but me
> need it?
>
> Does somebody use audit on FreeBSD on production systems?

I do, almost (I've not finished my setup, but I'm auditing a production server). Maybe you'll find this interesting: http://forums.freebsd.org/showthread.php?t=23716#9

patpro
On Jun 29, 2011, at 5:59 AM, Lev Serebryakov wrote:

> Hello, Freebsd-security.
>
> I'm trying to use audit, and have some problems. First one is
> impossibility to create custom event class, and second one I hit is
> with auditreduce(1).
>
> auditreduce doesn't filter events by date (-b/-a/-d options with any
> arguments produce empty output), it doesn't merge files properly and
> doesn't pick up files automagically, as Solaris' one does. It doesn't
> have -C/-M/-O functionality of Solaris' one, too. So, proper merging
> of audit trail files seems to be impossible :(
>
> I could try to fix & extend auditreduce(1), but does somebody but me
> need it?
>
> Does somebody use audit on FreeBSD on production systems?

FYI, a better place to discuss this would be the trustedbsd-audit mailing list. There are quite a few people that use OpenBSM in production on FreeBSD and Mac OS X that hang out on that list usually.

Regards,

-stacey.
On Wed, 29 Jun 2011, Stacey Son wrote:

>> I'm trying to use audit, and have some problems. First one is impossibility
>> to create custom event class, and second one I hit is with auditreduce(1).
>>
>> auditreduce doesn't filter events by date (-b/-a/-d options with any
>> arguments produce empty output), it doesn't merge files properly and
>> doesn't pick up files automagically, as Solaris' one does. It doesn't have
>> -C/-M/-O functionality of Solaris' one, too. So, proper merging of audit
>> trail files seems to be impossible :(
>>
>> I could try to fix & extend auditreduce(1), but does somebody but me need
>> it?
>>
>> Does somebody use audit on FreeBSD on production systems?
>
> FYI, a better place to discuss this would be the trustedbsd-audit mailing
> list. There are quite a few people that use OpenBSM in production on
> FreeBSD and Mac OS X that hang out on that list usually.

Hi Lev:

Just catching up on back e-mail, and bumped into this thread. Did you file PRs for these bugs? As Stacey mentions, the trustedbsd-audit mailing list is where most discussion of OpenBSM takes place. It's generally pretty quiet, but there are quite a few people using audit in production, and I'm sure they'd appreciate bug reports (and even fixes!).

Robert