search for: audit_control

Greetings, In order to use solaris's BSM (Basic security module) also called c2 audit, which logs specific kernel calls depending on your audit_control, I would need to use login(1) to log users exec calls and whatnot because Portable OpenSSH does not have <bsm/audit.h> support, now that would mean I would have to enable Uselogin in sshd_config in order for that to work. I am running openssh's latest portable version on Solaris 7 core i...

...'t seem to log anything except login messages. The only thing I've modified in config is the root user specification in audit_users. Now it looks like this: root:lo,ex,fw,fc:no However nor ex, non fw or fc messages doesn't get into the log. Furthermore, deleting lo from audit_users and audit_control doesn't stop login messages logging. Is it possible that some other kernel options interfere with AUDIT (e.g. MAC)? Thanks! -- Stanislav Sedov ST4096-RIPE -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 1...

A few weeks back Robert Watson announced the merge of these features from 7 back into 6-STABLE. I hadn't seen any updates and was curious as to the status. Us 6-STABLE users are curious to test it out. Thanks. --A

...some way to control the capabilities assigned to the container processes. With lxc-tools, I can specify a configuration option, lxc.cap.drop, which causes the container processes to drop the specified privileges. My libvirt containers seem to run with cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin which is rather more permissive than I'd like. In particular, cap_sys_boot allows a container to reboot the host machine. I am running libvirt-0.9.2 from squeeze-backports on debian squeeze. Cheers, -C-

So I'm exploring AUDIT and have this in /etc/security/audit_control: dir:/var/audit flags:lo,fd minfree:20 naflags:lo policy:cnt filesz:0 I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to: dir:/var/audit flags:lo minfree:20 naflags:lo,fd policy:cnt filesz:0 I type audit -s and am immediate...

So I'm exploring AUDIT and have this in /etc/security/audit_control: dir:/var/audit flags:lo,fd minfree:20 naflags:lo policy:cnt filesz:0 I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to: dir:/var/audit flags:lo minfree:20 naflags:lo,fd policy:cnt filesz:0 I type audit -s and am immediate...

...nstalled as part of recent RELENG_6 and 6.2-BETA2 are also pretty complete, and include more detailed reference information. The audit(4) man page has a good set of cross-references to various commands (audit(8), auditd(8), praudit(8), auditreduce(8)), as well as the audit configuration files (audit_control(5), audit_user(5), etc). Remember that audit support in 6.2-RELEASE will be considered experimental, and has a number of known limitations (such as not fully auditing all non-native FreeBSD system call interfaces, and not auditing all userland administrative events of interest), but it should b...

...sm/config/config.h.in U src/contrib/openbsm/config/config.sub U src/contrib/openbsm/config/depcomp U src/contrib/openbsm/config/install-sh U src/contrib/openbsm/config/ltmain.sh U src/contrib/openbsm/config/missing U src/contrib/openbsm/etc/audit_class U src/contrib/openbsm/etc/audit_control U src/contrib/openbsm/etc/audit_event N src/contrib/openbsm/etc/audit_filter U src/contrib/openbsm/etc/audit_user U src/contrib/openbsm/etc/audit_warn U src/contrib/openbsm/libbsm/Makefile.am U src/contrib/openbsm/libbsm/Makefile.in U src/contrib/openbsm/libbsm/au_class.3 U...

On a rather full customer web server, I am trying to track down whose web site script is trying to make outbound network connections when they should not be. In /etc/security/audit_control, I added to the flags line dir:/var/audit flags:lo,aa,-nt minfree:5 to log failed network connection. When I try an make an outbound connection to something that is blocked in pf, it seems to sometimes work. eg. from the command line, if I manually try via telnet 8.8.8.8 25 pf shows 17:03:23.5...

Greetings, I've been looking for a proper way to to track down user's activity inside the shell as I'm helping my colleague to configure a web hosting and shell hosting server. Someone have referred me to this article -- http://bsdtips.utcorp.net/mediawiki/index.php/Snoop which is using 'watch' commands to view user's activity once they logged in to the server I found