After reading this article: http://www.regdeveloper.co.uk/2006/11/13/freebsd_security_event_auditing/
I decided to try audit. I edited /etc/security/audit_control as the article (and the handbook example) shows: dir:/var/audit flags:lo,+ex minfree:20 naflags:lo policy:cnt filesz:0 But having restarted auditd, I don't see audit events for process execution being generated. However, if I do this: dir:/var/audit flags:lo minfree:20 naflags:lo,+ex policy:cnt filesz:0 I get audit records for users executing programs. This seems completely wrong to me. Why are these events being classed as non-attributable when they're clearly being created by authenticated users? I am running 6.2-RELEASE-p7 which is vanilla apart from the addition of options MAC, AUDIT and VESA. -- dc _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[EMAIL PROTECTED]"
