)Hi all, I am fairly new to using the auditd framework. I'd like to set up some basic auditing for one of my FreeBSD boxes.
The setup is fairly simple: - host - has "eax" and "root" - bastion jail - has "bastion" and "root" I have the following audit_user file: root:lo:no,ad:no,aa,+fd,+ex bastion:ex,fw,fm,fc,fd,pc,nt,ip,ad,lo:no,aa audit_control: dir:/var/audit dist:on flags:lo,aa minfree:5 naflags:lo,aa policy:cnt,argv filesz:2M expire-after:10M The auditd service is running on the host (as pid 68828) however running "praudit /dev/auditpipe" shows no output when accessing the bastion user on the jail. This makes sense, however trying to run auditd in the jail shows this error: root@bastion:~ # /usr/sbin/auditd -d auditd[27548]: starting... auditd[27548]: Error opening trigger messaging mechanism I know I'm doing something wrong but the overall configuration confuses me. (a) What do I need to do to get auditing of the bastion user from (a1) within the jail and (a2) from the host (b) Is the auditing setup above reasonable? Am I missing obvious events or capturing things which utterly routine? (c) Why does praudit /dev/auditpipe show nothing but "praudit /var/audit/current" show some events? Thanks! -- Eitan Adler _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
