On Mon, Mar 12, 2018 at 3:17 AM, Christian Peron <c...@sqrt.ca> wrote:
> Hi Eitan,
>
> IIRC the short version is the audit related syscalls are currently disabled in
> jails. This means that a jailed process cannot set audit configurations for
> themselves (or child processes). This also means things like auditd(8) won't work.
>
> However, it is possible for processes in jails to produce audit records.
> The processes just need an audit mask. Since audit masks (configurations)
> are inherited across forks, you could set a global audit configuration for the
> jail using the following tool (or something like it):
>
> https://github.com/csjayp/setaudit (I just dropped it on to github)
>
> We could hack on it to make it more friendly for jails etc., but this should
> get you going in the right direction. With a bit of work, it could be possible
> to "virtualize" the core audit objects so we could have functional per jail
> auditing configurations, but certain care needs to be taken to ensure it couldn't
> override the config in the host (et al).

I suppose this could/should be added to the docs? :)

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security