On Mon, 18 Sep 2006, Ganbold wrote:

> Robert Watson wrote:
>> On Mon, 18 Sep 2006, Ganbold wrote:
>>> Strange, there are still no logs in /var/audit dir :( Even tried to use
>>> your config, no success. However when I logged on to my desktop from
>>> console to itself (ssh -l tsgan localhost) it starts logging. But why it
>>> is not logging when I'm on console?
>>
>> Are you using xdm/kdm/gdm/etc or /usr/bin/login? I'm not sure that the
>> various GUI login managers associated with X11 ship with BSM support
>> compiled in by default, although given that they also run on Solaris, it is
>> likely they support it.
>
> Ok, I'm using gnome and gnome-terminal, and it is not logging. Probably
> gnome-terminal is not compiled with BSM support. Auditd logs when I go to
> console using ctrl+alt+f2 combination from X. Thanks for clarifying this.

Basically, at login, the audit subsystem determines what new audit properties
are required for the login session and assigns them to the process, which
consists of both the audit identifier associated with the user, and the
preselection mask. Events associated with non-authenticated sessions (which
is what gdm logins will count as) should still get audited using the
properties for the global naflags setting, so if you want to audit events
associated with gdm you can set naflags to include more events. This will
also be what audits things like web server activity, so it may result in
significant numbers of events being audited as part of that also.

We will need to add audit extensions to new login mechanisms, such as
xdm/kdm/gdm, or enable them if already present but not enabled on FreeBSD by
default. OpenSSH, for example, already included BSM support due to Solaris
and Mac OS X BSM, so we just enabled it by switching a flag in the compile
(and also fixed a bug in it!). We should probably talk to the maintainers of
these ports about investigating creating or enabling BSM support.

Robert N M Watson
Computer Laboratory
University of Cambridge
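
Added example, not part of the original message and not OpenBSM code: a simplified Python model of the preselection described above, showing why an exec event in an ssh login session is selected while the same event in a session that no BSM-aware login program attributed to a user falls under naflags. The audit_control and audit_user contents are constructed samples, and treating each event as belonging to a single class is an assumption of the model.

```python
# Constructed sample configuration (audit_control / audit_user syntax).
AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo
"""
AUDIT_USER = "root:lo:no\ntsgan:fw:no\n"  # name:alwaysaudit:neveraudit

BOTH = {"success", "failure"}

def parse_flags(spec):
    """Turn a flag list such as 'lo,+ex,^-fr' into (class, outcome) pairs."""
    mask = set()
    for flag in filter(None, (f.strip() for f in spec.split(","))):
        negate = flag.startswith("^")           # '^' removes a selection
        flag = flag.lstrip("^")
        # '+' = successful events only, '-' = failed only, none = both
        outcomes = {"+": {"success"}, "-": {"failure"}}.get(flag[:1], BOTH)
        cls = flag.lstrip("+-")
        if cls in ("", "no"):                   # 'no' selects nothing
            continue
        pairs = {(cls, o) for o in outcomes}
        mask = mask - pairs if negate else mask | pairs
    return mask

def parse_control(text):
    """Read key:value lines, skipping blanks and comments."""
    return dict(line.split(":", 1) for line in text.splitlines()
                if line and not line.startswith("#"))

def session_mask(control, audit_user, user=None):
    """Preselection mask for a session; user=None models a session that
    was never attributed to a user (the gdm case in this thread)."""
    if user is None:
        return parse_flags(control.get("naflags", ""))
    mask = parse_flags(control.get("flags", ""))
    for line in audit_user.splitlines():
        name, always, never = line.split(":")
        if name == user:                        # (flags + always) - never
            mask = (mask | parse_flags(always)) - parse_flags(never)
    return mask

def is_audited(mask, cls, outcome="success"):
    """Would an event of this class and outcome produce a record?"""
    return (cls, outcome) in mask
```

With the sample files, `session_mask(control, AUDIT_USER, "tsgan")` selects `ex` events and `session_mask(control, AUDIT_USER)` does not until `ex` is added to `naflags`.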