Hello,
I'm running a FreeBSD 8.2 amd64 web server. Everything is working great, but I need to enable auditd to scrutinize a few things about the server security. It appears that the 8.2 GENERIC kernel already includes "option AUDIT", so I've just modified /etc/security/audit_user, /etc/security/audit_control and launched auditd:
Code:
# cat /etc/security/audit_user
root:lo,ex,pc:no
www:fc,fd,ex,pc:no
Code:
# cat /etc/security/audit_control
host:my.host.tld
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv,arge
filesz:10M
expire-after:50M
All other files are set to their default values. According to this definition, auditd should log events for www that match "file creation", "file deletion", "execution", "process", and the default "login/out" and "authentication/authorization". In fact, it logs nothing about the user www.
praudit /var/audit/current returns only "lo" events for users accessing the server via ssh.
Did I miss something obvious?
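An added example, not code from the original post: a small Python check that computes, from the two files quoted above, the mask a login process such as sshd would apply for each audit_user entry, next to the naflags mask that governs processes not attributed to a login session. As audit_user(5) describes, per-user entries are merged with the flags line of audit_control when the user logs in; the class-prefix modifiers (+, -, ^) are left out here as a simplification.

```python
# Constructed sample input: the two files quoted in the post above.
AUDIT_CONTROL = """\
host:my.host.tld
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv,arge
filesz:10M
expire-after:50M
"""
AUDIT_USER = """\
root:lo,ex,pc:no
www:fc,fd,ex,pc:no
"""

def _entries(text):
    """Yield non-blank, non-comment lines with surrounding whitespace removed."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_classes(spec):
    """Comma-separated class names as a set; 'no' is audit class 0 (nothing).
    Success/failure prefixes (+, -, ^) are not modelled: plain names only."""
    return {c.strip() for c in spec.split(",") if c.strip() and c.strip() != "no"}

def parse_control(text):
    """audit_control(5) key:value pairs as a dict."""
    return dict(tuple(p.strip() for p in line.split(":", 1)) for line in _entries(text))

def parse_user(text):
    """audit_user(5): username -> (alwaysaudit set, neveraudit set)."""
    users = {}
    for line in _entries(text):
        name, always, never = line.split(":", 2)
        users[name] = (parse_classes(always), parse_classes(never))
    return users

def effective_mask(user, control=AUDIT_CONTROL, users=AUDIT_USER):
    """Mask a login process sets for `user`: (flags | alwaysaudit) - neveraudit."""
    always, never = parse_user(users).get(user, (set(), set()))
    return (parse_classes(parse_control(control).get("flags", "")) | always) - never

def not_attributed_mask(control=AUDIT_CONTROL):
    """Mask for processes with no login-attributed audit session: naflags."""
    return parse_classes(parse_control(control).get("naflags", ""))
```

Against the post's files, effective_mask("www") yields lo,aa,fc,fd,ex,pc while not_attributed_mask() yields only lo,aa; that gap is the first thing to inspect when a daemon's events never reach the trail.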