Why are audit events apparently non-attributable?

So I'm exploring AUDIT and have this in /etc/security/audit_control:

dir:/var/audit
flags:lo,fd
minfree:20
naflags:lo
policy:cnt
filesz:0

I tell auditd to reread the config file with audit -s but no file
deletion events are logged.

I change the config file to:

dir:/var/audit
flags:lo
minfree:20
naflags:lo,fd
policy:cnt
filesz:0

I type audit -s and am immediately flooded with 20 kilobytes worth
of audit records about file deletions.

What I don't understand is why these file deletions are non-attributable?
Surely if I sit there touching and removing files, the events should be
very clearly attributed to me? Even more strange is that the events look
like this:

header,130,10,unlink(2),0,Sat Sep 29 20:48:46 2007, + 957 msec
path,/var/tmp/vi.recover/vi.zhcey0
attribute,600,root,wheel,126,24774,98340
subject,-1,root,wheel,root,wheel,78355,0,0,0.0.0.0
return,success,0
trailer,130

To me, that looks like the event was attributed to 'root', so why does
it only appear when using 'naflags', i.e. non-attributable events?

Perhaps I misunderstand something fundamental.

--
dc
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
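The first field of the subject token in a BSM record is the audit ID, and the `-1` in the record quoted above means the process had no audit ID set; that, not the effective uid shown later in the token, is what makes an event match `naflags` instead of `flags`. As an added example (not from the original post), a small Python parser for praudit(1) text output that separates such records from attributed ones; the first sample record is the one from the post, the second is constructed.

```python
"""Classify praudit text records by whether the subject carries an audit ID.

Subject token field order per audit.log(5): audit ID, euid, egid, ruid,
rgid, pid, session ID, terminal ID (port, address).
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample: record 1 is from the post, record 2 shows an
# attributed unlink by a user whose login set an audit ID.
SAMPLE = """\
header,130,10,unlink(2),0,Sat Sep 29 20:48:46 2007, + 957 msec
path,/var/tmp/vi.recover/vi.zhcey0
attribute,600,root,wheel,126,24774,98340
subject,-1,root,wheel,root,wheel,78355,0,0,0.0.0.0
return,success,0
trailer,130
header,120,10,unlink(2),0,Sat Sep 29 20:50:01 2007, + 12 msec
path,/home/dc/scratch.txt
subject,dc,dc,dc,dc,dc,78402,78402,12345,10.0.0.5
return,success,0
trailer,120
"""


@dataclass
class AuditRecord:
    event: str
    path: Optional[str]
    auid: str   # audit ID as printed by praudit; "-1" means never set
    euid: str
    pid: int

    @property
    def attributable(self) -> bool:
        # Only records with a real audit ID are selected by 'flags';
        # auid -1 records are the ones 'naflags' picks up.
        return self.auid != "-1"


def parse_records(text: str) -> Iterator[AuditRecord]:
    event, path, subject = None, None, None
    for line in text.splitlines():
        tok = line.split(",")
        if tok[0] == "header":
            event, path, subject = tok[3], None, None
        elif tok[0] == "path":
            path = tok[1]
        elif tok[0] == "subject":
            subject = tok[1:]
        elif tok[0] == "trailer" and subject is not None:
            yield AuditRecord(event, path, subject[0], subject[1], int(subject[5]))


def non_attributable(text: str) -> List[AuditRecord]:
    """Return the records that would only be captured via naflags."""
    return [r for r in parse_records(text) if not r.attributable]
```

Running `non_attributable(SAMPLE)` returns just the vi.recover unlink, even though its effective uid is root: the euid field is populated but the audit ID is not.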