On Wed, Apr 1, 2009 at 12:18 PM, Gary Winiger <gww at eng.sun.com> wrote:
>> I thought that should have been clear from the first example in the
>> audit_syslog(5) man page.
>
>        If the man page isn't clear, please file a bug report through
>        your sun service account.

The man page is clear; however, I still was not able to log pfexec usage after correcting the audit_control file. The odd thing is that logging commands run in a profiled shell does work, and the profiled shell uses pfexec internally and doesn't seem to do anything related to auditing itself. Here is what I did:

nacho@saturn:/etc/security$ pfexec audit -n
nacho@saturn:/etc/security$ pfexec roleadd -s /bin/pfcsh -d /export/home/test -m -P 'Primary Administrator' test
80 blocks
nacho@saturn:/etc/security$ pfexec usermod -R root,test nacho
UX: usermod: nacho is currently logged in, some changes may not take effect until next login.
nacho@saturn:/etc/security$ roles
root,test
nacho@saturn:/etc/security$ pfexec passwd test
New Password:
Re-enter new Password:
passwd: password successfully changed for test
nacho@saturn:/etc/security$ su test
Password:
saturn% ls
audit audit_data audit_user bsmconv dev device_policy kmfpolicy.xml priv_names
audit_class audit_event audit_warn bsmunconv device_allocate exec_attr lib prof_attr
audit_control audit_startup auth_attr crypt.conf device_maps extra_privs policy.conf spool
saturn% exit
saturn%
nacho@saturn:/etc/security$ pfexec /usr/sbin/praudit audit/localhost/files/200904021
1) 20090402141928.20090402150709.saturn
2) 20090402150709.not_terminated.saturn
nacho@saturn:/etc/security$ pfexec /usr/sbin/praudit audit/localhost/files/20090402150709.not_terminated.saturn
praudit: Can't assign audit/localhost/files20090402150709.not_terminated.saturn to stdin.
nacho@saturn:/etc/security$ cd audit/localhost/files/200904021
1) 20090402141928.20090402150709.saturn
2) 20090402150709.not_terminated.saturn
nacho@saturn:/etc/security$ cd audit/localhost/files/
nacho@saturn:/etc/security/audit/localhost/files$ pfexec praudit 20090402150709.not_terminated.saturn
file,2009-04-02 12:07:09.644 -03:00,/var/audit/20090402141928.20090402150709.saturn
header,69,2,role login,,localhost,2009-04-02 12:10:10.675 -03:00
subject,nacho,test,other,test,other,3623,2852993444,0 0 localhost
return,success,0
header,148,2,profile command,,localhost,2009-04-02 12:10:20.753 -03:00
subject,nacho,root,other,test,other,3625,2852993444,0 0 localhost
path,/etc/security
path,/usr/xpg4/bin/ls
cmd,argcnt,0,envcnt,0,
process,nacho,root,root,root,root,3625,2852993444,0 0 localhost
return,success,0
header,69,2,role logout,,localhost,2009-04-02 12:10:23.703 -03:00
subject,nacho,test,other,test,other,3623,2852993444,0 0 localhost
return,success,0
nacho@saturn:/etc/security/audit/localhost/files$ grep audit /etc/syslog.conf
audit.notice /var/adm/audit
nacho@saturn:/etc/security/audit/localhost/files$ pfexec tail /var/adm/audit
Apr 2 09:44:28 saturn audit: [ID 702911 audit.notice] cron-invoke ok session 2502 by root as root:root from unknown proc_uid bin text crontab-job text /usr/sbin/logadm
Apr 2 11:21:47 saturn audit: [ID 702911 audit.notice] role login ok session 2852993444 by nacho as root:root from saturn proc_uid bin
Apr 2 11:22:11 saturn audit: [ID 702911 audit.notice] role logout ok session 2852993444 by nacho as root:root from saturn proc_uid bin
Apr 2 11:24:16 saturn audit: [ID 702911 audit.notice] su ok session 2852993444 by nacho as test:other from saturn proc_uid bin
Apr 2 11:24:17 saturn audit: [ID 702911 audit.notice] profile command ok session 2852993444 by nacho as root:other from saturn proc_auid nacho proc_uid root obj /usr/gnu/bin/ls
Apr 2 11:24:39 saturn audit: [ID 702911 audit.notice] profile command ok session 2852993444 by nacho as root:other from saturn proc_auid nacho proc_uid root obj /usr/sbin/praudit
Apr 2 11:25:56 saturn audit: [ID 702911 audit.notice] su logout ok session 2852993444 by nacho as test:other from saturn proc_uid bin
Apr 2 12:10:10 saturn audit: [ID 702911 audit.notice] role login ok session 2852993444 by nacho as test:other from saturn proc_uid bin
Apr 2 12:10:20 saturn audit: [ID 702911 audit.notice] profile command ok session 2852993444 by nacho as root:other from saturn proc_auid nacho proc_uid root obj /usr/xpg4/bin/ls
Apr 2 12:10:23 saturn audit: [ID 702911 audit.notice] role logout ok session 2852993444 by nacho as test:other from saturn proc_uid bin
nacho@saturn:/etc/security/audit/localhost/files$ cd /etc/security
nacho@saturn:/etc/security$ grep -v '^#' audit_control
dir:/var/audit
flags: ua,as,lo
minfree:20
naflags:
plugin: name=audit_syslog.so; p_flags=all

nacho
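
Added example, not part of the original message: a small Python parser for the audit_syslog lines shown in the /var/adm/audit output above, listing which binaries were recorded as "profile command" events per audit user. The field layout is inferred from the lines quoted in the message, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout inferred from the /var/adm/audit lines quoted in the message (an assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<node>\S+) audit: \[ID \d+ audit\.\w+\] "
    r"(?P<event>.+?) (?P<status>\S+) session (?P<session>\d+) "
    r"by (?P<auid>\S+) as (?P<euid>[^:\s]+):(?P<egid>\S+) from (?P<origin>\S+)"
    r"(?P<rest>.*)$"
)

# Sample input: lines copied from the tail output in the message above.
SAMPLE = """\
Apr 2 09:44:28 saturn audit: [ID 702911 audit.notice] cron-invoke ok session 2502 by root as root:root from unknown proc_uid bin text crontab-job text /usr/sbin/logadm
Apr 2 11:24:16 saturn audit: [ID 702911 audit.notice] su ok session 2852993444 by nacho as test:other from saturn proc_uid bin
Apr 2 11:24:17 saturn audit: [ID 702911 audit.notice] profile command ok session 2852993444 by nacho as root:other from saturn proc_auid nacho proc_uid root obj /usr/gnu/bin/ls
Apr 2 11:24:39 saturn audit: [ID 702911 audit.notice] profile command ok session 2852993444 by nacho as root:other from saturn proc_auid nacho proc_uid root obj /usr/sbin/praudit
Apr 2 12:10:10 saturn audit: [ID 702911 audit.notice] role login ok session 2852993444 by nacho as test:other from saturn proc_uid bin
Apr 2 12:10:20 saturn audit: [ID 702911 audit.notice] profile command ok session 2852993444 by nacho as root:other from saturn proc_auid nacho proc_uid root obj /usr/xpg4/bin/ls
"""

def parse_line(line):
    """Return a dict for one audit_syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    tokens = rec.pop("rest").split()
    # Trailing fields are key/value pairs; keys can repeat ("text"), so keep a list.
    rec["fields"] = list(zip(tokens[0::2], tokens[1::2]))
    return rec

def profile_commands(text):
    """Map audit user -> [(timestamp, effective user, binary)] for 'profile command' events."""
    seen = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "profile command":
            continue
        obj = next((v for k, v in rec["fields"] if k == "obj"), None)
        seen[rec["auid"]].append((rec["ts"], rec["euid"], obj))
    return dict(seen)

if __name__ == "__main__":
    for auid, hits in profile_commands(SAMPLE).items():
        for ts, euid, obj in hits:
            print(f"{ts} {auid} -> {euid}: {obj}")
```

Comparing this list against the commands actually typed shows which privileged executions produced a record and which did not.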