No 'host:' field in default audit_control file

Originator: ihmccreery
Number: rdar://9817001
Date Originated: 21-Jul-2011 03:44 PM
Status: Open
Resolved:
Product: Mac OS X
Product Version: 10K540
Classification: Security
Reproducible: Always
 
21-Jul-2011 03:44 PM Anne McCreery:
Summary: The default audit_control file included in /etc/security/ does not contain a 'host:' field as it should according to the man pages.  /var/log/system.log gets an error and the file cannot be read properly.

Steps to Reproduce:  Do 'su audit -s'.  Check /var/log/system.log.  Look for an error:

        auditd[1450]: audit_control(5) may be missing 'host:' field

Additionally, changing any settings below where 'host:' should be (in particular the 'naflags:' field) does not yield changed results in audit trails.  Thus it seems the audit_control file is not getting read correctly.

Expected Results: audit_control(5) is read in its entirety and configures the auditing system correctly, and rotates the audit logs.

Actual Results: audit_control(5) is not read correctly and the auditing system is not configured correctly, though the audit logs are rotated.

Regression: N/A

Notes: This bug was found while attempting to configure the OS X audit system for performance benchmarking, as part of a survey of auditing systems on several platforms.  This research is being done by Benjamin Kuperman (advisor), Luke Lovett (student), and Isaac McCreery (student) at Oberlin College Computer Science as part of the Oberlin Summer Research Institute.
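
A check for the condition described in this report, added here as an example; it is not part of the original report and is not Apple's code. It parses the "name:value" lines of an audit_control(5) file, reports whether 'host:' is defined, and counts the auditd warning quoted above in a log. The function names are hypothetical and the sample config and log lines are constructed.

```shell
#!/bin/sh
# Added example (not Apple's code). Checks a copy of audit_control(5) for the
# 'host:' field and a log for the auditd warning quoted in the report.

# List the field names defined in an audit_control file ("name:value" lines).
audit_control_keys() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                      # skip comments, blanks
        { key = $1; gsub(/[ \t]/, "", key); print key }
    ' "$1"
}

# Succeed only if field $2 is defined in file $1.
has_field() {
    audit_control_keys "$1" | grep -qxF -- "$2"
}

# Print how many auditd warnings about the host field appear in log $1.
count_host_warnings() {
    grep -cF "audit_control(5) may be missing 'host:' field" "$1" || true
}

# Report on config $1 and log $2; return 1 when 'host:' is absent.
check_audit_control() {
    echo "fields defined: $(audit_control_keys "$1" | tr '\n' ' ')"
    echo "auditd host warnings in log: $(count_host_warnings "$2")"
    if has_field "$1" host; then
        echo "host: field present"
    else
        echo "host: field MISSING"; return 1
    fi
}

# Constructed sample data: a config without 'host:' and a two-line log.
write_samples() {
    printf '%s\n' '# constructed sample, not the shipped file' \
        'dir:/var/audit' 'flags:lo' 'minfree:5' 'naflags:lo' > "$1/audit_control"
    printf '%s\n' \
        "Jul 21 15:40:01 mac auditd[1450]: audit_control(5) may be missing 'host:' field" \
        'Jul 21 15:40:02 mac login[1460]: USER_PROCESS: 1460 ttys000' > "$1/system.log"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_audit_control "$demo_dir/audit_control" "$demo_dir/system.log" || true
rm -rf "$demo_dir"
```

To run it against a real system, pass copies of /etc/security/audit_control and /var/log/system.log to check_audit_control instead of the sample files.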
