# audit(2) system call in jailed processes

## igosha (Jun 29, 2015)

Since it is impossible right now to have the audit subsystem working in jails, I checked the source code. sys_audit in audit_syscalls.c in the kernel explicitly checks jailed() and returns ENOSYS. Also, prison_priv_check has "case PRIV_AUDIT_GETAUDIT" commented out.

The question is: why is it so, and what can possibly go wrong if these checks are removed?

The problem is very simple: I am running multiple jails with sshd(8) servers in there and need to be able to collect audit records from them.

----------

## brueffer@ (Jun 29, 2015)

The short answer is: because no one has put in the time to implement it yet.

The more intricate answer is that, apart from the pure implementation work, there is quite a bit of pondering involved on what the model should be. Some of the questions are mentioned here https://wiki.freebsd.org/TrustedBSDTODO/ (search for "jail and audit").

As for your specific issue, maybe the solution here works for you as well: https://lists.freebsd.org/pipermail/freebsd-stable/2012-March/066615.html

----------

## igosha (Jun 30, 2015)

Well, from what I see in the kernel part it seems to be ready to accept the jailed audit entries, even the jail ID seems to be inserted in the records. The audit(2) call is required for OpenSSH to be able to create its own records.

Also, I don't see any contradiction with anything written in the TODO.
Ssh does write its _own_ data and should be able to create its _own_ audit records anyway; there is no way the host OS can create them (since the username, IP, etc. from the protocol exist only in the SSHd's context).
I don't need to audit the process actions much; I really need its own audit trail to have a way to go into the subsystem. The same applies to sudo.

What if I just try to create a patch, test that it works in production mode and submit it?

----------