file system auditing, zany timezone issues, design document, etc, etc

Amy Griffis amy.griffis at hp.com
Tue Apr 26 19:34:24 UTC 2005


Hi Tim,

Timothy R. Chavez wrote:     [Mon Apr 25 2005, 02:27:30PM EDT]
> So yeah... I was asked to wait until after tomorrow's meeting to submit
> to LKML, which is just as well.  That gives you all a little time to
> test it :-) J/K -- But, really, it would be nice if some people just
> tried to patch/install the kernel and play with auditctl -w/-W for a
> couple minutes and respond with yay or nay.

I did some rudimentary testing of the audit.24 kernel and auditd
0.7.1 and found a couple problems:

I wasn't able to list audit rules, although the audit log has entries
that the rules were added, and open syscalls by uid 500 are logged.

# auditctl -a entry,never -S all -F pid=2647
No rules
# auditctl -a entry,always -S open -F uid=500
No rules
# auditctl -l
No rules

Also, I wasn't able to add watches.  I tried a few; here is one
example:

# auditctl -w /etc/shadow -k SHADOW -p w
Error sending watch insert request (Cannot allocate memory)
Error sending rule to kernel

# auditctl -w /etc/shadow -p w
Error sending watch insert request (Invalid argument)
Error sending rule to kernel

Although I haven't looked at the code yet, I suspect a kernel issue,
as I don't see any of this behavior when I boot audit.20 with auditd
0.7.1.

Thanks,
Amy