file system auditing, zany timezone issues, design document, etc, etc

Timothy R. Chavez tinytim at us.ibm.com
Tue Apr 26 20:39:22 UTC 2005


On Tue, 2005-04-26 at 15:34 -0400, Amy Griffis wrote:
> Hi Tim,
> 
> Timothy R. Chavez wrote:     [Mon Apr 25 2005, 02:27:30PM EDT]
> > So yeah... I was asked to wait until after tomorrow's meeting to submit
> > to LKML, which is just as well.  That gives you all a little time to
> > test it :-) J/K -- But, really, it would be nice if some people just
> > tried to patch/install the kernel and play with auditctl -w/-W for a
> > couple minutes and respond with yay or nay.
> 
> I did some rudimentary testing of the audit.24 kernel and auditd
> 0.7.1 and found a couple problems:
> 
> I wasn't able to list audit rules, although the audit log has entries
> that the rules were added, and open syscalls by uid 500 are logged.
> 
> # auditctl -a entry,never -S all -F pid=2647
> No rules
> # auditctl -a entry,always -S open -F uid=500
> No rules
> # auditctl -l
> No rules
> 
> Also, I wasn't able to add watches.  I tried a few; here is one
> example:
> 
> # auditctl -w /etc/shadow -k SHADOW -p w
> Error sending watch insert request (Cannot allocate memory)
> Error sending rule to kernel
> 
> # auditctl -w /etc/shadow -p w
> Error sending watch insert request (Invalid argument)
> Error sending rule to kernel
> 
> Although I haven't looked at the code yet, I suspect a kernel issue,
> as I don't see any of this behavior when I boot audit.20 with auditd
> 0.7.1.

Is the updated user space patch in audit-0.7.1? I haven't looked to
tell you the truth.  I'd imagine it is not, as Steve has told me it
won't be until after he gets a stable package for RHEL 4.  Thus,
audit.24 and audit-0.7.1 should be out of sync.  Still, the error
handling looks quirky (and incorrect), so I need to look into this.

I'll run 2.6.12-rc2-mm1 with audit-0.7.1 against your examples.  And I will also
run audit.24 with an audit user package that's in sync with it and
report back tomorrow with my results.

Thanks for giving it a go.

-tim

> Thanks,
> Amy
> 