file system auditing, zany timezone issues, design document, etc, etc
Timothy R. Chavez
tinytim at us.ibm.com
Tue Apr 26 20:39:22 UTC 2005
On Tue, 2005-04-26 at 15:34 -0400, Amy Griffis wrote:
> Hi Tim,
>
> Timothy R. Chavez wrote: [Mon Apr 25 2005, 02:27:30PM EDT]
> > So yeah... I was asked to wait until after tomorrow's meeting to submit
> > to LKML, which is just as well. That gives you all a little time to
> > test it :-) J/K -- But, really, it would be nice if some people just
> > tried to patch/install the kernel and play with auditctl -w/-W for a
> > couple minutes and respond with yay or nay.
>
> I did some rudimentary testing of the audit.24 kernel and auditd
> 0.7.1 and found a couple problems:
>
> I wasn't able to list audit rules, although the audit log has entries
> that the rules were added, and open syscalls by uid 500 are logged.
>
> # auditctl -a entry,never -S all -F pid=2647
> No rules
> # auditctl -a entry,always -S open -F uid=500
> No rules
> # auditctl -l
> No rules
>
> Also, I wasn't able to add watches. I tried a few; here is one
> example:
>
> # auditctl -w /etc/shadow -k SHADOW -p w
> Error sending watch insert request (Cannot allocate memory)
> Error sending rule to kernel
>
> # auditctl -w /etc/shadow -p w
> Error sending watch insert request (Invalid argument)
> Error sending rule to kernel
>
> Although I haven't looked at the code yet, I suspect a kernel issue,
> as I don't see any of this behavior when I boot audit.20 with auditd
> 0.7.1.
Is the updated user space patch in audit-0.7.1?? I haven't looked to
tell you the truth. I'd imagine it is not, as Steve has told me it
won't be until after he gets a stable package for RHEL 4. Thus,
audit.24 and audit-0.7.1 should be out of sync. Still the error
handling looks quirky (and incorrect), so I need to look into this.
I'll run your examples on 2.6.12-rc2-mm1 with audit-0.7.1. And I will also
run audit.24 with an audit user package that's in sync with it and
report back tomorrow with my results.
Thanks for giving it a go.
-tim
> Thanks,
> Amy
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
>
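As an added example (not code from the thread or from the audit project), a small shell smoke test that reruns the rule and watch sequence Amy reported and prints yay/nay per step. It assumes auditctl from the audit user-space package is on PATH and that it is run as root; the two helper functions work on captured text, so the "No rules" and watch-insert error checks can be exercised without a watch-capable kernel.

```shell
#!/bin/sh
# Smoke test for auditctl rule listing and watch insertion (added example,
# not from the mailing-list thread or the audit project). Assumes auditctl
# on PATH and root privileges for the live sequence at the bottom.

# rule_listed LIST_OUTPUT PATTERN -> 0 if PATTERN appears in the output of
# `auditctl -l`, 1 if the kernel answered "No rules" (the symptom reported)
# or the pattern is absent.
rule_listed() {
    case "$1" in
        "No rules"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q -- "$2"
}

# watch_status STDERR_TEXT -> prints ok | enomem | einval | other, mapping
# the "Error sending watch insert request (...)" messages from the thread.
watch_status() {
    case "$1" in
        "") echo ok ;;
        *"Cannot allocate memory"*) echo enomem ;;
        *"Invalid argument"*) echo einval ;;
        *) echo other ;;
    esac
}

# smoke_test runs the same commands Amy tried, reports yay/nay for each
# step, and removes whatever it added. Must run as root.
smoke_test() {
    auditctl -a entry,always -S open -F uid=500 >/dev/null 2>&1
    listing=$(auditctl -l 2>&1)
    if rule_listed "$listing" "uid=500"; then
        echo "rule listing: yay"
    else
        echo "rule listing: nay ($listing)"
    fi
    auditctl -d entry,always -S open -F uid=500 >/dev/null 2>&1

    # Capture only stderr: stdout goes to /dev/null, stderr to the old stdout.
    err=$(auditctl -w /etc/shadow -k SHADOW -p w 2>&1 >/dev/null)
    st=$(watch_status "$err")
    if [ "$st" = ok ]; then
        echo "watch insert: yay"
        auditctl -W /etc/shadow -p w >/dev/null 2>&1
    else
        echo "watch insert: nay ($st: $err)"
    fi
}

# Run the live sequence only when SMOKE_TEST_RUN=1, so the file can be sourced.
if [ "${SMOKE_TEST_RUN:-0}" = 1 ]; then smoke_test; fi
```

Source the file and call the helpers directly to check captured auditctl output from another machine, or run it with SMOKE_TEST_RUN=1 as root to test a kernel.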