[RFC][PATCH 3/3] CAPP-compliant file system auditing
Stephen Smalley
sds at tycho.nsa.gov
Thu Mar 31 21:02:01 UTC 2005
On Thu, 2005-03-31 at 12:24 -0600, Timothy R. Chavez wrote:
> :: Tools ::
>
> To enable the kernel functionality one will need to download the audit-0.6.9
> source tree (http://people.redhat.com/sgrubb/audit/) and apply the attached
> patch. Read the README-install file for installation instructions. If the
> audit daemon is not running (also included in this package), then audit
> records will appear in /var/log/syslog rather then /var/log/audit.log. Use
> the "auditctl" tool for inserting, removing, and listing watches.
>
> Note: At the time of writing this e-mail the user space / kernel space
> interaction is not yet complete. For instance, I'd eventually like to add
> serialization routines to both spaces to pass "watch" structures more easily.
> There is also talk about another type of watch listing feature that can list
> all the watches present in memory.
This one was also line-wrapped, but I fixed it up by hand. After
rebuilding auditctl, I again tried my trusty test case:
auditctl -e 1
auditctl -w /etc/shadow -p w -k SHADOW
passwd
I'm not sure why yet, but I end up with three different inode numbers
involved in the resulting audit messages, two different ones for the two
auxitem records on the shadow watch (which both have name "shadow"), and
a third inode number listed for both /etc/nshadow and /etc/shadow on the
regular item list collected during pathname resolution. For the watch-
generated ones, I expected the same inode number (since it is a rename
and involves no change); for the regular items, I expected
the /etc/nshadow inode number to correspond with that same inode number
(since it is the file that is renamed to /etc/shadow), with
the /etc/shadow inode number being the original inode number of the old
file. Seems to bear investigation...
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the Linux-audit
mailing list