[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditd/auditctl SLED10



I downloaded each of the audit version from 1.1.4 - 1.2.1 and compiled
from the tar balls...the source rpms kept bombing out on dependencies.
As of 1.2.1 with the SLED 10 distro, I was able to get it to tell me
permission denied when the syscall attempted an open
on /var/log/messages from an unpriviledged user.

Thanks everyone...

Lane  

On Fri, 2006-07-21 at 16:35 +0200, Marcus Meissner wrote:
> On Fri, Jul 21, 2006 at 10:31:22AM -0400, Linda Knippers wrote:
> > Lane Williams wrote:
> > > Yeah, I had tried that.  There is an access syscall.  From the looks of
> > > things the audit version that comes with SuSE has a few problems.  I
> > > know in Red Hat it seems to work as I need it to.  SuSE is also using
> > > Apparmor in place of SELinux, or at least they make it appear that way.
> > > The audit deamon also does not support file system watches.
> > 
> > File system watches aren't supported in the upstream kernel until
> > 2.6.18.
> > 
> > > Seems the only success=no returns that I receive are when the file does
> > > not exist.  I may also have to add more to my filter in order to get
> > > what I want.  Unfortunately I am stuck with SuSE and will have to
> > > continue troubleshooting until the patches come out.
> > 
> > If you're using a 2.6.16 kernel and 1.1.3 audit tools, that seems like
> > a mismatch.  There was a 1.1.4 audit package released back in February
> > and the release mail mentions apparmor support.
> > https://www.redhat.com/archives/linux-audit/2006-February/msg00036.html
> 
> We have integrated AppArmor support in our 1.1.3 packages. (The
> stuff we sent upstream for 1.1.4).
> 
> Ciao, Marcus


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]