File watches supported in Audit 1.1.5 on Fedora Core 5?

Steve Grubb sgrubb at redhat.com
Tue Jun 20 02:08:55 UTC 2006


On Monday 19 June 2006 20:52, Jonathan Abbey wrote:
> It appears that, contrary to the man pages in the audit RPM, file watches
> are not supported.

The file system watches in 1.1.5 are the kind that the RHEL4 kernel is 
expecting. We had trouble merging the patches into the kernel.org kernel and 
had to spend a long time rewriting the subsystem.

> Likewise, many of the example rules in
> /usr/share/doc/audit-1.1.5/sample.rules, such as
>
>   # Auditing failed opens
>   -a entry,always -S open -F success!=0
>
> seem to be out of step with the actual rules supported by
> /sbin/auditctl and/or the kernel.  (I get the sensible 'Field success
> cannot be checked at syscall entry' message).

Right, so you just move the rule to the exit filter.

> Would the latest FC5 kernels support inotify-based file watches with a
> more recent version of the Audit user tools?

The file system watches are scheduled to land in the 2.6.18 kernel. We have a 
test kernel that you can test with in the meantime:

http://people.redhat.com/sgrubb/files/lspp/

> Is there any up-to-date documentation that would serve me better than
> that in the /usr/share/doc/audit-1.1.5 directory on FC5?  I don't see
> any on Steve Grubb's Audit page.

This mail list is a good place to ask. We have not done much in terms of 
tutorials or HOWTOs because half the audit system has been missing from 
common kernels. The 1.2.x series audit packages are reworked to fit the file 
system audit code that goes with the 2.6.18 kernel. I will push that into 
Fedora Core 5 when 2.6.18 starts into the rc phase. So, if you want to 
experiment, install an lspp kernel and build a 1.2.x audit package for fc5. 
You should be set.

-Steve
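One way to apply the "move the rule to the exit filter" advice to a whole sample.rules file, as an added shell example that is not part of this thread: rules in the entry filter that test the syscall result are rewritten to the exit filter, where the kernel can evaluate `success`, and other entry rules are left alone. The awk pattern, the helper names and the sample rule lines are constructed here, modelled on the rules quoted above.

```shell
# Added example (not from the original thread): rewrite audit rules so that
# any rule carrying a '-F success' test sits in the exit filter. At syscall
# entry the result is not yet known, which is why auditctl rejects
# '-a entry,always ... -F success!=0'. Reads rules on stdin, writes to stdout.
fix_entry_success_rules() {
    # Only rules that test the syscall result need moving; entry-filter rules
    # without a success field are passed through unchanged.
    awk '
        /^[[:space:]]*-a[[:space:]]+entry,/ && /-F[[:space:]]*success/ {
            sub(/entry,/, "exit,")
        }
        { print }
    '
}

# Constructed sample, modelled on /usr/share/doc/audit-1.1.5/sample.rules.
SAMPLE_RULES='# Auditing failed opens
-a entry,always -S open -F success!=0
-a entry,always -S execve
-a exit,always -S unlink -F success=1'

# Helper that returns the rewritten sample as text, e.g. to compare against
# the original before loading it with "auditctl -R".
rewritten_rules() {
    printf '%s\n' "$SAMPLE_RULES" | fix_entry_success_rules
}
```

Run `rewritten_rules` to see the converted rules; the execve rule keeps its entry filter because it does not test `success`.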
