
Re: [PATCH] audit tools: add filterkey support



Here is the userspace patch I used to test the kernel filterkey patch.

I have applied the filterkey patch to audit 1.2.3-1 and am receiving some strange dispatch events. Look at the auid below:

Jun 26 08:42:58 otslab11 user_actions[2559]: type=1300, payload size=283
Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): arch=40000003 syscall=5 success=yes exit=3 a0=bfea0c58 a1=8000 a2=0 a3=8000 items=1 ppid=2329 pid=2578 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key=(null)"
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1307, payload size=38
Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): cwd="/root""
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1302, payload size=146
Jun 26 08:42:58 otslab11 user_actions[2559]: data="audit(1151325777.277:54): item=0 name="/tmp/test.c" inode=5358299 dev=03:02 mode=0100666 ouid=500 ogid=500 rdev=00:00 obj=user_u:object_r:tmp_t:s0"

I haven't determined how to assign a key to a rule yet (maybe that is part of the problem).

I am using the 2.6.17-1.2293.2.2_FC6.lspp.38.i686 kernel.

Steve
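
Added example, not part of the original message or of the audit project's code: a small parser for dispatcher payloads like the ones quoted above. It groups records by event serial number and normalizes two sentinel values: auid=4294967295, which is (uid_t)-1 and means no login uid was set for the process, and key=(null), which means the matching rule carries no key. The function names and the shortened sample records are constructed for illustration.

```python
import re

# Constructed input: the payloads from the message above, SYSCALL record shortened.
SAMPLE = [
    (1300, 'audit(1151325777.277:54): arch=40000003 syscall=5 success=yes exit=3 '
           'ppid=2329 pid=2578 auid=4294967295 uid=0 tty=pts1 comm="cat" '
           'exe="/bin/cat" key=(null)'),
    (1307, 'audit(1151325777.277:54): cwd="/root"'),
    (1302, 'audit(1151325777.277:54): item=0 name="/tmp/test.c" inode=5358299 '
           'dev=03:02 mode=0100666 ouid=500 ogid=500'),
]

TYPE_NAMES = {1300: "SYSCALL", 1302: "PATH", 1307: "CWD"}  # from linux/audit.h
UNSET_ID = 0xFFFFFFFF  # (uid_t)-1: login uid was never set for this process
HEADER = re.compile(r'audit\((\d+\.\d+):(\d+)\):\s*')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(data):
    """Return (timestamp, serial, fields) for one dispatcher payload."""
    m = HEADER.match(data)
    if m is None:
        raise ValueError("missing audit(time:serial) header")
    fields = {k: v.strip('"') for k, v in FIELD.findall(data[m.end():])}
    return m.group(1), int(m.group(2)), fields

def group_events(records):
    """Group records that share a serial number into one event."""
    events = {}
    for rtype, data in records:
        _, serial, fields = parse_record(data)
        events.setdefault(serial, {})[TYPE_NAMES.get(rtype, str(rtype))] = fields
    return events

def summarize(event):
    """Normalize the sentinel values in an event's SYSCALL record."""
    sc = event["SYSCALL"]
    auid = int(sc["auid"])
    key = sc.get("key")
    return {
        "auid": None if auid == UNSET_ID else auid,       # None: no login uid
        "key": None if key in (None, "(null)") else key,  # None: rule has no key
        "exe": sc["exe"],
        "path": event.get("PATH", {}).get("name"),
        "cwd": event.get("CWD", {}).get("cwd"),
    }

if __name__ == "__main__":
    for serial, ev in group_events(SAMPLE).items():
        print(serial, summarize(ev))
```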

