[PATCH] audit tools: add filterkey support

Steve m6x at ornl.gov
Mon Jun 26 12:49:07 UTC 2006


> Here is the userspace patch I used to test the kernel filterkey patch.

I have applied the filterkey patch to audit 1.2.3-1 and am receiving 
some strange dispatch events.  Look at the auid below:

Jun 26 08:42:58 otslab11 user_actions[2559]: type=1300, payload size=283
Jun 26 08:42:58 otslab11 user_actions[2559]: 
data="audit(1151325777.277:54): arch=40000003 syscall=5 success=yes 
exit=3 a0=bfea0c58 a1=8000 a2=0 a3=8000 items=1 ppid=2329 pid=2578 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 
key=(null)"
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1307, payload size=38
Jun 26 08:42:58 otslab11 user_actions[2559]: 
data="audit(1151325777.277:54):  cwd="/root""
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1302, payload size=146
Jun 26 08:42:58 otslab11 user_actions[2559]: 
data="audit(1151325777.277:54): item=0 name="/tmp/test.c" inode=5358299 
dev=03:02 mode=0100666 ouid=500 ogid=500 rdev=00:00 
obj=user_u:object_r:tmp_t:s0"

I haven't determined how to assign a key to a rule yet (maybe that is 
part of the problem).

I am using the 2.6.17-1.2293.2.2_FC6.lspp.38.i686 kernel.

Steve



