Basic audit test fails

On Wednesday 22 March 2006 12:17, Steve Brueckner wrote:
> First, it appears I don't have file watch enabled in my kernel. Is file
> watch enabled in the FC5 kernel, or still only in RHEL?

Only RHEL. There was a conflict with inotify when it was sent upstream. That 
is being reworked and a new patch is nearly ready for upstream submission.

> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:

It should work if everything is set up.

> [root localhost ~]# auditctl -a exit,always -S open -F loginuid=600
> audit.log:
> type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
> audit rule

To use loginuid, you have to make sure that loginuid is actually getting set. 
(The above seems to indicate that it's not.) This is done by the pam_loginuid 
module. Also, look at its man page. You'll need that in login, sshd, or gdm 
pam config.

> type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux: unrecognized
> netlink message type=1009 for sclass=49
> type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
> success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="auditctl" exe="/sbin/auditctl"
> type=SOCKADDR msg=audit(1142975791.439:6635):
> saddr=100000000000000000000000 type=SOCKETCALL
> msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec a2=10 a3=0
> a4=bfb8fd08 a5=c

If you get this on the command prompt, you don't have a new enough kernel. You 
really want to be using 2.6.13 at a minimum.

> Should this experiment have produced any output to audit.log when the user
> wrote to a file? If not, why not?

Yes, you need to upgrade the kernel and I'd update to audit-1.0.14 if on FC4.
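The diagnosis above hinges on auid=4294967295 (unsigned -1) meaning the login UID was never set, so a `-F loginuid=600` rule can never match. The following is an added example, not part of the original thread, that parses audit.log records and reports which ones carry the unset sentinel; the log lines are constructed in the shape of the records quoted above.

```python
import re

# Kernel sentinel for "loginuid never set": unsigned -1 in a 32-bit field.
AUID_UNSET = 4294967295

# Constructed sample records (not real data), shaped like the ones quoted above.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an audit rule
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102 success=no exit=-22 a0=b auid=4294967295 uid=0 gid=0 comm="auditctl" exe="/sbin/auditctl"
type=SYSCALL msg=audit(1142975800.001:6640): arch=40000003 syscall=5 success=yes exit=3 auid=600 uid=600 gid=600 comm="vi" exe="/bin/vi"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict: type, time, serial, then key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(m.group(4)):
        rec[key] = val.strip('"')  # drop quotes around comm="..." / exe="..."
    return rec


def records_without_loginuid(log_text):
    """Serials of records whose auid is the unset sentinel: pam_loginuid is not
    in the PAM stack of whatever started that session."""
    unset = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("auid") == str(AUID_UNSET):
            unset.append(rec["serial"])
    return unset


def rule_can_match(log_text, loginuid):
    """True if some record carries auid == loginuid, i.e. a '-F loginuid=<n>'
    rule has a session it could fire for."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("auid") == str(loginuid):
            return True
    return False
```

Run `records_without_loginuid` over a real audit.log after adding pam_loginuid to the login/sshd/gdm PAM config; once sessions start with a real auid, the list should contain only records from daemons started at boot.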