Linux audit newbie question (Sorry probably a little boring...)

Adrian Powell awp at cray.com
Sun May 7 14:46:16 UTC 2006


Steve,

      Thanks for the information. If we were able to go for a 2.6.14 kernel at
some point in the future, would you be fairly confident that this syscall auditing
code would be maintained in the foreseeable future? It appears that many
of the earlier developers have now moved on to other things from what I can find.
Who is regarded as the definitive developer of this code these days?

Adrian.

----- Original Message ----- 
From: "Steve Grubb" <sgrubb at redhat.com>
To: <linux-audit at redhat.com>
Cc: "Adrian Powell" <awp at cray.com>
Sent: Monday, May 08, 2006 3:38 PM
Subject: Re: Linux audit newbie question (Sorry probably a little boring...)


> On Sunday 07 May 2006 10:11, Adrian Powell wrote:
>>       I have a Linux system running  a 2.6.5 kernel, which cannot be
>> upgraded to a later release for the time being.
>
> Hi,
>
> I think the native linux audit system landed in the 2.6.6 kernel. I think
> 2.6.14 was the kernel where we finally had things working pretty good for
> syscall auditing.
>
>> I do have the source available, and can patch it if necessary. I wish to run
>> some kind of system call level auditing/logging for security purposes.
>
> I think you will likely have to do quite a bit of work. You can copy
> kernel/audit.c and kernel/auditsc.c to your old kernel as well as
> include/linux/audit.h. The problem is going to be adding all the hook
> functions to the right place.
>
>> I have the LaUS package installed with the PAM modules, but this does not
>> implement the system call level logging that I require, without a patch.
>
> LaUS is a different and incompatible audit system. The userspace piece that
> you would want is the audit-1.0.14 package. There is a lot of patching of
> trusted apps, though.
>
>> The trouble is that the only patches that I can find are not compatible with
>> this particular kernel.
>
> Same with porting the native linux audit system. You would have to do quite a
> bit of sleuthing around to place all the hooks in the right place. The
> native audit system also depends quite a bit on netlink, which has been
> changed a few times during the 2.6 lifetime. So, you may run into problems with
> that, too.
>
>> What are my options here?
>
> I think your options include a fair amount of porting of something. It's
> either step up to a newer kernel or do backporting.
>
> -Steve
> 

