Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>

Steve Grubb sgrubb at redhat.com
Wed Mar 21 21:36:16 UTC 2012


On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
> This is against the 2.2 release.

Thanks. I will apply this with probably a small change or two.

> I wasn't able to get HEAD to compile (issues with mounttab.h that I didn't want
> to run down because this is such a small patch).

For anyone not on Fedora, I would appreciate it if you test what's in svn even if 
it's just a quick build check. I am planning to release a new audit package soon. 
The changelog may look small, but there are thousands of lines of code added or 
modified. It's better to fix the headers before the release than after.

The next audit release has a new feature that I hope everyone will appreciate. 
Ausearch and libauparse now have the ability to interpret the arguments being 
passed to certain syscalls. I did this for a little over 40 syscalls:

 *chmod  
 *chown   
 clock_settime  
 clone  
 creat  
 epoll_ctl  
 getrlimit   
 setrlimit
 fchmod  
 fchmodat  
 fcntl  
 ipc  
 kill  
 mkdir  
 mkdirat  
 mknod  
 mmap  
 mount  
 mprotect  
 open  
 openat  
 personality  
 ptrace  
 recv  
 recvfrom  
 recvmmsg  
 recvmsg  
 rt_sigaction  
 setfsgid  
 setfsuid  
 setgid  
 setregid  
 setresgid  
 setresuid  
 setreuid  
 setuid  
 socket  
 socketcall  
 tgkill  
 tkill  

So, now you get output like this:

type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap 
success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC 
a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root 
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) 
ses=unset comm=vbetool exe=/usr/sbin/vbetool 
subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null) 

type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount 
success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE 
items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root 
fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount 
exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export 

type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat 
success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=O_RDONLY|O_NOCTTY|
O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832 auid=sgrubb uid=sgrubb 
gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb 
fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find 
subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access

The idea is to reduce the need to go digging through header files to see what 
arguments were being passed to some common and/or security related syscalls. In 
the case where a uid/gid was being passed to the syscall, it's now interpreted 
to the account name/group name.

-Steve

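To make concrete what the argument interpretation above does, here is an added example (not code from the audit project or from Steve's message) that turns the raw hex a0..a3 values in SYSCALL records into the symbolic form shown in the post. It embeds only x86_64 flag tables for mmap, open/openat, mount and the setuid family; the flag values are the Linux x86_64 constants, and the account-name lookup uses a small constructed uid map rather than the system's passwd database. The sample records are constructed, modelled on ausearch -i output from before the arguments were interpreted. Bits not in the tables are kept as a hex remainder instead of being dropped, which is what you want when a newer kernel adds a flag the tables do not know.

```python
import re

# Flag tables for arch=x86_64 only (Linux uapi values). Other architectures
# use different encodings for some of these bits (several O_* flags on arm,
# mips, sparc differ), so a real interpreter must key its tables off the
# record's arch field rather than assume one layout.
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
             0x20: "MAP_ANONYMOUS"}
OPEN_ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x100: "O_NOCTTY",
              0x200: "O_TRUNC", 0x400: "O_APPEND", 0x800: "O_NONBLOCK",
              0x10000: "O_DIRECTORY", 0x20000: "O_NOFOLLOW",
              0x80000: "O_CLOEXEC"}
MOUNT_FLAGS = {0x1: "MS_RDONLY", 0x2: "MS_NOSUID", 0x4: "MS_NODEV",
               0x8: "MS_NOEXEC", 0x20: "MS_REMOUNT", 0x1000: "MS_BIND",
               0x2000: "MS_MOVE", 0x4000: "MS_REC", 0x40000: "MS_PRIVATE",
               0x80000: "MS_SLAVE", 0x100000: "MS_SHARED"}

# Constructed stand-in for the passwd database (hypothetical uids).
PASSWD = {0: "root", 1000: "sgrubb"}


def decode_bits(value, table, zero="0x0"):
    """OR-together the names of set bits; unknown bits survive as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else zero


def decode_open_flags(value):
    """O_RDONLY is 0, so the access mode (low two bits) is not a bit flag."""
    acc = OPEN_ACCMODE.get(value & 0x3, hex(value & 0x3))
    rest = decode_bits(value & ~0x3, OPEN_FLAGS, zero="")
    return acc + ("|" + rest if rest else "")


def decode_uid(value):
    return PASSWD.get(value, str(value))


# Which argument of which syscall gets which decoder.
INTERP = {
    "mmap": {"a2": lambda v: decode_bits(v, PROT_FLAGS, "PROT_NONE"),
             "a3": lambda v: decode_bits(v, MAP_FLAGS)},
    "open": {"a1": decode_open_flags},
    "openat": {"a2": decode_open_flags},
    "mount": {"a3": lambda v: decode_bits(v, MOUNT_FLAGS)},
    "setuid": {"a0": decode_uid},
    "setresuid": {"a0": decode_uid, "a1": decode_uid, "a2": decode_uid},
}

FIELD = re.compile(r"(\w+)=(\S+)")


def interpret_record(line):
    """Rewrite a0..a3 of one SYSCALL record; other records pass through."""
    fields = dict(FIELD.findall(line))
    if fields.get("type") != "SYSCALL" or fields.get("arch") != "x86_64":
        return line  # only x86_64 tables are embedded here
    out = line
    for arg, decoder in INTERP.get(fields.get("syscall"), {}).items():
        raw = fields.get(arg)
        if raw is not None:
            out = out.replace(f"{arg}={raw}", f"{arg}={decoder(int(raw, 16))}", 1)
    return out


# Constructed records, shaped like ausearch -i output with raw hex arguments.
SAMPLE = [
    "type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap "
    "success=yes exit=61440 a0=0xf000 a1=0x502 a2=0x7 a3=0x11 items=0 pid=618 comm=vbetool",
    "type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount "
    "success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=0x44000 items=1 comm=fusermount",
    "type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat "
    "success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=0x10900 a3=0x0 comm=find",
    "type=SYSCALL msg=audit(05/05/2011 19:02:00.000:206) : arch=x86_64 syscall=setuid "
    "success=yes exit=0 a0=0x3e8 a1=0x0 a2=0x0 a3=0x0 comm=su",
]


def interpret_all(records=SAMPLE):
    return [interpret_record(r) for r in records]


if __name__ == "__main__":
    for rec in interpret_all():
        print(rec)
```

Running it prints the same a2/a3 forms as the records in the message (PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_FIXED, MS_REC|MS_PRIVATE, O_RDONLY|O_NOCTTY|O_NONBLOCK|O_DIRECTORY), plus a0=sgrubb for the setuid record. The access-mode special case in decode_open_flags is the one most naive decoders get wrong: treating O_RDONLY as a bit makes it vanish from every open.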