audit 0.9.13 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Remove /lib/libaudit.so & .la from audit-libs package
- In auditctl, if syscall not given, default to all
This release sets the syscalls to "all" when none is specified so that rules
for the watch and user list have a chance to work.
Please let me know if there are any problems.
-Steve
audit.70 kernel
by David Woodhouse
* Fri Jun 24 2005 David Woodhouse <dwmw2@redhat.com> audit.70
- Potential fix for auditfs_attach_wdata() oops
* Fri Jun 24 2005 David Woodhouse <dwmw2@redhat.com> audit.69
- Clean up user filtering method
- Add S390 again
--
dwmw2
audit.66 kernel
by David Woodhouse
Nothing particularly exciting here -- mostly just a few patches cleaned
up for sending them upstream. There's a whole bunch of userspace stuff
in the yum repository too.
* Wed Jun 22 2005 David Woodhouse <dwmw2@redhat.com> audit.66
- Revamp backlog wait patch for upstream -- add gfp_mask
- Allow USER_AVC messages when audit_enabled == 0
- Clean up threaded listing of rules and watches
--
dwmw2
audit 0.9.12 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Add some syslog messages for a couple exits
- Add some unlinks of the pid file in a couple error exits
- Make some options of auditctl not expect a reply
- Update support for user and watch filter lists
This is another bug fix update. Notable in this release is a change to a
couple options that were trying to get a netlink response when clearly they
shouldn't. Some examples were -v & -D. This version also corrects user &
watch list filtering.
Please let me know if there are any problems.
-Steve
audit.68 kernel
by David Woodhouse
* Fri Jun 24 2005 David Woodhouse <dwmw2@redhat.com> audit.68
- Fix user filtering to not always return true
--
dwmw2
audit.67 kernel
by David Woodhouse
* Wed Jun 22 2005 David Woodhouse <dwmw2@redhat.com> audit.67
- Clean up patches in -mm tree
- Really exempt auditd from being audited. Really. Honest.
- Drop S390 to work round their absence from the build system today.
--
dwmw2
filtering by auid
by Debora Velarde
I just updated my system to kernel.64 and audit 0.9.10.
I am still not able to filter user messages by auid.
Is this still a ToDo? Or should this be working now and something is wrong
in my setup?
Thanks,
debbie
audit messages when there's no audit daemon
by Steve Grubb
Hi,
I spent my weekend researching this:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160929
I think I have a solution for the original "I can't log in" problem. There is
a new one, though. It seems that the user space audit messages go to the
screen after login when they don't have an audit daemon running. This leads
to 4 pam state messages immediately on login, messages when you run a trusted
app like passwd, or whenever hwclock runs. This is not desirable.
Looking at the source code in audit.c, kauditd_thread:
printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));
Do we need the priority level to be that high or should it be either:
1) user adjustable: all messages types same priority
2) only AVC, USER_AVC, & SE_LINUX_ERR get that level - everything else is
LOG_INFO so that syslog can optionally discard the messages
3) both meaning there are 3 knobs: SE Linux has user adjustable priority, file
system and syscall has a user adjustable priority, and everything else has
another.
I think we've overlooked this minor usability issue. It really is ugly when
there's no audit daemon.
-Steve
auditctl behavior
by Amy Griffis
Hi all,
I just grabbed the latest audit bits today, and noticed that when you
load rules from a file, auditctl outputs an ambiguous message:
# auditctl -R /tmp/rules.txt
No rules
No watches
AUDIT_STATUS: enabled=1 flag=1 pid=2908 rate_limit=0 backlog_limit=256 lost=0 backlog=1
This message should be suppressed, as it implies that the rules have
not been added, when in fact they have.
I'm also seeing an error when deleting rules, although the command is
successful:
# auditctl -D
Error receiving list (Success)
No rules
No watches
Thanks,
Amy
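The AUDIT_STATUS line quoted above is the kernel's status reply, and it is the one piece of that output an operator actually wants to act on (is auditing enabled, is a daemon registered, have records been lost). The following is an added example, not code from the post or from the audit package: a small parser for that status line, tolerant of the line wrapping seen in the mail, plus a checker that turns the fields into findings. The function names, the second constructed sample, and the 80% backlog warning threshold are assumptions of this example; the field meanings (enabled, failure flag, registered daemon pid, rate and backlog limits, lost count, current backlog) follow the kernel's audit status record.

```python
"""Parse auditctl's AUDIT_STATUS line and report health findings.

Added example for the linux-audit list post above; not part of the audit
package. Function names and thresholds are this example's own choices.
"""
import re
from typing import Dict, List

# Constructed sample: the output quoted in the post, as it arrived wrapped.
SAMPLE_OUTPUT = """No rules
No watches
AUDIT_STATUS: enabled=1 flag=1 pid=2908 rate_limit=0 backlog_limit=256
lost=0 backlog=1
"""

# Constructed sample of an unhealthy system (hypothetical values): auditing
# off, no daemon registered, records lost, backlog close to its limit.
DEGRADED_OUTPUT = """No rules
No watches
AUDIT_STATUS: enabled=0 flag=1 pid=0 rate_limit=0 backlog_limit=256
lost=7 backlog=250
"""

_MARKER = "AUDIT_STATUS:"
_KV = re.compile(r"(\w+)=(\d+)")
# Fields present in the status reply of this era of the audit kernel code.
_REQUIRED = ("enabled", "flag", "pid", "rate_limit",
             "backlog_limit", "lost", "backlog")


def parse_audit_status(text: str) -> Dict[str, int]:
    """Return the key=value fields after 'AUDIT_STATUS:' as integers.

    Everything after the marker is scanned, so a status line that a mail
    client wrapped onto two lines still parses.
    """
    idx = text.find(_MARKER)
    if idx < 0:
        raise ValueError("no AUDIT_STATUS line in auditctl output")
    tail = text[idx + len(_MARKER):]
    fields = {key: int(val) for key, val in _KV.findall(tail)}
    missing = [k for k in _REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"AUDIT_STATUS missing fields: {missing}")
    return fields


def status_findings(fields: Dict[str, int],
                    backlog_warn_fraction: float = 0.8) -> List[str]:
    """Turn parsed status fields into human-readable findings.

    An empty list means nothing looked wrong. The warning fraction for the
    backlog is an assumption of this example, not an audit default.
    """
    findings: List[str] = []
    if fields["enabled"] == 0:
        findings.append("auditing is disabled (enabled=0)")
    if fields["pid"] == 0:
        # With no daemon registered the kernel has nowhere to send records
        # except printk, the situation discussed elsewhere on this list.
        findings.append("no audit daemon registered (pid=0)")
    if fields["lost"] > 0:
        findings.append(f"{fields['lost']} audit record(s) lost")
    limit = fields["backlog_limit"]
    if limit and fields["backlog"] >= backlog_warn_fraction * limit:
        findings.append(
            f"backlog {fields['backlog']} is at or above "
            f"{int(backlog_warn_fraction * 100)}% of backlog_limit={limit}")
    return findings


if __name__ == "__main__":
    for name, out in (("sample", SAMPLE_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        f = parse_audit_status(out)
        print(name, f, status_findings(f) or ["ok"])
```

Running it on the quoted output yields no findings (enabled=1, a daemon pid, lost=0, backlog far below the limit); the constructed degraded sample produces four. Because `status_findings` keys only on the status fields, the "No rules" / "No watches" lines that prompted the post are simply ignored rather than misread as an error.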
audit 0.9.11 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Change packet draining to nonblocking
- Interpret id field in ausearch
- Add error message if not able to create log
- Ignore netlink acks when asking for rule & watch list
This is another bug fix release. The intent is to make the audit package
version 1.0 during the weekend. Please give this testing so that we don't
need a 1.0.1 on Tuesday. :)
Thanks,
-Steve