audit rules file and Defense Security Service
by Kirkwood, David A
Does anyone have an audit rules file and/or ausearch script that has
satisfied a DSS IS Professional for accreditation? I need to get a system
accredited ASAP, and if somebody has already gone through the hoops, I
would appreciate some help.
I know many sites use snare for logging, but I have been told that this
is no longer acceptable for new systems, as it doesn't provide the proper
granularity. I'm using RHEL4, audit 1.0.14.
All help is appreciated.
David A. Kirkwood
18 years
[2.6 patch] kernel/audit.c: remove unused exports
by Adrian Bunk
This patch removes the following unused EXPORT_SYMBOL's:
- audit_log_start
- audit_log_end
- audit_log_format
- audit_log
Signed-off-by: Adrian Bunk <bunk(a)stusta.de>
---
This patch was already sent on:
- 20 Apr 2006
--- linux-2.6.17-rc1-mm3-full/kernel/audit.c.old 2006-04-20 22:38:17.000000000 +0200
+++ linux-2.6.17-rc1-mm3-full/kernel/audit.c 2006-04-20 22:40:03.000000000 +0200
@@ -1092,7 +1092,3 @@
}
}
-EXPORT_SYMBOL(audit_log_start);
-EXPORT_SYMBOL(audit_log_end);
-EXPORT_SYMBOL(audit_log_format);
-EXPORT_SYMBOL(audit_log);
18 years
audit 1.3.1 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Fix a couple parsing problems (#217952)
- Add tgkill to S390* syscall tables (#218484)
- Fix error messages in ausearch/aureport command options
Please let me know if there are any problems with this release.
-Steve
18 years
[PATCH 1/1] disable ipsec auditing in lspp 56 kernel
by Joy Latten
Eric,
Here is a patch built against the lspp56 kernel to include
the ability to disable auditing in ipsec.
It is equivalent to the one I sent out for 2.6.19-rc6 kernel.
Sorry for the confusion. I hope this helps.
Regards,
Joy
diff -urpN linux-2.6.18.ppc64.orig/include/net/xfrm.h linux-2.6.18.ppc64.est/include/net/xfrm.h
--- linux-2.6.18.ppc64.orig/include/net/xfrm.h 2006-12-01 17:24:29.000000000 -0600
+++ linux-2.6.18.ppc64.est/include/net/xfrm.h 2006-12-01 17:40:25.000000000 -0600
@@ -379,8 +379,12 @@ struct xfrm_audit
uid_t loginuid;
u32 secid;
};
+#ifdef CONFIG_AUDITSYSCALL
void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
struct xfrm_policy *xp, struct xfrm_state *x);
+#else
+#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
{
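Review bot: The `#else` stub added here is a function-like macro, `#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)`, so with CONFIG_AUDITSYSCALL off the arguments are neither type-checked nor evaluated. Callers that compute a value only for the audit call may then get unused-variable warnings. An empty `static inline void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, struct xfrm_policy *xp, struct xfrm_state *x) { }` would keep every call site checked in both configurations. I would also add a comment above the `#ifdef`, for example `/* Without CONFIG_AUDITSYSCALL, SA and policy add/delete events produce no audit record. */`, so that losing these records is a visible configuration decision. The same stub appears in the include/net/xfrm.h hunk of the later "fix several things in ipsec audit" patch.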
diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c linux-2.6.18.ppc64.est/net/xfrm/xfrm_policy.c
--- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c 2006-12-01 17:25:22.000000000 -0600
+++ linux-2.6.18.ppc64.est/net/xfrm/xfrm_policy.c 2006-12-01 17:40:03.000000000 -0600
@@ -1370,6 +1370,7 @@ int xfrm_bundle_ok(struct xfrm_policy *p
EXPORT_SYMBOL(xfrm_bundle_ok);
+#ifdef CONFIG_AUDITSYSCALL
/* Audit addition and deletion of SAs and ipsec policy */
void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
@@ -1479,6 +1480,7 @@ void xfrm_audit_log(uid_t auid, u32 sid,
}
EXPORT_SYMBOL(xfrm_audit_log);
+#endif /* CONFIG_AUDITSYSCALL */
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
{
18 years
[PATCH 1/1] fix several things in ipsec audit
by Joy Latten
Steve, if this looks ok to you I will send to netdev.
I compiled and tested with and without CONFIG_AUDITSYSCALL.
-------------------------------------------------------------
This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL
is disabled in the kernel.
This patch also includes a fix in xfrm_state.c for a bug introduced by the
original ipsec audit patch.
Regards,
Joy
diff -urpN linux-2.6.18-patch/include/net/xfrm.h linux-2.6.18-patch.2/include/net/xfrm.h
--- linux-2.6.18-patch/include/net/xfrm.h 2006-11-27 12:29:11.000000000 -0600
+++ linux-2.6.18-patch.2/include/net/xfrm.h 2006-11-28 13:26:49.000000000 -0600
@@ -395,8 +395,13 @@ struct xfrm_audit
uid_t loginuid;
u32 secid;
};
-void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
+
+#ifdef CONFIG_AUDITSYSCALL
+extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
struct xfrm_policy *xp, struct xfrm_state *x);
+#else
+#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
{
diff -urpN linux-2.6.18-patch/net/xfrm/xfrm_policy.c linux-2.6.18-patch.2/net/xfrm/xfrm_policy.c
--- linux-2.6.18-patch/net/xfrm/xfrm_policy.c 2006-11-27 12:29:33.000000000 -0600
+++ linux-2.6.18-patch.2/net/xfrm/xfrm_policy.c 2006-11-28 14:51:09.000000000 -0600
@@ -1955,6 +1955,7 @@ int xfrm_bundle_ok(struct xfrm_policy *p
EXPORT_SYMBOL(xfrm_bundle_ok);
+#ifdef CONFIG_AUDITSYSCALL
/* Audit addition and deletion of SAs and ipsec policy */
void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
@@ -2063,6 +2064,7 @@ void xfrm_audit_log(uid_t auid, u32 sid,
}
EXPORT_SYMBOL(xfrm_audit_log);
+#endif /* CONFIG_AUDITSYSCALL */
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
{
diff -urpN linux-2.6.18-patch/net/xfrm/xfrm_state.c linux-2.6.18-patch.2/net/xfrm/xfrm_state.c
--- linux-2.6.18-patch/net/xfrm/xfrm_state.c 2006-11-27 12:29:33.000000000 -0600
+++ linux-2.6.18-patch.2/net/xfrm/xfrm_state.c 2006-11-28 12:58:56.000000000 -0600
@@ -407,7 +407,6 @@ restart:
xfrm_state_hold(x);
spin_unlock_bh(&xfrm_state_lock);
- xfrm_state_delete(x);
err = xfrm_state_delete(x);
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
18 years