Resolving syscall numbers
by Steve
This may not be appropriate for this list, if it isn't I apologize and
you may ignore it.
Is there a quick way to resolve the syscall number that auditd returns
within a message to a syscall name? (i.e. 5->open)?
I am programming in C, if that helps.
Thanks,
Steve
18 years, 6 months
Possibly wrong audit messages
by Glauber de Oliveira Costa
Hi,
I'm on an FC5 box, and tried to shoot a setsebool command as
secadm_r:SystemHigh (mls policy).
Instead of an audit message identifying the set operation, I'm getting 81 AVC
messages (81 is the number of booleans present in /selinux/booleans/)
indicating a success. Such a large number of messages makes the correct
information hard to find, IMHO. This does not seem to be the right behaviour
to me.
A typical message looks like this:
type=AVC msg=audit(1149411239.670:6462): avc: granted { setbool }
for pid=3460 comm="setsebool" scontext=root:secadm_r:secadm_t:s15:c0.c255
tcontext=system_u:object_r:security_t:s15:c0.c255 tclass=security
If this is really the expected behaviour, sorry for the bogus report.
--
"Free as in Freedom"
Glauber de Oliveira Costa
18 years, 6 months
[PATCH git] fix warning in kernel/auditsc.c
by Amy Griffis
kernel/auditsc.c: In function `audit_log_exit':
kernel/auditsc.c:763: warning: long int format, size_t arg (arg 4)
This fix applies to lspp.b18 commit
ba54d013e0c8ef00868e6d7f95cbf3b53c6db2e0
"Audit of POSIX Message Queue Syscalls v.2".
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
28050ade86939aff80c1b674f7e2f67724f5c472
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4858bdd..8503401 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -757,7 +757,7 @@ static void audit_log_exit(struct audit_
case AUDIT_MQ_SENDRECV: {
struct audit_aux_data_mq_sendrecv *axi = (void *)aux;
audit_log_format(ab,
- "mqdes=%d msg_len=%ld msg_prio=%u "
+ "mqdes=%d msg_len=%zd msg_prio=%u "
"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
axi->mqdes, axi->msg_len, axi->msg_prio,
axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec);
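Review bot: `%zd` in the `+` line silences the "long int format, size_t arg" warning but formats `msg_len` as a signed value; since the warning itself says the argument is a `size_t`, the precise specifier is `%zu` ("mqdes=%d msg_len=%zu msg_prio=%u "). Not a correctness problem for realistic message lengths, but worth making the format match the type.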
--
1.3.0
18 years, 6 months
[PATCH git] fix warning for !CONFIG_AUDITSYSCALL
by Amy Griffis
kernel/audit.c: In function `audit_init':
kernel/audit.c:693: warning: unused variable `i'
This fix applies to lspp.b18 commit
74457481a11b6283cecdfbaa6ec644e2edc1c8ef
"updated filesystem auditing patches..."
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/audit.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
237e71cf9daa9b8f7651550a3da6bf7fb6eb8c0e
diff --git a/kernel/audit.c b/kernel/audit.c
index c12e2ae..0fbf1c1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -690,7 +690,9 @@ #endif
/* Initialize audit support at boot time. */
static int __init audit_init(void)
{
+#ifdef CONFIG_AUDITSYSCALL
int i;
+#endif
printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
audit_default ? "enabled" : "disabled");
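Review bot: the hunk shows only the declaration of `i` being wrapped in `#ifdef CONFIG_AUDITSYSCALL`; the uses of `i` later in `audit_init` are outside the visible context, so please confirm every one of them sits under the same conditional, otherwise a !CONFIG_AUDITSYSCALL build turns an unused-variable warning into an undeclared-identifier error. An alternative that avoids the extra `#ifdef` pair is to declare `i` inside the conditional block where it is actually used.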
--
1.3.0
18 years, 6 months
[PATCH git] fix build for !CONFIG_AUDITSYSCALL
by Amy Griffis
kernel/built-in.o: In function `audit_update_watch':
include/asm/current.h:9: undefined reference to `audit_filter_inodes'
include/asm/current.h:9: undefined reference to `audit_set_auditable'
This fix applies to lspp.b18 commit
54e10ac15f9176a2d86c9068fccbdb400b0b58df
"fix missing records when watched files removed".
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/audit.h | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
4182d90fde19384226e4798efcad4b3a92dce03d
diff --git a/kernel/audit.h b/kernel/audit.h
index f337845..58fa44c 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -126,9 +126,6 @@ extern void audit_free_parent(struct ino
extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
const char *, struct inode *);
extern int selinux_audit_rule_update(void);
-extern enum audit_state audit_filter_inodes(struct task_struct *,
- struct audit_context *);
-extern void audit_set_auditable(struct audit_context *);
#ifdef CONFIG_AUDITSYSCALL
extern void __audit_signal_info(int sig, struct task_struct *t);
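Review bot: with the prototypes for `audit_filter_inodes` and `audit_set_auditable` removed from this unconditional part of the header, the file has no declaration of either symbol until the following hunk re-adds them under `#ifdef CONFIG_AUDITSYSCALL`; the two hunks only make sense together, so they should stay in one commit rather than be split on rebase.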
@@ -137,6 +134,11 @@ static inline void audit_signal_info(int
if (unlikely(audit_pid && t->tgid == audit_pid))
__audit_signal_info(sig, t);
}
+extern enum audit_state audit_filter_inodes(struct task_struct *,
+ struct audit_context *);
+extern void audit_set_auditable(struct audit_context *);
#else
#define audit_signal_info(s,t)
+#define audit_filter_inodes(t,c) AUDIT_DISABLED
+#define audit_set_auditable(c)
#endif
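Review bot: the `#else` stubs `#define audit_filter_inodes(t,c) AUDIT_DISABLED` and `#define audit_set_auditable(c)` discard their arguments, so in a !CONFIG_AUDITSYSCALL build a caller whose only use of a variable is one of these calls will get an unused-variable warning (the same class of warning the "fix warning for !CONFIG_AUDITSYSCALL" patch addresses), and the arguments are not type-checked against the real prototypes. Static inline stubs with the same signatures as the `extern` declarations above (returning `AUDIT_DISABLED` and doing nothing, respectively) keep the callers identical and avoid both issues; that said, the macro form does match the existing `#define audit_signal_info(s,t)` convention in this block.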
--
1.3.0
18 years, 6 months
audit-current git
by Robert Giles
Howdy folks - this isn't really an audit related question, but where do
all the [PATCH git] fixes end up after being posted to the list?
I'm looking at http://www.kernel.org/git/, and the last change to the
"audit-current" git tree was four weeks ago (but there have been quite a
few [PATCH git] postings to the list since then).
Also - the "audit-current" that's up there now (based on 2.6.17-rc3) works
great on SuSE 10.1 + audit-1.2.2 with filesystem watches (THANKS!!!).
-----------------------------------------------------------
Robert Giles Group System Administrator
SPD/ARL:UT (512) 835-3077 · Fax (512) 490-4244
18 years, 6 months
Monitoring events
by Steve
I have the program adding rules to Audit now. Thank you for your help.
I also have my program monitoring the output from auditd (via the
dispatch option in auditd.conf).
Ideally, I would like to only capture (or parse) events pertaining to
rules I have created (since other system processes are using auditd as
well). Is there's any kind of identifier that ties events to rules?
Thank you again,
Steve
18 years, 6 months
watching files/directories with audit that contain Turkish characters in the file/directory name
by Evren Kalayciklioglu
I want to monitor some specific files with audit. These
files' names mostly include Turkish characters. When
I tried the program with files whose names include Turkish characters,
the log for these files is unreadable. I could change all
these files' names, but my boss does not accept this.
He wants to watch them with Turkish characters, and
according to him the output file should be correct and readable
for Turkish.
So, I am thinking of changing the source if there are
definite character codes. What I want to do is
change the valid character code to Unicode UTF-8 or
add Unicode UTF-8.
Is it possible or not? If it is possible, which file
in the source code is relevant to what I want to do?
Thanks a lot.
Evren Kalayciklioglu
18 years, 6 months
Adding rules
by Steve
I am attempting to create a C program that can add rules to the audit
sub-system and monitor the resulting events. I have read through the
code in libaudit.h, audit.h, audit.c, and auditsc.c as well as several
man pages pertaining to audit and extended searching of the web.
I am trying to add a rule using audit_add_rule() so audit will "watch" a
file. The first problem is that there doesn't seem to be an appropriate
field under the "Rule Fields" section of audit.h. The second is that
the value must be an integer...
I have succeeded in adding the rule from the command-line using auditctl.
I would appreciate any help you can offer,
Steve
I am using: audit-1.2.3-1 and glibc-kernheaders-3.0-37
18 years, 6 months
cups userspace -- trusted programs?
by Michael C Thompson
Hey all,
I'm wondering if the intent of the cups userspace tools is to be
trusted programs? Specifically I'm curious about cupsaccept, cupsreject,
cupsenable and cupsdisable. The reason I ask is because if they are
supposed to be trusted programs, they don't generate unique audit
messages like other programs.
Personally, I think these tools should generate messages since they are
a source for leaking information, and therefore should be restricted to
administrators.
Thanks,
Mike
18 years, 6 months