log messages
by Bill Tangren
When I restart my auditd daemon, I get a number of messages in
/var/log/messages that look like this:
Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500
removed an audit rule
What does this mean? Does it mean that some of my rules in
/etc/audit.rules are improper, and the server is removing them?
TIA,
Bill Tangren
17 years, 2 months
(no subject)
by Bill Tangren
I am running audit-1.0.15-3.EL4 on a RHEL ES 4 system, fully patched. I am
trying to learn the meaning of the output of aureport. For example, if I
want to look at failed events, could you tell me what the following means?
That is, how do I know from this what is failing, and why?
[root@doggett ~]# /sbin/aureport -e --failed -ts yesterday 00:00:00 -te today 00:00:00
Event Report
===========================
# date time event type auid
===========================
1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1
TIA,
Bill Tangren
17 years, 2 months
learning aureport
by Bill Tangren
I am running audit-1.0.15-3.EL4 on a RHEL ES 4 system, fully patched. I am
trying to learn the meaning of the output of aureport. For example, if I
want to look at failed events, could you tell me what the following means?
That is, how do I know from this what is failing, and why?
[root@doggett ~]# /sbin/aureport -e --failed -ts yesterday 00:00:00 -te today 00:00:00
Event Report
===========================
# date time event type auid
===========================
1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1
TIA,
Bill Tangren
***sorry for the blank subject***
17 years, 2 months
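The two questions above (what the `audit(<seconds>.<ms>:<serial>): auid=... removed an audit rule` kernel messages mean, and how to get from an `aureport -e --failed` row back to the event that failed) both come down to reading the audit record header. The following is an added example, not code from the list posts or from the audit package: it parses the `audit(seconds.milliseconds:serial)` header and the `key=value` body, formats the timestamp the way the aureport table shows it, counts rule additions/removals per `auid`, and lists failed syscalls in the same columns as the report. The sample lines are constructed for the example (the first two mimic the kernel printk format quoted in the first post, the third the `type=... msg=audit(...)` format of `/var/log/audit/audit.log`); the `auid=4294967295` value is how the kernel prints an unset loginuid, which aureport shows as `-1`.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not taken from the list posts). The first two
# follow the kernel printk format quoted in the first post; the third follows
# the /var/log/audit/audit.log record format, which prefixes a type= field.
SAMPLE_LINES = [
    "Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500 removed an audit rule",
    "Nov 2 10:27:25 charon kernel: audit(1194013645.801:6809): auid=500 added an audit rule",
    "type=SYSCALL msg=audit(1193875200.000:5844794): arch=40000003 syscall=5 success=no exit=-13 auid=4294967295",
]

# Header: audit(<seconds since epoch>.<milliseconds>:<serial>): <body>
AUDIT_RE = re.compile(r"audit\((?P<secs>\d+)\.(?P<msecs>\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$")
TYPE_RE = re.compile(r"^type=(?P<type>\w+)\b")

UNSET_AUID = 4294967295  # (u32)-1: no loginuid was ever set on the task


def parse_audit_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("body")))
    t = TYPE_RE.match(line)
    auid = int(fields["auid"]) if "auid" in fields else None
    if auid == UNSET_AUID:
        auid = -1  # aureport prints the unset loginuid as -1
    return {
        "time": datetime.fromtimestamp(int(m.group("secs")), tz=timezone.utc),
        "msecs": int(m.group("msecs")),
        "serial": int(m.group("serial")),
        "type": t.group("type") if t else None,
        "auid": auid,
        "fields": fields,
        "body": m.group("body"),
    }


def aureport_time(ts):
    """Format a timestamp the way the aureport table in the post shows it."""
    return ts.strftime("%m/%d/%Y %I:%M:%S %p")


def rule_changes_by_auid(lines):
    """Count 'removed an audit rule' / 'added an audit rule' messages per auid.

    A burst of removals followed by additions from one auid around a daemon
    restart is the rule set being flushed and reloaded, not rules being rejected."""
    counts = {}
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None:
            continue
        for verb in ("removed", "added"):
            if rec["body"].endswith(f"{verb} an audit rule"):
                counts.setdefault(rec["auid"], {"removed": 0, "added": 0})[verb] += 1
    return counts


def failed_events(lines):
    """Rows in the shape of `aureport -e --failed`: (date/time, serial, type, auid).

    The serial (the "event" column) is what `ausearch -a <serial>` takes to
    print the full record, including syscall and exit code, for that event."""
    rows = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec and rec["fields"].get("success") == "no":
            rows.append((aureport_time(rec["time"]), rec["serial"], rec["type"], rec["auid"]))
    return rows


if __name__ == "__main__":
    print(rule_changes_by_auid(SAMPLE_LINES))
    for row in failed_events(SAMPLE_LINES):
        print("%s %d %s %d" % row)
```

Timestamps are rendered in UTC here so the output does not depend on the machine's timezone; aureport itself prints local time, which is why the constructed Nov 1 record shows as `12:00:00 AM` only because its epoch value is midnight UTC.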
[PATCH] audit: clear thread flag for new children
by Tony Jones
From: Tony Jones <tonyj(a)suse.de>
Minor performance enhancement.
Thread flag TIF_SYSCALL_AUDIT is not cleared for new children when audit
context creation has been disabled (auditctl -e0). This can cause new children
forked from a parent created when audit was enabled to not take the fastest
syscall path thru entry.S
Signed-off-by: Tony Jones <tonyj(a)suse.de>
---
kernel/auditsc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -814,8 +814,10 @@ int audit_alloc(struct task_struct *tsk)
struct audit_context *context;
enum audit_state state;
- if (likely(!audit_enabled))
+ if (likely(!audit_enabled)) {
+ clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
return 0; /* Return if not auditing. */
+ }
state = audit_filter_task(tsk);
if (likely(state == AUDIT_DISABLED))
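Review bot: the trailing comment on the unchanged `return 0; /* Return if not auditing. */` line no longer describes the whole early-exit block now that it also clears TIF_SYSCALL_AUDIT; move or extend it, for example `/* Audit is off: drop the flag the child inherited and return. */`, so a reader of the block sees why the flag is cleared here. The changelog should also say that audit_alloc() runs for every new task at fork and that the flag is otherwise inherited from the parent, since that inheritance is the whole reason the clear is needed and the hunk alone does not show it.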
17 years, 2 months