event loss with dispatcher?
by Klaus Heinrich Kiwi
Hi,
I'm trying to debug a potential problem with the dispatcher mechanism
in version 1.6.2. Long story short, I saw that some records were being
missed in the remote system (using the audisp-racf plugin), couldn't
find anything wrong with the code, so I enabled the syslog plugin,
trying to match the syslog with the audit log output - at least in
my system, they are not matching.
In cases where there is more than one record per event (e.g. SYSCALL,
CWD, PATH), the majority of times only the SYSCALL record is sent to the
syslog. In rare cases I could see the PATH or the CWD record as well.
The impression that this would be a timing issue increased when I tried
to debug the daemon itself, placing a breakpoint in the
distribute_event() and/or dispatch_event() functions - in that case, I
could see all records going through, both in the execution path and in
the syslog.
Later I also placed some debugging hooks in the process_inbound_event() in
the dispatcher code, and saw that records were already missing at that
point.
The lossy/lossless setting for the dispatcher queue doesn't appear to
affect this behavior. My tests involve a filesystem watch - when
triggered, only 3 records are generated (so not anywhere near the 128K
buffer size).
My env: RHEL 5 GA on s390x (sorry - no other box available for testing
at this time) with audit 1.6.2 (built from src.rpm as downloaded from
Steve's website).
Steve, btw, can you hold the audisp-racf merge a little bit? Found some
issues with selinux policy, the mapping to the remote system and believe
it or not, the plugin name itself :(
Thanks,
-Klaus Kiwi
16 years, 11 months
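The comparison Klaus describes (matching the syslog plugin's copy against the audit log and noticing that only the SYSCALL record of each event arrives) can be done mechanically by grouping records on the event serial in `msg=audit(timestamp:serial)` and diffing the two sides per event. The script below is an added example, not code from the post or from the audit project; the log lines in it are constructed, and it assumes the syslog side carries the unchanged `type=... msg=audit(...)` text after an arbitrary syslog prefix.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not taken from the mailing-list post): one
# filesystem-watch hit produces SYSCALL + CWD + PATH under one serial.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1197000000.101:100): arch=80000016 syscall=5 success=yes exit=3 key="watch-etc"
type=CWD msg=audit(1197000000.101:100):  cwd="/root"
type=PATH msg=audit(1197000000.101:100): item=0 name="/etc/shadow" inode=1234 mode=0100400
type=SYSCALL msg=audit(1197000000.202:101): arch=80000016 syscall=5 success=yes exit=4 key="watch-etc"
type=CWD msg=audit(1197000000.202:101):  cwd="/root"
type=PATH msg=audit(1197000000.202:101): item=0 name="/etc/passwd" inode=1235 mode=0100644
"""

# Constructed copy as it might appear on the syslog side: event 100 lost
# its CWD and PATH records, event 101 arrived complete.
SYSLOG_COPY = """\
Dec 20 10:00:00 host audispd: type=SYSCALL msg=audit(1197000000.101:100): arch=80000016 syscall=5 success=yes exit=3 key="watch-etc"
Dec 20 10:00:00 host audispd: type=SYSCALL msg=audit(1197000000.202:101): arch=80000016 syscall=5 success=yes exit=4 key="watch-etc"
Dec 20 10:00:00 host audispd: type=CWD msg=audit(1197000000.202:101):  cwd="/root"
Dec 20 10:00:00 host audispd: type=PATH msg=audit(1197000000.202:101): item=0 name="/etc/passwd" inode=1235 mode=0100644
"""

# Every audit record starts with its type and the event id; the serial
# after the colon ties the records of one event together.
RECORD_RE = re.compile(
    r'type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
)


def parse_events(text):
    """Group records by event serial -> list of record types, in file order.

    Lines without an audit record header (plain syslog noise) are skipped.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m is None:
            continue
        events[int(m.group('serial'))].append(m.group('type'))
    return dict(events)


def find_missing_records(source, received):
    """Return {serial: sorted list of record types present in source but
    absent downstream}. Counters are used so repeated PATH items (item=0,
    item=1, ...) are compared as a multiset, not as a set."""
    src = parse_events(source)
    rcv = parse_events(received)
    missing = {}
    for serial, types in src.items():
        lost = Counter(types) - Counter(rcv.get(serial, []))
        if lost:
            missing[serial] = sorted(lost.elements())
    return missing


def loss_by_type(missing):
    """Aggregate the per-event result into a count per record type, which
    shows at a glance whether a particular record kind is being dropped."""
    totals = Counter()
    for types in missing.values():
        totals.update(types)
    return dict(totals)


if __name__ == "__main__":
    missing = find_missing_records(AUDIT_LOG, SYSLOG_COPY)
    for serial, types in sorted(missing.items()):
        print(f"event {serial}: missing {', '.join(types)}")
    print("lost records by type:", loss_by_type(missing))
```

Run against a real pair of files, reading the audit log as `source` and the syslog copy as `received`, the script lists every event whose downstream copy is incomplete; an output dominated by CWD and PATH entries with SYSCALL never appearing is the pattern described in the post.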
audit 1.6.4 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- fchmod of log file was on wrong variable
- Allow use of errno strings for exit codes in audit rules
This release fixes a major bug that got introduced in the last release. The
code that fixes a permission problem was using the wrong variable. It happens
that the result was applied to /dev/null instead of the audit log. If you had
selinux in enforcing mode - nothing happened, for everyone else.../dev/null
probably got messed up. Oopsie.
This release also lets you express audit rules with slightly more readable
exit codes. This means you can now do things like:
auditctl -a always,exit -S open -F exit=-EPERM
Please let me know if you run across any problems with this release.
-Steve
16 years, 11 months
Is there a rule for auditing all processes' syscall info?
by Marius.bao
Hi all,
We can use a rule to audit all syscall info for one specific process,
e.g. auditctl -a entry,always -S all -F pid=1005 will log process 1005's
syscall info. Is there a rule available to audit all processes' syscall
info?
Thanks in advance.
16 years, 11 months
audit 1.6.3 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Add kernel release string to DAEMON_START events
- Log warning if audit event from kernel is too big
- Fix keep_logs when num_logs option disabled (#325561)
- Auditd commandline option to decide whether to enable kernel auditing on
startup (Tony Jones)
- Fix auparse to handle node fields for syscall records
- Updates for auparse to uninterpret text search values (Miloslav Trmac)
- Update system-config-audit to version 0.4.5 (Miloslav Trmac)
- Add keyword week-ago to aureport & ausearch start/end times
- Fix audit log permissions on rotate. If group is root 0400, otherwise 0440
- Get "make check" working for auparse
- Add RACF zos remote audispd plugin (Klaus Kiwi)
- Add event queue overflow action to audispd
- Make sure we are reading right amount of pipe in audispd
Please let me know if you run across any problems with this release.
-Steve
16 years, 12 months
auditing for RHEL ES4
by Bill Tangren
I'm running RHEL ES 4 servers, and am having difficulty with aureport. I'm
using audit version 1.0.15-3, the one that comes with the OS. The problem
is that I need daily reports, and it is not doing it. The reports always
cover the entire range of available logs (sometimes gigabytes of data).
The reports can take a LONG time to compile, and it doesn't give me the
daily snapshot I need. I'm thinking of installing the latest tarball and
compiling, as I understand more recent versions of aureport have
implemented time limits. [I've emailed this list before about this.]
My question now is, is it possible to uninstall the prepackaged audit and
audit-lib, and install the latest from source, without seriously hosing my
system?
TIA,
--
Bill Tangren
U.S. Naval Observatory
17 years
Using Linux Audit to Audit / Log All Oracle Related Activity
by Mathew Brown
Hi,
I was wondering if the Linux Audit Daemon could be used to address the
issue of Oracle auditing. Has anyone investigated this possibility?
Ideally, I would like to audit all network (listener) as well as all
local access (an Oracle DBA running sqlplus directly on the machine).
Any ideas? Thanks for your help.
--
Mathew Brown
mathewbrown(a)fastmail.fm
--
http://www.fastmail.fm - Or how I learned to stop worrying and
love email again
17 years
[PATCH 0/2] XFRM auditing patch rebased
by Paul Moore
Based on the net-2.6.25 tree from about an hour ago. The first patch was
dropped because it is already applied.
--
paul moore
linux security @ hp
17 years
[PATCH 0/3] XFRM audit fixes/additions for net-2.6.25
by Paul Moore
Three patches backed against net-2.6.25 from today. Some of the audit
messages are a little difficult to test by their nature but I've verified
that I'm still able to send/receive IPsec protected traffic with the patches
applied.
The first patch was posted before but David decided it best to split the
patch so some parts could be pulled into 2.6.24; the patch was split and
the 2.6.24 bits were accepted (the SPI byteorder fix) so patch #1 in the
series is what is left for 2.6.25.
The second patch was posted before as an RFC patch without anyone complaining
too loudly. Eric Paris made some suggestions about better handling of the
"op=" audit field and I've tried to take that into account with this patch.
The final patch is the audit replay counter overflow issue fix that has been
talked about on netdev. This sounded like the best course of action from the
discussion but if I'm wrong, just drop this patch and I'll cook up something
else to solve the problem.
Thanks.
--
paul moore
linux security @ hp
17 years
Re: Linux-audit Digest, Vol 39, Issue 16
by Marius.bao
I downloaded the source package yesterday, but the make process went
wrong; the error message is as follows:
Makefile:43: /usr/share/selinux/devel/Makefile: No such file or directory
make[3]: *** No rule to make target `/usr/share/selinux/devel/Makefile'.
Stop.
make[3]: Leaving directory
`/home/paul/Develop/audit/audit-test/trustedprograms/tests/policy'
make[2]: *** [subdirs] Error 2
make[2]: Leaving directory
`/home/paul/Develop/audit/audit-test/trustedprograms/tests'
make[1]: *** [subdirs] Error 2
make[1]: Leaving directory
`/home/paul/Develop/audit/audit-test/trustedprograms'
make: *** [subdirs] Error 2
I'm running Fedora Core 7
2007/12/20, linux-audit-request(a)redhat.com <linux-audit-request(a)redhat.com>:
> Message: 1
> Date: Tue, 18 Dec 2007 15:22:32 -0500
> From: Jon Wallace <jon.wallace(a)hp.com>
> Subject: New Version of Certification Test Suite
> To: linux-audit(a)redhat.com
> Message-ID: <200712181522.32224.jon.wallace(a)hp.com>
> Content-Type: text/plain; charset="us-ascii"
>
> HP has posted an updated version of the audit-test suite for the audit and
> MLS portions of CAPP/LSPP/RBACPP certification on RHEL5.1.
> http://sourceforge.net/projects/audit-test/
>
> The suite is available as a tarball, a source rpm, and as a noarch
> rpm which will install files into /usr/local/eal4_testing/audit-test.
> There are 3 README files which describe how to run the tests, how to
> develop tests, and how to configure the test server for network tests.
>
> These tests are known to pass on RHEL5.1 plus the updated packages listed
> in our security target in both CAPP mode (optional targeted policy) and
> LSPP mode (mls policy) on x86_64 and ia64 architectures. Code exists for
> other architectures but no other architectures have been tested with this
> version of the test suite. The updated tests fix failures that were due to
> changes in some of the pam audit records.
>
> We would appreciate feedback as well as patches through the
> sourceforge project trackers if you use and update the suite.
> We are especially interested in hearing from people running the
> tests on other distros, with or without SELinux.
>
> Thanks,
> Jon
17 years