RE: Linux-audit Digest, Vol 34, Issue 3
by Heidi Racanelli
See you soon, Peggy. Thanks for the directions. hj
-----Original Message-----
From: linux-audit-bounces(a)redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of
linux-audit-request(a)redhat.com
Sent: Friday, July 06, 2007 11:00 AM
To: linux-audit(a)redhat.com
Subject: Linux-audit Digest, Vol 34, Issue 3
17 years, 5 months
What, if any, support is there for CentOS 5
by Robert Evans
Hi,
I'm now playing with CentOS 5, and I notice that audit is present, but is
currently at audit-1.3.1-1.el5.
From the web page, it looks like only Fedora and RedHat are officially
supported. I guess my question is, how or can I get the latest audit package
for CentOS 5?
Bob Evans
17 years, 5 months
Decoding arguments passed to system calls
by Darryl Dixon - Winterhouse Consulting
Hi List,
Forgive me if this isn't the correct forum for this, but I'd like to
present a scenario, outline my hypothetical solution to it, and then
solicit for feedback from the list on how to actually achieve it. I have
seen various discussions on the list around this topic (eg
http://www.redhat.com/archives/linux-audit/2005-March/msg00221.html, and
the current "Absolute path names in PATH records" thread), but
they all seemed intertwined with other things, so I am asking here to try
and pin down a firm answer :)
Scenario:
A very large filesystem with potentially millions of files in an ad-hoc,
unordered directory structure. The requirement is to be able to audit any
action on any file in this filesystem (moves, adds, changes, deletes,
etc). In auditfs terms, there is a requirement to have a 'watch' on every
single file (millions of files), and on any new file that is added.
Hypothetical solution:
Clearly, scanning the filesystem with `find` and calling auditctl
with the appropriate arguments to generate a watch on every single file is
totally infeasible (find takes almost an hour to run, and in the meantime
stuff is potentially changing...). Instead, I envision it would make
better sense to simply audit every call to write(), open(), rename(), etc,
and then filter backwards from there with ausearch and a filter based on
the path. On Solaris with BSM, this is possible. My problem is that this
doesn't seem possible with the Linux Audit subsystem, as the arguments to
the system calls are not decoded (eg, the audit records for write()
include only an opaque filehandle and pointer to the written data, etc).
So, in terms of feedback:
1) Am I totally wrong and there's a method of getting this information
already that I have overlooked?
2) Knowing very little about the auditing subsystem, and the kernel
internals in general I envision that decoding the filehandle into a path
is something that would need to be done in the kernel, and is impossible
from userland. Is this the case?
3) How much work do you all estimate that it would actually take to be
able to generate this information? Is it even possible without a major
architectural overhaul of the audit subsystem?
Any and all feedback much appreciated.
many regards,
Darryl Dixon
Winterhouse Consulting Ltd
http://www.winterhouseconsulting.com
17 years, 5 months
Absolute path names in PATH records
by Matthew Booth
I've hit a hurdle trying to do some post processing on audit output
because PATH records contain paths relative to the CWD, rather than the
absolute path. How much effort would likely be involved in making sure
these paths were always absolute?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
17 years, 5 months
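Both of the questions above (filtering syscall audit records "backwards" by path, and PATH records whose name is relative to the CWD) come down to correlating the SYSCALL, CWD and PATH records that share one audit serial and resolving each name against that event's cwd. The script below is an added example, not code from any poster or from the audit project; it assumes the standard auditd text record layout (`type=... msg=audit(ts:serial): key=value ...`), and the log lines embedded in it are constructed for illustration.

```python
import re
import posixpath
from collections import defaultdict

# Constructed sample of raw auditd records (not taken from the thread):
# an open() of a relative name, then a rename() carrying two PATH items.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1183735209.123:456): arch=40000003 syscall=5 success=yes exit=3 comm="vi" exe="/usr/bin/vi" key="bigfs"
type=CWD msg=audit(1183735209.123:456):  cwd="/data/bigfs/proj"
type=PATH msg=audit(1183735209.123:456): item=0 name="notes.txt" inode=12345 dev=08:01 mode=0100644 ouid=500 ogid=500
type=SYSCALL msg=audit(1183735210.500:457): arch=40000003 syscall=38 success=yes exit=0 comm="mv" exe="/bin/mv" key="bigfs"
type=CWD msg=audit(1183735210.500:457):  cwd="/home/bob"
type=PATH msg=audit(1183735210.500:457): item=0 name="../../data/bigfs/a.txt" inode=2 dev=08:01 mode=0100644 ouid=500 ogid=500
type=PATH msg=audit(1183735210.500:457): item=1 name="/tmp/a.txt" inode=3 dev=08:01 mode=0100644 ouid=500 ogid=500
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_records(text):
    """Group raw records by audit serial: {serial: {'SYSCALL': {...}, 'CWD': {...}, 'PATH': [...]}}."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record line
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        ev = events[int(serial)]
        if rtype == "PATH":
            ev["PATH"].append(fields)  # one PATH record per pathname argument
        else:
            ev[rtype] = fields
    return dict(events)

def absolute_paths(event):
    """Resolve every PATH name against the event's CWD record, collapsing '..' components."""
    cwd = event.get("CWD", {}).get("cwd", "/")
    return [posixpath.normpath(posixpath.join(cwd, p["name"])) for p in event["PATH"]]

def events_under(text, prefix):
    """Return (serial, syscall number, [absolute paths]) for events touching anything below prefix."""
    hits = []
    for serial, ev in sorted(parse_records(text).items()):
        paths = absolute_paths(ev)
        if any(p == prefix or p.startswith(prefix.rstrip("/") + "/") for p in paths):
            hits.append((serial, ev["SYSCALL"]["syscall"], paths))
    return hits
```

Names passed relative to a directory file descriptor (the *at() syscalls) cannot be resolved from the CWD record alone, so this filter is only as complete as the records the kernel emits.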
Re: [patch 2/3] audit: rework execve audit
by Andrew Morton
On Wed, 13 Jun 2007 12:03:36 +0200
Peter Zijlstra <a.p.zijlstra(a)chello.nl> wrote:
> +#ifdef CONFIG_AUDITSYSCALL
> + {
> + .ctl_name = CTL_UNNUMBERED,
> + .procname = "audit_argv_kb",
> + .data = &audit_argv_kb,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = &proc_dointvec,
> + },
> +#endif
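Review bot: the new audit_argv_kb sysctl is wired to proc_dointvec with no bounds, so a write of a negative or absurdly large value is accepted as-is; since this value sizes how much execve argv data the audit path copies, a minmax handler (proc_dointvec_minmax with extra1 pointing at a zero lower bound and a sane upper bound) would keep root from accidentally disabling argv auditing or asking for an unbounded copy. Andrew's point also stands: a new /proc/sys entry with mode 0644 needs its meaning and default documented.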
Please document /proc entries in Documentation/filesystems/proc.txt
17 years, 5 months