Logrotate and Audit Log Rotation
by Paul Whitney
On RHEL 6 I am able to use the logrotate facility and compress logs using bzip2. However, when I try to use a similar method on RHEL 5, the auditd service fails to restart after the logrotate service rotates and compresses the rotated log file.
I found a post by Steve Grubb posted on 29 JUN 2011:
"Logrotate should not directly rotate the audit logs. I don't supply a logrotate
configuration, but if I did it would call service auditd rotate so that auditd performs
the action. The audit daemon has to fulfill certain service guarantees that logrotate
does not care about. For example, if the audit disk partition gets full, auditd can
take the system down. Logrotate never will. So, you have to let auditd do its own
thing or you will have some issues."
Is this still the case?
Paul M. Whitney
paul.whitney(a)icloud.com
11 years, 11 months
[PATCH] audit: fix auditfilter kernel-doc warning
by Randy Dunlap
From: Randy Dunlap <rdunlap(a)infradead.org>
Fix new kernel-doc warning in auditfilter.c:
Warning(kernel/auditfilter.c:1157): Excess function parameter 'uid' description in 'audit_receive_filter'
Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: linux-audit(a)redhat.com (subscribers-only)
---
kernel/auditfilter.c | 1 -
1 file changed, 1 deletion(-)
--- lnx-37-rc4.orig/kernel/auditfilter.c
+++ lnx-37-rc4/kernel/auditfilter.c
@@ -1144,7 +1144,6 @@ static void audit_log_rule_change(kuid_t
* audit_receive_filter - apply all rules to the specified message type
* @type: audit message type
* @pid: target pid for netlink audit messages
- * @uid: target uid for netlink audit messages
* @seq: netlink audit message sequence (serial) number
* @data: payload data
* @datasz: size of payload data
11 years, 12 months
Patch to fix cross-compiling
by George McCollister
I've created a patch against your SVN trunk which uses
ax_cc_for_build.m4 to provide CC_FOR_BUILD which is then used in
auparse/Makefile.am and lib/Makefile.am to build the utilities that run
on the build machine.
I was able to use this patch to cross-compile audit for my ARM platform.
I'm still in the process of testing audit on the ARM platform.
Comments, questions and critiques welcome.
Regards,
George McCollister
11 years, 12 months
[PATCH] audit: armv6l added to machintab for Raspberry Pi
by Nathaniel Husted
This patch was created to add the armv6l (Raspberry Pi) platform to
audit. Without the patch auditctl errors that it cannot find the
machine type whenever loading the rules file. This patch was tested on
a physical raspberry pi board. The environment was the latest Raspbian
distribution and the latest audit from the SVN. Upon the loading of
the rules file, I was able to test the clone, execve, and fork system
calls using a back patch for the Raspberry Pi kernel (they're still on
3.2).
Signed-off-by: Nathaniel Husted <nhusted(a)gmail.com>
---
diff --git a/lib/machinetab.h b/lib/machinetab.h
index 378db6e..60509c4 100644
--- a/lib/machinetab.h
+++ b/lib/machinetab.h
@@ -37,4 +37,5 @@ _S(MACH_ALPHA, "alpha" )
_S(MACH_ARMEB, "armeb" )
_S(MACH_ARMEB, "armv5tejl")
_S(MACH_ARMEB, "armv7l")
+_S(MACH_ARMEB, "armv6l")
#endif
11 years, 12 months
[PATCH 0/5] Build time disabling of auditd network listener
by Tyler Hicks
Hello Steve - This is a patch set that allows --disable-listener to be passed
to the configure script to disable the auditd network listener code at build
time. The reasoning is that a large number of users do not need centralized
audit logging and removing the network listening code from a root-owned auditd
process is appealing from a security perspective.
The existing implementation clearly does not initialize the listener when
tcp_listen_port is undefined in auditd.conf, but I still think there is value
in not having the listening code present in all auditd installations.
The first three patches in the set are refactoring patches to move nearly all of
the listening code into auditd-listen.c in order to minimize the number of
ifdefs that would need to be scattered throughout C source files. The fourth
patch is an optional cleanup patch. The last patch introduces the
--disable-listener option.
The auditd listener code is still enabled by default so that existing distro
packaging recipes will not need to be updated.
I look forward to your feedback. Thanks!
Tyler
11 years, 12 months