Linux-audit January 2014

linux-audit@lists.linux-audit.osci.io

27 participants
55 discussions

by David Flatley

When running "ausearch -i", does this read both the /var/log/audit/audit.log and the rotated log files in the same directory? Thanks. David Flatley "To err is human. To really screw up requires the root password." -UNKNOWN

11 years, 6 months

2
1
0 / 0

Architecture of auditd

by Aaron Lewis

Hi I wrote a very simple program to retrieve netlink sockets (audit messages), But it stuck at recvfrom, am I missing something? #include <stdio.h> #include <unistd.h> #include <assert.h> #include <string.h> #include <stdlib.h> #include <math.h> #include <sys/socket.h> #include <linux/netlink.h> #define ERR_QUIT(a) do { perror(a); exit (1); } while (0); #ifndef PF_NETLINK # define PF_NETLINK 16 #endif char message [10000]; int main (int argc , char **argv) { int fd, len; struct sockaddr_nl nladdr; socklen_t nladdrlen = sizeof(nladdr); fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT); if (fd < 0) ERR_QUIT("socket"); len = recvfrom(fd, &message, sizeof(message), 0, (struct sockaddr*)&nladdr, &nladdrlen); if (len < 0) ERR_QUIT("recvfrom"); printf ("Received %d bytes\n", len); return 0; } -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

11 years, 6 months

3
2
0 / 0

Make the dispatcher run faster?

by Aaron Lewis

Hi, I've replaced the dispatcher with a self-written one, it only prints what it sees. Now I run auditd -f to make it stay foreground, and feed it with a massive amount of data, But the dispatcher prints one line for each second. Is there any speed limitation? If so, how do I change that Thanks! -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

11 years, 6 months

2
1
0 / 0

Use a script as a dispatcher

by Aaron Lewis

Hi, Can I use a perl script as a dispatcher? any examples -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

11 years, 6 months

2
1
0 / 0

Bug in auditing of sys_symlink

by Aaron Lewis

Hi, Looks like on 2.6.32 kernel there was a bug with sys_symlink, I'm trying to monitor all symlinks that points to a specific dir, so I added: -a exit,always -F arch=b64 -S symlink -F success=1 -F dir=/secure But "ln -s /secure/file /tmp/file" doesn't trigger alert And "cd /secure; ln -s /bin/ls" does. So I guess the auditing implementation is somehow incomplete? -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

11 years, 6 months

2
4
0 / 0

← Newer
1
2
3
4
5
6
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit January 2014