ausearch
by David Flatley
When running "ausearch -i", does this read both the /var/log/audit/audit.log and the rotated log files in the same directory? Thanks.
David Flatley
"To err is human. To really screw up requires the root password." -UNKNOWN
10 years, 10 months
Architecture of auditd
by Aaron Lewis
Hi, I wrote a very simple program to retrieve netlink sockets (audit messages),
but it is stuck at recvfrom. Am I missing something?
#include <stdio.h>
#include <unistd.h>
#include <assert.h>
#include <string.h>
#include <stdlib.h>
#include <math.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* print the failing call and exit (no trailing ';' so it can sit in an if/else) */
#define ERR_QUIT(a) do { perror(a); exit(1); } while (0)

#ifndef PF_NETLINK
# define PF_NETLINK 16
#endif

char message[10000];

int main(int argc, char **argv)
{
    int fd, len;
    struct sockaddr_nl nladdr;
    socklen_t nladdrlen = sizeof(nladdr);

    /* raw netlink socket to the kernel audit subsystem */
    fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        ERR_QUIT("socket");

    /* block until the kernel delivers a message on this socket */
    len = recvfrom(fd, message, sizeof(message), 0,
                   (struct sockaddr *)&nladdr, &nladdrlen);
    if (len < 0)
        ERR_QUIT("recvfrom");

    printf("Received %d bytes\n", len);
    return 0;
}
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
10 years, 10 months
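The kernel only delivers audit records to the netlink pid that has registered itself as the audit daemon through an AUDIT_SET request with AUDIT_STATUS_PID in the mask; a socket that is opened and then immediately read from is not that pid. The following is an added example (not code from the thread and not libaudit) that packs the nlmsghdr and audit_status structures by hand in Python, so the message layout can be inspected and checked without a privileged socket; only the `__main__` block at the bottom talks to a real NETLINK_AUDIT socket, which requires CAP_AUDIT_CONTROL. The constants are the values from linux/netlink.h and linux/audit.h; the audit_status layout is the eight-field 2.6.32-era one, and newer kernels zero-fill the fields that were added later.

```python
"""Build/parse the netlink messages a userspace audit listener exchanges with
the kernel (added example, not from the thread; packs structures by hand)."""
import os
import socket
import struct

# Constants from linux/netlink.h and linux/audit.h
NETLINK_AUDIT = 9
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLMSG_ERROR = 0x2
AUDIT_SET = 1001
AUDIT_STATUS_ENABLED = 0x0001
AUDIT_STATUS_PID = 0x0004
NLMSG_ALIGNTO = 4

# struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid (native order)
NLMSGHDR = struct.Struct("=IHHII")
# struct audit_status as on 2.6.32: mask, enabled, failure, pid, rate_limit,
# backlog_limit, lost, backlog (all u32). Newer kernels accept this shorter
# payload and treat the fields added later as zero.
AUDIT_STATUS = struct.Struct("=8I")


def nlmsg_align(n):
    return (n + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1)


def build_audit_set(pid, seq=1, enable=True):
    """AUDIT_SET request that registers `pid` as the audit daemon.

    With AUDIT_STATUS_PID in the mask the kernel sends audit records to that
    netlink pid; without such a request a bare recvfrom() never sees events.
    """
    mask = AUDIT_STATUS_PID | (AUDIT_STATUS_ENABLED if enable else 0)
    payload = AUDIT_STATUS.pack(mask, 1 if enable else 0, 0, pid, 0, 0, 0, 0)
    hdr = NLMSGHDR.pack(NLMSGHDR.size + len(payload), AUDIT_SET,
                        NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload


def parse_netlink(buf):
    """Split a receive buffer into (type, flags, seq, pid, payload) tuples.

    Stops at the first header whose length runs past the buffer instead of
    guessing, so a truncated read is never misparsed as a record.
    """
    msgs = []
    off = 0
    while off + NLMSGHDR.size <= len(buf):
        length, mtype, flags, seq, pid = NLMSGHDR.unpack_from(buf, off)
        if length < NLMSGHDR.size or off + length > len(buf):
            break
        msgs.append((mtype, flags, seq, pid, buf[off + NLMSGHDR.size:off + length]))
        off += nlmsg_align(length)
    return msgs


def ack_errno(payload):
    """An NLMSG_ERROR payload starts with a negative errno; 0 means ACK."""
    return -struct.unpack_from("=i", payload, 0)[0]


if __name__ == "__main__":
    # Needs CAP_AUDIT_CONTROL and conflicts with a running auditd (the kernel
    # knows one audit daemon), so try it on a test box with auditd stopped.
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    s.bind((0, 0))                     # kernel assigns our netlink pid
    s.sendto(build_audit_set(os.getpid()), (0, 0))
    while True:
        for mtype, flags, seq, pid, payload in parse_netlink(s.recv(65536)):
            if mtype == NLMSG_ERROR:
                print("AUDIT_SET result: errno", ack_errno(payload))
            else:
                print("type=%d %s" % (mtype, payload.decode("utf-8", "replace")))
```

The NLM_F_ACK flag asks the kernel for an NLMSG_ERROR reply whose errno is 0 on success, which is the cheapest way to confirm that the registration actually took effect before waiting for events.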
Make the dispatcher run faster?
by Aaron Lewis
Hi,
I've replaced the dispatcher with a self-written one; it only prints
what it sees.
Now I run auditd -f to make it stay in the foreground and feed it with a
massive amount of data,
but the dispatcher prints one line each second. Is there any speed
limitation?
If so, how do I change that?
Thanks!
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
10 years, 10 months
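A dispatcher that only prints what it sees still has to frame its input correctly and get the output out promptly. This added example (not the poster's dispatcher and not audispd) reads the binary frames that auditd writes to its dispatcher's stdin and prints one line per record, flushing after each so the records are not held back in a stdio buffer. It assumes the frame header is struct audit_dispatcher_header from libaudit.h as I read it, four native-order u32 fields (ver, hlen, type, size) with protocol version 0; the record types used in the test (1300 AUDIT_SYSCALL, 1302 AUDIT_PATH) are from linux/audit.h and the record text is constructed.

```python
"""Minimal audit dispatcher reading auditd's binary frames (added example;
header layout assumed from libaudit.h's struct audit_dispatcher_header)."""
import io
import struct
import sys

AUDISP_PROTOCOL_VER = 0
HDR = struct.Struct("=IIII")   # ver, hlen, type, size (native-order u32)


def read_exact(stream, n):
    """Read exactly n bytes; None on clean EOF, a short buffer on truncation."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            return buf if buf else None
        buf += chunk
    return buf


def read_frames(stream):
    """Yield (type, payload) per frame; stop on EOF, a bad header or a
    truncated frame rather than resynchronising on garbage."""
    while True:
        raw = read_exact(stream, HDR.size)
        if raw is None or len(raw) < HDR.size:
            return
        ver, hlen, mtype, size = HDR.unpack(raw)
        if ver != AUDISP_PROTOCOL_VER or hlen < HDR.size:
            return
        if hlen > HDR.size:            # hlen allows future header growth: skip it
            extra = read_exact(stream, hlen - HDR.size)
            if extra is None or len(extra) < hlen - HDR.size:
                return
        payload = read_exact(stream, size) if size else b""
        if size and (payload is None or len(payload) < size):
            return
        yield mtype, payload


def frame(mtype, payload):
    """Encode one frame the way the header layout above implies (used to
    build test input for the reader)."""
    return HDR.pack(AUDISP_PROTOCOL_VER, HDR.size, mtype, len(payload)) + payload


def dispatch(stream, out):
    """Print every record as 'type=<n> <text>', flushing per record so the
    output is visible immediately; returns the number of records handled."""
    count = 0
    for mtype, payload in read_frames(stream):
        text = payload.decode("utf-8", "replace").rstrip("\n")
        out.write("type=%d %s\n" % (mtype, text))
        out.flush()
        count += 1
    return count


if __name__ == "__main__":
    dispatch(sys.stdin.buffer, sys.stdout)
```

Point auditd.conf's dispatcher setting at the script (make it executable) to try it; the per-record flush matters because stdout to a pipe is block-buffered by default, which makes a print-only dispatcher look much slower than the rate at which it actually receives frames.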
Bug in auditing of sys_symlink
by Aaron Lewis
Hi,
Looks like on the 2.6.32 kernel there was a bug with sys_symlink.
I'm trying to monitor all symlinks that point to a specific dir, so I added:
-a exit,always -F arch=b64 -S symlink -F success=1 -F dir=/secure
But "ln -s /secure/file /tmp/file" doesn't trigger an alert,
and "cd /secure; ln -s /bin/ls" does.
So I guess the auditing implementation is somehow incomplete?
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
10 years, 10 months
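Two questions in this archive come down to what is actually in the raw log: the first post asks whether ausearch covers the rotated files next to audit.log, and the symlink post shows a `-F dir=` rule matching only when the link is created inside the directory. As far as I know the PATH records of a symlink() event carry the new link's name and its parent (the names the kernel looks up during the call), not the target string, which is why `ln -s /bin/ls` run from /secure is seen under /secure while `ln -s /secure/file /tmp/file` is seen under /tmp. The added example below (not code from the thread or from the audit package) parses the raw audit.log format from the current file plus its rotated siblings in oldest-first order, groups records into events by serial the way ausearch does, resolves relative PATH names against the CWD record, and filters events on the directory their PATH records fall under. The sample records are constructed and assume a broad `-S symlink` rule without the dir filter, so both calls from the post are present; syscall numbers are x86_64.

```python
"""Parse raw audit.log (plus rotated files) into events and filter on PATH
records (added example, not from the thread; sample records constructed)."""
import os
import re
import tempfile
from collections import OrderedDict

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be double- or single-quoted (e.g. msg='...')
FIELD_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S*)''')
SYSCALL_NAMES = {88: "symlink", 266: "symlinkat"}   # x86_64 numbers


def parse_record(line):
    """One audit.log line -> dict, or None if it is not an audit record."""
    m = RECORD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(m.group("body")):
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        fields[key] = val
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}


def rotated_logs(directory, base="audit.log"):
    """Log files oldest first: audit.log.N ... audit.log.1, then audit.log."""
    names = [n for n in os.listdir(directory)
             if n == base or re.fullmatch(re.escape(base) + r"\.\d+", n)]
    age = lambda n: int(n[len(base) + 1:]) if n != base else 0
    return [os.path.join(directory, n) for n in sorted(names, key=age, reverse=True)]


def load_events(directory):
    """Records from every log file grouped by (timestamp, serial)."""
    events = OrderedDict()
    for path in rotated_logs(directory):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                rec = parse_record(line)
                if rec:
                    events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    return events


def syscall_name(recs):
    for r in recs:
        if r["type"] == "SYSCALL" and r["fields"].get("syscall", "").isdigit():
            n = int(r["fields"]["syscall"])
            return SYSCALL_NAMES.get(n, str(n))
    return None


def event_paths(recs):
    """Absolute names from PATH records; relative names resolve against CWD."""
    cwd = next((r["fields"].get("cwd", "/") for r in recs if r["type"] == "CWD"), "/")
    names = [r["fields"]["name"] for r in recs if r["type"] == "PATH" and "name" in r["fields"]]
    return [n if n.startswith("/") else os.path.join(cwd, n) for n in names]


def events_under(events, directory, syscall=None):
    """Serials of events (optionally of one syscall) with a PATH under directory."""
    prefix = directory.rstrip("/") + "/"
    return [serial for (ts, serial), recs in events.items()
            if (syscall is None or syscall_name(recs) == syscall)
            and any((p.rstrip("/") + "/").startswith(prefix) for p in event_paths(recs))]


def write_sample(directory):
    """Constructed records: 'ln -s /secure/file /tmp/file' (serial 201, in the
    rotated file) and 'cd /secure; ln -s /bin/ls' (serial 202, current file)."""
    sample = {
        "audit.log.1": [
            'type=SYSCALL msg=audit(1389000000.101:201): arch=c000003e syscall=88 success=yes exit=0 items=2 pid=1001 auid=1000 uid=1000 comm="ln" exe="/bin/ln" key="symlinks"',
            'type=CWD msg=audit(1389000000.101:201):  cwd="/home/user"',
            'type=PATH msg=audit(1389000000.101:201): item=0 name="/tmp/" inode=2 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00',
            'type=PATH msg=audit(1389000000.101:201): item=1 name="/tmp/file" inode=4711 dev=08:01 mode=0120777 ouid=1000 ogid=1000 rdev=00:00',
        ],
        "audit.log": [
            'type=SYSCALL msg=audit(1389000050.202:202): arch=c000003e syscall=88 success=yes exit=0 items=2 pid=1002 auid=1000 uid=1000 comm="ln" exe="/bin/ln" key="symlinks"',
            'type=CWD msg=audit(1389000050.202:202):  cwd="/secure"',
            'type=PATH msg=audit(1389000050.202:202): item=0 name="/secure/" inode=99 dev=08:01 mode=040750 ouid=0 ogid=0 rdev=00:00',
            'type=PATH msg=audit(1389000050.202:202): item=1 name="ls" inode=4712 dev=08:01 mode=0120777 ouid=1000 ogid=1000 rdev=00:00',
        ],
    }
    for name, lines in sample.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    d = tempfile.mkdtemp()
    write_sample(d)
    ev = load_events(d)
    print("events:", len(ev), "from", [os.path.basename(p) for p in rotated_logs(d)])
    print("symlink events with a PATH under /secure:", events_under(ev, "/secure", "symlink"))
    print("symlink events with a PATH under /tmp:", events_under(ev, "/tmp", "symlink"))
```

Run against /var/log/audit instead of the temporary directory to check a real set of rotated files; ordering the files oldest first keeps event serials monotonic across the rotation boundary, which matters when an event's records were split across two files.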