[PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
by Richard Guy Briggs
Add support for sessionid, sessionid_set (first two patches) and
loginuid_set (and auid_set) (third patch) in user filters. The first
two are directly related to issue "ghak4":
https://github.com/linux-audit/audit-kernel/issues/4
https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
The third is to support a kernel change from 3.10 and 3.19 to avoid
using in-band values to indicate the loginuid is unset.
The last two patches are to add unset flags to sessionid and loginuid
for ausearch and aureport. These two patches are extras and not
required for basic support.
Richard Guy Briggs (5):
Add userspace support for session ID user filter.
Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
Add sessionid_set option to ausearch and aureport
Add support for loginuid_set option for event filtering and searches.
trunk/lib/fieldtab.h | 4 ++
trunk/src/aureport-options.c | 4 +-
trunk/src/ausearch-common.h | 1 +
trunk/src/ausearch-match.c | 3 +
trunk/src/ausearch-options.c | 85 +++++++++++++++++++++++++++++++++++++++++-
trunk/src/ausearch-options.h | 1 +
trunk/src/ausearch-parse.c | 30 +++++++-------
7 files changed, 110 insertions(+), 18 deletions(-)
[PATCH] Ignore tags and cscope output files.
by Richard Guy Briggs
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
trunk/.gitignore | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/trunk/.gitignore b/trunk/.gitignore
index ec0aa96..ba296d3 100644
--- a/trunk/.gitignore
+++ b/trunk/.gitignore
@@ -7,7 +7,9 @@ gen_*_h
INSTALL
Makefile
Makefile.in
+tags
TAGS
+cscope.*
/aclocal.m4
/autom4te.cache
/audit*.tar.gz
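Review bot: `cscope.*` also matches `cscope.files`, which is commonly a hand-maintained input list for cscope rather than generated output; if only the generated databases are meant, listing `cscope.out`, `cscope.in.out` and `cscope.po.out` explicitly is safer, otherwise the broad pattern is acceptable. The unanchored `tags` entry matches in every subdirectory, which is consistent with the existing `TAGS` line just above it.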
--
1.7.1
How can I install the latest version of Linux Audit on CentOS 6.8?
by Mateusz Piotrowski
Hello,
I’m trying to update the 2013 version of auditd on a just installed CentOS 6.8-i386.
So far I’ve downloaded audit-userspace from GitHub[1] and I’ve faced a couple of problems:
1. README says that I should consult the README-install file. I cannot see this file. Where is it?
2. I consulted the INSTALL.tmp and since I’ve not got any ./configure file inside my clone I deduced I’ve got to run ./autogen.sh. I was missing some dependencies so I ran `yum install autoconf automake libtool`.
Then I ran `./configure --sbindir=/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes` but the command failed. This is a part of the log I got (the full log file is available here[2]):
configure: WARNING: unrecognized options: --with-libcap-ng
...
Checking for programs
...
./configure: line 13130: AX_PROG_CC_FOR_BUILD: command not found
...
Checking for header files
...
checking for python... /usr/bin/python
checking for python version... 2.6
checking for python platform... linux2
checking for python script directory... ${prefix}/lib/python2.6/site-packages
checking for python extension module directory... ${exec_prefix}/lib/python2.6/site-packages
configure: error: Python explicitly requested and python headers were not found
Have you got any idea what the problem is?
Is there an easier way to get the latest Linux Audit version on my system?
Cheers!
-m
[1]: https://github.com/linux-audit/audit-userspace
[2]: http://pastebin.com/jd7ZSmLV
[Logs in a raw txt format]: http://pastebin.com/raw/Jd7ZSmLV
audit 2.6.6 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Interpret ioctlcmd fields
- Fix the permission of the audit logging directory
- Fix timeout in autrace better
- Add gitignore file to ignore generated files if using git (Richard Guy Briggs)
- audit_log_user_comm_message now resolves comm if NULL is passed
- Update syscall table
- Fix multi-key support in auparse which was broken in tty escape bug fix
- Add multi-key support for syscall rules
This is a bug fix release. I didn't want to wait too long after the directory
permission problem was discovered, but I did want to give a little time in
case there was anything else discovered. The main issue fixed in this release
is the audit log directory permissions. If a group was given for log_group in
auditd.conf, the audit daemon gave write permissions on the directory to the
group. This appears to have started in the 2.6.1 release.
The autrace program was timing out too quickly waiting to check rules. It now
uses the select syscall to wait on rules.
The multi-key support that was added for IDS purposes with prelude was found
to have been broken by the tty escape bug fix. In troubleshooting that, I found
that it was not supported on the "new style" audit rules. So, that has been
fixed so that you can put multiple keys on syscall rules. Multiple key support
was fixed, but to do it right meant that the field type had to change from
AUPARSE_TYPE_ESCAPED to AUPARSE_TYPE_ESCAPED_KEY.
Please let me know if you run across any problems with this release.
-Steve
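As an added illustration of two details in these posts, the unset-loginuid sentinel that the sessionid/loginuid_set cover letter refers to and the multi-key field this release note describes, the following Python is not code from the audit-userspace project. The records are constructed, and the hex-with-0x01 multi-key encoding and the 4294967295 sentinel are assumptions about the log format made here.

```python
import re

# Value the kernel reports for an unset loginuid (auid) or session id (ses):
# (unsigned int)-1, the in-band sentinel the cover letter refers to (assumption).
UNSET = 4294967295

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return a dict of field -> raw value for one audit record."""
    return dict(FIELD_RE.findall(line))

def decode_keys(raw):
    """Decode a key= value into a list of rule keys.

    A single key is written quoted (key="foo"). Assumption: when a rule carries
    several keys, auditd hex-encodes the field and separates keys with 0x01,
    which is what AUPARSE_TYPE_ESCAPED_KEY interprets. key=(null): no keyed rule.
    """
    if raw == "(null)":
        return []
    if raw.startswith('"'):
        return [raw.strip('"')]
    return bytes.fromhex(raw).decode("ascii").split("\x01")

def id_is_set(raw):
    """loginuid_set / sessionid_set semantics: anything but the sentinel is set."""
    return int(raw) != UNSET

def summarize(line):
    """Apply the two interpretations above to one record."""
    rec = parse_record(line)
    return {
        "auid_set": id_is_set(rec["auid"]),
        "ses_set": id_is_set(rec["ses"]),
        "keys": decode_keys(rec.get("key", "(null)")),
    }

# Constructed sample records (not taken from the page or a real system).
SAMPLE = [
    'type=SYSCALL msg=audit(1470000000.123:45): syscall=2 success=yes auid=1000 ses=4 comm="cat" key="access"',
    'type=SYSCALL msg=audit(1470000000.124:46): syscall=2 success=yes auid=1000 ses=4 comm="cat" key=6B65795F6F6E65016B65795F74776F',
    'type=SYSCALL msg=audit(1470000000.125:47): syscall=2 success=yes auid=4294967295 ses=4294967295 comm="cron" key=(null)',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(summarize(line))
```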