undefined reference to `capng_save_state' - linking e4rat-collect
by Александр Демидов
Hello
I am trying to use a new application, e4rat.
My OS: ArchLinux
I installed audit with static libs to resolve building the e4rat application.
But when building e4rat-collect, I got this error:
[ 52%] Linking CXX executable ../e4rat-collect
/usr/lib/gcc/x86_64-pc-linux-gnu/6.2.1/../../../../lib/libaudit.a(libaudit.o):
In function `audit_can_control':
(.text+0x25f6): undefined reference to `capng_save_state'
I see in https://svn.fedorahosted.org/svn/audit/trunk/lib/libaudit.c the
code
int audit_can_control(void)
{
#ifdef HAVE_LIBCAP_NG
void *state = capng_save_state();
But I don't understand where the error is: in audit or in e4rat?
If that error is a bug in e4rat
(https://wiki.archlinux.org/index.php/E4rat), please tell me and I will write to
the e4rat developers, if audit is clean.
--
Best regards,
Александр Демидов
8 years, 3 months
audit 2.6.7 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Non-active log files should be read only
- In augenrules, restore the selinux context if restorecon is installed
- Update gitignore file and remove ltmain.sh (Richard Guy Briggs)
- Replace Group Separator with whitespace in syslog audispd plugin
- In auditd, check for euid rather than capabilities when local_events = no
- If events are piped from ausearch to audisp-remote, flush queue when done
- In auditctl, correct handling of -F key so that key is not part of value
- In auparse, move static variables to auparse_state_t
This update is probably the last of the 2.6 series. New development will begin
aiming new features towards a future 2.7 release.
This update fixes the file permissions on non-active logs. Augenrules now
restores the selinux context of the rules file. This is only an issue for MLS
systems. The Group Separator used in enriched events has been replaced by a
whitespace character for syslog.
When auditd is run from some containers that do not support audit
collection, it also runs auditd unprivileged. This makes auditd fail, so it
switches to doing euid checks for this scenario.
It was also found that the very last record was not being sent when a file was
cat'ed into audisp-remote for remote collection. It now handles this
correctly.
And it was found that a bug was introduced in the 2.6.6 release where support
for multi-keys was fixed. It was also sending the field name into the kernel
when doing syscall rules with keys.
Please let me know if you run across any problems with this release.
-Steve
8 years, 3 months
adding rules after setting rules immutable
by warron.french
While working with RHEL-6 and RHEL-7 systems, and understanding that you
can set rules to immutable by adding *-e 2* to the end of the audit.rules
file(s) I realized something.
If I want to add rules to a system due to new IT Governance, I might have
to reboot every machine that gets the newly added rules.
Is this true, or can I get away with simply executing, on both versions of
RHEL (6 and 7):
augenrules --check
augenrules --load
I ask, because I want to write some puppet code that is smart enough to
ensure the rules are put into place. Do I really have to reboot a server
in the middle of a work day or can I work around it with the use of the
*augenrules* commands as listed above?
Thanks in advance,
--------------------------
Warron French
8 years, 3 months
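Added example (not part of the thread above, and not audit's or Puppet's own code): the decision a configuration-management run has to make before pushing new rules. Per auditctl(8), `-e 2` locks the audit configuration until the next boot, and `auditctl -s` reports the lock as `enabled 2`; once locked, `augenrules --load` cannot change the loaded rules. The script reads a captured `auditctl -s` output and the rule files augenrules would merge, and returns which path is open. The status text, the rule files and the function names are constructed for this example; the `enabled N` line format follows auditctl's output.

```python
import re

# Constructed sample of `auditctl -s` output on a host whose configuration has
# been locked with `-e 2` (modelled on auditctl's format, not captured from a host).
SAMPLE_STATUS_LOCKED = """\
enabled 2
failure 1
pid 742
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
"""

# Same host before the lock took effect (enabled 1 = auditing on, not locked).
SAMPLE_STATUS_OPEN = SAMPLE_STATUS_LOCKED.replace("enabled 2", "enabled 1")

# Constructed rule files as augenrules would merge them from /etc/audit/rules.d/
# (file name -> content); the last file locks the configuration.
SAMPLE_RULES_D = {
    "10-base.rules": "-D\n-b 8192\n-w /etc/passwd -p wa -k identity\n",
    "20-governance.rules": "## newly added governance rules\n"
                           "-w /etc/sudoers -p wa -k privileged\n",
    "99-finalize.rules": "# lock the configuration\n-e 2\n",
}


def audit_enabled_flag(auditctl_status: str) -> int:
    """Return the 'enabled' value from `auditctl -s` output (0, 1 or 2).

    2 means the running configuration is immutable until reboot.
    """
    m = re.search(r"^enabled\s+(\d+)\s*$", auditctl_status, re.MULTILINE)
    if m is None:
        raise ValueError("no 'enabled' line found in auditctl -s output")
    return int(m.group(1))


def rules_request_lock(rule_files: dict) -> bool:
    """True if any active (non-comment) line in the rule files is '-e 2'."""
    for name in sorted(rule_files):            # augenrules merges files in sorted order
        for raw in rule_files[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue                        # blank line or comment
            if re.fullmatch(r"-e\s+2", line):
                return True
    return False


def plan_rule_update(auditctl_status: str, rule_files: dict) -> str:
    """Decide how newly added rules can reach the running kernel.

    reboot_required            : kernel already locked (enabled 2); augenrules
                                 --load cannot change the loaded rules.
    augenrules_load_then_locked: not locked yet, but the files end with -e 2,
                                 so this load is the last one without a reboot.
    augenrules_load            : not locked; augenrules --load applies now.
    """
    if audit_enabled_flag(auditctl_status) == 2:
        return "reboot_required"
    if rules_request_lock(rule_files):
        return "augenrules_load_then_locked"
    return "augenrules_load"


if __name__ == "__main__":
    for label, status in (("locked host", SAMPLE_STATUS_LOCKED),
                          ("unlocked host", SAMPLE_STATUS_OPEN)):
        print(f"{label}: {plan_rule_update(status, SAMPLE_RULES_D)}")
```

In a real run the status string would come from `subprocess.run(["auditctl", "-s"], capture_output=True, text=True).stdout` and the rule files from `/etc/audit/rules.d/`; the decision logic stays the same. The practical consequence for the Puppet code: a host whose ruleset is already immutable needs a scheduled reboot to pick up additions, while a host that is not yet locked can take `augenrules --load` now.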
[GIT PULL] Audit fixes for v4.8
by Paul Moore
Hi Linus,
Two small patches to fix some bugs with the audit-by-executable
functionality we introduced back in v4.3 (both patches are marked for
the stable folks). Please consider these fixes for v4.8.
Thanks,
-Paul
---
The following changes since commit 43761473c254b45883a64441dd0bc85a42f3645c:
audit: fix a double fetch in audit_log_single_execve_arg()
(2016-07-20 14:15:46 -0400)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.8
for you to fetch changes up to 5efc244346f9f338765da3d592f7947b0afdc4b5:
audit: fix exe_file access in audit_exe_compare (2016-08-31 16:16:35 -0400)
----------------------------------------------------------------
Mateusz Guzik (2):
mm: introduce get_task_exe_file
audit: fix exe_file access in audit_exe_compare
fs/proc/base.c | 7 +------
include/linux/mm.h | 1 +
kernel/audit_watch.c | 8 +++++---
kernel/fork.c | 23 +++++++++++++++++++++++
4 files changed, 30 insertions(+), 9 deletions(-)
--
paul moore
security @ redhat
8 years, 4 months