On Thu, 2005-03-31 at 12:24 -0600, Timothy R. Chavez wrote:
:: Tools ::
To enable the kernel functionality one will need to download the audit-0.6.9
source tree (http://people.redhat.com/sgrubb/audit/) and apply the attached
patch. Read the README-install file for installation instructions. If the
audit daemon is not running (also included in this package), then audit
records will appear in /var/log/syslog rather than /var/log/audit.log. Use
the "auditctl" tool for inserting, removing, and listing watches.
Note: At the time of writing this e-mail the user space / kernel space
interaction is not yet complete. For instance, I'd eventually like to add
serialization routines to both spaces to pass "watch" structures more easily.
There is also talk about another type of watch listing feature that can list
all the watches present in memory.
This one was also line-wrapped, but I fixed it up by hand. After
rebuilding auditctl, I again tried my trusty test case:
auditctl -e 1
auditctl -w /etc/shadow -p w -k SHADOW
passwd
I'm not sure why yet, but I end up with three different inode numbers
involved in the resulting audit messages, two different ones for the two
auxitem records on the shadow watch (which both have name "shadow"), and
a third inode number listed for both /etc/nshadow and /etc/shadow on the
regular item list collected during pathname resolution. For the watch-
generated ones, I expected the same inode number (since it is a rename
and involves no change); for the regular items, I expected
the /etc/nshadow inode number to correspond with that same inode number
(since it is the file that is renamed to /etc/shadow), with
the /etc/shadow inode number being the original inode number of the old
file. Seems to bear investigation...
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
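An added illustration, not part of the thread, of the inode expectation stated above: it mimics the write-to-nshadow-then-rename sequence in a scratch directory (file names, contents and the directory are constructed; nothing touches the real /etc) and reports the inode numbers involved, showing that the path /etc/shadow ends up with the former nshadow inode while the original shadow inode is no longer reachable by name.

```python
import os
import tempfile


def simulate_passwd_rename(etc_dir):
    """Mimic the replace-by-rename update pattern in a constructed directory.

    Returns the inode numbers of the original shadow file, the temporary
    nshadow file, and the file found at the shadow path after the rename.
    """
    shadow = os.path.join(etc_dir, "shadow")
    nshadow = os.path.join(etc_dir, "nshadow")

    # Original file: this is the inode a watch inserted on the path would see.
    with open(shadow, "w") as f:
        f.write("root:old-hash:0:0:99999:7:::\n")  # constructed sample content
    old_shadow_ino = os.stat(shadow).st_ino

    # New contents are written to a separate file (a second, distinct inode).
    with open(nshadow, "w") as f:
        f.write("root:new-hash:0:0:99999:7:::\n")  # constructed sample content
    nshadow_ino = os.stat(nshadow).st_ino

    # The rename moves only the directory entry; no data is copied, so the
    # inode behind the shadow path is now the one that was nshadow.
    os.replace(nshadow, shadow)
    new_shadow_ino = os.stat(shadow).st_ino

    # Is the original inode still reachable under any name in the directory?
    remaining = {e.inode() for e in os.scandir(etc_dir)}
    old_still_linked = old_shadow_ino in remaining

    return {
        "old_shadow": old_shadow_ino,
        "nshadow": nshadow_ino,
        "new_shadow": new_shadow_ino,
        "old_still_linked": old_still_linked,
    }


def run_demo():
    """Run the simulation in a throwaway directory and return its inode report."""
    with tempfile.TemporaryDirectory() as scratch:
        return simulate_passwd_rename(scratch)


if __name__ == "__main__":
    print(run_demo())
```

A watch keyed on the inode recorded at insertion time therefore stops corresponding to the path after the update, which is why a path-based watch must be re-resolved rather than pinned to one inode.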