Re: [PATCH] audit: convert status version to a feature bitmap
On Monday, November 17, 2014 11:09:08 AM Paul Moore wrote:
On Friday, November 14, 2014 10:32:51 PM Richard Guy Briggs wrote:
> On 14/11/13, Steve Grubb wrote:
> > On Thursday, November 13, 2014 08:08:52 PM Richard Guy Briggs wrote:
> > The audit 2.4.1 package has been pushed to everything from F20 ->
> > rawhide.
> > If you don't see any problems, then its safe. But check carefully around
> > the things that you did change. Right now, we only are caring about only
> > one kernel feature, --loginuid-immutable. Check that it still works,
> > auditctl -s.
>
> Here's my output, which I assume looks sane:
Yeah, but how do we know its really selecting the right feature?
> [root@f20 ~]# rpm -q audit
> audit-2.4.1-1.fc20.x86_64
> [root@f20 ~]# auditctl -s
> enabled 1
> flag 1
> pid 307
> rate_limit 0
> backlog_limit 320
> lost 0
> backlog 0
> backlog_wait_time 60000
> loginuid_immutable 0 unlocked
Looks like good output to me, Steve?
I would like it better if the following was tested as root:
auditctl -s
echo "1" > /proc/self/loginuid
auditctl --loginuid-immutable
auditctl -s
echo "2" > /proc/self/loginuid
This was we know that the feature is correctly reported, selected, and
working.
-Steve