On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
This is against the 2.2 release.
Thanks. I will apply this with probably a small change or two.
I wasn't able to get HEAD to compile (issues with mounttab.h that I didn't want
to run down because this is such a small patch).
For anyone not on Fedora, I would appreciate if you test what's in svn even if
it's just a quick build check. I am planning to release a new audit package soon.
The changelog may look small, but there are thousands of lines of code added or
modified. It's better to fix the headers before the release than after.
The next audit release has a new feature that I hope everyone will appreciate.
Ausearch and libauparse now have the ability to interpret the arguments being
passed to certain syscalls. I did this for a little over 40 syscalls:
*chmod
*chown
clock_settime
clone
creat
epoll_ctl
getrlimit
setrlimit
fchmod
fchmodat
fcntl
ipc
kill
mkdir
mkdirat
mknod
mmap
mount
mprotect
open
openat
personality
ptrace
recv
recvfrom
recvmmsg
recvmsg
rt_sigaction
setfsgid
setfsuid
setgid
setregid
setresgid
setresuid
setreuid
setuid
socket
socketcall
tgkill
tkill
So, now you get output like this:
type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap
success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC
a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=vbetool exe=/usr/sbin/vbetool
subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount
success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE
items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root
fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount
exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export
type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat
success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=O_RDONLY|O_NOCTTY|
O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832 auid=sgrubb uid=sgrubb
gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb
fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find
subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access
The idea is to reduce the need to go digging through header files to see what
arguments were being passed to some common and/or security related syscalls. In
the case where a uid/gid was being passed to the syscall, it's now interpreted
to the account name/group name.
-Steve
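To make concrete what the interpretation above does, here is an added example (not code from this thread or from the audit project) that takes a raw, uninterpreted SYSCALL record and turns the mmap and openat argument bitmasks into the same symbolic names shown in the ausearch output. The records are constructed to mirror the ones quoted above, and the flag values and syscall numbers are assumed from the x86_64 kernel headers.

```python
import re

# Constructed raw records, as auditd logs them before interpretation:
# syscall numbers and a0..a3 are hex, with no symbolic names.
RAW_MMAP = ("type=SYSCALL msg=audit(1302815908.953:3): arch=c000003e syscall=9 "
            "success=yes exit=61440 a0=f000 a1=502 a2=7 a3=11 items=0 pid=618 comm=vbetool")
RAW_OPENAT = ("type=SYSCALL msg=audit(1304622106.559:205): arch=c000003e syscall=257 "
              "success=no exit=-13 a0=5 a1=d93660 a2=10900 a3=0 items=1 pid=3832 comm=find")

# Flag tables assumed from x86_64 <sys/mman.h> and <fcntl.h>.
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
OPEN_FLAGS = {0x100: "O_NOCTTY", 0x800: "O_NONBLOCK", 0x10000: "O_DIRECTORY"}
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}


def decode_flags(value, table):
    """Render a bitmask as 'A|B'; bits the table does not know stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0x0"


def decode_open_flags(value):
    """open/openat: the low two bits are an access mode, the rest are flags."""
    return decode_flags(value & ~0x3, OPEN_FLAGS | {0: ACCESS_MODES[value & 0x3]}) \
        if False else "|".join([ACCESS_MODES[value & 0x3]] +
                               [n for b, n in sorted(OPEN_FLAGS.items()) if value & b])


# x86_64 syscall numbers (assumed) mapped to name and per-argument decoders.
SYSCALLS = {
    9: ("mmap", {"a2": lambda v: decode_flags(v, PROT_FLAGS),
                 "a3": lambda v: decode_flags(v, MAP_FLAGS)}),
    257: ("openat", {"a2": decode_open_flags}),
}


def interpret(record):
    """Parse key=value fields and interpret the syscall number and its arguments."""
    fields = dict(re.findall(r"(\w+)=(\S+)", record))
    name, decoders = SYSCALLS.get(int(fields["syscall"]), (fields["syscall"], {}))
    fields["syscall"] = name
    for arg, decode in decoders.items():
        fields[arg] = decode(int(fields[arg], 16))
    return fields
```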