Hi,
Here are the steps I've gone through for making the audit package work
with SuSE 10.1. If someone wants to point out some really bad things
I've done, feel free. I suspect that I've cut some corners that aren't
safe, but this seems to work.
This is a kludgey way to get things done, but it's working for now,
and these steps might help other folks do a better job of getting SuSE
10.1 and the audit utilities to play well together.
My hope is that by the time I need to go live with the site,
there will be an out-of-the-box solution to the problems.
I'm using stock 10.1, with the online updates, and Audit 1.2.5.
I install from the downloadable CD-ROM set.
1) Base install with C/C++ Development, and kernel development.
Do the online update as part of the install. (Is there an easy
way to get a snapshot of the updates as an ISO?)
2) Install 2.6.17.6 kernel source. I got the tarball from:
http://linux.softpedia.com/progDownload/Linux-Kernel-Download-1960.html
Untar, remove the old 'linux' link and create a new symlink
to the new kernel directory.
3) make oldconfig;
Take all defaults.
4) edit arch/i386/Makefile,
set FDINITRD flag = 1
There's probably a better way to do this, but this worked. It
wasn't necessary 2 weeks ago, and may not be necessary in the future,
but without that flag the kernel gets built but no initrd is
constructed, and the kernel won't boot.
5) Build and install kernel;
make; make modules; make install; make modules_install
6) Reboot to new kernel.
7) Install swig and python-devel using Yast2
8) Install the new kernel headers. I got these from:
http://rpm.pbone.net/index.php3/stat/26/dist/0/size/728548/name/glibc-ker...
I extracted the tar bz2 file with rpm2cpio, and then untarred
that file to install the headers.
This is one step that I think is very suspect. I'm not sure where these
headers are referenced, and which code is using what.
I've tried building the 2.6.17 kernel with both the original headers
and the new ones and seen no difference in behavior, but I might have
just not done a test that would exercise the trouble spots.
9) Extract the audit 1.2.5 code.
10) Rebuild the configure script, configure, make and install.
I follow the cut/paste instructions in README-install
autoreconf -fv --install, etc.
11) Edit /etc/init.d/auditd
Remove the -n flag that's added for AUDITD_DISABLE_CONTEXTS
under the start case. I don't think the -n option
is supported in 1.2.5, and when it's there, the output messages
go to /var/log/messages instead of /var/log/audit/audit.log.
Add
/sbin/auditctl -D
to the stop method. This gets rid of
an interminable set of messages to the screen during halt.
This is another thing that I think is suspect. Can a halt
be aborted once it's reached the K15auditd stage of shutdown?
If so, this is a security hole that would allow an unprivileged
user to disable auditing, if not, then it should be fine.
12) Install my audit.rules - I'm using all of the -a rules from
the sample capp.rules set.
13) Create /etc/audit and copy /etc/auditd.conf and audit.rules
to it. Again, I think this step could be avoided by proper
use of various compile time flags, but this works.
--
.... Clif Flynt ...
http://www.cflynt.com ... clif(a)cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
..13th Annual Tcl/Tk Conference: Oct 9-13, 2006, Chicago, IL ..
.............
http://www.tcl.tk/community/tcl2006/ ............
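As an added example (not part of the original post, and not SuSE's or the audit project's code), the following POSIX shell script applies the two /etc/init.d/auditd edits from step 11 non-interactively: it strips the "-n" that the AUDITD_DISABLE_CONTEXTS branch appends under the start case, and it inserts "/sbin/auditctl -D" into the stop case. The init script it operates on is a constructed sample shaped like a SuSE-style script (variable names such as EXTRAOPTIONS, startproc and killproc are assumptions); the real SuSE 10.1 file may differ, so diff the output before installing it.

```sh
#!/bin/sh
# Added example: apply the step-11 edits to a copy of /etc/init.d/auditd.
#   1. drop the " -n" appended to EXTRAOPTIONS when AUDITD_DISABLE_CONTEXTS is set
#   2. add "/sbin/auditctl -D" to the stop case
# The sample init script below is CONSTRUCTED; it is not the real SuSE script.

# Write a constructed sample init script to the path given in $1.
write_sample_initd() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample, not the real SuSE 10.1 /etc/init.d/auditd
. /etc/sysconfig/auditd
case "$1" in
    start)
        if test "$AUDITD_DISABLE_CONTEXTS" = "yes"; then
            EXTRAOPTIONS="$EXTRAOPTIONS -n"
        fi
        startproc /sbin/auditd $EXTRAOPTIONS
        ;;
    stop)
        killproc -TERM /sbin/auditd
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        ;;
esac
EOF
}

# Print a patched copy of the init script $1 to stdout (input is left untouched).
patch_auditd_initd() {
    awk '
        # Edit 1: strip a trailing " -n" from the EXTRAOPTIONS assignment.
        /EXTRAOPTIONS=.*-n"/ { sub(/ -n"/, "\"") }
        # Remember when we enter the stop) branch of the case statement.
        /^[[:space:]]*stop\)/ { in_stop = 1 }
        # Edit 2: inside the stop branch, insert auditctl -D just before ";;".
        in_stop && /^[[:space:]]*;;/ {
            print "        /sbin/auditctl -D   # delete all rules so halt is quiet"
            in_stop = 0
        }
        { print }
    ' "$1"
}

# Return 0 if the patched output of $1 has no "-n" option left and exactly one
# auditctl -D line, and that line sits inside the stop branch.
check_patched() {
    out=$(patch_auditd_initd "$1")
    printf '%s\n' "$out" | grep -q -- '-n"' && return 1
    [ "$(printf '%s\n' "$out" | grep -c '/sbin/auditctl -D')" -eq 1 ] || return 1
    printf '%s\n' "$out" | awk '
        /^[[:space:]]*stop\)/ { s = 1 }
        /auditctl -D/ && s   { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage: ./patch-auditd.sh /etc/init.d/auditd > /tmp/auditd.new
#        diff /etc/init.d/auditd /tmp/auditd.new, then install the new copy.
if [ "$#" -eq 1 ]; then
    patch_auditd_initd "$1"
fi
```

The script never edits the file in place; it prints the patched copy so the change can be reviewed with diff before replacing the installed init script.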