On Thursday 01 February 2007 09:59, Stephen Smalley wrote:
> > Assuming current generation of audit code...
> >
> > auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
>
> Hmmm...on FC6, that yields an error from auditctl:
> key option needs a watch or syscall given prior to it

Ooops, that should be:

auditctl -a exit,always -F perm=w -F obj_type=bin_t -F key=executable

> Dropping the -k option avoids the error message, but overwriting a bin_t
> file doesn't generate any audit message. Similarly, adding a -S open
> avoids the error message while retaining the -k, but overwriting a bin_t
> file doesn't generate any audit message. Not sure where the problem
> lies there.

OK, we should look into this.

> Also, he mentioned RHEL 4 as his platform, so I would tend to think that
> his kernel and auditctl wouldn't support this anyway.

If so, it won't.

> So he may be limited to using auditallow statements in policy, which is
> certainly legitimate use of them (although I understand your goal of
> centralizing audit configuration).
Well, not just centralizing configuration, but that it's actually fit for
its purpose. :)
-Steve
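The thread's open question is whether the obj_type rule actually produces events for writes to bin_t files. The script below is an added example, not part of the thread or the audit project: it shows how one would check the audit log for exactly that, by correlating each SYSCALL record tagged key="executable" with the PATH record of the same event (same serial in msg=audit(timestamp:serial)) and reporting only successful syscalls whose object context has type bin_t. The audit records are constructed for this example, the function names bin_t_writes and count_bin_t_writes are mine, and the only assumption is the standard Linux audit text layout (key=, success=, comm=, name=, obj= fields), which ausearch -i or a raw audit.log both provide.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that an audit rule keyed
# "executable" is producing events for successful writes to bin_t files.
# The records below are constructed to look like raw audit.log lines.
SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1170348000.123:4501): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2345 auid=500 uid=0 comm="cp" exe="/bin/cp" subj=root:system_r:unconfined_t:s0 key="executable"
type=PATH msg=audit(1170348000.123:4501): item=0 name="/bin/ls" inode=12345 dev=08:01 mode=0100755 ouid=0 ogid=0 obj=system_u:object_r:bin_t:s0
type=SYSCALL msg=audit(1170348000.456:4502): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2350 auid=501 uid=501 comm="vi" exe="/bin/vi" subj=user_u:system_r:unconfined_t:s0 key="executable"
type=PATH msg=audit(1170348000.456:4502): item=0 name="/bin/cat" inode=12346 dev=08:01 mode=0100755 ouid=0 ogid=0 obj=system_u:object_r:bin_t:s0
type=SYSCALL msg=audit(1170348000.789:4503): arch=c000003e syscall=2 success=yes exit=4 items=1 pid=2360 auid=500 uid=0 comm="vi" exe="/bin/vi" subj=root:system_r:unconfined_t:s0 key="config"
type=PATH msg=audit(1170348000.789:4503): item=0 name="/etc/motd" inode=22222 dev=08:01 mode=0100644 ouid=0 ogid=0 obj=system_u:object_r:etc_t:s0
EOF
)

# Read audit records on stdin; print "serial comm path" for every event whose
# SYSCALL record succeeded under key "executable" and whose PATH record names
# a file with SELinux type bin_t. A SYSCALL and its PATH records share a serial.
bin_t_writes() {
    awk '
    {
        # serial number sits between the ":" and ")" of msg=audit(ts:serial)
        serial = $0
        sub(/.*msg=audit\([0-9.]+:/, "", serial)
        sub(/\).*/, "", serial)
    }
    $1 == "type=SYSCALL" && index($0, "key=\"executable\"") && index($0, " success=yes ") {
        comm = $0
        sub(/.*comm="/, "", comm)
        sub(/".*/, "", comm)
        ok[serial] = comm          # successful syscall that hit the rule
    }
    $1 == "type=PATH" && index($0, ":bin_t:") {
        name = $0
        sub(/.*name="/, "", name)
        sub(/".*/, "", name)
        hit[serial] = name         # object context type is bin_t
    }
    END {
        for (s in ok) if (s in hit) print s, ok[s], hit[s]
    }'
}

# Number of confirmed bin_t writes in the constructed sample; a rule that is
# loaded but not firing would leave this at zero.
count_bin_t_writes() {
    printf '%s\n' "$SAMPLE_LOG" | bin_t_writes | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | bin_t_writes
echo "bin_t writes: $(count_bin_t_writes)"
```

Only event 4501 is reported: 4502 is a denied write (success=no), so it would appear under a plain -k search but is not a modification, and 4503 carries a different key and an etc_t object. On a real system, feed the function with `ausearch -k executable --raw` after a controlled write to a bin_t file; an empty result with the rule loaded reproduces the symptom described in the thread.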