quick update on patch progress
by Timothy R. Chavez
Hello,
I see that the latest user space tool which includes the new audit
listing mechanism, transport structure, etc is not working with either
the audit.28 kernel nor my own linux-2.6.12-rc2-mm1 kernel. this being
the case, i'm going to take the time to just synchronize with the user
tool on how the transport is being packed and unpacked. i've a good
feeling this is the origin of the problem.
i'll report back tommorow.
-tim
19 years, 8 months
Configuration documentation
by Javier Godinez
Anyone,
Does anyone know where I can find documentation on how to configure auditd?
Any help would be appreciated, I need auditd to log the following events:
1) Failed attempts to access files and programs.
2) Users attempts to deleted files and programs.
3) All administrative actions.
4) All security actions.
5) Successful and unsuccessful use of privileged commands.
6) Application and session initiation.
7) All uses of the chown command.
I know these sound kind of vage, but if anyone if familiar with DISA
they should know what I am talking about. Initially we were using LaUS
under RHEL3, but with RHEL4, we are dead in the water.
Again any help would be really appreciated, Javier Godinez
19 years, 8 months
audit.28 kernel
by David Woodhouse
Again on ftp://zeniv.uk.linux.org/pub/people/dwmw2/audit/
* Tue May 3 2005 David Woodhouse <dwmw2(a)redhat.com> audit.28
- Drop signal-logging patch in favour of Steve's version.
- Fix skb reuse corruption.
- Add unrelated serial patch for i686 test box.
- Reenable s390/s390x
--
dwmw2
19 years, 8 months
[RFC] Testcase Scenarios for Auditfs Code
by Loulwa F Salem
These are the testcases I am writing to test the code Tim is providing for
the audit filesystem. The testcases will be included in LTP.
These cases are meant to cover the CAPP requirements. there is some FVT
testing covered as well, but that still needs to be expanded to test the
permissions and boundary cases (watch fields lengths, invalid fields ...
etc).
Please give feedback if you can think of any scenarios that I have not
considered, or modifications that I need to implement.
Thanks
- Loulwa
Test 1 : Access watched file by opening it (file already exists)
Expected: 1 watch records for file access/open
Test 2 : Create a watched file (file created after watch is inserted)
Expected: 1 watch records for open() with regards to file
creation
Test 3 : Create hard link to a watched file and then access it by opening
it for read
Expected: 1 watch record for open() on original file
Test 4 : Create hard link to an unwatched file, watch file, then access
hard link by opening it for read
Expected: 1 watch record for open() on original file
Test 5 : Create hard link to watched file, delete watched file, then
access hard link by opening it for read
Expected: No watch record
Test 6 : Recreate a watched file that has been deleted previously
Expected: 1 watch record for unlink() with regards to file
deletion
Expected: 1 watch record for open() with regards to file
recreation
Test 7 : Recreate a watched file that has been deleted previously
(creating hardlink to it first, so on recreation we are
certain we get new inode number)
Expected: 1 watch record for unlink() with regards to file
deletion
Expected: 1 watch record for open() with regards to file
recreation
Test 8 : Delete a watched file
Expected: 1 watch record for file deletion
Test 9 : Remove a watched directory
Expected: 1 watch record for rmdir() with respect to
directory removal
Test 10 : copy a watched file to unwatched name (copy out) - access
through new name
Expected: 1 watch record for original file access/open
Expected: No record for accessing through new name
Test 11 : copy a file to a watched name (copy in) - access through new
name
Expected: 1 record for file creation in new name
Expected: 1 record for new file access/open
Test 12 : Move a watched file out of a watched location and access by
opening it for read
Expected: 1 watch record for rename() with regards to
moving out of a watched location.
Expected: No watch record for new file open()
Test 13 : Move a watched file into a watched location and access by
opening it for read
Expected: 1 record for rename() with regards to moving out
of a watched location.
Expected: 1 watch record for open() in new location
Test 14 : Move a directory having a watched file - access file in new
location
Expected: No watch record
19 years, 8 months
Adding a key to syscall rules
by Steve Grubb
Hello,
I wanted to bring something up. Currently, we have the ability to add a custom
"tag" or key to filesystem auditing rules. I got to thinking that this should
also be done for syscall auditing. This way, admins can set a rule with a
custom key and search for it later. (I have to write the search code.)
Besides being useful, I think this should be done for symmetry between
syscall & filesystem auditing as well.
-Steve
19 years, 8 months