Linux-audit May 2005

linux-audit@lists.linux-audit.osci.io

22 participants
66 discussions

by Timothy R. Chavez

Hello, I see that the latest user space tool which includes the new audit listing mechanism, transport structure, etc is not working with either the audit.28 kernel nor my own linux-2.6.12-rc2-mm1 kernel. this being the case, i'm going to take the time to just synchronize with the user tool on how the transport is being packed and unpacked. i've a good feeling this is the origin of the problem. i'll report back tommorow. -tim

21 years

1
0
0 / 0

Configuration documentation

by Javier Godinez

Anyone, Does anyone know where I can find documentation on how to configure auditd? Any help would be appreciated, I need auditd to log the following events: 1) Failed attempts to access files and programs. 2) Users attempts to deleted files and programs. 3) All administrative actions. 4) All security actions. 5) Successful and unsuccessful use of privileged commands. 6) Application and session initiation. 7) All uses of the chown command. I know these sound kind of vage, but if anyone if familiar with DISA they should know what I am talking about. Initially we were using LaUS under RHEL3, but with RHEL4, we are dead in the water. Again any help would be really appreciated, Javier Godinez

21 years

2
2
0 / 0

audit.28 kernel

by David Woodhouse

Again on ftp://zeniv.uk.linux.org/pub/people/dwmw2/audit/ * Tue May 3 2005 David Woodhouse <dwmw2(a)redhat.com> audit.28 - Drop signal-logging patch in favour of Steve's version. - Fix skb reuse corruption. - Add unrelated serial patch for i686 test box. - Reenable s390/s390x -- dwmw2

21 years

1
0
0 / 0

[RFC] Testcase Scenarios for Auditfs Code

by Loulwa F Salem

These are the testcases I am writing to test the code Tim is providing for the audit filesystem. The testcases will be included in LTP. These cases are meant to cover the CAPP requirements. there is some FVT testing covered as well, but that still needs to be expanded to test the permissions and boundary cases (watch fields lengths, invalid fields ... etc). Please give feedback if you can think of any scenarios that I have not considered, or modifications that I need to implement. Thanks - Loulwa Test 1 : Access watched file by opening it (file already exists) Expected: 1 watch records for file access/open Test 2 : Create a watched file (file created after watch is inserted) Expected: 1 watch records for open() with regards to file creation Test 3 : Create hard link to a watched file and then access it by opening it for read Expected: 1 watch record for open() on original file Test 4 : Create hard link to an unwatched file, watch file, then access hard link by opening it for read Expected: 1 watch record for open() on original file Test 5 : Create hard link to watched file, delete watched file, then access hard link by opening it for read Expected: No watch record Test 6 : Recreate a watched file that has been deleted previously Expected: 1 watch record for unlink() with regards to file deletion Expected: 1 watch record for open() with regards to file recreation Test 7 : Recreate a watched file that has been deleted previously (creating hardlink to it first, so on recreation we are certain we get new inode number) Expected: 1 watch record for unlink() with regards to file deletion Expected: 1 watch record for open() with regards to file recreation Test 8 : Delete a watched file Expected: 1 watch record for file deletion Test 9 : Remove a watched directory Expected: 1 watch record for rmdir() with respect to directory removal Test 10 : copy a watched file to unwatched name (copy out) - access through new name Expected: 1 watch record for original file access/open Expected: No record for accessing through new name Test 11 : copy a file to a watched name (copy in) - access through new name Expected: 1 record for file creation in new name Expected: 1 record for new file access/open Test 12 : Move a watched file out of a watched location and access by opening it for read Expected: 1 watch record for rename() with regards to moving out of a watched location. Expected: No watch record for new file open() Test 13 : Move a watched file into a watched location and access by opening it for read Expected: 1 record for rename() with regards to moving out of a watched location. Expected: 1 watch record for open() in new location Test 14 : Move a directory having a watched file - access file in new location Expected: No watch record

21 years

6
11
0 / 0

Adding a key to syscall rules

by Steve Grubb

Hello, I wanted to bring something up. Currently, we have the ability to add a custom "tag" or key to filesystem auditing rules. I got to thinking that this should also be done for syscall auditing. This way, admins can set a rule with a custom key and search for it later. (I have to write the search code.) Besides being useful, I think this should be done for symmetry between syscall & filesystem auditing as well. -Steve

21 years

2
3
0 / 0

Re: audit syscall information

by Debora Velarde

Hi David, Which kernel version on ftp://ftp.uk.linux.org/pub/people/dwmw2/audit/kernel/ is the first to include the hooks you inserted to correctly log the arguments of the ipc syscalls? Thanks, debbie

21 years

2
6
0 / 0

← Newer
1
2
3
4
5
6
7
Older →

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit May 2005