[PATCH] audit: clear thread flag for new children
by Tony Jones
From: Tony Jones <tonyj(a)suse.de>
Minor performance enhancement.
Thread flag TIF_SYSCALL_AUDIT is not cleared for new children when audit
context creation has been disabled (auditctl -e0). This can cause new children
forked from a parent created when audit was enabled to not take the fastest
syscall path thru entry.S
Signed-off-by: Tony Jones <tonyj(a)suse.de>
---
kernel/auditsc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -814,8 +814,10 @@ int audit_alloc(struct task_struct *tsk)
struct audit_context *context;
enum audit_state state;
- if (likely(!audit_enabled))
+ if (likely(!audit_enabled)) {
+ clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
return 0; /* Return if not auditing. */
+ }
state = audit_filter_task(tsk);
if (likely(state == AUDIT_DISABLED))
17 years
Fields availability for each record type
by Klaus Heinrich Kiwi
People,
I know this may be a FAQ, but I need to map Linux audit
events/records/fields into a CSV with predefined column meanings,
possibly one event per line. ie.: userid; source; subject; action;
object;
I was thinking in using the python auparse library to do such thing.
Problem is, how can I know what fields each record type will have, and
what records can I expect from a certain event (I know there is no such
thing as event type, but would be good to know what other records are
available when, for example, a LOGIN or USYS_CONFIG record comes in).
Maybe I can accomplish the same thing with ausearch/aureport?
Thanks for any thoughts,
Klaus
17 years
stime(2) auditing on x86_64
by Todd, Charles
I was trying to get my system to pass a System Readiness Review (SRR)
from disa.mil and it would appear that stime(2) is not audited under
x86_64, either in v1.0.15 or v1.2.1 of auditd. I've looked at the
source code and stime(2) only seems to be audited on i386, ppc, and
s390. stime(2) is in my libc (nm /lib/libc.so.6 | grep stime).
Is this on purpose or is there something deeper? The full line of what
DISA expected me to configure is
-a exit,always -S stime -S acct -S reboot -S swapon
A careful observer will note that the CAPP suggested configuration
already captures adjtimex and settimeofday. I just want to pass my
test, but is there overlap here that I should push back on?
Thanks,
Charlie Todd
Ball Aerospace & Technologies Corp.
This message and any enclosures are intended only for the addressee. Please
notify the sender by email if you are not the intended recipient. If you are
not the intended recipient, you may not use, copy, disclose, or distribute this
message or its contents or enclosures to any other person and any such actions
may be unlawful. Ball reserves the right to monitor and review all messages
and enclosures sent to or from this email address.
17 years
which kernel config is required?
by MontyRee
Hello all.
My kernel is 2.6.19 at Centos 4.x.
and I have selected below kernel menu.
[*] Auditing support │ │[*] Enable system-call auditing support
But it seems that auditd doesn't works well.
Which menu should I select to use full audit function?
When I using rpm kernel, it works well.
Thanks in advance.
_________________________________________________________________
확 달라진 MSN 홈페이지, 지금 바로 만나보세요!
http://www.msn.co.kr
17 years
auditspd
by Ameel Kamboh
I was trying to find more information about auditspd and
What it is and what it is used for.
I am trying to evaluate the impact of this as a dispatcher when using
other
3rd part HIDS tools.
Thanks
Ameel Kamboh
17 years
Matt Weale/UK/CSC is out of the office.
by Matt Weale
I will be out of the office starting 19/10/2007 and will not return until
29/10/2007.
In my absence please contact Miguel Blasco or Alistair Doe.
17 years
max size of execve records
by Eric Paris
So I was banging on my new execve audit changes today and realized I
missed something. If the argument is binary/has control characters it
gets logged in hex, which means each char in the execve argument lists
gets turned into 2 characters in the audit message. Thus my current
execve message size of 7500 could be doubled to 15000 in audit_log_hex.
15000 will overflow userspace and that argument be silently dropped and
never written to disk :(
Do we see a problem dropping the execve record size down to 3500? The
downside to this is more overhead since we might be sending more
messages. I wonder though how many programs get exec'd with > 3500
bytes of args. I don't think we'll be flooding the audit system here,
its going to still be rare that we hit arguments of this size but not
unheard of. (it turns out that just building a kernel can generate some
darn large arguments if you build lots and lots of modules)
I really don't want to have to rewrite all of the
audit_log_untrustedstring logic inside the execve audit info just so I
can tell the final size of the audit message. I'd rather just be safe
and send a couple extra records on occasion....
As a side note I have no intention in the future of ever changing this
to be more than 8k just because order 2 allocations in the kernel are
reasonable even on a heavily loaded system, but asking for more than 2
pages can fail. Needless to say, I think when possible userspace needs
to be able to handle these larger netlink messages.
-Eric
17 years
building audit-1.6.x is broken in RHEL5[.x]
by Klaus Heinrich Kiwi
Miloslav,
I'm unable to build audit 1.6.x in RHEL5 or RHEL5 update1 (as of
snap8) using rpmbuild. I'm directing you this report as looks like the
problem lies in the system-config-audit package.
Seems like something is failing to replace @DATADIRNAME@ for 'share'
while intltoolize'ing, even though there's a m4 macro within
m4/gettext.m4 that says:
dnl For backward compatibility. Some Makefiles may be using this.
DATADIRNAME=share
AC_SUBST(DATADIRNAME)
However, rpmbuild --rebuild audit-1.6.1-1.src.rpm fails with:
----------
...
Making install in po
make[1]: Entering directory `/usr/src/redhat/BUILD/audit-1.6.1/system-config-audit/po'
/usr/src/redhat/BUILD/audit-1.6.1/system-config-audit/admin/install-sh -d /var/tmp/audit-1.6.1-root/usr/@DATADIRNAME@/locale
if test -n "cs"; then \
...
installing cs.gmo as /var/tmp/audit-1.6.1-root/usr/@DATADIRNAME(a)/locale/cs/LC_MESSAGES/system-config-audit.mo
...
+ /usr/lib/rpm/redhat/find-lang.sh /var/tmp/audit-1.6.1-root system-config-audit
No translations found for system-config-audit in /var/tmp/audit-1.6.1-root
error: Bad exit status from /var/tmp/rpm-tmp.55808 (%install)
----------
The translation is installed as '.../@DATADIRNAME@/locale/...' and
find-lang.sh tries to find '*/share/locale/*' translations.
Building in Fedora7 works (probably because of updated intltool package
- see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373643)
I don't understand why the AC_SUBST(DATADIRNAME) macro isn't working and
I'd like to build the package in an unmodified RHEL5 (GA) server. Anyone
have a clue on how to fix this? Isn't it worth fixing it upstream?
btw, why is there a 'Makefile.in.in~' file inside
system-config-audit/po?
Thanks,
Klaus H. Kiwi
17 years
[PATCH 8/8][v2] audisp-racf plugin - building and packaging
by Klaus Heinrich Kiwi
This patch brings the Makefiles and spec files integration. The spec
file builds the policy module for strict, targeted and mls modules,
installing the compiled .pp files
into /usr/share/selinux/{mls,strict,targeted}/racf.pp.
The mechanics for doing this is based on
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules, but
with a little change on how to get the %{selinux_policyver} variable
(reason: wasn't able to load policy built on RHEL5.1 on RHEL5 GA, even
though the policy version is the same - so we must also track for
package releases).
Using rpm to query the selinux-policy package version inside a spec file
is ugly - I know. Please tell me if you think of a better approach.
Signed-off-by: Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
diff -purN audit-1.6.2/audisp/plugins/Makefile.am audit-1.6.2_racf/audisp/plugins/Makefile.am
--- audit-1.6.2/audisp/plugins/Makefile.am 2007-09-12 14:25:13.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/Makefile.am 2007-10-10 10:26:18.000000000 -0300
@@ -22,5 +22,5 @@
CONFIG_CLEAN_FILES = Makefile.in *.loT *.rej *.orig
-SUBDIRS = builtins ids remote
+SUBDIRS = builtins ids remote racf
diff -purN audit-1.6.2/audisp/plugins/racf/Makefile.am audit-1.6.2_racf/audisp/plugins/racf/Makefile.am
--- audit-1.6.2/audisp/plugins/racf/Makefile.am 1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/racf/Makefile.am 2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,47 @@
+# Makefile.am--
+# Copyright (C) 2007 International Business Machines Corp.
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Authors:
+# Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
+#
+
+INCLUDES = -I.. -I${top_srcdir}/lib -I${top_srcdir}/auparse
+CONFIG_CLEAN_FILES = Makefile.in *.rej *.orig
+AUTOMAKE_OPTIONS = no-dependencies
+EXTRA_DIST = racf.conf audisp-racf.conf policy/racf.te policy/racf.fc policy/racf.if \
+ policy/build.sh policy/install.sh
+LIBS = -L${top_srcdir}/auparse -lauparse
+LDADD = -lpthread -lldap -llber
+disp_confdir = $(sysconfdir)/audisp
+plugin_confdir=$(disp_confdir)/plugins.d
+racf_plugin_conf = racf.conf
+racf_disp_conf = audisp-racf.conf
+sbin_PROGRAMS = audisp-racf
+
+noinst_HEADERS = racf-log.h racf-ldap.h racf-config.h racf-queue.h
+audisp_racf_SOURCES = racf-plugin.c racf-log.c racf-ldap.c racf-config.c racf-queue.c
+audisp_racf_CFLAGS = -W -Wall -Wundef -D_GNU_SOURCE
+
+install-data-hook:
+ mkdir -p -m 0750 ${DESTDIR}${plugin_confdir}
+ $(INSTALL_DATA) -D -m 640 ${srcdir}/$(racf_plugin_conf) ${DESTDIR}${disp_confdir}
+ $(INSTALL_DATA) -D -m 640 ${srcdir}/$(racf_disp_conf) ${DESTDIR}${plugin_confdir}
+
+uninstall-hook:
+ rm ${DESTDIR}${plugin_confdir}/$(racf_disp_conf)
+ rm ${DESTDIR}${disp_confdir}/$(racf_plugin_conf)
diff -purN audit-1.6.2/audit.spec audit-1.6.2_racf/audit.spec
--- audit-1.6.2/audit.spec 2007-09-25 08:46:49.000000000 -0300
+++ audit-1.6.2_racf/audit.spec 2007-10-10 10:48:58.000000000 -0300
@@ -1,4 +1,6 @@
%define sca_version 0.4.3
+%define selinux_variants mls strict targeted
+%define selinux_policyver %(rpm -q selinux-policy | sed -e 's,^selinux-policy-\\([^/]*\\)$,\\1,')
Summary: User space tools for 2.6 kernel auditing
Name: audit
@@ -53,18 +55,26 @@ Requires: %{name}-libs = %{version}-%{re
The audit-libs-python package contains the bindings so that libaudit
and libauparse can be used by python.
-##%package -n audispd-plugins
-##Summary: Plugins for the audit event dispatcher
-##License: GPLv2+
-##Group: System Environment/Daemons
-##Requires: %{name} = %{version}-%{release}
-##Requires: %{name}-libs = %{version}-%{release}
-
-##%description -n audispd-plugins
-##The audispd-plugins package provides plugins for the real-time
-##interface to the audit system, audispd. These plugins can do things
-##like relay events to remote machines or analyze events for suspicious
-##behavior.
+%package -n audispd-plugins
+Summary: Plugins for the audit event dispatcher
+License: GPLv2+
+Group: System Environment/Daemons
+BuildRequires: openldap-devel rpm
+BuildRequires: checkpolicy selinux-policy-devel
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-libs = %{version}-%{release}
+Requires: openldap
+%if "%{selinux_policyver}" != ""
+Requires: selinux-policy >= %{selinux_policyver}
+%endif
+Requires(post): /usr/sbin/semodule /sbin/restorecon
+Requires(postun): /usr/sbin/semodule
+
+%description -n audispd-plugins
+The audispd-plugins package provides plugins for the real-time
+interface to the audit system, audispd. These plugins can do things
+like relay events to remote machines or analyze events for suspicious
+behavior.
%package -n system-config-audit
Summary: Utility for editing audit configuration
@@ -78,12 +88,22 @@ An utility for editing audit configurati
%prep
%setup -q
+mkdir racf-policy
+cp -p audisp/plugins/racf/policy/racf.* racf-policy
%build
(cd system-config-audit; ./autogen.sh)
aclocal && autoconf && autoheader && automake
%configure --sbindir=/sbin --libdir=/%{_lib}
make
+cd racf-policy
+for selinuxvariant in %{selinux_variants}
+do
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+ mv racf.pp racf.pp.${selinuxvariant}
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -
%install
rm -rf $RPM_BUILD_ROOT
@@ -94,6 +114,12 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audi
mkdir -p $RPM_BUILD_ROOT/%{_var}/log/audit
make DESTDIR=$RPM_BUILD_ROOT install
make -C system-config-audit DESTDIR=$RPM_BUILD_ROOT install-fedora
+for selinuxvariant in %{selinux_variants}
+do
+ install -d $RPM_BUILD_ROOT/%{_datadir}/selinux/${selinuxvariant}
+ install -p -m 644 racf-policy/racf.pp.${selinuxvariant} \
+ $RPM_BUILD_ROOT/%{_datadir}/selinux/${selinuxvariant}/racf.pp
+done
mkdir -p $RPM_BUILD_ROOT/%{_libdir}
# This winds up in the wrong place when libtool is involved
@@ -124,13 +150,24 @@ touch -r ./audit.spec $RPM_BUILD_ROOT/et
# Remove the plugin stuff for now
rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/au-ids.conf
rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/remote.conf
+##rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/audisp-racf.conf
+##rm -f $RPM_BUILD_ROOT/etc/audisp/racf.conf
rm -f $RPM_BUILD_ROOT/sbin/audisp-ids
+##rm -f $RPM_BUILD_ROOT/sbin/audisp-racf
%clean
rm -rf $RPM_BUILD_ROOT
%post libs -p /sbin/ldconfig
+%post -n audispd-plugins
+for selinuxvariant in %{selinux_variants}
+do
+ /usr/sbin/semodule -s $selinuxvariant \
+ -i %{_datadir}/selinux/$selinuxvariant/racf.pp &> /dev/null || :
+done
+/sbin/restorecon -F /sbin/audisp-racf /etc/audisp/racf.conf
+
%post
/sbin/chkconfig --add auditd
if [ -f /etc/auditd.conf ]; then
@@ -157,6 +194,14 @@ fi
%postun libs
/sbin/ldconfig 2>/dev/null
+%postun -n audispd-plugins
+if [ $1 -eq 0 ]; then
+ for selinuxvariant in %{selinux_variants}
+ do
+ /usr/sbin/semodule -s $selinuxvariant -r racf &>/dev/null || :
+ done
+fi
+
%postun
if [ $1 -ge 1 ]; then
/sbin/service auditd condrestart > /dev/null 2>&1 || :
@@ -189,8 +234,14 @@ fi
%files
%defattr(-,root,root,-)
%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron
-%attr(0644,root,root) %{_mandir}/man8/*
-%attr(0644,root,root) %{_mandir}/man5/*
+%attr(0644,root,root) %{_mandir}/man8/audispd.8.gz
+%attr(0644,root,root) %{_mandir}/man8/auditctl.8.gz
+%attr(0644,root,root) %{_mandir}/man8/auditd.8.gz
+%attr(0644,root,root) %{_mandir}/man8/aureport.8.gz
+%attr(0644,root,root) %{_mandir}/man8/ausearch.8.gz
+%attr(0644,root,root) %{_mandir}/man8/autrace.8.gz
+%attr(0644,root,root) %{_mandir}/man5/auditd.conf.5.gz
+%attr(0644,root,root) %{_mandir}/man5/audispd.conf.5.gz
%attr(750,root,root) /sbin/auditctl
%attr(750,root,root) /sbin/auditd
%attr(755,root,root) /sbin/ausearch
@@ -210,11 +261,17 @@ fi
%attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
%attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
-##%files -n audispd-plugins
-##%defattr(-,root,root,-)
+%files -n audispd-plugins
+%defattr(-,root,root,-)
+%attr(0644,root,root) %{_mandir}/man8/audisp-racf.8.gz
+%attr(0644,root,root) %{_mandir}/man5/racf.conf.5.gz
##%attr(640,root,root) /etc/audisp/plugins.d/au-ids.conf
##%attr(640,root,root) /etc/audisp/plugins.d/remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audisp-racf.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/racf.conf
##%attr(750,root,root) /sbin/audisp-ids
+%attr(750,root,root) /sbin/audisp-racf
+%attr(0755,root,root) %{_datadir}/selinux/*/racf.pp
%files -n system-config-audit -f system-config-audit.lang
%defattr(-,root,root,-)
diff -purN audit-1.6.2/configure.ac audit-1.6.2_racf/configure.ac
--- audit-1.6.2/configure.ac 2007-09-12 14:26:41.000000000 -0300
+++ audit-1.6.2_racf/configure.ac 2007-10-10 10:26:18.000000000 -0300
@@ -109,7 +109,7 @@ if test x$use_apparmor != xno ; then
AC_DEFINE(WITH_APPARMOR,1,[Define if you want to enable AppArmor events.])fi
AC_CONFIG_SUBDIRS([system-config-audit])
-AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/ids/Makefile audisp/plugins/remote/Makefile bindings/Makefile bindings/python/Makefile)
+AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/ids/Makefile audisp/plugins/remote/Makefile audisp/plugins/racf/Makefile bindings/Makefile bindings/python/Makefile)
echo .
echo "
17 years
[PATCH 7/8][v2] audisp-racf plugin - manual pages
by Klaus Heinrich Kiwi
This patch brings the audisp-racf(8) and racf.conf(5) manual pages.
Those also bring some information on how to configure an IBM z/OS server
running ITDS to enable Remote Auditing processing, as well as how to
configure the required @LINUX class.
Signed-off-by: Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
diff -purN audit-1.6.2/docs/audisp-racf.8 audit-1.6.2_racf/docs/audisp-racf.8
--- audit-1.6.2/docs/audisp-racf.8 1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/docs/audisp-racf.8 2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,183 @@
+.\" Copyright (c) International Business Machines Corp., 2007
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
+.\" the GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+.\" MA 02111-1307 USA
+.\"
+.\" Changelog:
+.\" 2007-10-06, created by Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
+.\"
+.TH AUDISP-RACF 8 "Oct 2007" "IBM" "System Administration Utilities"
+.SH NAME
+audisp-racf \- audit plugin for remote z/OS RACF auditing
+.SH SYNOPSIS
+.B audisp-racf [
+.I config-file
+.B ]
+.SH DESCRIPTION
+.BR audisp-racf
+is a remote-auditing plugin for the audit subsystem. It should be started by the
+.BR audispd(8)
+daemon and will forward incoming audit events to RACF, via an IBM z/OS server running ITDS with Remote Auditing enabled.
+
+.BR audispd(8)
+must be configured to start the plugin. This is done by a configuration file usually located at
+.I /etc/audisp/plugins.d/audisp-racf.conf
+, but multiple instances can be spawned by other files in
+.I /etc/audisp/plugins.d
+directory (see
+.BR audispd(8) ).
+
+Each instance needs a configuration file, located by default at
+.IR /etc/audisp/racf.conf .
+Check
+.BR racf.conf(5)
+for details about the plugin configuration.
+
+.SH OPTIONS
+.IP config-file
+Use an alternate configuration file instead of
+.IR /etc/audisp/racf.conf .
+
+.SH SIGNALS
+.BR audisp-racf
+reacts to SIGTERM and SIGHUP signals (according to the
+.BR audispd(8)
+spefi):
+.TP
+.B SIGHUP
+Instructs the
+.B audisp-racf
+plugin to re-read it's configuration and flush existing network connections.
+.TP
+.B SIGTERM
+Performs a clean exit.
+.B audisp-racf
+will wait up to 10 seconds if there are queued events to be delivered, dropping any remaining queued events after that time.
+
+.SH IBM z/OS ITDS Server and RACF configuration
+In order to use this plugin, you must have an IBM z/OS v1R8 (or higher) server with IBM Tivoli Directory Server (ITDS) configured for Remote Auditing. For more detailed information about how to configure the z/OS server for Remote Auditing, refer to
+.B z/OS V1R8.0-9.0 Intergrated Security Services Enterprise Identity Mapping (EIM) Guide and Reference
+.RI ( http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/FRAMESET/EIMA1140/CC... ),
+chapter "2.0 - Working with remote services".
+
+.SS Enable ITDS to process Remote Audit requests
+To enable ITSD to process Remote Audit requests, the user ID associated with ITDS must be granted READ access to the IRR.AUDITX FACILITY Class profile (the profile used to protect the R_Auditx service). This user ID can usually be found in the STARTED Class profile for the ITDS started procedure. If the identity associated with ITDS is
+.IR ITDSUSER ,
+the administrator can configure RACF to grant Remote Auditing processing to ITDS with the following TSO commands:
+.TP
+.I TSO Commands: Grant ITDSUSER READ access to IRR.AUDITX FACILITY Class profile
+.nf
+rdefine FACILITY IRR.RAUDITX uacc(none)
+permit IRR.RAUDITX class(FACILITY) id(ITDSUSER) access(READ)
+.fi
+
+.SS Enable user ID to perform Remote Audit requests
+A z/OS user ID is needed for the user of the Remote Audit service. This is the user ID that must be configured in the
+.BR racf.conf(5)
+file. This user needs READ access to FACILITY Class resource IRR.LDAP.REMOTE.AUDIT. If the user ID is
+.IR BINDUSER ,
+the administrator can configure RACF to enable this user to perform Remote Auditing requests with the following TSO commands:
+.TP
+.I TSO Commands: Enable BINDUSER to perform Remote Audit requests
+.nf
+rdefine FACILITY IRR.LDAP.REMOTE.AUDIT uacc(none)
+permit IRR.LDAP.REMOTE.AUDIT class(FACILITY) id(BINDUSER) access(READ)
+.fi
+
+.SS Add @LINUX Class to RACF
+The
+.B audisp-racf
+plugin uses
+.B @LINUX
+as
+.I Class
+and the audit record type (eg.:
+.BR SYSCALL ,
+.BR AVC ,
+.BR PATH ...)
+as
+.IR Resource ,
+so to make sure events are logged, the RACF server must be configured with a Dynamic CDT Class named
+.B @LINUX
+with correct sizes and attributes. The following TSO commands can be used to add this class:
+.TP
+.I TSO Commands: Add @LINUX CDT Class
+.nf
+rdefine cdt @LINUX cdtinfo(posit(493) FIRST(alpha,national,numeric,special) OTHER(alpha,national,numeric,special) RACLIST(REQUIRED) case(asis) generic(allowed) defaultuacc(none) maxlength(246))
+setr classact(cdt)
+setr raclist(cdt)
+setr raclist(cdt) refresh
+setr classact(@LINUX)
+setr raclist(@LINUX)
+setr generic(@LINUX)
+.fi
+
+.SS Add profiles to the @LINUX Class
+Once the CDT Class has been defined, you can add profiles to it, specifying resources (wildcards allowed) to log or ignore. The following are examples:
+.TP
+.I TSO Commands: Log only AVC records (One generic and one discrete profile):
+.nf
+rdefine @LINUX * uacc(none) audit(none(read))
+rdefine @LINUX AVC uacc(none) audit(all(read))
+setr raclist(@LINUX) refresh
+.fi
+
+.TP
+.I TSO Commands: Log everything (One generic profile):
+.nf
+rdefine @LINUX * uacc(none) audit(all(read))
+setr raclist(@LINUX) refresh
+.fi
+
+.P
+Resources always match the single profile with the
+.I best
+match.
+
+There are many other ways to define logging in RACF. Please refer to the server documentation for more details.
+
+.SH ERRORS
+Errors and warnings are reported to syslog (under DAEMON facility). In situations where the event was submitted but the RACF server returned an error condition, the logged message brings a name followed by a human-readable description. Below are some common errors conditions:
+
+.TP
+.B NOTREQ - No logging required
+Resource (audit record type) is not set to be logged in the RACF server - The @LINUX Class profile governing this audit record type is set to ignore. See
+.B IBM z/OS RACF Server configuration
+.TP
+.B UNDETERMINED - Undetermined result
+No profile found for specified resource. There is no @LINUX Class configured or no @LINUX Class profile associated with this audit record type. See
+.B IBM z/OS RACF Server configuration
+.TP
+.B UNAUTHORIZED - The user does not have authority the R_auditx service
+The user ID associated with the ITDS doesn't have READ access to the IRR.AUDITX FACILITY Class profile. See
+.B IBM z/OS RACF Server configuration
+.TP
+.B UNSUF_AUTH - The user has unsuficient authority for the requested function
+The user ID used to perform Remote Audit requests (as configured in
+.BR racf.conf(5) )
+doesn't have access to the IRR.LDAP.REMOTE.AUDIT FACILITY Class profile. See
+.B IBM z/OS RACF Server configuration
+
+.SH BUGS
+The plugin currently does remote auditing in a best-effort basis, and will dischard events in case the RACF server cannot be contacted or if the event submission fails.
+
+.SH FILES
+/etc/audisp/plugins.d/audisp-racf.conf
+/etc/audisp/racf.conf
+.SH "SEE ALSO"
+.BR auditd (8),
+.BR racf.conf (5).
+.SH AUTHOR
+Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
diff -purN audit-1.6.2/docs/Makefile.am audit-1.6.2_racf/docs/Makefile.am
--- audit-1.6.2/docs/Makefile.am 2007-09-18 12:31:41.000000000 -0300
+++ audit-1.6.2_racf/docs/Makefile.am 2007-10-10 10:26:18.000000000 -0300
@@ -46,5 +46,5 @@ auparse_node_compare.3 auparse_reset.3 a
aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_regex.3 \
ausearch_clear.3 ausearch_next_event.3 ausearch_set_stop.3 \
autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \
-audispd.8 audispd.conf.5
+audispd.8 audispd.conf.5 audisp-racf.8 racf.conf.5
diff -purN audit-1.6.2/docs/racf.conf.5 audit-1.6.2_racf/docs/racf.conf.5
--- audit-1.6.2/docs/racf.conf.5 1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/docs/racf.conf.5 2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,69 @@
+.\" Copyright (c) International Business Machines Corp., 2007
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
+.\" the GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+.\" MA 02111-1307 USA
+.\"
+.\" Changelog:
+.\" 2007-10-06, created by Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
+.\"
+.TH RACF.CONF 8 "Oct 2007" "IBM" "System Administration Utilities"
+.SH NAME
+racf.conf \- the audisp-racf plugin configuration file
+.SH DESCRIPTION
+.B racf.conf
+controls the configuration for the
+.BR audisp-racf(8)
+audit plugin. The default location for this file is
+.IR /etc/audisp/racf.conf ,
+however, a different file can be specified as the first argument to the
+.B audisp-racf
+plugin. See
+.BR audisp-racf(8)
+and
+.BR auditd(8) .
+The options available are as follows:
+.TP
+.I server
+This is the IBM z/OS ITDS server hostname or IP address
+.TP
+.I port
+The port number where ITDS is running on the z/OS server. Default is 389 (ldap port)
+.TP
+.I user
+The z/OS user ID which the audisp-racf plugin will use to perform Remote Audit requests. This user needs READ access to FACILITY Class resource IRR.LDAP.REMOTE.AUDIT (See
+.BR audisp-racf(8) ).
+.TP
+.I password
+The password associated the the z/OS user ID configured above.
+.TP
+.I timeout
+The number in seconds that
+.B audisp-racf
+plugin will wait before giving up in connection attemps and event submissions. The default value is 15
+.TP
+.I q_depth
+The
+.B audisp-racf
+plugin will queue inputed events to the maximum of
+.I q_depth
+events while trying to submit those remotely. This can handle burst of events or in case of a slow network connection. However, the
+.B audisp-racf
+plugin will drop events in case the queue is full. The default queue depth is 64 - Increase this value in case you are experiencing event drop due to full queue
+.RB ( audisp-racf
+will log this to syslog).
+.SH "SEE ALSO"
+.BR audisp-racf (8)
+.SH AUTHOR
+Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
17 years