user message limits
by LC Bruzenak
I know I can go look at the code; however, I figured I'd ask here first
about the limits on the user message in both audit_log_user_message and
ausearch.
With audit_log_user_message the maximum length allowed appears to be
around MAX_AUDIT_MESSAGE_LENGTH-100. I think it may depend on the
executable name length (and other stuff auto-pushed into the string)
which is why I say "around".
Even when I get a successful return value (from audit_log_user_message),
I don't get my string back out in "ausearch" unless it is WAY smaller -
~1K or less I think.
Any ideas/thoughts?
This is the latest (1.7.11-2) audit package.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
AUDIT_SIGNAL_INFO
by Matthew Booth
Under what circumstances will the RHEL 4 kernel generate a message of
type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when
a process sends a signal to the audit daemon, however I have not
observed that. Any ideas?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
Near Term Audit Road Map
by Steve Grubb
Hi,
With the proposals sent to the list, I wanted to talk about how this might
play out code-wise. With regard to the current code base, I am working on a
1.8 release. This would represent finishing the remote logging app and
nothing more. The 1.8 series would become just an update series just like the
1.0.x series did.
In parallel with finishing remote logging, I would release a 2.0 version.
Patches applied to 1.8 would also be applied to 2.0. A 2.1 release would
signify the completion of remote logging in that branch. I would recommend this
branch for all distributions pulling new code in.
The 2.0 branch will also have a couple more changes. I want to split up the
audit source code a little bit. I want to drop the system-config-audit code
and let it become a standalone package updated and distributed separately.
I also want to drop all audispd-plugins in the 2.0 branch and have them
released separately. They cause unnecessary build dependencies for the audit
package.
During the work for a 2.2 release, I would also like to pull the audispd
program inside auditd. In the past, I tried to keep auditd lean and single
purpose, but with adding remote logging and Kerberos support, we already have
something that is hard to analyze. So, to improve performance and decrease
system load, the audit daemon will also do event dispatching.
Would this proposal impact anyone in a Bad Way?
Thanks,
-Steve
How Audit event triggers in Kernel
by Ashok Kumar J
Dear ALL,
I saw the function audit_send in the netlink.c file. This function is used
to send the audit rule set into the kernel. My question is: how is an audit
event triggered for a system call in the kernel?
My second question is: after getting the reply packet from the netlink
socket through the function audit_get_reply(), how is the audit log format
achieved for a system call before the audit log is stored?
--
with regards
Ashok Kumar J
Filtering out non-interactive users
by PJB
Hello,
I've recently been working on a number of systems that need to fulfill
auditing requirements for things such as "failed program executions,"
"failed file/directory deletions" and such, and we have been attempting to
use auditd to fulfill these requirements. However we've been having
difficulty filtering out the 'noise' from non-interactive processes since
our requirements only need us to capture these events for real human
users.
In older versions of the audit code, we used the following type of system
call auditing rule which seemed to work pretty well:
-a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid!=-1
Filtering on an 'auid!=-1' seemed to do a very good job of stripping out
system calls from daemon processes and such. However at some point I guess
this was changed because we no longer seem to be able to capture any
system calls at all when we have this filter defined on a rule.
Can someone point me to documentation/examples or help me out with the
proper syntax for setting up rules that will exclude the background
processes? We are using auditd 1.7.4 now and the 'auid' filter above no
longer does the job.
Any help would be very much appreciated! Thanks.
Patrick
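For the rule question above, here is the form of the filter that does what Patrick's old rule did, shown next to the old one. This is an added example, not Patrick's rule set and not the rules shipped with the audit package; it assumes an x86_64 host (hence the b64 and b32 arch lines) and the key name failed-file-ops is mine. The login uid is compared as an unsigned 32-bit value, so "not set" is 4294967295, the unsigned form of -1; newer auditctl also accepts the keyword unset for the same thing.

```text
## Form from the post, which stopped matching anything:
# -a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid!=-1

## Working form. auid!=4294967295 drops processes with no login uid
## (daemons, boot-time services); auid>=1000 additionally drops system
## accounts that do acquire a login uid (cron jobs, su to a service user).
## One rule per ABI so syscall numbers resolve correctly; -k tags the
## records so ausearch/aureport can pull them out.
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid>=1000 -F auid!=4294967295 -k failed-file-ops
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid>=1000 -F auid!=4294967295 -k failed-file-ops
```

After loading, `auditctl -l` shows how auditctl parsed the rule (the auid value it prints is the one actually in the kernel), and `ausearch -k failed-file-ops -i` lists only the tagged records, which is the quickest way to confirm that daemon noise is gone and that a deliberate failed open by a logged-in user still appears.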
audit_send function in netlink socket
by Ashok Kumar J
Dear ALL,
I saw the function audit_send in the file netlink.c, but I did not
find any man page for it. I want to know the description of this
structure. Thanks all.
--
with regards
Ashok Kumar J
libprelude in RHEL 6
by Joe Nall
I can find libprelude-devel.x86_64 in the RHEL 6 repos, but not libprelude or the i686 versions. Did I miss a rename, repackage or a repo?
joe
questions about auditing on a new RH 6 box
by Tangren, Bill
I have a new VM running RH 6 server. I put some audit.rules in place, and
now I notice that I am getting 11 MB of audit log entries every half hour.
This server has no users or services running. I am trying to use
audit-viewer to determine which of my rules is creating so much log traffic,
but I don't understand the output enough to be able to tell. The version of
audit is 2.0.4-1 (64 bit).
Is this the correct forum to ask this question?
If so, I can provide the audit rules and some of the logs.
---
Bill Tangren
IAM
U.S. Naval Observatory, Washington
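For the question of which rule is generating the volume, the usual approach is to give every rule a key with -k, then tally SYSCALL records per key: `aureport -k --summary` does exactly that against the live log, and `ausearch -k <key> -ts recent` shows the records behind the top entry. The script below is an added example, not from Bill's post or the audit package, that does the same tally with awk so it can be pointed at a copied log or at the constructed sample records it ships with; those sample lines are made up to look like audit.log output and are not real events. A rule loaded without -k shows up as key=(null), which is itself the first thing to fix.

```sh
#!/bin/sh
# Added example, not from the post or the audit project: tally SYSCALL records
# per rule key (-k) to see which rules fill audit.log. The sample records below
# are constructed, not real output. aureport -k --summary does this on a live log.

count_by_key() {
    # stdin: audit.log lines; stdout: "<count> <key>", busiest first.
    awk '
        /^type=SYSCALL / {
            k = "(no key)"
            if (match($0, /key="[^"]*"/))        # keyed rule: key="name"
                k = substr($0, RSTART + 5, RLENGTH - 6)
            else if (match($0, /key=\(null\)/))  # rule loaded without -k
                k = "(null)"
            n[k]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# The key at the top of the list, i.e. the rule to look at first.
busiest_key() {
    count_by_key | head -n 1 | cut -d" " -f2-
}

# Constructed sample: three records from a rule keyed "time-change", one from
# a rule keyed "identity", one from a key-less rule, plus a non-SYSCALL record
# that must not be counted.
SAMPLE_LOG='type=SYSCALL msg=audit(1300000000.101:10): arch=c000003e syscall=2 success=no exit=-13 auid=1000 key="identity"
type=SYSCALL msg=audit(1300000000.102:11): arch=c000003e syscall=227 success=yes exit=0 auid=4294967295 key="time-change"
type=CWD msg=audit(1300000000.102:11):  cwd="/"
type=SYSCALL msg=audit(1300000000.103:12): arch=c000003e syscall=227 success=yes exit=0 auid=4294967295 key="time-change"
type=SYSCALL msg=audit(1300000000.104:13): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 key=(null)
type=SYSCALL msg=audit(1300000000.105:14): arch=c000003e syscall=227 success=yes exit=0 auid=4294967295 key="time-change"'

if [ "${1:-}" = "--live" ]; then
    # Real run (needs read access to the log): sh keytally.sh --live
    count_by_key < /var/log/audit/audit.log
else
    printf '%s\n' "$SAMPLE_LOG" | count_by_key
fi
```

On the sample the top line is `3 time-change`. On a real box, 11 MB per half hour with nobody logged in usually traces back to a broad syscall rule without an auid filter, or to a watch on a directory that a service writes to constantly; the per-key counts tell you which, and `ausearch -k <key> -i` then shows the exe= and comm= fields of the process responsible.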