Excellent, thank you!
This is NOT full support for the new inode filter constructs I added to
the policy, but is just enough to test some of it. I'm hoping someone
else will write real userspace patches. One will need to apply the
kernel patches and then install the new kernel headers (or
update /usr/include/linux/audit.h by hand). Then apply this patch to
audit and build a new audit (I found the audit build sucks because it will
build against the system libaudit rather than the one in tree, but you
can fix this using make DESTDIR=[dir] install, and using the auditctl
from [dir]/usr/local/sbin/).
This patch supports two types of rules:
auditctl -a exit,always -F arch=b64 -S open -F obj_uid=500
Which audits all opens for a uid=500 file. (The kernel supports gid,
but this patch doesn't; you can just copy the uid code to make gid work.)
This patch also supports:
auditctl -a exit,always -C
Which will audit all cases where a process accesses a file in which the
process uid != file uid.
The kernel is a bit more flexible; it supports process_gid != file_gid.
The kernel also supports ==, >, <, etc. This portion of the patch needs
to support a better construct for parsing the intent and passing that
down. But it seemed like a lot of work on a codebase I'm not familiar
with, and I hoped someone familiar could write a text parser for this
construct.
We should be able to support something like:
auditctl -a exit,always -F interfield!=uid
I dunno what it should look like. But like I said, I just slapped -C as
a way to test process_uid != file_uid, so it should be pretty easy to
look at that and see how other interactions should work.
-Eric
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
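As an added illustration of the text parser the message asks for (not part of the patch or of audit userspace), the following sketch parses a hypothetical inter-field rule such as `uid!=obj_uid`, accepting the comparison operators the message says the kernel supports, and evaluates it against constructed syscall-exit records. The field names `uid`, `gid`, `obj_uid`, `obj_gid` are assumed from the message; the first sample rule is the `-C` case, process uid != file uid.

```python
"""Parser/evaluator for a hypothetical inter-field audit rule syntax.
Added example only: field names and syntax are assumptions, not audit's API."""
import operator
import re

# Process-side fields vs. inode (object) fields, as named in the message.
PROCESS_FIELDS = {"uid", "gid"}
OBJECT_FIELDS = {"obj_uid", "obj_gid"}

# Operators the message says the kernel can compare with ("=" is accepted as "==").
OPERATORS = {
    "!=": operator.ne, ">=": operator.ge, "<=": operator.le,
    "==": operator.eq, "=": operator.eq, ">": operator.gt, "<": operator.lt,
}
# Two-character operators are listed first so "!=" is not read as "!" + "=".
_RULE_RE = re.compile(r"^(\w+)\s*(!=|>=|<=|==|=|>|<)\s*(\w+)$")


def parse_interfield(text):
    """Return (lhs, op, rhs) for text like 'uid!=obj_uid'.

    One side must be a process field and the other the matching object field,
    so 'uid!=gid' (two process fields) and 'obj_uid=500' (a value, i.e. an
    ordinary -F rule rather than an inter-field one) are rejected.
    """
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an inter-field comparison: {text!r}")
    lhs, op, rhs = m.groups()
    fields = {lhs, rhs}
    if not (fields & PROCESS_FIELDS and fields & OBJECT_FIELDS):
        raise ValueError(f"need one process field and one object field: {text!r}")
    if lhs.replace("obj_", "") != rhs.replace("obj_", ""):
        raise ValueError(f"uid must be compared with obj_uid, gid with obj_gid: {text!r}")
    return lhs, op, rhs


def matches(rule, event):
    """Decide whether one syscall-exit record (dict of the four fields) hits the rule."""
    lhs, op, rhs = rule
    return OPERATORS[op](event[lhs], event[rhs])


# Constructed sample records: process uid/gid and owner uid/gid of the file opened.
SAMPLE_EVENTS = [
    {"uid": 500, "gid": 500, "obj_uid": 500, "obj_gid": 500},  # own file
    {"uid": 500, "gid": 500, "obj_uid": 0, "obj_gid": 0},      # root-owned file, uid 500
    {"uid": 0, "gid": 0, "obj_uid": 500, "obj_gid": 500},      # root opens a uid 500 file
    {"uid": 500, "gid": 100, "obj_uid": 500, "obj_gid": 500},  # same owner, other group
]


def audited(rule_text, events=SAMPLE_EVENTS):
    """Indices of the sample events a rule would cause to be audited."""
    rule = parse_interfield(rule_text)
    return [i for i, ev in enumerate(events) if matches(rule, ev)]
```

`audited("uid!=obj_uid")` reproduces what the message describes for `-C`: only the two events where the opener's uid differs from the file owner's are selected.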