I can't get filtering on auid (the login uid) to work ...
I am attaching a test case so you can see how I am testing this ..
I am on kernel.65 and audit 0.9.12
Test strategy:
1- add filter rules for a user
2- add a watch on a file
3- create two temp users (mine have to be in the wheel trusted group in
order to ssh into the system .. may not apply to everybody)
4- spawn an ssh session as user1@localhost and touch the watched file
5- remove the file (so the other user can touch it again)
6- spawn an ssh session as user2@localhost and touch the watched file
7- stop auditd and copy audit.log to a temp file (/tmp/loginuid_logs)
For Step 1 above, I tried the following scenarios:
auditctl -a watch,always -F auid=uid1
auditctl -a watch,never -F auid!=uid1
or
auditctl -a watch,always -F auid=uid1
auditctl -a watch,never -F auid=uid2
Neither seems to work: the log still contains watch records for the open()
of the watched file from both users, i.e. the auid filter is not excluding uid2.
- Loulwa
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <unistd.h>
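/* UIDs and names of the two throw-away accounts the test creates. */
static const int uid1 = 580;
static const int uid2 = 650;
static const char user1[] = "tmp-user1";
static const char user2[] = "tmp-user2";

/* Cleartext password typed at the ssh prompt and its crypt(3) hash handed to
 * useradd -p.  Both end up on command lines (visible in ps) and the cleartext
 * is written into an expect script under /tmp, so this password is strictly
 * throw-away and must never be reused for a real account. */
static const char password[] = "eal";
static const char encryptedpassword[] = "42VmxaOByKwlA";

/* mkstemp(3) template for the per-user expect script files. */
static const char tempname[] = "/tmp/testXXXXXX";

/* Fixed names in the world-writable /tmp; a local user could pre-create or
 * symlink them (the test runs as root).  Acceptable on a scratch box only. */
#define WATCHED_FILE "/tmp/file1"
#define LOG_COPY     "/tmp/loginuid_logs"

enum {
    CMD_MAX    = 256,   /* shell command line buffer */
    SCRIPT_MAX = 1000   /* expect one-liner buffer */
};

/* Run a shell command via system(3), reporting failures on stderr.
 * Returns 0 when the command exited with status 0, -1 otherwise. */
static int run(const char *cmd)
{
    int status = system(cmd);
    if (status == -1) {
        perror("system");
        return -1;
    }
    if (status != 0) {
        fprintf(stderr, "command failed (status %d): %s\n", status, cmd);
        return -1;
    }
    return 0;
}

/* Format a command into a bounded buffer and run it.  A truncated command
 * line is refused rather than executed, so the original unchecked sprintf()
 * into a 256-byte buffer can neither overflow nor run a clipped command. */
static int runf(const char *fmt, ...)
{
    char cmd[CMD_MAX];
    va_list ap;

    va_start(ap, fmt);
    int n = vsnprintf(cmd, sizeof cmd, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof cmd) {
        fprintf(stderr, "command too long for buffer: %s\n", fmt);
        return -1;
    }
    return run(cmd);
}

/* Steps 1-2: watch the file and load the auid filter rules under test.
 * This is the "never auid!=uid1" scenario from the mail; the other one is
 * "auditctl -a watch,never -F auid=<uid2>" in place of the last rule. */
static int add_audit_rules(void)
{
    if (run("auditctl -w " WATCHED_FILE " -k loginuid-key") != 0)
        return -1;
    if (runf("auditctl -a watch,always -F auid=%d", uid1) != 0)
        return -1;
    return runf("auditctl -a watch,never -F auid!=%d", uid1);
}

/* Undo add_audit_rules().  The original only removed the watch (-W) and left
 * both -a rules loaded, which would silently skew any later test on the same
 * box; auditctl -d takes the same list,action and fields as -a.  Deleting a
 * rule that never loaded just prints an auditctl error, which is harmless. */
static void remove_audit_rules(void)
{
    run("auditctl -W " WATCHED_FILE);
    runf("auditctl -d watch,always -F auid=%d", uid1);
    runf("auditctl -d watch,never -F auid!=%d", uid1);
}

/* Steps 4/6: ssh to localhost as `user` through expect and touch the watched
 * file.  The expect one-liner is written to a mkstemp() file, run with
 * /bin/sh -f and unlinked straight away.  The file keeps mkstemp's 0600 mode:
 * it contains the cleartext password, so the original fchmod(0777) exposed it
 * to every local user for the life of the test (no exec bit is needed either,
 * since the file is passed to sh rather than executed).
 * Returns 0 on success, -1 on any failure. */
static int touch_as_user(const char *user)
{
    char script[SCRIPT_MAX];
    char path[sizeof tempname];
    int fd = -1;
    int rc = -1;

    /* "exit" is now sent with a CR so the remote shell actually logs out, and
     * "expect eof" waits for ssh to close instead of relying on sleeps. */
    int n = snprintf(script, sizeof script,
        "expect -c \"spawn /usr/bin/ssh %s@localhost"
        " \nsleep 1 \nexpect -re \\\"password: \\\" \nsleep 1 \nsend"
        " \\\"%s\\r\\n\\\" \nsleep 1 \nexpect -re \\\"> \\\" \nsleep 1 \nsend"
        " \\\"touch " WATCHED_FILE "\\r\\n\\\" \nsleep 1 \nsend \\\"exit\\r\\n\\\""
        " \nexpect eof \nsend_user \\\"exit\\n\\\"\"", user, password);
    if (n < 0 || (size_t)n >= sizeof script) {
        fprintf(stderr, "expect script too long for user %s\n", user);
        return -1;
    }

    memcpy(path, tempname, sizeof path);   /* mkstemp needs a writable copy */
    fd = mkstemp(path);
    if (fd == -1) {
        perror("mkstemp");
        return -1;
    }

    /* write(2) may be short; the script is small, so just loop. */
    size_t off = 0;
    while (off < (size_t)n) {
        ssize_t w = write(fd, script + off, (size_t)n - off);
        if (w < 0) {
            perror("write");
            goto out;
        }
        off += (size_t)w;
    }
    if (close(fd) != 0) {
        perror("close");
        fd = -1;
        goto out;
    }
    fd = -1;

    rc = runf("/bin/sh -f %s", path);
out:
    if (fd != -1)
        close(fd);
    unlink(path);
    return rc;
}

/* Drive the whole scenario from the mail: reset auditd, create the two test
 * users, load the rules, log in as each user and touch the watched file,
 * then stop auditd and keep a copy of the log for inspection.
 * Every resource created on the way is torn down on the cleanup path even
 * when a step fails, so a broken run leaves no stray accounts or rules.
 * Returns 0 on success, 1 on failure.  Must run as root. */
int main(int ac, char **av)
{
    int rc = 1;
    int have_user1 = 0, have_user2 = 0, have_rules = 0;

    (void)ac;
    (void)av;

    /* Start from an empty audit log so the copy at the end holds only this
     * run.  NOTE: this deletes the machine's audit trail; scratch boxes only. */
    run("/etc/rc.d/init.d/auditd stop");
    run("rm -f /var/log/audit/audit.log");
    run("rm -f " LOG_COPY);
    if (run("/etc/rc.d/init.d/auditd start") != 0)
        goto cleanup;

    /* Step 3: throw-away accounts.  wheel membership is what the reporter's
     * ssh setup needs (see the mail); drop -G wheel if yours does not. */
    if (runf("/usr/sbin/useradd -u %d -m -G wheel -p %s %s",
             uid1, encryptedpassword, user1) != 0)
        goto cleanup;
    have_user1 = 1;
    if (runf("/usr/sbin/useradd -u %d -m -G wheel -p %s %s",
             uid2, encryptedpassword, user2) != 0)
        goto cleanup;
    have_user2 = 1;

    /* Flag is set before loading so a partial load is still torn down. */
    have_rules = 1;
    if (add_audit_rules() != 0)
        goto cleanup;

    /* Steps 4-6. */
    if (touch_as_user(user1) != 0)
        goto cleanup;
    run("rm -f " WATCHED_FILE);   /* so the second user can create it again */
    sleep(1);
    if (touch_as_user(user2) != 0)
        goto cleanup;
    rc = 0;

cleanup:
    /* Step 7: give the last records a moment to reach auditd, then stop it
     * and keep the log before userdel/rm add more events. */
    sleep(2);
    if (have_rules)
        remove_audit_rules();
    run("/etc/rc.d/init.d/auditd stop");
    run("cat /var/log/audit/audit.log >> " LOG_COPY);
    run("rm -f " WATCHED_FILE);
    if (have_user1)
        runf("/usr/sbin/userdel -r %s", user1);
    if (have_user2)
        runf("/usr/sbin/userdel -r %s", user2);
    return rc;
}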