On Tue, 2005-04-26 at 15:34 -0400, Amy Griffis wrote:
Hi Tim,
Timothy R. Chavez wrote: [Mon Apr 25 2005, 02:27:30PM EDT]
> So yeah... I was asked to wait until after tomorrow's meeting to submit
> to LKML, which is just as well. That gives you all a little time to
> test it :-) J/K -- But, really, it would be nice if some people just
> tried to patch/install the kernel and play with auditctl -w/-W for a
> couple minutes and respond with yay or nay.
I did some rudimentary testing of the audit.24 kernel and auditd
0.7.1 and found a couple problems:
I wasn't able to list audit rules, although the audit log has entries
that the rules were added, and open syscalls by uid 500 are logged.
# auditctl -a entry,never -S all -F pid=2647
No rules
# auditctl -a entry,always -S open -F uid=500
No rules
# auditctl -l
No rules
Also, I wasn't able to add watches. I tried a few; here is one
example:
# auditctl -w /etc/shadow -k SHADOW -p w
Error sending watch insert request (Cannot allocate memory)
Error sending rule to kernel
# auditctl -w /etc/shadow -p w
Error sending watch insert request (Invalid argument)
Error sending rule to kernel
Although I haven't looked at the code yet, I suspect a kernel issue,
as I don't see any of this behavior when I boot audit.20 with auditd
0.7.1.
Is the updated user space patch in audit-0.7.1? I haven't looked to
tell you the truth. I'd imagine it is not, as Steve has told me it
won't be until after he gets a stable package for RHEL 4. Thus,
audit.24 and audit-0.7.1 should be out of sync. Still, the error
handling looks quirky (and incorrect), so I need to look into this.
I'll run your examples on 2.6.12-rc2-mm1 with audit-0.7.1. And I will also
run audit.24 with an audit user package that's in sync with it and
report back tomorrow with my results.
Thanks for giving it a go.
-tim
Thanks,
Amy
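The symptom Amy reports (the kernel accepts the rule and logs that it was added, but `auditctl -l` answers "No rules", and watch inserts fail with ENOMEM/EINVAL) is exactly the kind of regression a small smoke test catches. The script below is an added example, not code from the thread or from the audit project; it assumes a root shell with `auditctl` on the PATH and that `auditctl -l` prints the watched path in its listing (the listing format is an assumption; the parsing only looks for the path and the literal "No rules"). The two helper functions work on captured output, so they can be exercised without auditctl.

```shell
#!/bin/sh
# Added smoke test for auditctl watches (example code, not from the thread).
# Goal: add a watch with -w, confirm it shows up in -l, then remove it
# with -W, reporting the failure modes seen in the thread.

# rule_listed OUTPUT PATH
# Returns 0 when OUTPUT (captured from 'auditctl -l') mentions PATH and
# is not the "No rules" reply from the thread.
rule_listed() {
    out="$1"; path="$2"
    case "$out" in
        "No rules"*) return 1 ;;
    esac
    printf '%s\n' "$out" | grep -F -q -- "$path"
}

# insert_failed OUTPUT
# Returns 0 when auditctl printed one of its "Error sending ..." lines
# (e.g. "Error sending watch insert request (Cannot allocate memory)").
insert_failed() {
    printf '%s\n' "$1" | grep -q 'Error sending'
}

# smoke_test PATH KEY
# Needs root and auditctl. Exit status: 0 pass, 1 fail, 2 cannot run.
smoke_test() {
    path="$1"; key="$2"
    command -v auditctl >/dev/null 2>&1 || {
        echo "auditctl not found; cannot run smoke test" >&2; return 2; }

    add_out=$(auditctl -w "$path" -p w -k "$key" 2>&1)
    if insert_failed "$add_out"; then
        echo "FAIL (insert): $add_out"; return 1
    fi

    list_out=$(auditctl -l 2>&1)
    # Always clean up the watch, whether or not the listing worked.
    auditctl -W "$path" -p w -k "$key" >/dev/null 2>&1

    if rule_listed "$list_out" "$path"; then
        echo "PASS: watch on $path is listed"; return 0
    fi
    echo "FAIL (list): watch added but listing returned: $list_out"
    return 1
}

# Run only when invoked as: ./audit_watch_smoke.sh --run [PATH] [KEY]
if [ "${1:-}" = "--run" ]; then
    smoke_test "${2:-/etc/shadow}" "${3:-SHADOW}"
fi
```

Run it as root on each candidate kernel/user-space pair (`./audit_watch_smoke.sh --run /etc/shadow SHADOW`); a "FAIL (list)" result with the watch logged as added is the mismatch described above, and a "FAIL (insert)" result carries the errno text auditctl printed.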
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit