Hi Tim,
Timothy R. Chavez wrote: [Mon Apr 25 2005, 02:27:30PM EDT]
> So yeah... I was asked to wait until after tomorrow's meeting to
> submit to LKML, which is just as well. That gives you all a little
> time to test it :-) J/K -- But, really, it would be nice if some
> people just tried to patch/install the kernel and play with
> auditctl -w/-W for a couple minutes and respond with yay or nay.
I did some rudimentary testing of the audit.24 kernel and auditd
0.7.1 and found a couple problems:
I wasn't able to list audit rules, although the audit log has entries
that the rules were added, and open syscalls by uid 500 are logged.
# auditctl -a entry,never -S all -F pid=2647
No rules
# auditctl -a entry,always -S open -F uid=500
No rules
# auditctl -l
No rules
Also, I wasn't able to add watches. I tried a few; here is one
example:
# auditctl -w /etc/shadow -k SHADOW -p w
Error sending watch insert request (Cannot allocate memory)
Error sending rule to kernel
# auditctl -w /etc/shadow -p w
Error sending watch insert request (Invalid argument)
Error sending rule to kernel
Although I haven't looked at the code yet, I suspect a kernel issue,
as I don't see any of this behavior when I boot audit.20 with auditd
0.7.1.
Thanks,
Amy