4:51 p.m.
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit The Changelog is:
- Fixed bug where elf type wasn't being set when given numerically
- Added autrace program (similar to strace)
- Fixed bug when logs = 2 and ROTATE is the action, only 1 log resulted
This release features a new program autrace. It works similar to strace. You
give it a program to execute with parameters and it: clears the audit rules,
generates a rule to audit all syscalls for that program, and executes the
program. When the program ends, it clears the rules.
-Steve
5:20 p.m.
On Wed, Apr 20, 2005 at 05:51:26PM -0400, Steve Grubb wrote:
This release features a new program autrace. It works similar to
strace. You
give it a program to execute with parameters and it: clears the audit rules,
generates a rule to audit all syscalls for that program, and executes the
program. When the program ends, it clears the rules.
Hmm, that sounds rather destructive for a harmless-sounding utility. So
if an admin uses autrace to debug something, that has the side effect of
switching off audit for the entire system?
I would suggest that autrace shouldn't clear out audit rules (except
maybe when run with a --destroy-all-audit-rules switch?), and refuses to
run if audit rules are already installed, to avoid security problems for
sites depending on audit. The admin would need to explicitly clear audit
rules first before using the tool. On a system not using audit, the rule
list would be empty, so it would work as expected.
-Klaus
5:31 p.m.
On Wednesday 20 April 2005 22:20, Klaus Weidner wrote:
On Wed, Apr 20, 2005 at 05:51:26PM -0400, Steve Grubb wrote:
> This release features a new program autrace. It works similar to strace.
> You give it a program to execute with parameters and it: clears the audit
> rules, generates a rule to audit all syscalls for that program, and
> executes the program. When the program ends, it clears the rules.
Hmm, that sounds rather destructive for a harmless-sounding utility. So
if an admin uses autrace to debug something, that has the side effect of
switching off audit for the entire system?
Perhaps we can invent per-process "rulespaces" :-)?
-tim
9:44 p.m.
David,
Steve Grubb wrote: [Wed Apr 20 2005, 05:51:26PM EDT]
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit
Are you planning to put any more updates to the audit daemon in the
yum repository?
Thanks,
Amy
7185
days inactive
7186
days old
linux-audit@lists.linux-audit.osci.io
4 comments
4 participants
participants (4)
-
Amy Griffis -
Klaus Weidner -
Steve Grubb -
Timothy R. Chavez