1:27 p.m.
Hello,
First and foremost I want to apologize for the zany timezone issues I've
been having -- probably would have helped to have /etc/localtime, eh?
Having to reconstruct the root filesystem from a lost+found because it's
faster then redoing a gentoo stage1 isn't fun ;-) Anyway, hoping that
that's fixed (and hoping I never have to relive the experience ;-)).
So yeah... I was asked to wait until after tommorow's meeting to submit
to LKML, which is just as-well. That gives you all a little time to
test it :-) J/K -- But, really, it would be nice if some people just
tried to patch/install the kernel and play with auditctl -w/-W for a
couple minutes and respond with yay or nay.
Just to get a bearing of where I'm at and what I'm thinking. I'm hoping
that by the end of next week:
* auditfs RFC on LKML
* FVT testcases will be completed
* intial design document drafted
Perhaps, we could also merge auditfs into BK or git-audit (or whatever
it'll be called) as well by next week.
Thanks.
-tim
2:34 p.m.
Hi Tim,
Timothy R. Chavez wrote: [Mon Apr 25 2005, 02:27:30PM EDT]
So yeah... I was asked to wait until after tommorow's meeting to
submit
to LKML, which is just as-well. That gives you all a little time to
test it :-) J/K -- But, really, it would be nice if some people just
tried to patch/install the kernel and play with auditctl -w/-W for a
couple minutes and respond with yay or nay.
I did some rudimentary testing of the audit.24 kernel and auditd
0.7.1 and found a couple problems:
I wasn't able to list audit rules, although the audit log has entries
that the rules were added, and open syscalls by uid 500 are logged.
# auditctl -a entry,never -S all -F pid=2647
No rules
# auditctl -a entry,always -S open -F uid=500
No rules
# auditctl -l
No rules
Also, I wasn't able to add watches. I tried a few; here is one
example:
# auditctl -w /etc/shadow -k SHADOW -p w
Error sending watch insert request (Cannot allocate memory)
Error sending rule to kernel
# auditctl -w /etc/shadow -p w
Error sending watch insert request (Invalid argument)
Error sending rule to kernel
Although I haven't looked at the code yet, I suspect a kernel issue,
as I don't see any of this behavior when I boot audit.20 with auditd
0.7.1.
Thanks,
Amy
3:39 p.m.
On Tue, 2005-04-26 at 15:34 -0400, Amy Griffis wrote:
Hi Tim,
Timothy R. Chavez wrote: [Mon Apr 25 2005, 02:27:30PM EDT]
> So yeah... I was asked to wait until after tommorow's meeting to submit
> to LKML, which is just as-well. That gives you all a little time to
> test it :-) J/K -- But, really, it would be nice if some people just
> tried to patch/install the kernel and play with auditctl -w/-W for a
> couple minutes and respond with yay or nay.
I did some rudimentary testing of the audit.24 kernel and auditd
0.7.1 and found a couple problems:
I wasn't able to list audit rules, although the audit log has entries
that the rules were added, and open syscalls by uid 500 are logged.
# auditctl -a entry,never -S all -F pid=2647
No rules
# auditctl -a entry,always -S open -F uid=500
No rules
# auditctl -l
No rules
Also, I wasn't able to add watches. I tried a few; here is one
example:
# auditctl -w /etc/shadow -k SHADOW -p w
Error sending watch insert request (Cannot allocate memory)
Error sending rule to kernel
# auditctl -w /etc/shadow -p w
Error sending watch insert request (Invalid argument)
Error sending rule to kernel
Although I haven't looked at the code yet, I suspect a kernel issue,
as I don't see any of this behavior when I boot audit.20 with auditd
0.7.1.
Is the updated user space patch in audit-0.7.1?? I haven't looked to
tell you the truth. I'd imagine it is not, as Steve has told me it
won't be until after he gets a stable package for RHEL 4. Thus,
audit.24 and audit-0.7.1 should be out of sync. Still the error
handling looks quarky (and incorrect), so I need to look into this.
I'll run 2.6.12-rc2-mm1 with audit-0.7.1 your examples. And I will also
run audit.24 with an audit user package that's in sync with it and
report back tommorow with my results.
Thanks for giving it ago.
-tim
Thanks,
Amy
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
6:34 p.m.
Timothy R. Chavez wrote: [Tue Apr 26 2005, 04:39:22PM EDT]
Is the updated user space patch in audit-0.7.1??
No, it's not. I managed to miss that detail. :-) I think that will
explain most if not all of the issues I was seeing.
I'll run 2.6.12-rc2-mm1 with audit-0.7.1 your examples. And I
will
also run audit.24 with an audit user package that's in sync with it
and report back tommorow with my results.
I'll patch and re-test as well.
Thanks,
Amy
10:26 a.m.
On Tue, 2005-04-26 at 19:34 -0400, Amy Griffis wrote:
Timothy R. Chavez wrote: [Tue Apr 26 2005, 04:39:22PM EDT]
> Is the updated user space patch in audit-0.7.1??
No, it's not. I managed to miss that detail. :-) I think that will
explain most if not all of the issues I was seeing.
> I'll run 2.6.12-rc2-mm1 with audit-0.7.1 your examples. And I will
> also run audit.24 with an audit user package that's in sync with it
> and report back tommorow with my results.
I'll patch and re-test as well.
There is actually a bug in the listing feature... I changed around some
things without updating user space and now I've managed to mess it all
up, so I'm in the process of fixing it :) Patches out later today.
-tim
Thanks,
Amy
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
12:49 p.m.
Timothy R. Chavez wrote: [Wed Apr 27 2005, 11:26:27AM EDT]
There is actually a bug in the listing feature... I changed around
some
things without updating user space and now I've managed to mess it all
up, so I'm in the process of fixing it :) Patches out later today.
I re-tested today with the user space patch applied. I thought I
would post my results in case they are different from what you found.
1. -D (delete all rules) doesn't delete any rules
2. identical rules can be added to the rules list, creating
multiple entries of the same rule
The following occur only when we have at least 1 watch on the
watchlist:
1. audit rules are not listed
2. a non-existant rule can be deleted from the rules list, i.e. no
failure message from auditctl, and a log record is generated
saying a rule was removed
I see these bugs with the patched version of both audit-0.6.10 and
audit-0.7.1 running with the audit.24 kernel. I haven't tried the
2.6.12 kernel yet.
Hope this helps.
Amy
6:36 p.m.
I re-tested today with the user space patch applied. I thought I
would post my results in case they are different from what you found.
1. -D (delete all rules) doesn't delete any rules
I see
this problem also.
I'm seeing lots of strange behavior when I updated to this new kernel.
# auditctl -a entry,always -F arch=b32 -S chmod
No rules
# auditctl -l
No rules
# auditctl -D
AUDIT_LIST: entry always a1=4 (0x4) syscall=access
AUDIT_LIST: entry always a1=3 (0x3) syscall=access
AUDIT_LIST: entry never a1=4 (0x4) syscall=access
AUDIT_LIST: entry always syscall=chmod
AUDIT_LIST: entry never syscall=chmod
AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry always syscall=chmod
I see these bugs with the patched version of both audit-0.6.10 and
audit-0.7.1 running with the audit.24 kernel. I haven't tried the
2.6.12 kernel yet.
I am using kernel-2.6.9-5.0.3.EL.audit.24 and audit-0.7.1-1.
I've used audit-0.7.1-1 with kernel-2.6.9-5.0.3.EL.audit.20 and didn't see
this strange behavior.
I wanted to try kernel-2.6.9-5.0.3.EL.audit.23 but when I tried installing
kernel-2.6.9-5.0.3.EL.audit.23,
I got a kernel panic when trying to boot.
Kernel Panic -not syncing: kernel/auditfs.c:439
spin_is_locked on uninitalized spinlock
-debbie
9:15 a.m.
On Wed, 2005-04-27 at 18:36 -0500, Debora Velarde wrote:
> I re-tested today with the user space patch applied. I thought
I
> would post my results in case they are different from what you
found.
> 1. -D (delete all rules) doesn't delete any rules
I see this problem also.
I'm seeing lots of strange behavior when I updated to this new kernel.
# auditctl -a entry,always -F arch=b32 -S chmod
No rules
# auditctl -l
No rules
Yeah, both have to do with a bug in the kernel that I introduced, but
fixed yesterday. To-date there is no Redhat version of the kernel
available. I'll try to get something out today.
# auditctl -D
AUDIT_LIST: entry always a1=4 (0x4) syscall=access
AUDIT_LIST: entry always a1=3 (0x3) syscall=access
AUDIT_LIST: entry never a1=4 (0x4) syscall=access
AUDIT_LIST: entry always syscall=chmod
AUDIT_LIST: entry never syscall=chmod
AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
AUDIT_LIST: entry always syscall=chmod
I'd imagine that whatever listing problem this demonstrates (I've not
done anything with -D so I don't really know what I'm suppose to see),
it's now fixed.. so hopefully all will be well in audit.25
>
> I see these bugs with the patched version of both audit-0.6.10 and
> audit-0.7.1 running with the audit.24 kernel. I haven't tried the
> 2.6.12 kernel yet.
I am using kernel-2.6.9-5.0.3.EL.audit.24 and audit-0.7.1-1.
I've used audit-0.7.1-1 with kernel-2.6.9-5.0.3.EL.audit.20 and didn't
see this strange behavior.
I wanted to try kernel-2.6.9-5.0.3.EL.audit.23 but when I tried
installing kernel-2.6.9-5.0.3.EL.audit.23,
I got a kernel panic when trying to boot.
Kernel Panic -not syncing: kernel/auditfs.c:439
spin_is_locked on uninitalized spinlock
Yep, this was fixed too (audit.24 =))
-debbie
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
7177
days inactive
7180
days old
linux-audit@lists.linux-audit.osci.io
7 comments
3 participants
participants (3)
-
Amy Griffis -
Debora Velarde -
Timothy R. Chavez