1:56 p.m.
On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL)
wrote:
> I can install the deb files and the audit daemon runs, but it has trouble
> parsing the audit.rules file. The error I am getting is "Error sending
> insert watch request (Invalid Argument)."
This is not a parsing error...its worse. The audit 1.0.x series was
developed
to compliment the RHEL4 kernel. At the time, it was envisioned that the
technique used for watches would be accepted upstream. It was rejected due to
some overlap with inotify, so the watch system was re-written. The audit
1.2.x series has the code for the new system. Watches were not accepted
upstream until the 2.6.18 kernel.
> I have a requirement to use these two kernel versions, and
unfortunately
> can't use redhat, fedora, or their kernel binaries.
They you are limited to inode based auditing. Or maybe if you put the
things
you have to watch onto one partition, you can use devmajor and minor. I'd try
to move to a 2.6.18 kernel with the latest audit package.
-Steve
Steve,
If I'm reading this correctly, you're telling me that the 1.0.14 auditd that ships
with RHEL4u3 is immature, at best. Does this mean that I will never get support for the
dispatcher directive in /etc/auditd.conf? I was hoping to use the development Snare
scripts that Leigh put together, mainly for a unified, centralization of our audit trails,
but it doesn't work if the dispatcher support option is missing.
I understand that file watching will not be an auditable event and that I'll have to
filter out a lot of false positives. I just want to get centralized auditing working
without have to script a bunch of it myself.
Thanks!
Charlie Todd
Ball Aerospace & Technologies Corp.
ctodd- at -ball -com
8:19 a.m.
New subject: Audit-1.0.14
On Thursday 09 November 2006 14:56, Todd, Charles wrote:
If I'm reading this correctly, you're telling me that the
1.0.14 auditd
that ships with RHEL4u3 is immature, at best.
No, you are misparsing the problem...he is trying to use that version of audit
with plain vanilla linux kernels. When paired with our kernel all is well.
Does this mean that I will never get support for the dispatcher
directive
in /etc/auditd.conf?
I just about have 1.0.15 finished and it will have the dispatcher interface +
some backported code around the time start/end directives and various
bugfixes discovered during the LSPP work for RHEL5.
I was hoping to use the development Snare scripts that Leigh put
together,
mainly for a unified, centralization of our audit trails, but it doesn't
work if the dispatcher support option is missing.
U5 it should be there.
-Steve
10:17 p.m.
New subject: Audit-1.0.14
Thanks Steve. I do actually have a ticket open with RedHat to make this available for
pre-U5 versions, so you may have to pass off to the QC team. We've had enough fun
getting the 2.6.9-42 kernel to not break out-of tree kernel modules for commercial
packages. If I have to build audit 1.0.15 to be compatible with u3 I'll try to do
that.
Thanks for your time and help,
Charlie Todd
Ball Aerospace & Technologies Corp.
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Mon 11/13/2006 9:19 AM
To: linux-audit(a)redhat.com
Cc: Todd, Charles
Subject: Re: Audit-1.0.14
On Thursday 09 November 2006 14:56, Todd, Charles wrote:
If I'm reading this correctly, you're telling me that the
1.0.14 auditd
that ships with RHEL4u3 is immature, at best.
No, you are misparsing the problem...he is trying to use that version of audit
with plain vanilla linux kernels. When paired with our kernel all is well.
Does this mean that I will never get support for the dispatcher
directive
in /etc/auditd.conf?
I just about have 1.0.15 finished and it will have the dispatcher interface +
some backported code around the time start/end directives and various
bugfixes discovered during the LSPP work for RHEL5.
I was hoping to use the development Snare scripts that Leigh put
together,
mainly for a unified, centralization of our audit trails, but it doesn't
work if the dispatcher support option is missing.
U5 it should be there.
-Steve
6707
days inactive
6712
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Steve Grubb -
Todd, Charles