3:17 p.m.
Hello,
I've discovered another situation where audit is still auditing
itself. When I have audit enabled but I'm not running the daemon, and
add rules like:
# auditctl -a entry,always -S open
# auditctl -a entry,always -S close
Doing something like 'auditctl -l' floods the console with audit
records.
Has anyone else seen this? I'm running the .81 kernel.
Thanks,
Amy
3:26 p.m.
On Friday 29 July 2005 16:17, Amy Griffis wrote:
Doing something like 'auditctl -l' floods the console with
audit
records.
This could be normal depending on your rules and what pid it's reporting. If
it reports the auditd pid, we have a problem. If it reports auditctl's pid,
this might be expected.
-Steve
3:30 p.m.
If there's no auditd running, then I don't think the kernel will know
which process/threads to exclude since its using auditd's pid to decide
that. Even then, wouldn't auditctl's open/close syscalls be audited
with the rules you're using? What would cause them to be excluded?
What do the audit records look like?
-- ljk
Amy Griffis wrote:
Hello,
I've discovered another situation where audit is still auditing
itself. When I have audit enabled but I'm not running the daemon, and
add rules like:
# auditctl -a entry,always -S open
# auditctl -a entry,always -S close
Doing something like 'auditctl -l' floods the console with audit
records.
Has anyone else seen this? I'm running the .81 kernel.
Thanks,
Amy
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
4:12 p.m.
On Fri, Jul 29, 2005 at 04:17:12PM -0400, Amy Griffis wrote:
I've discovered another situation where audit is still auditing
itself. When I have audit enabled but I'm not running the daemon, and
add rules like:
# auditctl -a entry,always -S open
# auditctl -a entry,always -S close
Doing something like 'auditctl -l' floods the console with audit
records.
I wouldn't worry too much about this effect, since unconditionally
auditing all open and close calls is a really bad idea anyway; you'll
usually want "entry,possible" combined with watches instead. So unless it
goes into an infinite loop of audit records triggered by printing audit
records I'd consider this to be an acceptable oddity.
-Klaus
5:17 p.m.
Amy Griffis wrote: [Fri Jul 29 2005, 04:17:12PM EDT]
I've discovered another situation where audit is still auditing
itself.
That was a bad diagnosis. The problem I see is an effect of running
sudo with this rule:
auditctl -a entry,always -S close
Using the following set of rules produces normal-looking behavior,
i.e. no audit record floods.
auditctl -w /usr/bin/sudo -p x
auditctl -a entry,possible -S close
My apologies for the false alarm.
Amy
7085
days inactive
7085
days old
linux-audit@lists.linux-audit.osci.io
5 comments
4 participants
participants (4)
-
Amy Griffis -
Klaus Weidner -
Linda Knippers -
Steve Grubb