audit 0.6.11 released
Debora Velarde
dvelarde at us.ibm.com
Tue Apr 19 15:34:51 UTC 2005
When I try this one on my x86_64 system, I am seeing:
# auditctl -a entry,always -F arch=64b -S open
AUDIT_LIST: entry always arch=0 syscall=open
# auditctl -a entry,always -F arch=32b -S open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open
# auditctl -a entry,always -F arch=32 -S open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open
And I don't see any audit records generated for syscall=open.
If I do:
# auditctl -a entry,always -S open
then I do see records like:
type=KERNEL msg=audit(1113924447.821:5496854): syscall=2 arch=c000003e
success=yes exit=3 a0=2a9555bf20 a1=0 a2=3920 a3=ffffffd0 items=1 pid=5737
loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm=tail exe=/usr/bin/tail
type=KERNEL msg=audit(1113924447.821:5496854): item=0
name="/lib64/tls/libpthread.so.0" inode=6947034 dev=fd:00 mode=0100755
uid=0 gid=0 rdev=00:00
When I try arch=c000003e, I get:
# auditctl -a entry,always -F arch=c000003e -S open
-F arch=c000003e machine type not found
So I believe auditctl is suposed to work with values like "arch=32b" or
"arch=64b". Is that correct?
-debbie
linux-audit-bounces at redhat.com wrote on 04/18/2005 04:16:46 PM:
> Hello,
> I've just released a new version of the audit daemon. It can be
downloaded
> from http://people.redhat.com/sgrubb/audit The Changelog is:
> - Check log file size on start up
> - Added priority_boost config item
> - Reworked arch support
> - Reworked how run level is changed
> - Make allowances for ECONNREFUSED.
> The program was not checking the logfile size on startup which could make
it
> add a record before deciding to perform the log file size action.
> In order to help solve the lost records problem, I've added a priority
boost
> option to auditd.conf. The default is 3. you should probably check
> you /etc/auditd.conf file to see that you have the new option.
> The arch support has been reworked. Thanks to Debbie Velarde for helping
> gather the syscall tables. Please give this feature a try. I think it
should
> be working (except for "both"). Please report any bugs with this soon and
> I'll release a 0.6.12 to fix any problems.
> The way that the run level is changed was reworked to make SE Linux
policy
> better. It was invoking system() now it does execve().
> People that are rolling their own kernels and not including the audit
system
> were being stopped from logging by pam. I made an exception that if
> ECONNREFUSED is detected during sendto, they are using a modified kernel
and
> we'll bypass logging. ECONNREFUSED means the kernel isn't listening on
the
> audit netlink socket....so I think this exception is safe.
> Please give it some testing and report any problems.
> -Steve
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050419/2a2668bf/attachment.htm>
More information about the Linux-audit
mailing list