file system auditing, zany timezone issues, design document, etc, etc

Timothy R. Chavez tinytim at us.ibm.com
Thu Apr 28 14:15:35 UTC 2005 

On Wed, 2005-04-27 at 18:36 -0500, Debora Velarde wrote:
> > I re-tested today with the user space patch applied.  I thought I
> > would post my results in case they are different from what you
> found.
> 
> > 1. -D (delete all rules) doesn't delete any rules
> I see this problem also.  
> 
> I'm seeing lots of strange behavior when I updated to this new kernel.
> 
> # auditctl -a entry,always -F arch=b32 -S chmod
> No rules
> # auditctl -l
> No rules

Yeah, both have to do with a bug in the kernel that I introduced, but
fixed yesterday.  To-date there is no Redhat version of the kernel
available.  I'll try to get something out today.

> # auditctl -D
> AUDIT_LIST: entry always a1=4 (0x4) syscall=access
> AUDIT_LIST: entry always a1=3 (0x3) syscall=access
> AUDIT_LIST: entry never a1=4 (0x4) syscall=access
> AUDIT_LIST: entry always syscall=chmod
> AUDIT_LIST: entry never syscall=chmod
> AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
> AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
> AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
> AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
> AUDIT_LIST: entry always arch=3221225534 (0xc000003e) syscall=semget
> AUDIT_LIST: entry never arch=3221225534 (0xc000003e) syscall=semget
> AUDIT_LIST: entry always syscall=chmod

I'd imagine that whatever listing problem this demonstrates (I've not
done anything with -D so I don't really know what I'm suppose to see),
it's now fixed.. so hopefully all will be well in audit.25

> 
> > 
> > I see these bugs with the patched version of both audit-0.6.10 and
> > audit-0.7.1 running with the audit.24 kernel.  I haven't tried the
> > 2.6.12 kernel yet.
> I am using kernel-2.6.9-5.0.3.EL.audit.24 and audit-0.7.1-1.  
> I've used audit-0.7.1-1 with kernel-2.6.9-5.0.3.EL.audit.20 and didn't
> see this strange behavior.
> I wanted to try kernel-2.6.9-5.0.3.EL.audit.23 but when I tried
> installing kernel-2.6.9-5.0.3.EL.audit.23,
> I got a kernel panic when trying to boot.
> Kernel Panic -not syncing: kernel/auditfs.c:439
> spin_is_locked on uninitalized spinlock

Yep, this was fixed too (audit.24 =))

> 
> -debbie
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit

More information about the Linux-audit mailing list