audit 0.6 release

Fri Jan 7 14:44:02 UTC 2005

I appreciate all the helpful comments on my look at auditd.

To see what I can do now with audit 0.6, I tried one rule similar to
requirements I've mentioned, one failed attempt to trigger an auditd
response, and looked at the output to see the feasibility of filtering
the output:

Using audit-0.6, my single rule is (from /sbin/audtctl -l):

AUDIT_LIST: exit always uid=507 (0x1fb) syscall=unlink

The failed attempt to be logged was:

  % rm /etc/passwd

The two messages generated in audit.log were:

type=KERNEL msg=audit(1105106227.435:12373636): item=0 name=/etc/passwd
\
  inode=5079041 dev=00:00-l inode=3080372 dev=00:00loginuid=-1 \
  uid=507 gid=503 euid=507 suid=507 fsuid=507 egid=503 sgid=503
fsgid=50333gid=503
type=KERNEL msg=audit(1105106227.435:12373636): syscall=10
exit=4294967283 \
  a0=bff86b22 a1=0 a2=80505e4 a3=bff86b22 items=1 pid=6137 loginuid=-1 \
  uid=507 gid=503 euid=507 suid=507 fsuid=507 egid=503 sgid=503
fsgid=503503

Notice that I can get the file name, the system call, and the exit
status of
unlink (but I suspect the print format for the exit code is %u instead
of %d,
thus the apparent large number probably from a negative exit code).

But do there have to be two messages?  Having one would enable easy
querying
(assuming I can parse on exit != 0), otherwise a little more difficult
(can I assume the messages always come in matching, adjacent pairs?).

To sum up, I believe I can write a perl parser to do what I need now
(assuming the exit code is correct), even though the message traffic is
so high.  As autitd's rule capability gets more sophisticated, the
message traffic should decrease immensely.

I also will write a perl script to perform as my manual rule loader
until auditd has its own.

Thanks.

-Tom Browder