audit.56 merged with audit-2.6.git

Steve Grubb sgrubb at redhat.com
Thu Jun 9 13:54:39 UTC 2005


On Thursday 09 June 2005 09:21, serue at us.ibm.com wrote:
> How about #defines for arguments to audit_update_watch?  0 and 1, not
> meaningful.

I agree. This would help readability.

> struct watch_transport: member "valid" is unused??

User space is displaying it. What happened to it?

> Now looking at locking.  I assume that you feel confident enough at
> this point about the placement of the update_watch'es and that you
> are catching all meaningful fs events?

What about changes of attributes? chmod, chown, chgrp, chattr, setfacl.

[root at endeavor ~]# /etc/rc.d/init.d/auditd start
Starting auditd:                                           [  OK  ]
[root at endeavor ~]# auditctl -w /var/log/audit/audit.log -k test -p rwea
No rules
AUDIT_WATCH_LIST: dev=3:7, path=/var/log/audit/audit.log, filterkey=test, 
perms=rwea, valid=0
[root at endeavor ~]# ls -l /var/log/audit/audit.log
-rw-rw----  1 root root 381 Jun  9 09:44 /var/log/audit/audit.log
[root at endeavor ~]# chmod 0644 /var/log/audit/audit.log
[root at endeavor ~]# /etc/rc.d/init.d/auditd stop
Stopping auditd:                                           [  OK  ]
[root at endeavor ~]# ausearch -i -m ALL
/var/log/audit/audit.log permissions should be 0660
[root at endeavor ~]# chmod 0660 /var/log/audit/audit.log
[root at endeavor ~]# ausearch -i -m ALL
----
type=DAEMON_START msg=audit(06/09/05 09:44:16.353:485)  auditd start, 
ver=0.9.3  format=raw  auid=sgrubb  auditd pid=3896
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:16.557:5004034) : audit_enabled=1 
old=1 by auid=sgrubb
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:17.171:5004344) : 
audit_backlog_limit=1024 old=1024 by auid=sgrubb
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:24.423:5008663) : auid=sgrubb
----
type=DAEMON_END msg=audit(06/09/05 09:44:48.250:486)  auditd normal halt, 
sending pid=3903 auid=sgrubb  auditd pid=3896


No audit records were generated when I made the file world readable. I suppose 
you could hook the right syscalls, but that would provide way too much info. 
The reason I ask is Table 1 of CAPP, FMT_MSA.3 says that we should be able 
to audit all modifications to the initial value of security attributes & 
modifications to permissive or restrictive rules. Maybe I misunderstand the 
application of this requirement, but that seems like file permissions.

-Steve
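Added example (not from the thread or the audit project): a small parser for the interpreted `ausearch -i` record layout quoted above, rejoining wrapped lines and splitting each record into type, timestamp, serial and key=value fields, so one can mechanically check, as Steve did by eye, that no record in the session mentions the watched path. The sample input is the quoted output, constructed inline; the record separator `----` and the two header shapes (with and without ` : `) are taken from that output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the ausearch -i output quoted in the message, with the
# lines that the mail client wrapped rejoined. Records are separated by "----".
SAMPLE = """----
type=DAEMON_START msg=audit(06/09/05 09:44:16.353:485)  auditd start, ver=0.9.3  format=raw  auid=sgrubb  auditd pid=3896
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:16.557:5004034) : audit_enabled=1 old=1 by auid=sgrubb
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:17.171:5004344) : audit_backlog_limit=1024 old=1024 by auid=sgrubb
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:24.423:5008663) : auid=sgrubb
----
type=DAEMON_END msg=audit(06/09/05 09:44:48.250:486)  auditd normal halt, sending pid=3903 auid=sgrubb  auditd pid=3896
"""

# "type=T msg=audit(<timestamp>:<serial>) [:] <rest>"; the timestamp itself
# contains colons, so match lazily up to the final ":serial)".
HEADER = re.compile(r"^type=(\S+)\s+msg=audit\((.+?):(\d+)\)\s*:?\s*(.*)$")
KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Record:
    rtype: str
    time: str
    serial: int
    fields: dict


def parse_ausearch(text):
    """Split interpreted ausearch output into Record objects."""
    records = []
    for chunk in text.split("----"):
        line = " ".join(chunk.split())  # rejoin wrapped lines, squeeze spaces
        m = HEADER.match(line)
        if not m:
            continue  # empty chunk or non-record text
        rtype, when, serial, rest = m.groups()
        records.append(Record(rtype, when, int(serial), dict(KV.findall(rest))))
    return records


def records_mentioning(records, needle):
    """Records whose field values contain the given string (e.g. a watched path)."""
    return [r for r in records if any(needle in v for v in r.fields.values())]


def count_by_type(records):
    """Histogram of record types, handy for spotting a missing event class."""
    counts = {}
    for r in records:
        counts[r.rtype] = counts.get(r.rtype, 0) + 1
    return counts
```

Running `records_mentioning(parse_ausearch(SAMPLE), "/var/log/audit/audit.log")` returns an empty list, which is the gap described in the message: the session contains only daemon and configuration records, none for the chmod on the watched file.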



