[RFC][PATCH] (#6) filesystem auditing

Timothy R. Chavez tinytim at us.ibm.com
Tue Mar 15 18:29:26 UTC 2005


On Tuesday 15 March 2005 12:11 pm, Stephen Smalley wrote:
> On Tue, 2005-03-15 at 11:51 -0600, Timothy R. Chavez wrote:
> > Hmmm,
> >
> > I'm getting this now too:
> >
> > ./auditctl -w /audit/foo
> >
> > Error sending netlink packet (Connection refused)
>
> Hmmm...that isn't what I get.  With a patched 2.6.11 kernel and 0.6.7
> auditctl, I see:
>
> # ./auditctl -w /etc/shadow
> Error sending netlink packet (Invalid argument)
>
> Error sending rule to kernel
> # ./auditctl -e 1
> AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=64
> lost=0 backlog=0
>
> I added printks to the kernel audit code, and I see them when I do the
> auditctl -e, but not when I try the auditctl -w, so it seems like it
> isn't even reaching audit_receive(), i.e. malformed netlink packet?

Yeah,

Haha.  I forgot I compiled my kernel without audit enabled / audit syscall 
enabled, to make sure it compiled.. so :) I'm just dumb and I'm not sure 
there's a patch available to correct that.

Anyway, Invalid argument, hmmm.  If it's not dying at audit_netlink_ok() 
(which will return back an err = -EINVAL), then you should be getting to 
audit_receive_watch() -- if you print out the values of 
audit_watch->name/filterkey/path from audit_insert_watch, that might clue us 
in.  I have a feeling that somehow the memset(&watch, 0, sizeof(watch)) 
that was once in reset_vars() (in auditctl.c) has escaped somehow and you're 
passing in a perm equal to some ridiculous value (bigger than 15) because it 
was not initialized to 0.  Perhaps?

-tim
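
The hypothesis in the message above, as an added example that is not code from the original post, auditctl, or the kernel: a request struct that is not zeroed before use carries a stale perm value, and the receiver's range check rejects it with -EINVAL. The struct `watch_req`, its layout, and every function name are hypothetical; only the perm bound of 15 and the -EINVAL result come from the thread, and the 0xAA fill is a deterministic stand-in for leftover stack contents.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PERM_MAX 15u            /* bound quoted in the thread: perm > 15 is invalid */

/* Hypothetical watch request; layout assumed, not the real auditctl struct. */
struct watch_req {
    unsigned int perms;
    char path[64];
};

/* Receiver-side check (assumed): out-of-range perms are rejected. */
static int validate_watch(const struct watch_req *w)
{
    if (w->perms > PERM_MAX)
        return -EINVAL;
    if (memchr(w->path, '\0', sizeof(w->path)) == NULL)
        return -EINVAL;         /* path must be NUL-terminated */
    return 0;
}

/* Fill the struct with a fixed pattern to emulate stale stack memory. */
static void poison(struct watch_req *w) { memset(w, 0xAA, sizeof(*w)); }

/* Sender without the reset: only the path is set, perms keeps stale bytes. */
static int send_without_reset(const char *path)
{
    struct watch_req w;
    poison(&w);
    snprintf(w.path, sizeof(w.path), "%s", path);
    return validate_watch(&w);
}

/* Sender with the reset: zero the whole struct before filling it in. */
static int send_with_reset(const char *path)
{
    struct watch_req w;
    poison(&w);
    memset(&w, 0, sizeof(w));
    snprintf(w.path, sizeof(w.path), "%s", path);
    return validate_watch(&w);
}

int main(void)
{
    printf("without reset: %d\n", send_without_reset("/etc/shadow"));
    printf("with reset:    %d\n", send_with_reset("/etc/shadow"));
    return 0;
}
```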



