Supporting linux-audit in our 2.6 kernel
Steve Grubb
sgrubb at redhat.com
Wed Mar 30 20:12:55 UTC 2005
On Wednesday 30 March 2005 14:43, Joe Porter wrote:
> Obviously there is a mismatch between our userland
> and kernel with respect to supporting linux-audit.
A big one. The 2.6.6 kernel is missing a lot of the code needed by the planned
implementation. You need to apply a lot of patches to get it close to the
2.6.12 kernel's implementation. Offhand, I don't know how tricky that would
be since we've been working with RHEL4 kernels.
> 2. I removed the laus-0.1-65RHEL3 rpm and installed
> the audit-0.5-1 rpm.
Get the latest from rawhide. 0.6.9.
http://mirrors.kernel.org/fedora/core/development/SRPMS/audit-0.6.9-1.src.rpm
> 4. I tried some auditctl commands, but had no clue how to
> test the mix. I have no idea how to configure this and I
> can't find any documentation on the interface.
Rawhide's version is much better. 0.5 doesn't even come close.
> Where can I find documentation?
There are some docs in 0.6.9's package.
> How do I do at least a sanity check? (login and passwd file)
You need patched userland utilities. For example, a new pam, at,
glibc-kernheaders, shadow-utils, etc.
> Do I need any kernel patches for 2.6.6 and audit-0.5-1?
Yes. However, I don't think they will be available under RHEL3. It's all aimed
at RHEL4.
> Should I try the audit-0.6.5 and are there any kernel patches needed?
0.6.9
> We have to be ready by Friday.
With this short of a deadline, you might be better off trying it on Fedora
Core 4 test 1 + rawhide updates. You can demonstrate some functionality with
that setup, but we are still developing the filesystem auditing and a few
other pieces. So, even rawhide is not a complete solution.
> Thanks a million for any advice. If we are successful, I'm fairly
> certain this will ship with our product from now on. We'd be glad to
> provide testing feedback to you.
Hope this helps...
-Steve