Supporting linux-audit in our 2.6 kernel

Steve Grubb sgrubb at redhat.com
Wed Mar 30 20:12:55 UTC 2005


On Wednesday 30 March 2005 14:43, Joe Porter wrote:
> Obviously there is a mismatch between our userland
> and kernel with respect to supporting linux-audit.

A big one. The 2.6.6 kernel is missing a lot of the code needed by the planned 
implementation. You need to apply a lot of patches to get it close to the 
2.6.12 kernel's implementation. Offhand, I don't know how tricky that would 
be since we've been working with RHEL4 kernels.

> 2. I removed the laus-0.1-65RHEL3 rpm and installed
>    the audit-0.5-1 rpm.

Get the latest from rawhide. 0.6.9. 
http://mirrors.kernel.org/fedora/core/development/SRPMS/audit-0.6.9-1.src.rpm

> 4. I tried some auditctl commands, but had no clue how to
>    test the mix.  I have no idea how to configure this and I
>    can't find any documentation on the interface.

Rawhide's version is much better. 0.5 doesn't even come close.

> Where can I find documentation?

There are some docs in 0.6.9's package.

> How do I do at least a sanity check?  (login and passwd file)

You need patched userland utilities. For example, a new pam, at, 
glibc-kernheaders, shadow-utils, etc.

> Do I need any kernel patches for 2.6.6 and audit-0.5-1?

Yes. However, I don't think they will be available under RHEL3. It's all aimed 
at RHEL4.

> Should I try the audit-0.6.5 and are there any kernel patches needed?

0.6.9

> We have to be ready by Friday.

With this short of a deadline, you might be better off trying it on Fedora 
Core 4 test 1 + rawhide updates. You can demonstrate some functionality with 
that setup, but we are still developing the filesystem auditing and a few 
other pieces. So, even rawhide is not a complete solution.

> Thanks a million for any advice.  If we are successful, I'm fairly
> certain this will ship with our product from now on.  We'd be glad to
> provide testing feedback to you.

Hope this helps...

-Steve



