audit.47
Rob Myers
rob.myers at gtri.gatech.edu
Mon May 23 18:49:36 UTC 2005
On Mon, 2005-05-23 at 11:31 -0400, Peter Martuccelli wrote:
> Hello,
>
> On Mon, 2005-05-23 at 11:04, Timothy R. Chavez wrote:
> > I believe Peter Martucelli (sp?) moderates the list...
> >
> >
> Yes I do. I cleared the posts this morning. Subscribers to the list
> need to be accepted before they can post.
With auditctl from audit-0.8.2-2, auditctl -D deletes all rules, but not
all watch lists. Is there an equivalent to -D to delete all watch
lists? Is it possible to make -D also delete watch lists?
For now I added a loop to clear these lists in my auditd init script:
--- /etc/init.d/auditd.orig 2005-05-23 13:34:08.819954823 -0400
+++ /etc/init.d/auditd 2005-05-23 13:41:35.517872333 -0400
@@ -71,6 +71,13 @@ stop(){
killproc $prog
RETVAL=$?
echo
+
+ # remove stale watches
+ for watch in `/sbin/auditctl -l | /bin/grep ^AUDIT_WATCH_LIST
| /bin/awk -Fpath= '{print $2}' | /bin/awk -F, '{print $1}'`
+ do
+ /sbin/auditctl -W ${watch} >/dev/null
+ done
+
rm -f /var/lock/subsys/auditd
return $RETVAL
}
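Review bot: the `for watch in \`...\`` loop word-splits the command substitution on whitespace, so a watched path containing a space (or a glob character) arrives at `auditctl -W` as several arguments, and `${watch}` on the line `+ /sbin/auditctl -W ${watch} >/dev/null` is unquoted, so it splits a second time. Reading the list with `while read -r watch; do ... done` and quoting `"${watch}"` keeps each path intact. Two smaller points: the `grep ^AUDIT_WATCH_LIST | awk -Fpath= | awk -F,` chain hard-codes the `auditctl -l` output format and truncates any path that itself contains a comma, which deserves a comment next to `# remove stale watches`; and the loop discards `auditctl -W` output but never checks its exit status, so a watch that fails to be removed is silently left in place while stop() still returns `$RETVAL` from killproc.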
Also, I managed to trigger an oops with audit.47, which I have not been
able to repeat. I'll attach it in case it is useful.
And thanks Peter, I appear to be all set up.
rob.
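The loop above reads the watch list through a backtick substitution, which splits on whitespace. What follows is an added example, not Rob's patch and not code from the audit package: it extracts the watch paths from `auditctl -l`-style output with sed and hands each one, as a single argument, to a remover command. The sample listing is constructed, and its line format (a line beginning with AUDIT_WATCH_LIST that carries a `path=...,` field) is assumed from what the patch's grep and awk pipeline expects; `fake_auditctl_W` is a stand-in for `/sbin/auditctl -W` so the script runs without auditd.

```shell
#!/bin/sh
# Added example; not from the patch or the audit package. The sample below is
# constructed, and its format is assumed from the grep/awk pipeline in the
# init-script patch: one watch per line, starting with AUDIT_WATCH_LIST and
# holding a "path=<path>," field followed by other comma-separated fields.
SAMPLE_WATCH_LIST='AUDIT_WATCH_LIST: path=/etc/passwd, perms=rwxa, filterkey=passwd-changes
AUDIT_WATCH_LIST: path=/var/log/my app, perms=wa, filterkey=spaces
AUDIT_LIST: syscall=open, exit=always
AUDIT_WATCH_LIST: path=/etc/shadow, perms=wa, filterkey=shadow-changes'

# extract_watch_paths: read auditctl -l style output on stdin and print one
# watch path per line. Only AUDIT_WATCH_LIST lines are considered; the path
# is everything after "path=" up to the next comma, so a space inside the
# path survives (the backtick for-loop in the patch would split it).
extract_watch_paths() {
    sed -n 's/^AUDIT_WATCH_LIST.*path=\([^,]*\).*/\1/p'
}

# remove_watches: feed each path from stdin to the remover command given as
# $1 (default: /sbin/auditctl -W). `IFS= read -r` keeps each line whole, and
# "$path" is quoted so an embedded space stays one argument. The remover's
# exit status is checked, unlike the patch, so a failed removal is reported.
# Prints the number of watches removed.
remove_watches() {
    remover="${1:-/sbin/auditctl -W}"
    count=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        $remover "$path" >/dev/null || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# fake_auditctl_W: hypothetical stand-in for "/sbin/auditctl -W <path>" so
# the example runs offline; it only reports what would be removed.
fake_auditctl_W() {
    printf 'would run: /sbin/auditctl -W "%s"\n' "$1" >&2
}

# Usage: count the watches that would be removed from the constructed list.
removed=$(printf '%s\n' "$SAMPLE_WATCH_LIST" | extract_watch_paths | remove_watches fake_auditctl_W)
echo "watches removed: $removed"
```

In a real init script the call would be `/sbin/auditctl -l | extract_watch_paths | remove_watches`, with the default remover; the `-l` output format is the only assumption the parser makes, so check it against the installed auditctl before relying on it.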
-------------- next part --------------
ksymoops 2.4.11 on i686 2.6.9-5.0.3.EL.audit.47smp. Options used
-V (default)
-k /proc/ksyms (default)
-l /proc/modules (default)
-o /lib/modules/2.6.9-5.0.3.EL.audit.47smp/ (default)
-m /boot/System.map-2.6.9-5.0.3.EL.audit.47 (specified)
Error (regular_file): read_ksyms stat /proc/ksyms failed
No modules in ksyms, skipping objects
No ksyms, skipping lsmod
May 23 12:14:13 localhost kernel: CPU 0 irqstacks, hard=c03da000 soft=c03ba000
May 23 12:14:14 localhost kernel: CPU 1 irqstacks, hard=c03db000 soft=c03bb000
May 23 12:17:25 localhost kernel: CPU 0 irqstacks, hard=c03da000 soft=c03ba000
May 23 12:17:25 localhost kernel: CPU 1 irqstacks, hard=c03db000 soft=c03bb000
May 23 12:19:11 localhost kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000
May 23 12:19:11 localhost kernel: c013bb0d
May 23 12:19:11 localhost kernel: *pde = 1659e001
May 23 12:19:11 localhost kernel: Oops: 0000 [#1]
May 23 12:19:11 localhost kernel: CPU: 0
May 23 12:19:11 localhost kernel: EIP: 0060:[<c013bb0d>] Not tainted VLI
Using defaults from ksymoops -t elf32-i386 -a i386
May 23 12:19:11 localhost kernel: EFLAGS: 00010282 (2.6.9-5.0.3.EL.audit.47smp)
May 23 12:19:11 localhost kernel: eax: ddb7a440 ebx: de72777c ecx: 00000000 edx: ddb7a440
May 23 12:19:11 localhost kernel: esi: dd4bc30c edi: 00000000 ebp: 00000004 esp: d78baee4
May 23 12:19:11 localhost kernel: ds: 007b es: 007b ss: 0068
May 23 12:19:11 localhost kernel: Stack: 00000000 de72777c de72777c 00000004 d78baf58 c0161e50 de72777c 00000001
May 23 12:19:11 localhost kernel: d78baf58 00000004 c01635ac d6106d5c d5ef5000 00000000 d5ef5000 d78baf58
May 23 12:19:11 localhost kernel: c0163a20 b7fb0000 00000000 00000004 000001b6 00000001 c01b916c d78baf58
May 23 12:19:11 localhost kernel: Call Trace:
May 23 12:19:11 localhost kernel: [<c0161e50>] permission+0xf/0x4f
May 23 12:19:11 localhost kernel: [<c01635ac>] may_open+0x53/0x21a
May 23 12:19:11 localhost kernel: [<c0163a20>] open_namei+0x2ad/0x5b5
May 23 12:19:12 localhost kernel: [<c01b916c>] atomic_dec_and_lock+0x20/0x40
May 23 12:19:12 localhost kernel: [<c0156194>] filp_open+0x23/0x3c
May 23 12:19:12 localhost kernel: [<c02c62b5>] __cond_resched+0x14/0x39
May 23 12:19:12 localhost kernel: [<c01b936e>] direct_strncpy_from_user+0x3e/0x5d
May 23 12:19:12 localhost kernel: [<c01564a6>] sys_open+0x31/0x7d
May 23 12:19:12 localhost kernel: [<c02c7c83>] syscall_call+0x7/0xb
May 23 12:19:12 localhost kernel: Code: 85 c0 74 04 85 c5 74 76 c7 04 24 f4 ff ff ff a1 30 e8 31 c0 ba d0 00 00 00 e8 56 85 00 00 85 c0 89 c2 74 5a c7 04 24 00 00 00 00 <83> 3f 00 74 0d 83 7f 38 00 75 07 c7 47 38 01 00 00 00 89 72 08
>>EIP; c013bb0d <print_modules+9/5f> <=====
Trace; c0161e50 <do_truncate+b2/c4>
Trace; c01635ac <remote_llseek+57/197>
Trace; c0163a20 <do_sync_read+5d/c9>
Trace; c01b916c <semctl_nolock+1d5/22b>
Trace; c0156194 <unmap_vma+5/4b>
Trace; c02c62b5 <ip_append_data+65e/771>
Trace; c01b936e <semctl_main+1ac/426>
Trace; c01564a6 <do_munmap+d7/1d2>
Trace; c02c7c83 <ip_setsockopt+57f/945>
This architecture has variable length instructions, decoding before eip
is unreliable, take these instructions with a pinch of salt.
Code; c013bae2 <module_text_address+df/101>
00000000 <_EIP>:
Code; c013bae2 <module_text_address+df/101>
0: 85 c0 test %eax,%eax
Code; c013bae4 <module_text_address+e1/101>
2: 74 04 je 8 <_EIP+0x8>
Code; c013bae6 <module_text_address+e3/101>
4: 85 c5 test %eax,%ebp
Code; c013bae8 <module_text_address+e5/101>
6: 74 76 je 7e <_EIP+0x7e>
Code; c013baea <module_text_address+e7/101>
8: c7 04 24 f4 ff ff ff movl $0xfffffff4,(%esp)
Code; c013baf1 <module_text_address+ee/101>
f: a1 30 e8 31 c0 mov 0xc031e830,%eax
Code; c013baf6 <module_text_address+f3/101>
14: ba d0 00 00 00 mov $0xd0,%edx
Code; c013bafb <module_text_address+f8/101>
19: e8 56 85 00 00 call 8574 <_EIP+0x8574>
Code; c013bb00 <module_text_address+fd/101>
1e: 85 c0 test %eax,%eax
Code; c013bb02 <module_text_address+ff/101>
20: 89 c2 mov %eax,%edx
Code; c013bb04 <print_modules+0/5f>
22: 74 5a je 7e <_EIP+0x7e>
Code; c013bb06 <print_modules+2/5f>
24: c7 04 24 00 00 00 00 movl $0x0,(%esp)
This decode from eip onwards should be reliable
Code; c013bb0d <print_modules+9/5f>
00000000 <_EIP>:
Code; c013bb0d <print_modules+9/5f> <=====
0: 83 3f 00 cmpl $0x0,(%edi) <=====
Code; c013bb10 <print_modules+c/5f>
3: 74 0d je 12 <_EIP+0x12>
Code; c013bb12 <print_modules+e/5f>
5: 83 7f 38 00 cmpl $0x0,0x38(%edi)
Code; c013bb16 <print_modules+12/5f>
9: 75 07 jne 12 <_EIP+0x12>
Code; c013bb18 <print_modules+14/5f>
b: c7 47 38 01 00 00 00 movl $0x1,0x38(%edi)
Code; c013bb1f <print_modules+1b/5f>
12: 89 72 08 mov %esi,0x8(%edx)
1 error issued. Results may not be reliable.