SuSE 10.1 and linux audit

Clif Flynt clif at cflynt.com
Fri Aug 11 16:25:11 UTC 2006


Hi,
  Here are the steps I've gone through for making the audit package work
with SuSE 10.1.  If someone wants to point out some really bad things
I've done, feel free.  I suspect that I've cut some corners that aren't
safe, but this seems to work.

  This is a kludgy way to get things done, but it's working for now,
and these steps might help other folks do a better job of getting SuSE
10.1 and the audit utilities to play well together.

  My hope is that by the time I need to go live with the site,
there will be an out-of-the-box solution to the problems.

  I'm using stock 10.1, with the online updates, and Audit 1.2.5.
I install from the downloadable CD-ROM set.
  
  1) Base install with C/C++ Development, and kernel development. 
     Do the online update as part of the install.  (Is there an easy 
     way to get a snapshot of the updates as an ISO?)

  2) Install 2.6.17.6 kernel source.  I got the tarball from:
  http://linux.softpedia.com/progDownload/Linux-Kernel-Download-1960.html
    
    Untar, remove the old 'linux' link and create a new symlink
    to the new kernel directory.

  3) make oldconfig; 
    Take all defaults.

  4) edit arch/i386/Makefile, 
    set FDINITRD flag = 1
    There's probably a better way to do this, but this worked.  It
    wasn't necessary 2 weeks ago, and may not be necessary in the future,
    but without that flag the kernel gets built but no initrd is
    constructed, and the kernel won't boot.

  5) Build and install kernel; 
     make; make modules; make install; make modules_install

  6) Reboot to new kernel.

  7) Install swig and python-devel using Yast2
  
  8) Install the new kernel headers.  I got these from:
http://rpm.pbone.net/index.php3/stat/26/dist/0/size/728548/name/glibc-kernheaders-3.0-45.3.src.rpm
    
    I extracted the tar bz2 file with rpm2cpio, and then untarred
    that file to install the headers.
    
    This is one step that I think is very suspect.  I'm not sure where these
    headers are referenced, and which code is using what.
    
    I've tried building the 2.6.17 kernel with both the original headers
    and the new ones and seen no difference in behavior, but I might have 
    just not done a test that would exercise the trouble spots.
    
  9) Extract the audit 1.2.5 code.

 10) Rebuild the configure script, configure, make and install.

    I follow the cut/paste instructions in README-install
    autoreconf -fv --install, etc.

 11) Edit /etc/init.d/auditd
     Remove the -n flag that's added for AUDITD_DISABLE_CONTEXTS
     under the start case.  I don't think the -n option
     is supported in 1.2.5, and when it's there, the output messages
     go to /var/log/messages instead of /var/log/audit/audit.log.

    Add
    /sbin/auditctl -D 
    to the stop method.  This gets rid of
    an interminable set of messages to the screen during halt.
    
    This is another thing that I think is suspect.  Can a halt
    be aborted once it's reached the K15auditd stage of shutdown?
    If so, this is a security hole that would allow an unprivileged
    user to disable auditing, if not, then it should be fine.
 
 12) Install my audit.rules - I'm using all of the -a rules from
    the sample capp.rules set.

 13) Create /etc/audit and copy /etc/auditd.conf and audit.rules
     to it.  Again, I think this step could be avoided by proper
     use of various compile time flags, but this works.

-- 
.... Clif Flynt ... http://www.cflynt.com ... clif at cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kaufmann ..
..13th Annual Tcl/Tk Conference:  Oct 9-13, 2006,  Chicago, IL ..
.............  http://www.tcl.tk/community/tcl2006/  ............
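
The two edits in step 11 above (dropping the -n flag under the start case and running auditctl -D in the stop case) are easy to get wrong by hand and easy to lose on the next package update, so the script below, which is an added example and not part of Clif's post, applies them to a copy of an auditd init script and then checks that the result actually has the intended shape. The init script it operates on is a constructed, minimal stand-in written to a temp file; the real /etc/init.d/auditd on SuSE 10.1 is laid out differently, so the EXTRAOPTIONS variable name and the sed patterns are assumptions to adapt before pointing this at a live system. The check functions are the part worth keeping: run them after any edit (or after the next package upgrade) to confirm that auditd still starts without -n and that the rule flush still happens before the daemon is killed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the step-11 edits
# (remove "-n" from the start case, add "/sbin/auditctl -D" to the stop
# case) to a copy of an auditd init script, then verify the result.
# The init script below is a constructed stand-in; the real SuSE 10.1
# /etc/init.d/auditd differs, so the variable name and sed patterns are
# assumptions.
set -eu

# Write a constructed, minimal auditd init script to the path given.
make_sample_initscript() {
    cat > "$1" <<'EOF'
#!/bin/sh
AUDITD_DISABLE_CONTEXTS="yes"
case "$1" in
    start)
        EXTRAOPTIONS=""
        if [ "$AUDITD_DISABLE_CONTEXTS" = "yes" ]; then
            EXTRAOPTIONS="-n"
        fi
        startproc /sbin/auditd $EXTRAOPTIONS
        ;;
    stop)
        killproc -TERM /sbin/auditd
        ;;
esac
EOF
}

# True (exit 0) if the start case still hands "-n" to auditd.
start_passes_n_flag() {
    grep -q 'EXTRAOPTIONS="-n"' "$1"
}

# True (exit 0) if "auditctl -D" appears inside the stop case, i.e.
# between the "stop)" label and the ";;" that closes that case.
stop_runs_auditctl_D() {
    awk '/^[[:space:]]*stop\)/ { in_stop = 1 }
         in_stop && /auditctl -D/ { found = 1 }
         /;;/ { in_stop = 0 }
         END { exit !found }' "$1"
}

# Apply the step-11 edits, keeping the untouched original as <script>.orig.
patch_auditd_initscript() {
    script="$1"
    cp "$script" "$script.orig"
    # 11a: auditd 1.2.5 does not accept -n, so leave EXTRAOPTIONS empty.
    # 11b: flush the loaded rules right after the "stop)" label, before
    #      the daemon is killed.
    sed -e 's/EXTRAOPTIONS="-n"/EXTRAOPTIONS=""/' \
        -e '/^[[:space:]]*stop)/a\
        /sbin/auditctl -D' "$script" > "$script.new"
    mv "$script.new" "$script"
}

# Stand-alone run: patch a temporary copy and report before/after state.
main() {
    tmp=$(mktemp)
    make_sample_initscript "$tmp"
    start_passes_n_flag "$tmp" && echo "before: start passes -n to auditd"
    patch_auditd_initscript "$tmp"
    start_passes_n_flag "$tmp" || echo "after:  -n removed from start case"
    stop_runs_auditctl_D "$tmp" && echo "after:  stop case runs auditctl -D"
    rm -f "$tmp" "$tmp.orig"
}

main "$@"
```

To use it against a real script, replace make_sample_initscript with a cp of /etc/init.d/auditd to a scratch path, adjust the sed patterns to whatever that script actually calls its option variable, and only copy the patched file back once both check functions pass.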

More information about the Linux-audit mailing list