auditd/auditctl SLED10
Lane Williams
lane.williams at jhuapl.edu
Fri Jul 21 20:49:24 UTC 2006
I downloaded each of the audit version from 1.1.4 - 1.2.1 and compiled
from the tar balls...the source rpms kept bombing out on dependencies.
As of 1.2.1 with the SLED 10 distro, I was able to get it to tell me
permission denied when the syscall attempted an open
on /var/log/messages from an unpriviledged user.
Thanks everyone...
Lane
On Fri, 2006-07-21 at 16:35 +0200, Marcus Meissner wrote:
> On Fri, Jul 21, 2006 at 10:31:22AM -0400, Linda Knippers wrote:
> > Lane Williams wrote:
> > > Yeah, I had tried that. There is an access syscall. From the looks of
> > > things the audit version that comes with SuSE has a few problems. I
> > > know in Red Hat it seems to work as I need it to. SuSE is also using
> > > Apparmor in place of SELinux, or at least they make it appear that way.
> > > The audit deamon also does not support file system watches.
> >
> > File system watches aren't supported in the upstream kernel until
> > 2.6.18.
> >
> > > Seems the only success=no returns that I receive are when the file does
> > > not exist. I may also have to add more to my filter in order to get
> > > what I want. Unfortunately I am stuck with SuSE and will have to
> > > continue troubleshooting until the patches come out.
> >
> > If you're using a 2.6.16 kernel and 1.1.3 audit tools, that seems like
> > a mismatch. There was a 1.1.4 audit package released back in February
> > and the release mail mentions apparmor support.
> > https://www.redhat.com/archives/linux-audit/2006-February/msg00036.html
>
> We have integrated AppArmor support in our 1.1.3 packages. (The
> stuff we sent upstream for 1.1.4).
>
> Ciao, Marcus
More information about the Linux-audit
mailing list