Basic audit test fails
Steve Grubb
sgrubb at redhat.com
Wed Mar 22 19:09:23 UTC 2006
On Wednesday 22 March 2006 12:17, Steve Brueckner wrote:
> First, it appears I don't have file watch enabled in my kernel. Is file
> watch enabled in the FC5 kernel, or still only in RHEL?
Only RHEL. There was a conflict with inotify when it was sent upstream. That
is being reworked and a new patch is nearly ready for upstream submission.
> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:
It should work if everything is set up.
> [root at localhost ~]# auditctl -a exit,always -S open -F loginuid=600
> audit.log:
> type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
> audit rule
To use loginuid, you have to make sure that loginuid is actually getting set.
(The above seems to indicate that it's not.) This is done by the pam_loginuid
module. Also, look at its man page. You'll need that in login, sshd, or gdm
pam config.
> type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux: unrecognized
> netlink message type=1009 for sclass=49
> type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
> success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="auditctl" exe="/sbin/auditctl"
> type=SOCKADDR msg=audit(1142975791.439:6635):
> saddr=100000000000000000000000 type=SOCKETCALL
> msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec a2=10 a3=0
> a4=bfb8fd08 a5=c
If you get this on the command prompt, you don't have a new enough kernel. You
really want to be using 2.6.13 at a minimum.
> Should this experiment have produced any output to audit.log when the user
> wrote to a file? If not, why not?
Yes, you need to upgrade the kernel and I'd update to audit-1.0.14 if on FC4.
-Steve
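Steve's diagnosis (auid=4294967295 means the login UID was never set, so a -F loginuid= rule can never match) can be checked mechanically. The script below is an added example, not code from the thread or from the audit project: it parses audit.log records, flags those carrying the unset auid sentinel, and checks a PAM service file for an active pam_loginuid line. The log records and PAM fragments are constructed samples.

```python
import re

# An unset login UID is -1 stored in an unsigned 32-bit field, which the
# kernel reports as auid=4294967295.
UNSET_AUID = 4294967295

# Constructed sample records in audit.log key=value format; the first two
# mirror the records quoted in the thread, the third shows a record after
# pam_loginuid has set the login UID to 600.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an audit rule
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102 success=no exit=-22 auid=4294967295 uid=0 comm="auditctl" exe="/sbin/auditctl"
type=SYSCALL msg=audit(1142975900.000:6640): arch=40000003 syscall=5 success=yes exit=3 auid=600 uid=600 comm="vim" exe="/usr/bin/vim"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')

def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def records_without_loginuid(log_text):
    """Return serial numbers of records whose auid carries the unset sentinel.
    Such records from a login/sshd/gdm session mean pam_loginuid never ran."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "auid" not in rec:
            continue
        if int(rec["auid"]) == UNSET_AUID:
            hits.append(SERIAL_RE.search(rec["msg"]).group(1))
    return hits

def pam_loginuid_configured(pam_text):
    """True if an uncommented 'session' line loads pam_loginuid.so."""
    for line in pam_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "session" and any(f.endswith("pam_loginuid.so") for f in fields):
            return True
    return False

# Constructed PAM service fragments: one with the module active, one with it commented out.
PAM_SSHD_OK = "auth       required     pam_env.so\nsession    required     pam_loginuid.so\n"
PAM_SSHD_MISSING = "auth       required     pam_env.so\n#session   required     pam_loginuid.so\n"
```

Running `records_without_loginuid` over a real audit.log after a fresh ssh login is a quick way to confirm whether the pam_loginuid change took effect.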