Basic audit test fails

Steve Grubb sgrubb at redhat.com
Wed Mar 22 19:09:23 UTC 2006


On Wednesday 22 March 2006 12:17, Steve Brueckner wrote:
> First, it appears I don't have file watch enabled in my kernel. Is file
> watch enabled in the FC5 kernel, or still only in RHEL?

Only RHEL. There was a conflict with inotify when it was sent upstream. That 
is being reworked and a new patch is nearly ready for upstream submission.

> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:

It should work if everything is set up.

> [root at localhost ~]# auditctl -a exit,always -S open -F loginuid=600
> audit.log:
> type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
> audit rule

To use loginuid, you have to make sure that loginuid is actually getting set. 
(The above seems to indicate that it's not.) This is done by the pam_loginuid 
module. Also, look at its man page. You'll need that in login, sshd, or gdm 
pam config.

> type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux:  unrecognized
> netlink message  type=1009 for sclass=49
> type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
> success=no exit=-22  a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
> auid=4294967295 uid=0 gid=0 euid=0  suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="auditctl" exe="/sbin/auditctl"
> type=SOCKADDR msg=audit(1142975791.439:6635):
> saddr=100000000000000000000000 type=SOCKETCALL
> msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec a2=10 a3=0
>  a4=bfb8fd08 a5=c

If you get this on the command prompt, you don't have a new enough kernel. You 
really want to be using 2.6.13 at a minimum.

> Should this experiment have produced any output to audit.log when the user
> wrote to a file? If not, why not?

Yes, you need to upgrade the kernel and I'd update to audit-1.0.14 if on FC4.

-Steve
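A small check script for the two preconditions Steve names above, as an added example that is not part of the thread or the audit project: it treats auid=4294967295 (the unsigned -1 the kernel prints when loginuid was never set) as "this record can never match a -F loginuid= rule", counts such records in a log, and checks whether a PAM service file has an uncommented pam_loginuid line. The audit records and PAM fragments embedded in it are constructed samples in the same format as the quoted log lines; the /proc/self/loginuid check is only reported, since its value depends on how the current shell was started.

```shell
#!/bin/sh
# Added example (not from the thread): why a rule such as
#   auditctl -a exit,always -S open -F loginuid=600
# produces nothing when loginuid is never set, and how to spot that.
# auid=4294967295 is (unsigned)-1: the process has no loginuid, so no
# "-F loginuid=..." rule can ever match it. pam_loginuid sets it at login.

UNSET_AUID=4294967295

# Return 0 if one audit record carries an unset auid.
auid_is_unset() {
    case " $1 " in
        *" auid=${UNSET_AUID} "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the auid field of one record (prints nothing if the field is absent).
auid_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^auid=/) { sub(/^auid=/, "", $i); print $i; exit }
    }'
}

# Read audit records on stdin; print how many have an unset auid.
count_unset_auid() {
    awk -v unset="$UNSET_AUID" '
        $0 ~ ("(^|[ ])auid=" unset "([ ]|$)") { n++ }
        END { print n + 0 }'
}

# Read audit records on stdin; print the number of records.
count_records() {
    awk 'END { print NR }'
}

# Read a PAM service file on stdin (e.g. /etc/pam.d/sshd); return 0 if it
# has an uncommented "session ... pam_loginuid.so" line.
pam_has_loginuid() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_loginuid\.so'
}

# Return 0 if this process's own loginuid is set, 1 if unset, 2 if unreadable.
self_loginuid_is_set() {
    [ -r /proc/self/loginuid ] || return 2
    [ "$(cat /proc/self/loginuid)" != "$UNSET_AUID" ]
}

# Constructed sample log: a rule load and two open() records, one of them
# from a session that went through pam_loginuid (auid=600) and one that did not.
SAMPLE_AUDIT_LOG='type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an audit rule
type=SYSCALL msg=audit(1142975900.100:6700): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=27510 auid=600 uid=600 gid=600 euid=600 suid=600 fsuid=600 egid=600 sgid=600 fsgid=600 comm="vi" exe="/bin/vi"
type=SYSCALL msg=audit(1142975901.200:6701): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=27511 auid=4294967295 uid=600 gid=600 euid=600 suid=600 fsuid=600 egid=600 sgid=600 fsgid=600 comm="cat" exe="/bin/cat"'

# Constructed PAM fragments: pam_loginuid commented out vs. active.
SAMPLE_PAM_SSHD_BAD='#%PAM-1.0
auth       include      system-auth
account    include      system-auth
session    include      system-auth
#session    required     pam_loginuid.so'

SAMPLE_PAM_SSHD_GOOD='#%PAM-1.0
auth       include      system-auth
account    include      system-auth
session    required     pam_loginuid.so
session    include      system-auth'

main() {
    n=$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_unset_auid)
    t=$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_records)
    echo "sample log: $n of $t records have auid unset (never matched by -F loginuid=600)"
    if printf '%s\n' "$SAMPLE_PAM_SSHD_GOOD" | pam_has_loginuid; then
        echo "good sshd pam config: pam_loginuid.so is active"
    fi
    if ! printf '%s\n' "$SAMPLE_PAM_SSHD_BAD" | pam_has_loginuid; then
        echo "bad sshd pam config: pam_loginuid.so missing or commented out"
    fi
    if self_loginuid_is_set; then
        echo "this shell's loginuid is set: $(cat /proc/self/loginuid)"
    else
        echo "this shell's loginuid is unset or unreadable; -F loginuid= rules will not see it"
    fi
}
main
```

To use it on a real box, pipe /var/log/audit/audit.log into count_unset_auid and /etc/pam.d/sshd (or login, gdm) into pam_has_loginuid; a high unset count together with a missing pam_loginuid line is the situation described in the reply.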
