Linux audit newbie question (Sorry probably a little boring...)
Steve Grubb
sgrubb at redhat.com
Mon May 8 14:38:03 UTC 2006
On Sunday 07 May 2006 10:11, Adrian Powell wrote:
> I have a Linux system running a 2.6.5 kernel, which cannot be
> upgraded to a later release for the time being.
Hi,
I think the native linux audit system landed in the 2.6.6 kernel. I think
2.6.14 was the kernel where we finally had things working pretty good for
syscall auditing.
> I do have the source available, and can patch it if necessary. I wish to run
> some kind of system call level auditing/logging for security purposes.
I think you will likely have to do quite a bit of work. You can copy
kernel/audit.c and kernel/auditsc.c to your old kernel as well as
include/linux/audit.h. The problem is going to be adding all the hook
functions to the right place.
> I have the LaUS package installed with the PAM modules, but this does not
> impliment the system call level logging that I require, without a patch.
LaUS is a different and incompatible audit system. The userspace piece that
you would want is the audit-1.0.14 package. There is a lot of patching of
trusted apps, though.
> The trouble is that the only patches that I can find are not compatible with
> this particular kernel.
Same with porting the native linux audit system. You would have to do quiet a
bit of sleuthinging around to place all the hooks in the right place. The
native audit system also depends quite a bit on netlink, which has been
changed a few times during 2.6 lifetime. So, you may run into problems with
that, too.
> What are my options here ?.
I think your options includes a fair amount of porting of something. Its
either step up to newer kernel or do backporting.
-Steve
More information about the Linux-audit
mailing list