SELinux for auditing
Steve Grubb
sgrubb at redhat.com
Thu Feb 1 15:40:48 UTC 2007
On Thursday 01 February 2007 09:59, Stephen Smalley wrote:
> > Assuming current generation of audit code...
> >
> > auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
>
> Hmmm...on FC6, that yields an error from auditctl:
> key option needs a watch or syscall given prior to it
Ooops, that should be:
auditctl -a exit,always -F perm=w -F obj_type=bin_t -F key=executable
> Dropping the -k option avoids the error message, but overwriting a bin_t
> file doesn't generate any audit message. Similarly, adding a -S open
> avoids the error message while retaining the -k, but overwriting a bin_t
> file doesn't generate any audit message. Not sure where the problem
> lies there.
OK, we should look into this.
> Also, he mentioned RHEL 4 as his platform, so I would tend to think that
> his kernel and auditctl wouldn't support this anyway.
If so, it won't.
> So he may be limited to using auditallow statements in policy, which is
> certainly legitimate use of them (although I understand your goal of
> centralizing audit configuration).
Well, not just centralizing configuration, but that it's actually fit for its
purpose. :)
-Steve
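The thread's open question is whether a rule like the corrected one above (`-F perm=w -F obj_type=bin_t -F key=executable`) actually produces records when a bin_t file is overwritten. The following is an added example, not code from the list or from the audit project: a small parser for audit.log-style records that groups them by event serial and reports the events whose SYSCALL record carries the rule's key and whose PATH records name an object of the expected SELinux type. The sample records, their timestamps, inodes and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread). Event 401 is a write
# to a bin_t file that matched a rule keyed "executable"; event 402 is an
# unrelated write to a user_home_t file under a different key. Layout follows
# the audit.log format: type=... msg=audit(ts:serial): field=value ...
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1170344448.123:401): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5c a1=241 a2=1b6 a3=0 items=2 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vi" exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="executable"
type=CWD msg=audit(1170344448.123:401): cwd="/root"
type=PATH msg=audit(1170344448.123:401): item=0 name="/bin/" inode=1 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(1170344448.123:401): item=1 name="/bin/ls" inode=2 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=SYSCALL msg=audit(1170344449.500:402): arch=c000003e syscall=2 success=yes exit=4 a0=7fff5d a1=241 a2=1b6 a3=0 items=1 ppid=2001 pid=2003 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="vi" exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="notes"
type=PATH msg=audit(1170344449.500:402): item=0 name="/home/alice/notes.txt" inode=3 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# record header: type, timestamp and the per-event serial that ties records together
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')


def parse_records(text):
    """Group audit records by event serial: {serial: [(record_type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        events[int(serial)].append((rtype, fields))
    return dict(events)


def selinux_type(context):
    """Type component of a SELinux context of the form user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def matching_events(events, key="executable", obj_type="bin_t"):
    """Serials whose SYSCALL record carries `key` and whose PATH records include
    at least one object labelled `obj_type`, with the paths that matched."""
    hits = []
    for serial, recs in sorted(events.items()):
        keys = [f.get("key") for t, f in recs if t == "SYSCALL"]
        if key not in keys:
            continue
        paths = [f["name"] for t, f in recs
                 if t == "PATH" and selinux_type(f.get("obj", "")) == obj_type]
        if paths:
            hits.append((serial, paths))
    return hits


if __name__ == "__main__":
    for serial, paths in matching_events(parse_records(SAMPLE_LOG)):
        print("event %d: write to bin_t object(s) %s" % (serial, ", ".join(paths)))
```

Run against a real log (`/var/log/audit/audit.log`, readable as root) instead of `SAMPLE_LOG`, an empty result after deliberately touching a bin_t file is the symptom Stephen describes above; a non-empty one shows the rule and key are wired through. Keying on the serial rather than on a single record matters because the SELinux object label lives in the PATH record, not in the SYSCALL record that carries the key.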