[PATCH 0/4] AUDIT: enable build on 2.6.35.13-91 (or earlier) kernels
Mr Dash Four
mr.dash.four at googlemail.com
Wed May 25 23:42:42 UTC 2011
All,
Further to the private discussion I've had with Steve Grubb over the past few days, I am attaching a series of 4 patches enabling the AUDIT target, which was first introduced in the .39 version of the kernel, to run on version .35 (or even lower kernel versions, testing & further tweaking permitted).
The reason, which prompted me to adopt this in earlier versions is because I saw huge benefit in using this superb feature - at least on my systems here (it would finally enable me to combine all security-related reporting into one single, secure place/source, without messing about with syslogs spread over various different places) and I couldn't afford to wait until the .39 kernel becomes "official" (in Fedora terms, at least). The feature is deployed and in fully working order on two of my machines here, though I am having trouble producing matches (see below).
I have split the patches intentionally so that it is clear to everyone what is happening. All of them are made against the 2.6.35.13-91 source tree as distributed by Fedora (taken directly from the source rpm and dumped into a local git repository, after which I applied all the necessary source files to create the patches).
The first 3 patches are more-or-less carbon copy of what was submitted and implemented in the .39 version of the kernel, with one significant exception: xt_AUDIT.c has various #ifdef's added so that it disables IPV6-related stuff if IPV6 is not enabled on the kernel during compilation. This, I was told, was fixed in .37 (and later) versions of the kernel - commit 2ea6d8c4467 (net: Enter net/ipv6/ even if CONFIG_IPV6=n) and it is not necessary in later versions of that kernel.
I suspect the last patch is more interesting as it adds SELinux support to the AUDIT target. Typical (raw auditd) output after applying this patch would be something like this:
type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3 len=52 inif=? outif=eth0 obj=system_u:object_r:ssh_client_packet_t:s0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22
I am, however, unable to get any matching (particularly on SELinux role, subject or user) when using ausearch/aureport (one of the main reasons I wanted to get on this list and seek some advice).
Last, but not least, I am no expert in audit(d) and am still learning so go easy on me! :)
Mr Dash Four (4):
AUDIT: add source files to enable build on 2.6.35.13-91 kernel
AUDIT: modify Makefiles to enable build in 2.6.35.13-91 kernel
AUDIT: modify Kconfig to enable build in 2.6.35.13-91 kernel
AUDIT: add SELinux support
include/linux/audit.h | 2 +
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_AUDIT.h | 30 +++++
kernel/audit.c | 2 +
net/netfilter/Kconfig | 10 ++
net/netfilter/Makefile | 1 +
net/netfilter/xt_AUDIT.c | 249 ++++++++++++++++++++++++++++++++++++
7 files changed, 295 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_AUDIT.h
create mode 100644 net/netfilter/xt_AUDIT.c
--
1.7.3.4
More information about the Linux-audit
mailing list