test patch for new inode filter types

Peter Moody auditd at hda3.com
Thu Nov 17 22:31:36 UTC 2011


Excellent, thank you!

Cheers,
peter

On Thu, Nov 17, 2011 at 2:23 PM, Eric Paris <eparis at redhat.com> wrote:

> This is NOT full support for the new inode filter constructs I added to
> the policy, but is just enough to test some of it.  I'm hoping someone
> else will write real userspace patches.  One will need to apply the
> kernel patches and then install the new kernel headers (or
> update /usr/include/linux/audit.h by hand).  Then apply this patch to
> audit and build a new audit (I found the audit build sucks because it will
> build against the system libaudit rather than the one in tree, but you
> can fix this using make DESTDIR=[dir] install, and using the auditctl
> from [dir]/usr/local/sbin/).
>
> This patch supports two types of rules
>
> auditctl -a exit,always -F arch=b64 -S open -F obj_uid=500
>
> Which audits all opens for a uid=500 file.  (the kernel supports gid,
> but this patch doesn't, you can just copy the uid code to make gid work)
>
> This patch also supports
>
> auditctl -a exit,always -C
>
> Which will audit all cases where a process accesses a file in which the
> process uid != file uid.
>
> The kernel is a bit more flexible, it supports process_gid != file_gid.
> The kernel also supports == > <, etc.  This portion of the patch needs
> to support a better construct for parsing the intent and passing that
> down.  But it seemed like a lot of work on a codebase I'm not familiar
> with and hoped someone familiar could write a text parser for this
> construct.
>
> We should be able to support something like:
> auditctl -a exit,always -F interfield!=uid
>
> I dunno what it should look like.  But like I said, I just slapped -C as
> a way to test process_uid != file_uid, so it should be pretty easy to
> look at that and see how other interactions should work.
>
> -Eric
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
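The parsing step Eric describes is sketched below as an added example, not code from the patch or from audit userspace: it takes an assumed `field op value` filter string (the `-F interfield!=uid` shape in the mail is only a placeholder, the real syntax was undecided) and evaluates it against constructed process and inode credentials, covering gid and the ==, <, > comparisons the kernel side supports as well as the `-C` case of process uid != file uid.

```python
import operator
import re

# Assumed text form for one filter: a field, a comparison operator and either
# a literal (obj_uid=500) or another field name (uid!=obj_uid).  This is a
# hypothetical syntax chosen for the example, not auditctl's.
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}
_FILTER = re.compile(r"^(?P<lhs>[a-z_]+)(?P<op>!=|<=|>=|=|<|>)(?P<rhs>[a-z_]+|\d+)$")

def parse_filter(text):
    """Parse a filter string into (lhs, op, rhs).

    rhs is an int for a literal comparison and a str (field name) for an
    inter-field comparison such as the process uid against the file's uid.
    """
    m = _FILTER.match(text)
    if not m:
        raise ValueError("bad filter: %r" % text)
    rhs = m.group("rhs")
    return m.group("lhs"), m.group("op"), int(rhs) if rhs.isdigit() else rhs

def matches(filters, event):
    """Return True when every parsed filter holds for the event.

    event is a constructed dict with the process credentials (uid, gid) and
    the owner of the inode being accessed (obj_uid, obj_gid).
    """
    for lhs, op, rhs in filters:
        right = event[rhs] if isinstance(rhs, str) else rhs
        if not OPS[op](event[lhs], right):
            return False
    return True

if __name__ == "__main__":
    # Constructed sample: root opening a file owned by uid 500.
    ev = {"uid": 0, "gid": 0, "obj_uid": 500, "obj_gid": 500}
    print(matches([parse_filter("obj_uid=500")], ev))   # the -F obj_uid=500 rule
    print(matches([parse_filter("uid!=obj_uid")], ev))  # what -C tests
```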
