[RFC PATCH] audit: correctly record file names with different path name types

hujianyang hujianyang at huawei.com
Wed Dec 3 01:54:10 UTC 2014


On 2014/12/3 0:02, Paul Moore wrote:
> 
> First, could you provide the /etc/audit/auditd.conf and /etc/audit/audit.rules 
> files you used for your testing?  I don't understand configuration 
> script/language you used above.

/etc/audit/audit.conf:

#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 2
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 1
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key


/etc/audit/audit.rules:

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -S chown32 -S fchown32 -S lchown32 -F auid!=429496
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F aui
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid!=4294967295 -k
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid!=4294967295 -k a
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k scope

> 
> Second, I tested the patch against the audit tree's stable-3.18 branch, could 
> you (re)test against 3.18-rcX instead of 3.10.X?  There have been a number of 
> changes to the audit subsystem since 3.10 was released and it would surprise 
> me if the patch I posted has problems on 3.10.X.
> 
>  * git://git.infradead.org/users/pcmoore/audit stable-3.18
> 

Sorry, my testing environment is built on an embedded ARM device. Changing
the kernel version needs lots of changes to the device drivers, which is beyond
my ability.

I wish you could implement my configuration in your environment and test
whether it's OK. After that, we can list the changes from 3.10 stable to 3.18
stable.

Thank you again~!

Hu
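As an added example (not code from this thread, nor from the audit project): a small parser for auditctl rule lines in the syntax of the audit.rules file quoted above. It splits each rule into its watch path, action/list, arch, syscalls, `-F` filters and `-k` key, and flags rules that are unusable as written, in particular a rule whose last option has no argument or whose `-F` filter has no comparison operator, which is what a line cut off mid-token looks like (several rule lines in this copy of the mail end that way). A rule that loses its `-k` key still loads, but its records can no longer be found with `ausearch -k`, so a defender checking a rule set wants that caught before the file is deployed. The sample rule text, the `Rule` class and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Comparison operators auditctl accepts in -F field expressions;
# the two-character forms must be tried before the one-character ones.
FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|=|>|<)(.*)$")
# Options handled here that take exactly one argument.
OPTS_WITH_ARG = {"-b", "-w", "-p", "-k", "-a", "-F", "-S"}


@dataclass
class Rule:
    raw: str
    kind: str = "unknown"           # delete_all | buffer | watch | syscall | unknown
    value: Optional[int] = None     # buffer size for -b
    path: Optional[str] = None      # watched path for -w
    perms: Optional[str] = None     # -p permissions of a watch
    action: Optional[str] = None    # always / never
    lst: Optional[str] = None       # exit / entry / task / user / exclude
    arch: Optional[str] = None      # value of -F arch=...
    syscalls: List[str] = field(default_factory=list)
    filters: List[Tuple[str, str, str]] = field(default_factory=list)
    key: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def parse_rule(line: str) -> Rule:
    """Parse one auditctl rule line into a Rule, recording defects in .problems."""
    rule = Rule(raw=line)
    toks = line.split()
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt == "-D":                      # delete all rules, takes no argument
            rule.kind = "delete_all"
            i += 1
            continue
        if opt not in OPTS_WITH_ARG:
            rule.problems.append(f"unrecognised token {opt!r}")
            i += 1
            continue
        if i + 1 >= len(toks):               # option at end of line: line was cut off
            rule.problems.append(f"option {opt} is missing its argument")
            break
        arg = toks[i + 1]
        i += 2
        if opt == "-b":
            rule.kind = "buffer"
            rule.value = int(arg) if arg.isdigit() else None
            if rule.value is None:
                rule.problems.append(f"-b expects a number, got {arg!r}")
        elif opt == "-w":
            rule.kind = "watch"
            rule.path = arg
        elif opt == "-p":
            rule.perms = arg
        elif opt == "-k":
            rule.key = arg
        elif opt == "-a":
            rule.kind = "syscall"
            if "," in arg:
                rule.action, rule.lst = arg.split(",", 1)
            else:
                rule.problems.append(f"-a expects action,list, got {arg!r}")
        elif opt == "-S":
            rule.syscalls.append(arg)
        elif opt == "-F":
            m = FILTER_RE.match(arg)
            if not m:                        # e.g. "aui" left over from a cut-off "auid!=..."
                rule.problems.append(f"filter {arg!r} has no comparison operator")
            elif m.group(1) == "arch":
                rule.arch = m.group(3)
            else:
                rule.filters.append((m.group(1), m.group(2), m.group(3)))
    if rule.kind in ("watch", "syscall") and rule.key is None:
        rule.problems.append("rule has no -k key; its records cannot be found with ausearch -k")
    if rule.kind == "syscall" and not rule.syscalls:
        rule.problems.append("syscall rule names no -S syscall")
    return rule


def parse_rules(text: str) -> List[Rule]:
    """Parse an audit.rules file body, skipping blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line))
    return rules


def report(rules: List[Rule]) -> List[Tuple[str, List[str]]]:
    """Return (raw line, problems) for every rule that has at least one problem."""
    return [(r.raw, r.problems) for r in rules if r.problems]


# Constructed sample: two sound rules followed by two cut-off rules of the
# shape seen in the quoted file (a dangling -k, and a filter "aui" with no operator).
SAMPLE_RULES = """
# First rule - delete all
-D
-b 320
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S chmod -S fchmod -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid!=4294967295 -k
-a always,exit -F arch=b32 -S setxattr -F aui
"""

if __name__ == "__main__":
    for raw, problems in report(parse_rules(SAMPLE_RULES)):
        print(raw)
        for p in problems:
            print("   ", p)
```

Running the block prints only the two defective rules with the reason each one is defective; `parse_rules` can be pointed at a real audit.rules body the same way.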
