[PATCH] audit: convert status version to a feature bitmap

Richard Guy Briggs rgb at redhat.com
Mon Nov 17 18:08:39 UTC 2014 

On 14/11/17, Steve Grubb wrote:
> On Monday, November 17, 2014 11:09:08 AM Paul Moore wrote:
> > On Friday, November 14, 2014 10:32:51 PM Richard Guy Briggs wrote:
> > > On 14/11/13, Steve Grubb wrote:
> > > > On Thursday, November 13, 2014 08:08:52 PM Richard Guy Briggs wrote:
> > > > The audit 2.4.1 package has been pushed to everything from F20 ->
> > > > rawhide.
> > > > If you don't see any problems, then its safe. But check carefully around
> > > > the things that you did change. Right now, we only are caring about only
> > > > one kernel feature, --loginuid-immutable. Check that it still works,
> > > > auditctl -s.
> > > 
> > > Here's my output, which I assume looks sane:
> 
> Yeah, but how do we know its really selecting the right feature?
> 
> 
> > > [root at f20 ~]# rpm -q audit
> > > audit-2.4.1-1.fc20.x86_64
> > > [root at f20 ~]# auditctl -s
> > > enabled 1
> > > flag 1
> > > pid 307
> > > rate_limit 0
> > > backlog_limit 320
> > > lost 0
> > > backlog 0
> > > backlog_wait_time 60000
> > > loginuid_immutable 0 unlocked
> > 
> > Looks like good output to me, Steve?
> 
> I would like it better if the following was tested as root:
> 
> auditctl -s
> echo "1" > /proc/self/loginuid
> auditctl --loginuid-immutable
> auditctl -s
> echo "2" > /proc/self/loginuid
> 
> This was we know that the feature is correctly reported, selected, and 
> working.

This looks sane: 

[root at f20 ~]# auditctl -s
enabled 1
flag 1
pid 307
rate_limit 0
backlog_limit 320
lost 0
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlocked
[root at f20 ~]# echo "1" > /proc/self/loginuid
[root at f20 ~]# auditctl --loginuid-immutable
[root at f20 ~]# auditctl -s
enabled 1
flag 1
pid 307
rate_limit 0
backlog_limit 320
lost 0
backlog 0
backlog_wait_time 60000
loginuid_immutable 1 locked
[root at f20 ~]# echo "2" > /proc/self/loginuid
-bash: echo: write error: Operation not permitted

> -Steve

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

More information about the Linux-audit mailing list