On Sunday 07 May 2006 10:11, Adrian Powell wrote: > I have a Linux system running a 2.6.5 kernel, which cannot be > upgraded to a later release for the time being.
Hi, I think the native linux audit system landed in the 2.6.6 kernel. I think 2.6.14 was the kernel where we finally had things working pretty good for syscall auditing. > I do have the source available, and can patch it if necessary. I wish to run > some kind of system call level auditing/logging for security purposes. I think you will likely have to do quite a bit of work. You can copy kernel/audit.c and kernel/auditsc.c to your old kernel as well as include/linux/audit.h. The problem is going to be adding all the hook functions to the right place. > I have the LaUS package installed with the PAM modules, but this does not > impliment the system call level logging that I require, without a patch. LaUS is a different and incompatible audit system. The userspace piece that you would want is the audit-1.0.14 package. There is a lot of patching of trusted apps, though. > The trouble is that the only patches that I can find are not compatible with > this particular kernel. Same with porting the native linux audit system. You would have to do quiet a bit of sleuthinging around to place all the hooks in the right place. The native audit system also depends quite a bit on netlink, which has been changed a few times during 2.6 lifetime. So, you may run into problems with that, too. > What are my options here ?. I think your options includes a fair amount of porting of something. Its either step up to newer kernel or do backporting. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
