I downloaded each of the audit version from 1.1.4 - 1.2.1 and compiled from the tar balls...the source rpms kept bombing out on dependencies. As of 1.2.1 with the SLED 10 distro, I was able to get it to tell me permission denied when the syscall attempted an open on /var/log/messages from an unpriviledged user.
Thanks everyone... Lane On Fri, 2006-07-21 at 16:35 +0200, Marcus Meissner wrote: > On Fri, Jul 21, 2006 at 10:31:22AM -0400, Linda Knippers wrote: > > Lane Williams wrote: > > > Yeah, I had tried that. There is an access syscall. From the looks of > > > things the audit version that comes with SuSE has a few problems. I > > > know in Red Hat it seems to work as I need it to. SuSE is also using > > > Apparmor in place of SELinux, or at least they make it appear that way. > > > The audit deamon also does not support file system watches. > > > > File system watches aren't supported in the upstream kernel until > > 2.6.18. > > > > > Seems the only success=no returns that I receive are when the file does > > > not exist. I may also have to add more to my filter in order to get > > > what I want. Unfortunately I am stuck with SuSE and will have to > > > continue troubleshooting until the patches come out. > > > > If you're using a 2.6.16 kernel and 1.1.3 audit tools, that seems like > > a mismatch. There was a 1.1.4 audit package released back in February > > and the release mail mentions apparmor support. > > https://www.redhat.com/archives/linux-audit/2006-February/msg00036.html > > We have integrated AppArmor support in our 1.1.3 packages. (The > stuff we sent upstream for 1.1.4). > > Ciao, Marcus -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
