All, Further to the private discussion I've had with Steve Grubb over the past few days, I am attaching a series of 4 patches enabling the AUDIT target, which was first introduced in the .39 version of the kernel, to run on version .35 (or even lower kernel versions, testing & further tweaking permitted).
The reason, which prompted me to adopt this in earlier versions is because I saw huge benefit in using this superb feature - at least on my systems here (it would finally enable me to combine all security-related reporting into one single, secure place/source, without messing about with syslogs spread over various different places) and I couldn't afford to wait until the .39 kernel becomes "official" (in Fedora terms, at least). The feature is deployed and in fully working order on two of my machines here, though I am having trouble producing matches (see below). I have split the patches intentionally so that it is clear to everyone what is happening. All of them are made against the 2.6.35.13-91 source tree as distributed by Fedora (taken directly from the source rpm and dumped into a local git repository, after which I applied all the necessary source files to create the patches). The first 3 patches are more-or-less carbon copy of what was submitted and implemented in the .39 version of the kernel, with one significant exception: xt_AUDIT.c has various #ifdef's added so that it disables IPV6-related stuff if IPV6 is not enabled on the kernel during compilation. This, I was told, was fixed in .37 (and later) versions of the kernel - commit 2ea6d8c4467 (net: Enter net/ipv6/ even if CONFIG_IPV6=n) and it is not necessary in later versions of that kernel. I suspect the last patch is more interesting as it adds SELinux support to the AUDIT target. Typical (raw auditd) output after applying this patch would be something like this: type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3 len=52 inif=? outif=eth0 obj=system_u:object_r:ssh_client_packet_t:s0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 I am, however, unable to get any matching (particularly on SELinux role, subject or user) when using ausearch/aureport (one of the main reasons I wanted to get on this list and seek some advice). Last, but not least, I am no expert in audit(d) and am still learning so go easy on me! :) Mr Dash Four (4): AUDIT: add source files to enable build on 2.6.35.13-91 kernel AUDIT: modify Makefiles to enable build in 2.6.35.13-91 kernel AUDIT: modify Kconfig to enable build in 2.6.35.13-91 kernel AUDIT: add SELinux support include/linux/audit.h | 2 + include/linux/netfilter/Kbuild | 1 + include/linux/netfilter/xt_AUDIT.h | 30 +++++ kernel/audit.c | 2 + net/netfilter/Kconfig | 10 ++ net/netfilter/Makefile | 1 + net/netfilter/xt_AUDIT.c | 249 ++++++++++++++++++++++++++++++++++++ 7 files changed, 295 insertions(+), 0 deletions(-) create mode 100644 include/linux/netfilter/xt_AUDIT.h create mode 100644 net/netfilter/xt_AUDIT.c -- 1.7.3.4 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
