Excellent, thank you!

Cheers,
peter
On Thu, Nov 17, 2011 at 2:23 PM, Eric Paris <[email protected]> wrote:
> This is NOT full support for the new inode filter constructs I added to
> the policy, but is just enough to test some of it. I'm hoping someone
> else will write real userspace patches. One will need to apply the
> kernel patches and then install the new kernel headers (or
> update /usr/include/linux/audit.h by hand). Then apply this patch to
> audit and build a new audit (I found the audit build sucks because it will
> build against the system libaudit rather than the one in tree, but you
> can fix this using make DESTDIR=[dir] install, and using the auditctl
> from [dir]/usr/local/sbin/).
>
> This patch supports two types of rules:
>
> auditctl -a exit,always -F arch=b64 -S open -F obj_uid=500
>
> Which audits all opens for a uid=500 file. (The kernel supports gid,
> but this patch doesn't; you can just copy the uid code to make gid work.)
>
> This patch also supports
>
> auditctl -a exit,always -C
>
> Which will audit all cases where a process accesses a file in which the
> process uid != file uid.
>
> The kernel is a bit more flexible: it supports process_gid != file_gid.
> The kernel also supports ==, >, <, etc. This portion of the patch needs
> to support a better construct for parsing the intent and passing that
> down. But it seemed like a lot of work on a codebase I'm not familiar
> with, and I hoped someone familiar could write a text parser for this
> construct.
>
> We should be able to support something like:
> auditctl -a exit,always -F interfield!=uid
>
> I dunno what it should look like. But like I said, I just slapped -C in as
> a way to test process_uid != file_uid, so it should be pretty easy to
> look at that and see how other interactions should work.
>
> -Eric
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
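As an added example (not part of the thread, the kernel patch, or the audit userspace code), the following Python re-implements in userspace the two filter semantics Eric describes, run over constructed raw audit.log records: the field-vs-constant test (obj_uid=500), the interfield process-vs-inode test (uid != obj_uid), and the ==, <, > variants the kernel is said to support. It evaluates the rules post hoc against SYSCALL/PATH record pairs, which is useful for sanity-checking what a rule should have logged. The mapping of obj_uid/obj_gid onto the PATH record's ouid/ogid fields, and the sample records themselves, are assumptions made for this example, not verified against the patch.

```python
"""Userspace evaluation of audit inode-filter rules over raw audit.log lines.

This is an illustrative re-implementation, not the kernel filter. The sample
records below are constructed for this example (three open() events).
"""
import re

# Comparators the message says the kernel supports for interfield rules.
OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}

# Process-side fields come from the SYSCALL record. Object-side fields are
# taken from each PATH record's ouid/ogid (assumed to be what obj_uid/obj_gid
# refer to; every PATH item is checked, and one match suffices).
OBJ_FIELDS = {"obj_uid": "ouid", "obj_gid": "ogid"}
PROC_FIELDS = {"uid", "gid", "euid", "egid", "suid", "sgid", "fsuid", "fsgid", "auid"}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: serial 100 = uid 500 opens its own file,
# 101 = uid 500 opens a root-owned file, 102 = root opens uid 500's file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1321565000.101:100): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=900 pid=1001 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1321565000.101:100): cwd="/home/peter"
type=PATH msg=audit(1321565000.101:100): item=0 name="/home/peter/notes.txt" inode=1001 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1321565000.102:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=900 pid=1002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1321565000.102:101): cwd="/home/peter"
type=PATH msg=audit(1321565000.102:101): item=0 name="/etc/passwd" inode=2002 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1321565000.103:102): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1 pid=1003 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1321565000.103:102): cwd="/root"
type=PATH msg=audit(1321565000.103:102): item=0 name="/home/peter/notes.txt" inode=1001 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
"""


def parse_events(text):
    """Group raw audit records into events keyed by serial number.

    Returns {serial: {"SYSCALL": {field: value}, "PATH": [{field: value}, ...]}}.
    """
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not a recognisable audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        ev = events.setdefault(int(serial), {"SYSCALL": {}, "PATH": []})
        if rtype == "SYSCALL":
            ev["SYSCALL"] = fields
        elif rtype == "PATH":
            ev["PATH"].append(fields)
    return events


def _values(event, operand):
    """Resolve a rule operand to a list of ints: a literal, one process-side
    value, or one object-side value per PATH item that carries the field."""
    if isinstance(operand, int):
        return [operand]
    if operand in PROC_FIELDS:
        return [int(event["SYSCALL"][operand])]
    if operand in OBJ_FIELDS:
        key = OBJ_FIELDS[operand]
        return [int(p[key]) for p in event["PATH"] if key in p]
    raise ValueError(f"unknown field {operand!r}")


def rule_matches(event, lhs, op, rhs):
    """True if any (lhs, rhs) value pair satisfies lhs <op> rhs.

    ("obj_uid", "=", 500) is the field-vs-constant form; ("uid", "!=", "obj_uid")
    is the interfield form that the -C test hack stands in for.
    """
    cmp = OPS[op]
    return any(cmp(a, b) for a in _values(event, lhs) for b in _values(event, rhs))


def matching_serials(text, rules):
    """Serials of events that satisfy every rule (rules on one auditctl line
    are ANDed), i.e. what such a rule would have caused the kernel to log."""
    return sorted(
        serial
        for serial, ev in parse_events(text).items()
        if ev["SYSCALL"] and all(rule_matches(ev, *r) for r in rules)
    )


if __name__ == "__main__":
    print("obj_uid=500      ->", matching_serials(SAMPLE_LOG, [("obj_uid", "=", 500)]))
    print("uid != obj_uid   ->", matching_serials(SAMPLE_LOG, [("uid", "!=", "obj_uid")]))
    print("gid != obj_gid   ->", matching_serials(SAMPLE_LOG, [("gid", "!=", "obj_gid")]))
```

Feeding it `ausearch --raw` output (or /var/log/audit/audit.log directly) instead of SAMPLE_LOG gives the same evaluation over real records. For reference, the interfield syntax that later shipped in auditctl is `-C field=field` / `-C field!=field`, for example `auditctl -a always,exit -F arch=b64 -S open -C uid!=obj_uid`; that is later audit-userspace behaviour and not something the message above describes.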
