On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
> This is against the 2.2 release.

Thanks. I will apply this with probably a small change or two.

> I wasn't able to get HEAD to compile (issues with mounttab.h that didn't want
> to run down because this is such a small patch).

For anyone not on Fedora, I would appreciate it if you test what's in svn, even if it's just a quick build check. I am planning to release a new audit package soon. The changelog may look small, but there are thousands of lines of code added or modified. It's better to fix the headers before the release than after.

The next audit release has a new feature that I hope everyone will appreciate. Ausearch and libauparse now have the ability to interpret the arguments being passed to certain syscalls. I did this for a little over 40 syscalls:

*chmod *chown clock_settime clone creat epoll_ctl getrlimit setrlimit fchmod
fchmodat fcntl ipc kill mkdir mkdirat mknod mmap mount mprotect open openat
personality ptrace recv recvfrom recvmmsg recvmsg rt_sigaction setfsgid
setfsuid setgid setregid setresgid setresuid setreuid setuid socket socketcall
tgkill tkill

So, now you get output like this:

type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vbetool exe=/usr/sbin/vbetool subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)

type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export

type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=O_RDONLY|O_NOCTTY|O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access

The idea is to reduce the need to go digging through header files to see what arguments were being passed to some common and/or security related syscalls. In the case where a uid/gid was being passed to the syscall, it's now interpreted to the account name/group name.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
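As an added example (not code from the mail or from the audit project), the small Python decoder below does for mmap and openat what the ausearch/libauparse interpretation described above does: it rewrites the raw hex aN= values of a SYSCALL record into flag names, including the O_RDONLY-is-zero special case and an architecture check, since syscall numbers differ per arch. The x86_64 syscall numbers and flag values are assumed from the kernel headers, and the sample records are constructed.

```python
import re
# x86_64 Linux flag values from the kernel uapi headers, hard-coded (assumed) so
# this runs offline anywhere. Raw audit records print syscall args as bare hex.
PROT_FLAGS = [("PROT_READ", 0x1), ("PROT_WRITE", 0x2), ("PROT_EXEC", 0x4)]
MAP_FLAGS = [("MAP_SHARED", 0x01), ("MAP_PRIVATE", 0x02), ("MAP_FIXED", 0x10)]
OPEN_ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = [("O_CREAT", 0o100), ("O_NOCTTY", 0o400), ("O_TRUNC", 0o1000),
              ("O_NONBLOCK", 0o4000), ("O_DIRECTORY", 0o200000)]

def decode_bits(value, table):
    """Render a bitmask as NAME|NAME; bits missing from the table stay as hex."""
    names = [name for name, bit in table if value & bit]
    unknown = value & ~sum(bit for _, bit in table)  # distinct bits, so sum == OR
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) if names else "0x0"

def decode_open_flags(value):
    # O_RDONLY is 0, so the access mode (low two bits) cannot be tested as a bit.
    mode = OPEN_ACCESS.get(value & 0o3, "O_ACCMODE?")
    rest = decode_bits(value & ~0o3, OPEN_FLAGS)
    return mode if rest == "0x0" else mode + "|" + rest

# x86_64 syscall number -> name and the argument slots that carry flag bitmasks.
SYSCALL_ARGS = {
    9:   ("mmap",   {"a2": lambda v: decode_bits(v, PROT_FLAGS),
                     "a3": lambda v: decode_bits(v, MAP_FLAGS)}),
    257: ("openat", {"a2": decode_open_flags}),
}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def interpret_syscall_line(line):
    """Rewrite syscall= and the flag-carrying aN= fields of one raw SYSCALL record."""
    fields = dict(FIELD_RE.findall(line))
    num = fields.get("syscall", "")
    # Syscall numbers are per-architecture: only x86_64 (arch=c000003e) is tabled.
    if (fields.get("type") != "SYSCALL" or fields.get("arch") != "c000003e"
            or not num.isdigit() or int(num) not in SYSCALL_ARGS):
        return line
    name, decoders = SYSCALL_ARGS[int(num)]
    def sub(m):
        key, val = m.group(1), m.group(2)
        if key == "syscall":
            return "syscall=" + name
        return key + "=" + decoders[key](int(val, 16)) if key in decoders else m.group(0)
    return FIELD_RE.sub(sub, line)

# Constructed raw records (not from the mail), hex args as auditd would log them.
SAMPLE_MMAP = 'type=SYSCALL msg=audit(1302811108.953:3): arch=c000003e syscall=9 success=yes exit=61440 a0=f000 a1=502 a2=7 a3=11 items=0 pid=618 comm="vbetool"'
SAMPLE_OPENAT = 'type=SYSCALL msg=audit(1304622106.559:205): arch=c000003e syscall=257 success=no exit=-13 a0=5 a1=d93660 a2=10900 a3=0 items=1 pid=3832 comm="find"'
```

Records for other architectures or untabled syscalls are returned unchanged rather than mis-decoded.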
