On Wed, Mar 21, 2012 at 2:36 PM, Steve Grubb <[email protected]> wrote:
> On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
>> This is against the 2.2 release.
>
> Thanks. I will apply this with probably a small change or two.
>
>> I wasn't able to get HEAD to compile (issues with mounttab.h that I didn't
>> want to run down because this is such a small patch).
>
> For anyone not on Fedora, I would appreciate it if you test what's in svn
> even if it's just a quick build check. I am planning to release a new audit
> package soon. The changelog may look small, but there are thousands of lines
> of code added or modified. It's better to fix the headers before the release
> than after.
ubuntu lucid (10.04, admittedly a little old):

lib/gen_tables.c is missing an include for linux/fs.h
src/ausearch-report.c is missing includes for linux/fs.h and limits.h

Refuses to build w/o these includes. Builds and appears to work correctly
when they're added.

> The next audit release has a new feature that I hope everyone will
> appreciate. Ausearch and libauparse now have the ability to interpret the
> arguments being passed to certain syscalls. I did this for a little over 40
> syscalls. So, now you get output like this:
>
> type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap
> success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC
> a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=vbetool exe=/usr/sbin/vbetool
> subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
>
> type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount
> success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE
> items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root
> fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount
> exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export
>
> type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat
> success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660
> a2=O_RDONLY|O_NOCTTY|O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832
> auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb
> egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find
> subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access
>
> The idea is to reduce the need to go digging through header files to see what
> arguments were being passed to some common and/or security related syscalls.
> In the case where a uid/gid was being passed to the syscall, it's now
> interpreted to the account name/group name.

Awesome! I had to implement something like this in post-processing for
signal generation.

Cheers,
peter

> -Steve

--
Peter Moody
Google              1.650.253.7306
Security Engineer   pgp:0xC3410038

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
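Peter mentions doing this kind of argument interpretation in post-processing. The script below is an added example of what such a post-processor looks like; it is not audit's, Red Hat's or Google's code. It takes raw auditd SYSCALL records (numeric syscall, hex arguments, numeric ids) and rewrites them into the interpreted form Steve's output shows: it decodes mmap/mprotect protection and mapping flags, open/openat flags, mount flags, uid/gid fields, the unset auid/ses sentinel and negative exit codes. The flag values and syscall numbers are the x86_64 Linux header values; the three sample records are constructed to mirror the quoted ones and are not real captures. Unknown bits are deliberately kept visible as hex rather than dropped, so a record with flags the table does not know still shows everything the kernel logged.

```python
"""Post-process raw auditd SYSCALL records into an interpreted form.
Added example, not audit's own code; constants are x86_64 Linux values and
the sample records are constructed, not captured from a real system."""
import grp
import os
import pwd
import re

# Bit-flag tables (x86_64 header values). O_RDONLY is an access mode, not a
# bit, so it is handled in decode_open_flags rather than here.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
             0x20: "MAP_ANONYMOUS"}
OPEN_FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x100: "O_NOCTTY",
              0x200: "O_TRUNC", 0x400: "O_APPEND", 0x800: "O_NONBLOCK",
              0x10000: "O_DIRECTORY", 0x80000: "O_CLOEXEC"}
MS_FLAGS = {0x1: "MS_RDONLY", 0x2: "MS_NOSUID", 0x4: "MS_NODEV",
            0x8: "MS_NOEXEC", 0x20: "MS_REMOUNT", 0x1000: "MS_BIND",
            0x4000: "MS_REC", 0x40000: "MS_PRIVATE"}
# x86_64 syscall numbers for the calls this example knows how to decode.
SYSCALL_NAMES = {"2": "open", "9": "mmap", "10": "mprotect",
                 "165": "mount", "257": "openat"}
UNSET = 0xFFFFFFFF  # (unsigned)-1, logged by the kernel for an unset auid/ses


def decode_bits(value, table):
    """Render set bits as NAME|NAME; bits not in the table stay visible as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0x0"


def decode_open_flags(value):
    """open(2)/openat(2) flags: a two-bit access mode plus OR-ed flag bits."""
    mode = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}.get(value & 0x3,
                                                            hex(value & 0x3))
    rest = decode_bits(value & ~0x3, OPEN_FLAGS)
    return mode if rest == "0x0" else f"{mode}|{rest}"


# Which argument of which syscall gets which decoder.
ARG_DECODERS = {
    "mmap": {"a2": lambda v: decode_bits(v, PROT),
             "a3": lambda v: decode_bits(v, MAP_FLAGS)},
    "mprotect": {"a2": lambda v: decode_bits(v, PROT)},
    "open": {"a1": decode_open_flags},
    "openat": {"a2": decode_open_flags},
    "mount": {"a3": lambda v: decode_bits(v, MS_FLAGS)},
}
UID_FIELDS = {"auid", "uid", "euid", "suid", "fsuid"}
GID_FIELDS = {"gid", "egid", "sgid", "fsgid"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def interpret_id(value, lookup, attr):
    """Numeric uid/gid -> name via the local passwd/group database,
    falling back to the number when the id is unknown on this host."""
    if value == UNSET:
        return "unset"
    try:
        return getattr(lookup(value), attr)
    except KeyError:
        return str(value)


def interpret_record(line):
    """Rewrite one raw SYSCALL record; other record types pass through untouched."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("type") != "SYSCALL":
        return line
    name = SYSCALL_NAMES.get(fields.get("syscall"), fields.get("syscall"))
    decoders = ARG_DECODERS.get(name, {})

    def rewrite(m):
        key, val = m.group(1), m.group(2)
        try:
            if key == "syscall":
                return f"syscall={name}"
            if key in decoders:  # syscall arguments are logged in hex
                return f"{key}={decoders[key](int(val, 16))}"
            if key in UID_FIELDS:
                return f"{key}={interpret_id(int(val), pwd.getpwuid, 'pw_name')}"
            if key in GID_FIELDS:
                return f"{key}={interpret_id(int(val), grp.getgrgid, 'gr_name')}"
            if key == "ses" and int(val) == UNSET:
                return "ses=unset"
            if key == "exit" and int(val) < 0:  # a negative exit is -errno
                return f"exit={val}({os.strerror(-int(val))})"
        except ValueError:
            pass  # leave anything that does not parse exactly as logged
        return m.group(0)

    return FIELD_RE.sub(rewrite, line)


# Constructed raw records mirroring the three interpreted ones quoted above.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1302812308.953:3): arch=c000003e syscall=9 '
    'success=yes exit=61440 a0=f000 a1=502 a2=7 a3=11 items=0 ppid=603 pid=618 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" key=(null)',
    'type=SYSCALL msg=audit(1302812014.658:3118): arch=c000003e syscall=165 '
    'success=yes exit=0 a0=405b22 a1=405469 a2=405b22 a3=44000 items=1 '
    'ppid=3467 pid=3468 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 '
    'egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="fusermount" '
    'exe="/bin/fusermount" key="export"',
    'type=SYSCALL msg=audit(1304622106.559:205): arch=c000003e syscall=257 '
    'success=no exit=-13 a0=5 a1=d93660 a2=10900 a3=0 items=1 ppid=3831 '
    'pid=3832 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 '
    'egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="find" exe="/bin/find" '
    'key="access"',
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(interpret_record(rec))
```

Run as-is it prints the three sample records with the flag, id and exit fields interpreted. Feeding it `ausearch --raw` output line by line gives the same treatment to a live log; name resolution uses the local passwd/group database, so run it on the host that produced the records (or a host with the same accounts) if the uid/gid names are to match.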
