On 14/11/17, Steve Grubb wrote: > On Monday, November 17, 2014 11:09:08 AM Paul Moore wrote: > > On Friday, November 14, 2014 10:32:51 PM Richard Guy Briggs wrote: > > > On 14/11/13, Steve Grubb wrote: > > > > On Thursday, November 13, 2014 08:08:52 PM Richard Guy Briggs wrote: > > > > The audit 2.4.1 package has been pushed to everything from F20 -> > > > > rawhide. > > > > If you don't see any problems, then its safe. But check carefully around > > > > the things that you did change. Right now, we only are caring about only > > > > one kernel feature, --loginuid-immutable. Check that it still works, > > > > auditctl -s. > > > > > > Here's my output, which I assume looks sane: > > Yeah, but how do we know its really selecting the right feature? > > > > > [root@f20 ~]# rpm -q audit > > > audit-2.4.1-1.fc20.x86_64 > > > [root@f20 ~]# auditctl -s > > > enabled 1 > > > flag 1 > > > pid 307 > > > rate_limit 0 > > > backlog_limit 320 > > > lost 0 > > > backlog 0 > > > backlog_wait_time 60000 > > > loginuid_immutable 0 unlocked > > > > Looks like good output to me, Steve? > > I would like it better if the following was tested as root: > > auditctl -s > echo "1" > /proc/self/loginuid > auditctl --loginuid-immutable > auditctl -s > echo "2" > /proc/self/loginuid > > This was we know that the feature is correctly reported, selected, and > working.
This looks sane: [root@f20 ~]# auditctl -s enabled 1 flag 1 pid 307 rate_limit 0 backlog_limit 320 lost 0 backlog 0 backlog_wait_time 60000 loginuid_immutable 0 unlocked [root@f20 ~]# echo "1" > /proc/self/loginuid [root@f20 ~]# auditctl --loginuid-immutable [root@f20 ~]# auditctl -s enabled 1 flag 1 pid 307 rate_limit 0 backlog_limit 320 lost 0 backlog 0 backlog_wait_time 60000 loginuid_immutable 1 locked [root@f20 ~]# echo "2" > /proc/self/loginuid -bash: echo: write error: Operation not permitted > -Steve - RGB -- Richard Guy Briggs <[email protected]> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
