On 2014/12/3 0:02, Paul Moore wrote:
> First, could you provide the /etc/audit/auditd.conf and /etc/audit/audit.rules
> files you used for your testing? I don't understand the configuration
> script/language you used above.
/etc/audit/audit.conf

#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 2
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 1
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

/etc/audit/audit.rules:

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -S chown32 -S fchown32 -S lchown32 -F auid!=429496
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F aui
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid!=4294967295 -k
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid!=4294967295 -k a
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k scope

> Second, I tested the patch against the audit tree's stable-3.18 branch, could
> you (re)test against 3.18-rcX instead of 3.10.X? There have been a number of
> changes to the audit subsystem since 3.10 was released and it would surprise
> me if the patch I posted has problems on 3.10.X.
>
> * git://git.infradead.org/users/pcmoore/audit stable-3.18

Sorry, my testing environment is built on an embedded ARM device. Changing the kernel version needs lots of changes to the device drivers, which is beyond my ability.

I wish you could implement my configuration in your environment and test if it's OK. After that, we can list the changes from 3.10 stable to 3.18 stable.

Thank you again~!

Hu

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
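Several rule lines in the pasted audit.rules are cut short (a -F with no operator, a trailing -k with no key), which auditctl would reject at load time. As an added example that is not part of this thread or of the audit project, the following Python linter parses auditctl rule lines and reports such defects; the sample rules are constructed from lines in the file above, and the flag set it understands is an assumption covering only the flags that file uses.

```python
import shlex

# Flags that take one argument in auditctl rule syntax; -D takes none.
FLAGS_WITH_VALUE = {"-a", "-A", "-w", "-S", "-F", "-p", "-k", "-b", "-e"}
KNOWN_FLAGS = FLAGS_WITH_VALUE | {"-D"}
OPERATORS = ("!=", ">=", "<=", "=", ">", "<", "&")

def parse_rule(line):
    """Return (kind, fields, problems) for one line; None for blanks/comments."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    toks = shlex.split(line)
    fields, problems, seen, i = {"-S": [], "-F": []}, [], set(), 0
    while i < len(toks):
        tok, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        seen.add(tok)
        # A flag's value is missing when the line ends or the next token is
        # itself a flag (exit=-EACCES starts with '-' but is a value).
        if tok not in FLAGS_WITH_VALUE or nxt is None or nxt in KNOWN_FLAGS:
            if tok not in KNOWN_FLAGS:
                problems.append(f"unexpected token {tok}")
            elif tok != "-D":
                problems.append(f"{tok} has no value")
            i += 1
        else:
            if tok in ("-S", "-F"):
                fields[tok].append(nxt)
            else:
                fields[tok] = nxt
            i += 2
    kind = next((k for k in ("-a", "-A", "-w") if k in seen), None)
    if kind:  # only real rules need a key and well-formed -F filters
        if "-k" not in seen:
            problems.append("no -k key")
        problems += [f"-F filter without operator: {f}" for f in fields["-F"]
                     if not any(op in f for op in OPERATORS)]
    return kind, fields, problems

def lint_rules(text):
    """Map each defective 1-based line number to its problems; {} if clean."""
    parsed = [(n, parse_rule(l)) for n, l in enumerate(text.splitlines(), 1)]
    return {n: p[2] for n, p in parsed if p and p[2]}

# Constructed sample: lines taken from the rules file pasted above.
SAMPLE = """\
-D
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -F aui
-a always,exit -F arch=b32 -S creat -S open -F exit=-EACCES -F auid!=4294967295 -k
"""
```

Running lint_rules(SAMPLE) reports line 3 (no key, filter "aui" without an operator) and line 4 (-k with no value), while the complete rules pass.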
