On 09/09/2013 09:47 AM, Stephen Smalley wrote:
> On 09/06/2013 03:50 PM, Joshua Brindle wrote:
>> Add libaudit support for adding directory watch rules.
>>
>> Add rule parsing support to auditd.
>>
>> Rule format matches auditctl. Currently only supports -w and -e.
>>
>> Change-Id: I8bdaea1b5e2a216eec79cd8c9dae583de8295d26
>>
>> Signed-off-by: Joshua Brindle <[email protected]>
>
> Maybe a bug in user, but I did this:
> - applied patch and rebuilt,
> - reflashed and booted,
> - created a /data/misc/audit/audit.rules file that contained:
>   -w /data/system -p wa
> - adb reboot
> - adb logcat > logcat.txt
> - adb shell su 0 cat /proc/kmsg > dmesg.txt
>
> logcat.txt showed:
> --------- beginning of /dev/log/system
> I/auditd ( 119): Starting up
> I/audit_log( 119): Previous audit logfile detected, rotating
> E/audit_rules( 119): -w /data/system -p wa
>
> And then nothing else from auditd.
>
> /data/misc/audit/audit.log has no entries other than the usual:
> type=2000 msg=audit(0.710:1): initialized
> type=1403 msg=audit(1378733645.695:2): policy loaded auid=4294967295 ses=4294967295
> type=1404 msg=audit(1378733645.695:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> type=1403 msg=audit(1378733647.665:4): policy loaded auid=4294967295 ses=4294967295
> type=1404 msg=audit(1378733830.500:5): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
>
> Creating and deleting files under /data/system appears to do nothing.
> What did I miss?
So I re-tested with our kernel (i.e. TARGET_PREBUILT_KERNEL=/path/to/seandroid/kernel/exynos/arch/arm/boot/zImage) and that did generate the expected audit records. I'm guessing that is because we have a patch in our kernel tree that enables audit by default.

Since your patch implements the -e (enable) support, I thought I would try that on an unmodified kernel by putting

-e 1 -w /data/system -p wa

into audit.rules. But we then get a parse error from audit_rules:

E/audit_rules( 2504): Could not read audit rules
E/auditd ( 2504): error reading audit rules: Try again

Am I doing something wrong or is the parser broken?

-- 
This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
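As an added illustration of the rule format discussed in this thread (not the auditd patch's code, and not a claim about how that parser behaves), the following stand-alone C parser handles auditctl-style lines restricted to the options the patch description names, -w and -e, plus the -p permission letters that accompany -w. It accepts several options on one line, so "-e 1 -w /data/system -p wa" yields one enable setting and one watch, and it rejects a missing argument, unknown permission letters, an out-of-range -e value, -p without -w, and unsupported options such as -a. All names (rule_line, parse_rule_line, parse_rules_text, PERM_*) are this example's own, the PERM_* bit values are the example's and not the kernel's AUDIT_PERM_* constants, and the embedded rules file is constructed for the example.

```c
/* Added example: parse auditctl-style rule lines limited to -w, -p and -e.
 * Not the auditd patch's code; all names and the sample rules are this
 * example's own. Bit values below are illustrative, not the kernel's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { RULE_OK = 0, RULE_SKIP = 1, RULE_ERR = -1 };          /* return codes */
enum { PERM_READ = 1u, PERM_WRITE = 2u, PERM_EXEC = 4u, PERM_ATTR = 8u };

struct rule_line {
    int has_enable;      /* -e seen on this line */
    int enable;          /* 0 = disable, 1 = enable, 2 = lock (auditctl -e values) */
    int has_watch;       /* -w seen on this line */
    char path[256];      /* watched path */
    unsigned perms;      /* r/w/x/a bitmask; 0 means -p was not given */
};

/* Constructed audit.rules content for the stand-alone run and the test. */
static const char SAMPLE_RULES[] =
    "# constructed rules file\n"
    "-e 1\n"
    "-w /data/system -p wa\n";

/* Translate the letters of "-p rwxa" into a bitmask; any other letter is an error. */
static int parse_perms(const char *s, unsigned *out)
{
    unsigned p = 0;
    if (*s == '\0') return -1;
    for (; *s; s++) {
        switch (*s) {
        case 'r': p |= PERM_READ;  break;
        case 'w': p |= PERM_WRITE; break;
        case 'x': p |= PERM_EXEC;  break;
        case 'a': p |= PERM_ATTR;  break;
        default:  return -1;
        }
    }
    *out = p;
    return 0;
}

/* Parse one line. Blank lines and '#' comments give RULE_SKIP; every option
 * takes exactly one argument, and several options may share one line. */
int parse_rule_line(const char *line, struct rule_line *rule)
{
    char buf[512];
    char *tok;

    memset(rule, 0, sizeof(*rule));
    if (strlen(line) >= sizeof(buf)) return RULE_ERR;
    strcpy(buf, line);

    tok = strtok(buf, " \t\r\n");
    if (tok == NULL || tok[0] == '#') return RULE_SKIP;

    for (; tok != NULL; tok = strtok(NULL, " \t\r\n")) {
        char *arg = strtok(NULL, " \t\r\n");
        if (arg == NULL) return RULE_ERR;                   /* option without argument */
        if (strcmp(tok, "-e") == 0) {
            char *end;
            long v = strtol(arg, &end, 10);
            if (*end != '\0' || v < 0 || v > 2) return RULE_ERR;
            rule->has_enable = 1;
            rule->enable = (int)v;
        } else if (strcmp(tok, "-w") == 0) {
            if (arg[0] != '/' || strlen(arg) >= sizeof(rule->path)) return RULE_ERR;
            rule->has_watch = 1;
            strcpy(rule->path, arg);
        } else if (strcmp(tok, "-p") == 0) {
            if (parse_perms(arg, &rule->perms) != 0) return RULE_ERR;
        } else {
            return RULE_ERR;                                /* only -w/-p/-e are known here */
        }
    }
    if (rule->perms != 0 && !rule->has_watch) return RULE_ERR;   /* -p needs a -w */
    if (!rule->has_enable && !rule->has_watch) return RULE_ERR;  /* nothing actionable */
    return RULE_OK;
}

/* Parse a whole rules buffer. Returns the number of rules stored in out[],
 * or -1 with *bad_line set to the 1-based line that failed. */
int parse_rules_text(const char *text, struct rule_line *out, int max, int *bad_line)
{
    int n = 0, lineno = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        struct rule_line r;
        int rc;
        lineno++;
        if (len >= sizeof(line)) { *bad_line = lineno; return -1; }
        memcpy(line, p, len);
        line[len] = '\0';
        rc = parse_rule_line(line, &r);
        if (rc == RULE_ERR) { *bad_line = lineno; return -1; }
        if (rc == RULE_OK) {
            if (n == max) { *bad_line = lineno; return -1; }
            out[n++] = r;
        }
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

int main(void)
{
    struct rule_line rules[8];
    int bad = 0, n = parse_rules_text(SAMPLE_RULES, rules, 8, &bad);
    if (n < 0) { printf("parse error on line %d\n", bad); return 1; }
    for (int i = 0; i < n; i++)
        printf("enable=%d watch=%s perms=0x%x\n", rules[i].has_enable ? rules[i].enable : -1,
               rules[i].has_watch ? rules[i].path : "(none)", rules[i].perms);
    return 0;
}
```

Because every option must be followed by exactly one argument and the line is consumed left to right, a mixed line such as "-e 1 -w /data/system -p wa" needs no special case; the -p/-w consistency check runs once per line after all tokens have been read, so option order does not matter.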
