On 10/08/2014 01:55 PM, William Roberts wrote:
> On Tue, Oct 7, 2014 at 10:29 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 10/07/2014 01:26 PM, William Roberts wrote:
>>> Is audit_n_rules the number of rules in the rule table? I ask, so if
>>> the example audit.rules posted in the auditd directory is loaded, then it
>>> should have set audit_n_rules to something like 4. audit_enabled
>>> should be 1, so we should end up getting the syscall records in a
>>> similar fashion to the kernel patch that hardcodes it? I ask because desktop
>>> world has -s support in audit.rules.
>>
>> Yes, I believe that is correct. Use of -S (syscall filter) or -w (file
>> watch) should increment the number of rules, which should turn on the
>> machinery for collecting pathnames for later use by audit during
>> pathname lookup.
>>
>
> Just to finish this thread, the reason I am not seeing the syscall
> audits is because the archaic kernel version I am stuck on (3.0.35)
> doesn't have AUDITSYSCALL for ARM. I found this patch, but still need
> to test it, but it looked straightforward and applied cleanly to the
> tree:
> https://www.redhat.com/archives/linux-audit/2011-October/msg00030.html
>
> I also noticed this patch was mainlined here:
> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b
>
> Does anyone on this list have any deeper context around enabling this
> on ARM? Is it as trivial as the patch appears, or are there a slew of
> other patches I am missing?
That's the basic one you need to just get it up and working; we applied that on our older kernel trees when we wanted syscall audit information. There have been a number of fixes and improvements since that time, but if you are only using this as a policy debugging tool, that patch will likely suffice.

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
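The two things the thread turns on, whether the kernel was built with CONFIG_AUDITSYSCALL and whether the loaded audit.rules actually contains rules that bump audit_n_rules (and sets audit_enabled), can both be checked offline before touching a device. The script below is an added example; it is not code from the thread, from the audit userspace, or from the kernel patch linked above. The kernel configs and the audit.rules it reads are constructed samples written to a temp directory, and the counting rule is an assumption drawn from the kernel's audit_add_rule bookkeeping: every -a/-A rule counts except those on the "user" and "exclude" lists, and every -w watch counts because auditctl turns a watch into an exit-list rule.

```shell
#!/bin/sh
# Added example, not code from the thread, the audit project or the kernel.
# Two offline checks for the situation discussed above:
#   1. does a kernel .config have CONFIG_AUDITSYSCALL (the option missing
#      on the 3.0.35 ARM tree), and
#   2. how many rules in an audit.rules file will bump audit_n_rules when
#      loaded, and what audit_enabled will be afterwards.
# Assumption about kernel bookkeeping: -a/-A rules on the "user" and
# "exclude" lists are not counted; everything else, including -w watches
# (auditctl loads them as exit-list rules), is.

WORK=$(mktemp -d)

# Constructed sample kernel configs (not real config dumps).
CFG_OLD="$WORK/config-3.0.35-arm"     # audit on, syscall audit off
cat > "$CFG_OLD" <<'EOF'
CONFIG_AUDIT=y
# CONFIG_AUDITSYSCALL is not set
EOF

CFG_NEW="$WORK/config-patched"        # after an ARM AUDITSYSCALL patch
cat > "$CFG_NEW" <<'EOF'
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
EOF

# Constructed sample audit.rules in auditctl syntax; paths and keys are illustrative.
SAMPLE_RULES="$WORK/audit.rules"
cat > "$SAMPLE_RULES" <<'EOF'
# control lines: flush, buffer size, enable
-D
-b 8192
-e 1
# file watches: loaded as exit-list rules, counted
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
# syscall rules on the exit list, counted
-a always,exit -F arch=b32 -S open -S openat -F exit=-EACCES -k access_denied
-a always,exit -F arch=b32 -S execve -k exec
# user-space and exclude lists do not count toward audit_n_rules
-a always,user -F uid=0 -k root_user
-a exclude,always -F msgtype=CWD
EOF

# Return 0 when a kernel .config enables syscall auditing.
# On a live box feed it the output of "zcat /proc/config.gz" or /boot/config-$(uname -r).
kernel_has_syscall_audit() {
    grep -q '^CONFIG_AUDITSYSCALL=y$' "$1"
}

# Print the number of rules in an audit.rules file that count toward audit_n_rules.
audit_rules_counted() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "-w" { n++; next }
        $1 == "-a" || $1 == "-A" {
            # field 2 is "action,list" or "list,action"
            split($2, f, ",")
            list = (f[1] == "always" || f[1] == "never") ? f[2] : f[1]
            if (list != "user" && list != "exclude") n++
        }
        END { print n + 0 }'
}

# Print the last "-e" value in the file (audit_enabled after loading), or 0 if never set.
audit_rules_enabled() {
    awk '$1 == "-e" { v = $2 } END { print v + 0 }' "$1"
}

# Stand-alone run: report both checks for the constructed samples.
for cfg in "$CFG_OLD" "$CFG_NEW"; do
    if kernel_has_syscall_audit "$cfg"; then
        echo "$cfg: CONFIG_AUDITSYSCALL=y, -S/-w rules can produce SYSCALL records"
    else
        echo "$cfg: no CONFIG_AUDITSYSCALL, no SYSCALL records regardless of rules"
    fi
done
echo "$SAMPLE_RULES: audit_n_rules would become $(audit_rules_counted "$SAMPLE_RULES"), audit_enabled $(audit_rules_enabled "$SAMPLE_RULES")"
```

On a real system the same two facts are visible with `auditctl -l` (the rules the kernel actually accepted) and `auditctl -s` (the `enabled` field); the point of the file-based check is that it tells you ahead of time whether a rules file will leave audit_n_rules at zero, in which case no SYSCALL records will ever appear even on a kernel that has the option.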