Hello,
the attached patches propose a way to audit administrative commands.
Summary
---
A per-process audit TTY input attribute is added. The attribute is
inherited across fork(). A new PAM module is used to turn the
attribute on or off on login. Data read from TTYs by processes with the
Hello,
John D. Ramsdell wrote:
diff -ur a/audit-1.5.6/Makefile.am b/audit-1.5.6/Makefile.am
--- a/audit-1.5.6/Makefile.am 2007-06-27 06:19:18.0 -0400
+++ b/audit-1.5.6/Makefile.am 2007-07-30 07:53:45.0 -0400
@@ -21,9 +21,14 @@
# Rickard E. (Rik) Faith [EMAIL PROTECTED]
Renumber AUDIT_TTY_[GS]ET to avoid a conflict with netlink message types
already used in the wild.
From: Miloslav Trmac [EMAIL PROTECTED]
Renumber AUDIT_TTY_[GS]ET to avoid a conflict with netlink message types
already used in the wild.
Signed-off-by: Miloslav Trmac [EMAIL PROTECTED]
Henning, Arthur C. (CSL) wrote:
Copy NISPOM.rules to /etc/audit/audit.rules
Using system-config-audit, I create a rule for the SYSCALL kill with a
key of kill
Save the configuration.
Get the described error.
Thanks for your report. The attached patch, to be included in s-c-audit
0.4.3,
Steve Grubb wrote:
On Wednesday 14 November 2007 15:22:08 Eric Paris wrote:
+ if (unlikely((return_code == -ERESTART_RESTARTBLOCK) ||
+(return_code == -ERESTARTNOHAND) ||
+(return_code == -ERESTARTSYS) ||
+(return_code ==
Hello,
(make check) currently builds tests against libaudit headers installed
system-wide; if no headers are installed, the build fails.
The attached patch fixes the build.
Mirek
diff -urN audit/auparse/test/Makefile.am audit-1.6.2/auparse/test/Makefile.am
---
),
+.BR ausearch_clear (3),
+.BR ausearch_next_event (3).
+
+.SH AUTHOR
+Miloslav Trmac
diff -urN audit/docs/Makefile.am audit-1.6.2/docs/Makefile.am
--- audit/docs/Makefile.am 2007-09-18 17:31:41.0 +0200
+++ audit-1.6.2/docs/Makefile.am 2007-11-09 10:12:03.0 +0100
@@ -43,8 +43,9
Hello,
John Dennis wrote:
The current formatting of the record timestamp
(e.g. audit(sss.mmm:iii)) is inconsistent with
all other name/value pairs. It should be seconds=sss
milliseconds=mmm serial=iii, this allows parsing to be regular and
consistent.
Isn't this unnecessarily verbose? Just
Hello,
auparse would crash if there was an interpreted filter item defined and
the field could not be interpreted (e.g. it had an invalid format).
The attached patch modifies auparse to use the raw value in such cases.
Mirek
diff -ur audit/auparse/auparse.c
Hello,
this patch fixes __attribute__ ((hidden)) use. The
hidden_def(SYM)/hidden_proto(SYM) pair should be used for symbols that
are a part of the public API; it creates hidden aliases (SYM_internal)
for use within the shared library, which speeds up both dynamic linking
and code execution.
Hello,
audit_log_acct_message() is currently quoting acct differently from all
other users: it adds quotes to acct if it is represented in hexadecimal,
not when it is represented as-is.
The attached patch fixes it - but it also changes the format of some of
the most-often used messages. It
Tomas Mraz wrote:
This proposal is just for starting the discussion.
1. Messages contain name=value pairs separated by spaces.
2. All names are just alphanumeric sequences.
3. Values can be either:
a) byte sequences with the following special characters encoded as %XX
where XX is
Hello,
- LC Bruzenak le...@magitekltd.com wrote:
Is there a way to specify on the command line a way to tell the
audit-viewer to read a specific raw event file?
No.
Mirek
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
- Dan Gruhn dan.gr...@groupw.com wrote:
I have audit-viewer-0.4 and get the following error from make
install
Byte-compiling python modules...
client.py dialog_base.py event_dialog.py event_source.py filters.py
format_versions.py list_properties.py list_tab.py File
Dan,
- Dan Gruhn dan.gr...@groupw.com wrote:
I'm having problems running audit-viewer and it appears that I am
missing some packages like python-gtkextra, PyChart, and sexy-python. I
don't have them available on RHEL 5.2 (or 5.3 for that matter) and
have been trying to compile them.
Oh,
Hello,
- Dan Gruhn dan.gr...@groupw.com wrote:
I am getting this error when audit viewer starts:
# audit-viewer
Error reading audit events: No such file or directory.
Thinking that perhaps something is pointing to the wrong files, I
attempted to use Window/Change event source...
Hello,
- Dan Gruhn dan.gr...@groupw.com wrote:
You are right, the path was /usr/local/var/log/audit. Once I recompiled
with this change everything seems to be working. Does this default of
--prefix subtree make sense in any situation? I ask because perhaps a
default of /var would more
From: Miloslav Trmač m...@redhat.com
Add SELinux context information and TTY name (consistent with the
AUDIT_SYSCALL record) to AUDIT_TTY. An example record after applying
this patch:
type=TTY msg=audit(1237480806.220:22): tty pid=2601 uid=0 auid=500 ses=1
Hello,
ausearch -i and libauparse currently crash (access NULL) if a mode= field
contains an unknown file type. Such records are generated by the kernel for
IPC, e.g.
node=jcdx156 type=IPC msg=audit(1237915952.720:2294): ouid=500 ogid=1106
mode=0600
- LC Bruzenak le...@magitekltd.com wrote:
Thank you for this patch...wherever it may be.
:)
Ooops :/
Do you have a standard auparse test you use to track these down?
No, I only have a small Python program to use auparse to interpret a supplied
log file (attached). There is also (make
- LC Bruzenak le...@magitekltd.com wrote:
After applying this patch my build fails in the parse test section due
to a difference of no space after a comma:
-mode=040730 (dir, 730)
+mode=040730 (dir,730)
Do you think your changes would cause this?
Yes, that change was
I planned to create a plugin which would extend the current audit
capabilities adding a new type of rule - a reactive rule. This
type of rule is different in the way that it watches for an event
like an ordinary rule, however, when the event happens, it reacts
to that adding or deleting other
From: Juraj Hlista juro@gmail.com
I'm working on an implementation of reactive rules in audit.
I've come up with a new type of rule (AUDIT_ALWAYS_REACT)
which is almost the same as AUDIT_ALWAYS. The only difference is that
the kernel generates one more message of type REACT_RULE when
- LC Bruzenak le...@magitekltd.com wrote:
Is there any plan to add printing capability to the audit-viewer?
Not currently; you can export any tab to HTML[1] and use a web browser (or
perhaps (lynx -dump | lpr)) to print it. Is that an acceptable solution for
you?
Mirek
[1] I have just
- LC Bruzenak le...@magitekltd.com wrote:
Thanks for the reply. I tried the export, however it isn't the tab
contents per se which have the important data for us. We have modified
the event tab to include the entire raw event, because in our system,
the really important data is in usually
Hello,
audit-viewer-0.6 is now available at
https://fedorahosted.org/audit-viewer/wiki/AuditViewerDownloads .
Changes:
* Fix a crash when exporting an event list
* Fix chart display
* New or updated translations:
- Asturian by Astur malditoas...@gmail.com
- Danish by Kris Thomsen
Hello,
the code looks reasonable, some minor comments are below. I'll let Steve and
others comment on the high-level design (just to point out a question, is it OK
that auditctl will depend on sqlite?).
Mirek
- Juraj Hlista juro.hli...@gmail.com wrote:
diff --git a/lib/libaudit.c
Hello,
- Juraj Hlista juro.hli...@gmail.com wrote:
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
@@ -415,7 +424,8 @@ static struct audit_entry *audit_data_to_entry(struct
audit_rule_data *data,
- int i;
+ int i, j = 0;
+ int k;
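Review bot: in the audit_data_to_entry hunk the new counters are declared inconsistently: `j` is initialised at its declaration while `k` is declared on a separate line and left uninitialised. Fold them into one declaration (`int i, j = 0, k;`) or initialise `k` where it is declared, so that any use of `k` before assignment is easier to spot in review.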
@@ -425,7 +435,7 @@ static struct
- Eric Paris epa...@redhat.com wrote:
Add a new spot in the assembly which will call a function which will
check if audit_n_rules > 0 and if so will set TIF_SYSCALL_AUDIT and if
not will clear TIF_SYSCALL_AUDIT? It might make things slightly worse
on systems which explicitly disable audit
Hello,
I'm posting these patches for early review again; users of the code are not in
the kernel yet.
Changes since the previous version:
- New record type CRYPTO_AUDIT_CRYPTO_KEY_VALUE, to implement basic level
from CC
- aureport handles events with multiple crypto records
Record types
Hello,
Thanks for the comments.
- Eric Paris epa...@redhat.com wrote:
A couple functions I think you can safely drop a level of indentation
include audit_log_crypto_op(), audit_filter_rules(), and maybe
log_crypto_op() needs a helper function to cut down the indentation?
Maybe not.
Fixed
Hello,
- Robert Daniels robertdaniels2...@gmail.com wrote:
I'm using pam_tty_audit and am collecting specific users, including root.
When logged in as root, the tty events are sent to the plugin in near
real-time.
However, when logged in as a user, the events are cached someplace
- Jure Simsic jure.sim...@gmail.com wrote:
Hi
I need to audit some specific commands which have the following form
cmd -arg1 -arg2 -query 'some query(args)'
In audit log I get a record like:
type=EXECVE msg=audit(1282117611.037:27469599): argv [0] =cmd argv [1]
=-arg1 argv
Hello,
attached is a user-space patch that adds support for auditing uses of the
AF_ALG protocol family developed by Herbert Xu to provide user-space access to
kernel crypto accelerators. Kernel patches will follow.
One new record is defined: AUDIT_CRYPTO_USERSPACE_OP. An audited event is
Here's a patch for version 2.1.3 which solves bug 435682 (
https://bugzilla.redhat.com/show_bug.cgi?id=435682 ).
Patched auditctl allows specifying files having spaces in their names
- just surround a filename with apostrophes.
This patch also arbitrarily breaks handling of apostrophes and
Hello,
- Original Message -
Every keystroke is logged in /var/log/audit/audit.log which is great.
My only issue is that I just realized that prompt passwords are also
logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing aureport --tty -if
- Original Message -
It might still be an idea to have auparse_get_uid(au) etc.
I'm not 100% sure what you mean, but is perhaps auparse_interpret_field what
you are looking for? It returns an interpreted (as opposed to raw) version
of the field, e.g. a name instead of a UID.
Mirek
- Original Message -
I'm having a problem trying to cross-compile audit. The problem is that
gen_actiontabs_h is built using the cross-compiler (for ARM), and then it's
asked to run on the host (x86_64).
Is there a simple way around this? A complex way, perhaps? Extra points for
- Original Message -
So my question is why normal users' audit event logs can't be captured
as a type=USER_TTY, whereas root logs can be captured
in a similar way.
USER_TTY is sent by the process that accepts the keyboard input. Unprivileged
users are not allowed to send audit records
- Original Message -
If I understand correctly it's only adding arch detection and syscall
tables to ausyscall. Why are these syscall tables conditional?
To reduce the number of text relocations in libaudit. Libaudit links against a
number of applications and text relocations eat
- Original Message -
On Fri, 30 Nov 2012 09:05:19 -0500,
Steve Grubb sgr...@redhat.com wrote:
On Friday, November 30, 2012 02:42:27 PM Laurent Bigonville wrote:
On Mon, 26 Nov 2012 12:21:55 -0500 (EST),
Miloslav Trmac m...@redhat.com wrote:
FWIW, at least
Hello,
- Original Message -
But if user1 does log on, no commands are logged
Are you talking about TTY or USER_TTY records, and are you checking immediately
after entering the command, or after exiting the session?
Unprivileged users are not allowed to send USER_TTY records as
- Original Message -
I am resurrecting this old thread from last summer because I ran into the same
issue and found the thread in the archives via Google. It would be very nice if
everything could be logged except passwords.
There is work being done. Sorry, I don't have more
- Original Message -
Please do post the patch here when you have it worked out as I am very likely
to miss it in the flood of kernel patches when it goes to/from Linus.
Here you go. Given Steve's good question, this control method may
change.
Isn't icanon _true_ when the data
- Original Message -
On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
- Original Message -
Please do post the patch here when you have it worked out as I am very likely
to miss it in the flood of kernel patches when it goes to/from Linus
- Original Message -
2) Write an audispd plugin that used the sd-journal API to store
audit events in the journal.
3) Add sd-journal as a log format to auditd.
Both of these will run into the problem recently discussed on this mailing
list: the available methods to parse an audit
- Original Message -
Most commands are entered one line at a time and processed as complete
lines in non-canonical mode. Commands that interactively require a
password, enter canonical mode to do this. This feature (icanon) can be
used to avoid logging passwords by audit while still