From: Steve Grubb <sgrubb@redhat.com>
To: "Bhagwat, Shriniketan Manjunath" <shriniketan.bhagwat@hpe.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Audit reporting Invalid argument
Date: Mon, 16 May 2016 08:53:34 -0400
Message-ID: <1956741.kKb8qJBsiM@x2>
In-Reply-To: <8FC6AD31395616439ECBCD98E071A87F4BF15630@G4W3202.americas.hpqcorp.net>

On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from a non-root user
> using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a
couple lines of code. But you still have the permissions of the directories
that hold the rules to correct. Easy to fix, but I think you might be fighting
the distribution's package manager which would set things back to root every
update.
> Regarding suppression of events, I will do some testing and let you know
> later.
>
> Is there a way I can avoid default logging of the audit events to
> /var/log/audit/audit.log?
If you have an old copy of the audit system (2.5.1 or earlier) then use
log_format = NOLOG. If you have a current copy, then use write_logs = no.
-Steve
> I do not want audit to log audit events to
> audit.log, however I will capture them using my plug-in. Is there a way I
> can accomplish this? I tried commenting the log_file field from
> auditd.conf, however the events are still written to audit.log. I think
> below code from auditd-config.c is causing audit to write to audit.log
>
> config->log_file = strdup("/var/log/audit/audit.log");
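
The difference between a uid 0 check and a CAP_AUDIT_CONTROL check, as discussed in this message, shown as an added example (not code from auditd or from either poster). It reads the effective capability set with capget(2) on Linux; all function names are hypothetical and the sample mask in the comment is constructed.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Pure helper: is capability number `cap` set in a 64-bit mask?
 * Constructed sample: 0x40000000 has only bit 30 (CAP_AUDIT_CONTROL) set,
 * which is what a non-root process granted just that capability holds. */
static int mask_has_cap(uint64_t eff, int cap)
{
    return cap >= 0 && cap < 64 && ((eff >> cap) & 1);
}

/* Read the calling process's effective capability set with capget(2).
 * Returns 0 on success and stores the 64-bit mask in *eff. */
static int effective_caps(uint64_t *eff)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0}, {0} };

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *eff = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* The uid-based approximation: true for root even if the capability
 * was dropped, false for a non-root user that was granted it. */
static int may_control_audit_by_uid(void) { return geteuid() == 0; }

/* The capability-based check: asks the kernel what it will enforce. */
static int may_control_audit_by_cap(void)
{
    uint64_t eff;
    return effective_caps(&eff) == 0 && mask_has_cap(eff, CAP_AUDIT_CONTROL);
}

int main(void)
{
    printf("euid == 0: %d\nCAP_AUDIT_CONTROL effective: %d\n",
           may_control_audit_by_uid(), may_control_audit_by_cap());
    return 0;
}
```

The two results differ for a root process that has dropped the capability and for a non-root process that has been granted it.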