From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Adrian Powell <awp@cray.com>
Subject: Re: Linux audit newbie question (Sorry probably a little boring...)
Date: Mon, 8 May 2006 10:38:03 -0400
Message-ID: <200605081038.04062.sgrubb@redhat.com>
In-Reply-To: <027801c671e0$15e3a010$03022c0a@kearney>
On Sunday 07 May 2006 10:11, Adrian Powell wrote:
> I have a Linux system running a 2.6.5 kernel, which cannot be
> upgraded to a later release for the time being.
Hi,
I think the native linux audit system landed in the 2.6.6 kernel. I think
2.6.14 was the kernel where we finally had things working pretty good for
syscall auditing.
> I do have the source available, and can patch it if necessary. I wish to run
> some kind of system call level auditing/logging for security purposes.
I think you will likely have to do quite a bit of work. You can copy
kernel/audit.c and kernel/auditsc.c to your old kernel as well as
include/linux/audit.h. The problem is going to be adding all the hook
functions to the right place.
> I have the LaUS package installed with the PAM modules, but this does not
> implement the system call level logging that I require, without a patch.
LaUS is a different and incompatible audit system. The userspace piece that
you would want is the audit-1.0.14 package. There is a lot of patching of
trusted apps, though.
> The trouble is that the only patches that I can find are not compatible with
> this particular kernel.
Same with porting the native linux audit system. You would have to do quite a
bit of sleuthing around to place all the hooks in the right place. The
native audit system also depends quite a bit on netlink, which has been
changed a few times during 2.6 lifetime. So, you may run into problems with
that, too.
> What are my options here?
I think your options include a fair amount of porting of something. It's
either step up to a newer kernel or do backporting.
-Steve