* SuSE 10.1 and linux audit
@ 2006-08-11 16:25 Clif Flynt
From: Clif Flynt @ 2006-08-11 16:25 UTC (permalink / raw)
  To: linux-audit

Hi,
  Here's the steps I've gone through for making the audit package work
with SuSE 10.1.  If someone wants to point out some really bad things
I've done, feel free.  I suspect that I've cut some corners that aren't
safe, but this seems to work.

  This is a kludgey way to get things done, but it's working for now,
and these steps might help other folks do a better job of getting SuSE
10.1 and the audit utilities to play well together.

  My hope is that by the time I need to go live with the site,
there will be an out-of-the-box solution to the problems.

  I'm using stock 10.1, with the online updates, and Audit 1.2.5.
I install from the downloadable CD-ROM set.
  
  1) Base install with C/C++ Development, and kernel development. 
     Do the online update as part of the install.  (Is there an easy 
     way to get a snapshot of the updates as an ISO?)

  2) Install 2.6.17.6 kernel source.  I got the tarball from:
  http://linux.softpedia.com/progDownload/Linux-Kernel-Download-1960.html
    
    Untar, remove the old 'linux' link and create a new symlink
    to the new kernel directory.

  3) make oldconfig; 
    Take all defaults.

  4) edit arch/i386/Makefile, 
    set FDINITRD flag = 1
    There's probably a better way to do this, but this worked.  It
    wasn't necessary 2 weeks ago, and may not be necessary in the future,
    but without that flag the kernel gets built but no initrd is
    constructed, and the kernel won't boot.

  5) Build and install kernel; 
     make; make modules; make install; make modules_install

  6) Reboot to new kernel.

  7) Install swig and python-devel using Yast2
  
  8) Install the new kernel headers.  I got these from:
http://rpm.pbone.net/index.php3/stat/26/dist/0/size/728548/name/glibc-kernheaders-3.0-45.3.src.rpm
    
    I extracted the tar bz2 file with rpm2cpio, and then untarred
    that file to install the headers.
    
    This is one step that I think is very suspect.  I'm not sure where these
    headers are referenced, and which code is using what.
    
    I've tried building the 2.6.17 kernel with both the original headers
    and the new ones and seen no difference in behavior, but I might have 
    just not done a test that would exercise the trouble spots.
    
  9) Extract the audit 1.2.5 code.

 10) Rebuild the configure script, configure make and install.  

    I follow the cut/paste instructions in README-install
    autoreconf -fv --install, etc.

 11) Edit /etc/init.d/auditd
     Remove the -n flag that's added for AUDITD_DISABLE_CONTEXTS
     under the start case.  I don't think the -n option
     is supported in 1.2.5, and when it's there, the output messages
     go to /var/log/messages instead of /var/log/audit/audit.log.

    Add
    /sbin/auditctl -D 
    to the stop method.  This gets rid of
    an interminable set of messages to the screen during halt.
    
    This is another thing that I think is suspect.  Can a halt
    be aborted once it's reached the K15auditd stage of shutdown?
    If so, this is a security hole that would allow an unprivileged
    user to disable auditing, if not, then it should be fine.
 
 12) Install my audit.rules - I'm using all of the -a rules from
    the sample capp.rules set.

 13) create /etc/audit and copy /etc/auditd.conf and audit.rules
     to it.  Again, I think this step could be avoided by proper
     use of various compile time flags, but this works.

-- 
.... Clif Flynt ... http://www.cflynt.com ... clif@cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
..13th Annual Tcl/Tk Conference:  Oct 9-13, 2006,  Chicago, IL ..
.............  http://www.tcl.tk/community/tcl2006/  ............


* Re: SuSE 10.1 and linux audit
From: Klaus Weidner @ 2006-08-11 16:44 UTC (permalink / raw)
  To: Clif Flynt; +Cc: linux-audit

On Fri, Aug 11, 2006 at 12:25:11PM -0400, Clif Flynt wrote:
>   8) Install the new kernel headers.  I got these from:
> http://rpm.pbone.net/index.php3/stat/26/dist/0/size/728548/name/glibc-kernheaders-3.0-45.3.src.rpm
>     
>     I extracted the tar bz2 file with rpm2cpio, and then untarred
>     that file to install the headers.
>     
>     This is one step that I think is very suspect.  I'm not sure where these
>     headers are referenced, and which code is using what.

Instead of doing that, you could unpack the headers to a separate
location, and provide that directory as an additional include path (using
-I) when compiling the audit tools.

It'll probably also work to completely skip the glibc-kernheaders, and
add the include/linux and include/asm directories from your kernel source
tree to the include path when compiling auditd.

>     I've tried building the 2.6.17 kernel with both the original headers
>     and the new ones and seen no difference in behavior, but I might have 
>     just not done a test that would exercise the trouble spots.

Building the kernel does not reference glibc-kernheaders, those are only
used for compiling userspace apps that need to know about kernel data
structures.

>     This is another thing that I think is suspect.  Can a halt
>     be aborted once it's reached the K15auditd stage of shutdown?
>     If so, this is a security hole that would allow an unprivileged
>     user to disable auditing, if not, then it should be fine.

If your untrusted users have enough privileges to shut down your system,
I think stopping auditd is the least of your worries...

>  13) create /etc/audit and copy /etc/auditd.conf and audit.rules
>      to it.  Again, I think this step could be avoided by proper
>      use of various compile time flags, but this works.

It would probably be better to use symlinks instead of copies to avoid
having multiple versions of the files on the system. You could also do

	ln -s /etc /etc/audit

to create a symlink pointing from /etc/audit/ back to /etc/ to keep the
apps happy if they don't agree about the location.

-Klaus

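An added check script, not from either post, that exercises the hand edits in steps 11 and 13 of Clif's list together with Klaus's symlink variant of step 13, all against a sandbox root so it runs without a real SuSE 10.1 box. The init-script fragments and the sandbox file contents are constructed for the example; the real /etc/init.d/auditd may differ.

```shell
# Added example, not from either post: checks for the hand edits in steps 11
# and 13, plus Klaus's symlink variant of step 13, against a sandbox root so
# they run without a real SuSE box.  The init-script text is constructed here.

# Write a constructed init-script fragment to "$1"; "$2" is before|after the
# step 11 edit (the real SuSE script is longer and may differ).
write_sample_initd() {
    if [ "$2" = before ]; then
        printf '%s\n' 'start)' '  startproc /sbin/auditd -n $AUDITD_OPTIONS' \
            '  ;;' 'stop)' '  killproc /sbin/auditd' '  ;;' > "$1"
    else
        printf '%s\n' 'start)' '  startproc /sbin/auditd $AUDITD_OPTIONS' \
            '  ;;' 'stop)' '  /sbin/auditctl -D' '  killproc /sbin/auditd' \
            '  ;;' > "$1"
    fi
}

# Step 11: return 1 if auditd is still started with -n (with 1.2.5 the records
# then land in /var/log/messages instead of /var/log/audit/audit.log), and
# return 2 if the stop branch never flushes the rule set with auditctl -D.
check_initd() {
    grep -qE 'auditd[^#]*[[:space:]]-n([[:space:]]|$)' "$1" && return 1
    grep -qE 'auditctl[[:space:]]+-D' "$1" || return 2
    return 0
}

# Step 13, done Klaus's way: point /etc/audit/* at the files already in /etc
# instead of keeping a second copy.  "$1" is the root directory (/ on a real
# system); the function refuses to touch an existing /etc/audit.
link_audit_conf() {
    root=${1%/}
    [ -e "$root/etc/audit" ] && return 1
    mkdir -p "$root/etc/audit" || return 1
    for f in auditd.conf audit.rules; do
        [ -f "$root/etc/$f" ] || return 1       # source file must exist first
        ln -s "../$f" "$root/etc/audit/$f" || return 1
    done
    return 0
}
```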
