From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Writting to audit with an application
Date: Sat, 17 Mar 2007 18:24:36 -0400
Message-ID: <200703171824.37027.sgrubb@redhat.com>
In-Reply-To: <45FC5F01.4070504@optonline.net>

On Saturday 17 March 2007 17:34:57 geckiv wrote:
> Thanks for the reply. I must have something wrong with my system as I
> can't get it to work even running it as root. I get an error of:
>
> FAILURE:  errno = 22
> Error writing audit file: Invalid argument
> Error writing audit: Illegal seek

This does sound wrong. Maybe strace would shed some light on how it's going 
wrong? What kernel are you using?

> Also how do I set auditd to allow other process(s) running not as root
> to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)?

You can't. The audit system is designed to be high integrity, meaning only 
trusted apps or processes that run as root or started as root but dropped 
privileges keeping CAP_AUDIT_WRITE. The audit event is written to the kernel, 
not auditd (meaning the kernel must be compiled with syscall audit support at 
a minimum). The kernel may decide to give the event to auditd.

> I could not find any info on this. Also where do I find these trusted app
> examples?

dbus, nscd, passwd, shadow-utils, pam, ...

> Is this something I download the src of Linux and look for?

No, dbus is an example of a program that keeps CAP_AUDIT_WRITE after starting 
as root but changes uids. passwd is setuid root. pam runs as part of 
applications that stay root.

-Steve
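
The pattern described in the message above (start as root, change uids, keep CAP_AUDIT_WRITE, write the event to the kernel over netlink), as an added example that is not part of the original thread and is not code from dbus or the audit project. It assumes raw syscalls and netlink instead of libcap/libaudit; the function names are hypothetical and the record type is chosen by the caller.

```c
/* Added example, not from the thread; function names are hypothetical. */
#include <grp.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/netlink.h>

/* Call while still root: switch to uid/gid but retain only CAP_AUDIT_WRITE. */
int drop_root_keep_audit_write(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof(data));
    data[0].permitted = data[0].effective = 1u << CAP_AUDIT_WRITE; /* bit 29 */
    if (prctl(PR_SET_KEEPCAPS, 1L) < 0) return -1; /* permitted set survives setuid */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* The uid change cleared the effective set: re-raise one capability, drop the rest. */
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0L);
}

/* Build one userspace audit record in buf; returns its length, or 0 on error. */
size_t build_audit_msg(void *buf, size_t cap, int type, const char *text)
{
    struct nlmsghdr *nlh = buf;
    size_t len = NLMSG_SPACE(strlen(text) + 1);
    if (type < AUDIT_FIRST_USER_MSG || type > AUDIT_LAST_USER_MSG || len > cap)
        return 0; /* only the 1100-1199 userspace range is accepted here */
    memset(buf, 0, len);
    nlh->nlmsg_len = (unsigned int)len;
    nlh->nlmsg_type = (unsigned short)type;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq = 1;
    memcpy(NLMSG_DATA(nlh), text, strlen(text));
    return len;
}

/* Send the record to the kernel, not to auditd. Needs CAP_AUDIT_WRITE. */
int send_audit_msg(const void *buf, size_t len)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK }; /* nl_pid 0 = kernel */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    int ok = fd >= 0 && sendto(fd, buf, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) >= 0;
    if (fd >= 0) close(fd);
    return ok ? 0 : -1;
}
```

Call `drop_root_keep_audit_write()` once at startup while still root, then `build_audit_msg()` and `send_audit_msg()` whenever an event needs recording; a process that never held the capability gets an error from the send.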
