From: geckiv <geckiv@optonline.net>
To: linux-audit@redhat.com
Subject: Re: Writting to audit with an application
Date: Mon, 19 Mar 2007 15:58:46 -0400
Message-ID: <45FEEB76.3070908@optonline.net>
In-Reply-To: <200703171824.37027.sgrubb@redhat.com>
Steve,
I have never heard of dbus before. Is there an example of how it keeps its
CAP_AUDIT_WRITE and changes uids? Is this just using setuid() somehow?
Thanks,
Frank
Steve Grubb wrote:
>On Saturday 17 March 2007 17:34:57 geckiv wrote:
>
>> Thanks for the reply. I must have something wrong with my system as I
>> can't get it to work even running it as root. I get an error of:
>>
>> FAILURE: errno = 22
>> Error writing audit file: Invalid argument
>> Error writing audit: Illegal seek
>
>This does sound wrong. Maybe strace would shed some light on how it's going
>wrong? What kernel are you using?
>
>> Also how do I set auditd to allow other process(es) running not as root
>> to write to the netlink/kernel (i.e. set CAP_AUDIT_WRITE)?
>
>You can't. The audit system is designed to be high integrity, meaning only
>trusted apps or processes that run as root, or that started as root but dropped
>privileges keeping CAP_AUDIT_WRITE. The audit event is written to the kernel,
>not auditd (meaning the kernel must be compiled with syscall audit support at
>a minimum). The kernel may decide to give the event to auditd.
>
>> I could not find any info on this. Also where do I find these trusted app
>> examples?
>
>dbus, nscd, passwd, shadow-utils, pam, ...
>
>> Is this something I download the src of Linux and look for?
>
>No, dbus is an example of a program that keeps CAP_AUDIT_WRITE after starting
>as root but changes uids. passwd is setuid root. pam runs as part of
>applications that stay root.
>
>-Steve
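The pattern Steve describes for dbus (start as root, change uid, keep only CAP_AUDIT_WRITE) and his point that the record goes to the kernel over netlink rather than to auditd, worked through as an added example. This is not code from the thread, from dbus or from libaudit: it talks to the kernel directly with glibc and the kernel headers so the steps are visible. The uid/gid 65534 to drop to, the 8192-byte record bound and the record text are assumptions for illustration. The kernel refuses the AUDIT_USER message with EPERM when CAP_AUDIT_WRITE is missing, which is the integrity check the reply is talking about.

```c
#define _GNU_SOURCE          /* for setresuid()/setresgid() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/netlink.h>

/* Assumed upper bound for one user record in this example; not a kernel constant. */
#define MAX_AUDIT_MSG 8192

struct audit_req {
    struct nlmsghdr nlh;
    char data[MAX_AUDIT_MSG];
};

/* Fill 'req' with a netlink request of audit message 'type' carrying 'text'.
 * Returns the total length to send, or -1 if the text does not fit.
 * No trailing NUL is sent: the kernel logs the nlmsg_len bytes of payload. */
int audit_msg_build(struct audit_req *req, int type, unsigned seq, const char *text)
{
    size_t len = strlen(text);
    if (len > sizeof req->data)
        return -1;
    memset(req, 0, sizeof *req);
    req->nlh.nlmsg_len   = NLMSG_LENGTH(len);
    req->nlh.nlmsg_type  = type;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;   /* ask for an explicit ack */
    req->nlh.nlmsg_seq   = seq;
    memcpy(NLMSG_DATA(&req->nlh), text, len);
    return (int)req->nlh.nlmsg_len;
}

/* Give up root but keep CAP_AUDIT_WRITE, the dbus-style privilege drop.
 * Must be called with euid 0.  Returns 0, or -1 with errno set. */
int drop_privs_keep_audit_write(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    /* Without KEEPCAPS the uid change below would also empty the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0 || setresuid(uid, uid, uid) < 0)
        return -1;
    /* euid 0 -> non-zero cleared the effective set but permitted survived. Shrink
     * permitted to the one capability we need and raise it as effective again. */
    memset(data, 0, sizeof data);
    data[CAP_TO_INDEX(CAP_AUDIT_WRITE)].permitted = CAP_TO_MASK(CAP_AUDIT_WRITE);
    data[CAP_TO_INDEX(CAP_AUDIT_WRITE)].effective = CAP_TO_MASK(CAP_AUDIT_WRITE);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

/* Send one AUDIT_USER record straight to the kernel and wait for its ack.
 * Returns 0 on success or -1 with errno set; EPERM means no CAP_AUDIT_WRITE. */
int audit_send_user_msg(const char *text)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 = kernel */
    struct audit_req req, resp;
    struct nlmsgerr *err;
    ssize_t n;
    int fd, len, saved, ret = -1;

    fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);   /* EPROTONOSUPPORT: no CONFIG_AUDIT */
    if (fd < 0)
        return -1;
    len = audit_msg_build(&req, AUDIT_USER, (unsigned)getpid(), text);
    if (len < 0) { errno = EMSGSIZE; goto out; }
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof kernel) != len)
        goto out;
    /* The reply is an NLMSG_ERROR whose 'error' field is 0 for a plain ack. */
    n = recv(fd, &resp, sizeof resp, 0);
    if (n < 0)
        goto out;
    if (n < (ssize_t)NLMSG_LENGTH(sizeof *err) || resp.nlh.nlmsg_type != NLMSG_ERROR) {
        errno = EPROTO;
        goto out;
    }
    err = NLMSG_DATA(&resp.nlh);
    if (err->error == 0)
        ret = 0;
    else
        errno = -err->error;   /* kernel reports -EPERM etc. */
out:
    saved = errno;
    close(fd);
    errno = saved;
    return ret;
}

int main(void)
{
    const uid_t NOBODY_UID = 65534;   /* assumed unprivileged identity */
    const gid_t NOBODY_GID = 65534;

    if (geteuid() == 0 && drop_privs_keep_audit_write(NOBODY_UID, NOBODY_GID) < 0) {
        perror("drop_privs_keep_audit_write");
        return 1;
    }
    printf("now uid %u, sending record to the kernel\n", (unsigned)getuid());
    if (audit_send_user_msg("op=example-login acct=\"frank\" res=success") < 0) {
        perror("audit_send_user_msg");   /* EPERM here: CAP_AUDIT_WRITE was lost */
        return 1;
    }
    puts("record accepted by the kernel; see ausearch(8) for where it landed");
    return 0;
}
```

Run it as root and the record is accepted even though the process ends up as uid 65534; run it as an ordinary user and sendto/recv return EPERM, which is the kernel, not auditd, enforcing the capability. strace on the real program, as Steve suggests, will show the same socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT) and sendto() calls, so the errno of the failing call is easy to spot.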
Thread overview: 8+ messages
2007-03-17 18:54 Writtign to audit with an application geckiv
2007-03-17 20:59 ` Steve Grubb
2007-03-17 21:34 ` Writting " geckiv
2007-03-17 22:24 ` Steve Grubb
2007-03-19 19:58 ` geckiv [this message]
2007-03-19 21:38 ` Steve Grubb
2007-03-17 22:50 ` Steve Grubb
2007-03-18 21:15 ` geckiv