From: "Adrian Powell" <awp@cray.com>
To: Steve Grubb <sgrubb@redhat.com>, linux-audit@redhat.com
Subject: Re: Linux audit newbie question (Sorry probably a little boring...)
Date: Sun, 7 May 2006 15:46:16 +0100 [thread overview]
Message-ID: <028601c671e5$00134470$03022c0a@kearney> (raw)
In-Reply-To: 200605081038.04062.sgrubb@redhat.com
Steve,
Thanks for the information. If we were able to go for a 2.6.14
kernel at
some point in the future, would you be fairly confident that this syscall
auditing
code would be maintained in the forseeable future ?. It appears that many
of the earlier developers have now moved on to other things from what I can
find.
Who is regarded as the definitive developer of this code these days ?.
Adrian.
----- Original Message -----
From: "Steve Grubb" <sgrubb@redhat.com>
To: <linux-audit@redhat.com>
Cc: "Adrian Powell" <awp@cray.com>
Sent: Monday, May 08, 2006 3:38 PM
Subject: Re: Linux audit newbie question (Sorry probably a little boring...)
> On Sunday 07 May 2006 10:11, Adrian Powell wrote:
>> I have a Linux system running a 2.6.5 kernel, which cannot be
>> upgraded to a later release for the time being.
>
> Hi,
>
> I think the native linux audit system landed in the 2.6.6 kernel. I think
> 2.6.14 was the kernel where we finally had things working pretty good for
> syscall auditing.
>
>> I do have the source available, and can patch it if necessary. I wish to
>> run
>> some kind of system call level auditing/logging for security purposes.
>
> I think you will likely have to do quite a bit of work. You can copy
> kernel/audit.c and kernel/auditsc.c to your old kernel as well as
> include/linux/audit.h. The problem is going to be adding all the hook
> functions to the right place.
>
>> I have the LaUS package installed with the PAM modules, but this does not
>> impliment the system call level logging that I require, without a patch.
>
> LaUS is a different and incompatible audit system. The userspace piece
> that
> you would want is the audit-1.0.14 package. There is a lot of patching of
> trusted apps, though.
>
>> The trouble is that the only patches that I can find are not compatible
>> with
>> this particular kernel.
>
> Same with porting the native linux audit system. You would have to do
> quiet a
> bit of sleuthinging around to place all the hooks in the right place. The
> native audit system also depends quite a bit on netlink, which has been
> changed a few times during 2.6 lifetime. So, you may run into problems
> with
> that, too.
>
>> What are my options here ?.
>
> I think your options includes a fair amount of porting of something. Its
> either step up to newer kernel or do backporting.
>
> -Steve
>
next prev parent reply other threads:[~2006-05-07 14:46 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-07 14:11 Linux audit newbie question (Sorry probably a little boring...) Adrian Powell
2006-05-08 14:38 ` Steve Grubb
2006-05-07 14:46 ` Adrian Powell [this message]
2006-05-08 15:12 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='028601c671e5$00134470$03022c0a@kearney' \
--to=awp@cray.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox