From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Linux audit newbie question (Sorry probably a little boring...)
Date: Mon, 8 May 2006 10:38:03 -0400
Message-ID: <200605081038.04062.sgrubb@redhat.com>
References: <027801c671e0$15e3a010$03022c0a@kearney>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <027801c671e0$15e3a010$03022c0a@kearney>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: Adrian Powell <awp@cray.com>
List-Id: linux-audit@redhat.com

On Sunday 07 May 2006 10:11, Adrian Powell wrote:
>       I have a Linux system running  a 2.6.5 kernel, which cannot be
> upgraded to a later release for the time being.

Hi,

I think the native linux audit system landed in the 2.6.6 kernel. I think 
2.6.14 was the kernel where we finally had things working pretty good for 
syscall auditing. 

> I do have the source available, and can patch it if necessary. I wish to run
> some kind of system call level auditing/logging for security purposes. 

I think you will likely have to do quite a bit of work. You can copy 
kernel/audit.c and kernel/auditsc.c to your old kernel as well as 
include/linux/audit.h. The problem is going to be adding all the hook 
functions to the right place.

> I have the LaUS package installed with the PAM modules, but this does not
> impliment the system call level  logging that I require, without a patch.

LaUS is a different and incompatible audit system. The userspace piece that 
you would want is the audit-1.0.14 package. There is a lot of patching of 
trusted apps, though.

> The trouble is that the only patches that I can find are not compatible with
> this particular kernel.

Same with porting the native linux audit system. You would have to do quiet a 
bit of sleuthinging around to place all the hooks in the right place. The 
native audit system also depends quite a bit on netlink, which has been 
changed a few times during 2.6 lifetime. So, you may run into problems with 
that, too.

> What are my options here ?.

I think your options includes a fair amount of porting of something. Its 
either step up to newer kernel or do backporting.

-Steve