public inbox for linux-audit@redhat.com
* Audit-1.0.14
@ 2006-10-11 11:49 Boyce, Kevin P. (Melbourne, FL)
  2006-10-11 12:24 ` Audit-1.0.14 Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Boyce, Kevin P. (Melbourne, FL) @ 2006-10-11 11:49 UTC (permalink / raw)
  To: Linux-audit


I am trying to use a vanilla kernel from kernel.org version 2.6.12 and
2.6.16 with the audit daemon version 1.0.14.  I am using Ubuntu, so I
have used alien to convert the Red Hat binary packages for an x86_64
architecture into *.deb files.  I can install the deb files and the
audit daemon runs, but it has trouble parsing the audit.rules file.  The
error I am getting is "Error sending insert watch request (Invalid
Argument)."

Please help.  I have a requirement to use these two kernel versions, and
unfortunately can't use Red Hat, Fedora, or their kernel binaries.  I
have recompiled my kernel with auditing turned on.  I can look in the
audit.log file and see events being written there when I start and stop
the daemon, so I know the daemon works.  I just need to know how to
parse the log file correctly.  Also when you bypass the log file and
just use auditctl -w <file to watch>, the same error is returned.

Thanks in advance.

Kevin Boyce
kevin.boyce@ngc.com


* Re: Audit-1.0.14
@ 2006-11-09 19:56 Todd, Charles
  2006-11-13 14:19 ` Audit-1.0.14 Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Todd, Charles @ 2006-11-09 19:56 UTC (permalink / raw)
  To: linux-audit

> On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> > I can install the deb files and the audit daemon runs, but it has trouble
> > parsing the audit.rules file.  The error I am getting is "Error sending
> > insert watch request (Invalid Argument)."

> This is not a parsing error... it's worse. The audit 1.0.x series was developed 
> to complement the RHEL4 kernel. At the time, it was envisioned that the 
> technique used for watches would be accepted upstream. It was rejected due to 
> some overlap with inotify, so the watch system was re-written. The audit 
> 1.2.x series has the code for the new system. Watches were not accepted 
> upstream until the 2.6.18 kernel.

> > I have a requirement to use these two kernel versions, and unfortunately
> > can't use redhat, fedora, or their kernel binaries.

> Then you are limited to inode based auditing. Or maybe if you put the things 
> you have to watch onto one partition, you can use devmajor and minor. I'd try 
> to move to a 2.6.18 kernel with the latest audit package.

> -Steve

Steve,
If I'm reading this correctly, you're telling me that the 1.0.14 auditd that ships with RHEL4u3 is immature, at best.  Does this mean that I will never get support for the dispatcher directive in /etc/auditd.conf?  I was hoping to use the development Snare scripts that Leigh put together, mainly for unified centralization of our audit trails, but it doesn't work if the dispatcher support option is missing.

I understand that file watching will not be an auditable event and that I'll have to filter out a lot of false positives.  I just want to get centralized auditing working without having to script a bunch of it myself.

Thanks!
Charlie Todd
Ball Aerospace & Technologies Corp.
ctodd- at -ball -com

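Steve's fallback for kernels without watch support, inode based rules optionally pinned to a device with devmajor/devminor, as an added example that is not part of the thread. It assumes GNU stat; the syscall list, the key name and the use of -k are assumptions to adjust to local policy, and the script only prints the rule rather than loading it.

```shell
#!/bin/sh
# Added example: build an inode/device based auditctl rule for a path,
# the workaround for audit 1.0.x on kernels that reject -w watches.
# Assumes GNU stat and the auditctl -F fields inode, devmajor, devminor.

# Split a Linux st_dev value into major and minor the way glibc's
# major()/minor() do (12-bit major, 20-bit minor).
dev_major() {
    echo $(( ($1 >> 8) & 4095 ))
}
dev_minor() {
    echo $(( ($1 & 255) | (($1 >> 12) & 1048320) ))
}

# Print an auditctl command matching PATH by inode and device number.
# The syscall list and the key (second argument, default "watch") are
# assumptions; pick what your policy needs.
audit_rule_for_path() {
    path=$1
    key=${2:-watch}
    ino=$(stat -c '%i' "$path") || return 1
    dev=$(stat -c '%d' "$path") || return 1
    maj=$(dev_major "$dev")
    min=$(dev_minor "$dev")
    printf 'auditctl -a exit,always -S open -S truncate -S unlink -S rename -F inode=%s -F devmajor=%s -F devminor=%s -k %s\n' \
        "$ino" "$maj" "$min" "$key"
}

# Caveat: an inode rule follows the inode, not the name. A tool that writes a
# new file and renames it over the old one gives the path a fresh inode, so
# the rule silently stops matching until it is regenerated.
```

Run `audit_rule_for_path /etc/passwd` to see the rule; it has to be regenerated whenever the file is replaced rather than edited in place.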