* Which userspace packages modified for audit
From: Tony Jones @ 2007-02-22 23:03 UTC
To: linux-audit

Is there a list of which userspace packages have been modified in Fedora to add calls to the audit system? I thought I had them all but I didn't :-)

Thanks!
Tony
* SUSE ELS and Audit
From: Johnston Mark (UK) @ 2007-02-23 10:18 UTC
To: linux-audit

Hi guys,

I'm really struggling to get an understanding of what kernel and audit version I need to be able to use file system watches on my SLES 10 box.

From what I've managed to read and understand, we need kernel 2.6.18 and audit version 1.2.x? Is that correct? At the moment I'm struggling to install 1.2.x, but I've managed to get the kernel up and running.

Also worth a note here ... by default, SLES 10 does not show system calls. It's disabled in /etc/sysconfig/auditd. Edit AUDITD_DISABLE_CONTEXTS, and make it ="no"

Cheers
Mark

This electronic message contains information from O2 which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address below) immediately. O2 (UK) Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 1743099. VAT number: GB 778 6037 85
* Re: SUSE ELS and Audit
From: Marcus Meissner @ 2007-02-23 10:20 UTC
To: Johnston Mark (UK); +Cc: linux-audit

On Fri, Feb 23, 2007 at 10:18:36AM -0000, Johnston Mark (UK) wrote:
> Hi guys,
>
> I'm really struggling to get an understanding of what kernel and audit
> version I need to be able to use file system watches on my SLES 10 box.
>
> From what I've managed to read and understand, we need kernel 2.6.18 and
> audit version 1.2.x ? Is that correct ? At the moment I'm struggling to
> install 1.2.x, but I've managed to get the kernel up and running.
>
> Also worth a note here ... by default, SLES 10 does not show system
> calls. It's disabled in /etc/sysconfig/auditd. Edit
> AUDITD_DISABLE_CONTEXTS, and make it ="no"

SLES 10 Service Pack 1 will have the necessary functionality, filewatches are not in the SLES 10 GA version.

Ciao, Marcus
* Re: SUSE ELS and Audit
From: Roman Drahtmueller @ 2007-02-23 10:26 UTC
To: Johnston Mark (UK); +Cc: linux-audit

Mark,

> Hi guys,
>
> I'm really struggling to get an understanding of what kernel and audit
> version I need to be able to use file system watches on my SLES 10 box.
>
> From what I've managed to read and understand, we need kernel 2.6.18 and
> audit version 1.2.x ? Is that correct ? At the moment I'm struggling to
> install 1.2.x, but I've managed to get the kernel up and running.
>
> Also worth a note here ... by default, SLES 10 does not show system
> calls. It's disabled in /etc/sysconfig/auditd. Edit
> AUDITD_DISABLE_CONTEXTS, and make it ="no"

SLES10 doesn't have file-watch until Service Pack 1, which is work-in-progress. I can make updated audit packages available for you to spare you the package building. The same accounts for the kernel package as well as pwdutils-plugin-audit. I'd be glad to know the results of your testing, in case. Contact me off-list to get the packages.

> Cheers
> Mark

Thanks,
Roman.
* RE: SUSE ELS and Audit
From: Johnston Mark (UK) @ 2007-02-23 10:59 UTC
To: Roman Drahtmueller; +Cc: linux-audit

Any ideas on when SP1 will be released?

Thanks
Mark

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Roman Drahtmueller
Sent: 23 February 2007 10:27
To: Johnston Mark (UK)
Cc: linux-audit@redhat.com
Subject: Re: SUSE ELS and Audit

[Roman Drahtmueller's message of 2007-02-23 10:26, above, quoted in full]
* Re: Which userspace packages modified for audit
From: Steve Grubb @ 2007-02-23 11:47 UTC
To: Tony Jones; +Cc: linux-audit

On Thursday 22 February 2007 18:03:40 Tony Jones wrote:
> Is there a list of which userspace packages have been modified in Fedora to
> add calls to the audit system?

passwd-0.73-1
vixie-cron-4.1-64.fc6
openssh-4.3p2-14.fc6
shadow-utils-4.0.17-12.fc6
util-linux-2.13-0.46.fc6
gdm-2.16.5-1.fc6
pam-0.99.6.2-3.15.fc6
aide-0.13-1
dbus-1.0.1-9.fc6
policycoreutils-1.34.1-4.fc6
cups-1.2.7-1.8.fc6
frysk-0.0.1.2007.02.07.rh1-1.fc6

I also think glibc's nscd is there too. But nscd & dbus are for SE Linux support.

-Steve
* Re: Which userspace packages modified for audit
From: Matthew Booth @ 2007-02-23 14:22 UTC
To: linux-audit

Steve,

If you get a minute, can you add a 1 line summary of what the modification does wrt auditing?

Thanks,
Matt

On Fri, 2007-02-23 at 06:47 -0500, Steve Grubb wrote:
> [Steve Grubb's package list of 2007-02-23 11:47, above, quoted in full]

-- 
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
* Re: Which userspace packages modified for audit
From: Steve Grubb @ 2007-02-25 18:41 UTC
To: linux-audit

On Friday 23 February 2007 09:22:42 Matthew Booth wrote:
> If you get a minute, can you add a 1 line summary of what the
> modification does wrt auditing?

I don't have time to document this for a while. They are generally all logging something.

-Steve
* Re: Which userspace packages modified for audit
From: Marcus Meissner @ 2007-02-25 18:41 UTC
To: Steve Grubb; +Cc: linux-audit

On Sun, Feb 25, 2007 at 01:41:38PM -0500, Steve Grubb wrote:
> On Friday 23 February 2007 09:22:42 Matthew Booth wrote:
> > If you get a minute, can you add a 1 line summary of what the
> > modification does wrt auditing?
>
> I don't have time to document this for a while. They are generally all logging
> something.

Most of them have just support for emitting USER_LOGIN audit records.

Are these necessary, because PAM emits USER_START / USER_END records anyway...

Ciao, Marcus
* Re: Which userspace packages modified for audit
From: Steve Grubb @ 2007-02-25 19:40 UTC
To: Marcus Meissner; +Cc: linux-audit

On Sunday 25 February 2007 13:41:56 Marcus Meissner wrote:
> Most of them have just support for emitting USER_LOGIN audit records.
>
> Are these necessary, because PAM emits USER_START / USER_END records
> anyway...

Yes. NISPOM is concerned about tracking login/logout. How do you distinguish an actual login/logout vs the start of a session with the pam records? su and cron, for example, do not do an actual login yet they create those records.

-Steve
* Re: Which userspace packages modified for audit
From: Marcus Meissner @ 2007-02-26 13:21 UTC
To: Steve Grubb; +Cc: linux-audit

On Sun, Feb 25, 2007 at 02:40:57PM -0500, Steve Grubb wrote:
> On Sunday 25 February 2007 13:41:56 Marcus Meissner wrote:
> > Most of them have just support for emitting USER_LOGIN audit records.
> >
> > Are these necessary, because PAM emits USER_START / USER_END records
> > anyway...
>
> Yes. NISPOM is concerned about tracking login/logout. How do you distinguish
> an actual login/logout vs the start of a session with the pam records? su and
> cron, for example, do not do an actual login yet they create those records.

We could really handle this together with the loginuid tracking, right? The pam_loginuid module could also generate the USER_LOGIN messages for instance?

Ciao, Marcus
* Re: Which userspace packages modified for audit
From: Steve Grubb @ 2007-02-26 14:40 UTC
To: Marcus Meissner; +Cc: linux-audit

On Monday 26 February 2007 08:21, Marcus Meissner wrote:
> > Yes. NISPOM is concerned about tracking login/logout. How do you
> > distinguish an actual login/logout vs the start of a session with the pam
> > records? su and cron, for example, do not do an actual login yet they
> > create those records.
>
> We could really handle this together with the loginuid tracking, right?

No, cron sets the loginuid because the action performed by the scripts is on a certain user's behalf. Everything is the way it is for a reason.

-Steve
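The distinction Steve draws above (USER_START/USER_END are emitted for any PAM session, including the ones su and cron open, while USER_LOGIN marks an actual login) is easiest to see on log lines. The following is an added example written for this page, not code from the audit project or from any of the posters. The records are constructed to approximate the audit.log layout of the 1.x era, and the "same program already reported USER_LOGIN for the same auid" rule is a heuristic chosen for this sample rather than anything the thread states:

```python
import re

# Constructed sample records (not from the thread): one ssh login by
# auid 500, then PAM session open/close records from sshd, su and crond.
# Only the sshd session corresponds to a real login.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1172432145.123:45): user pid=2345 uid=0 auid=500 msg='uid=500: exe="/usr/sbin/sshd" (hostname=ws1.example.com, addr=10.0.0.5, terminal=sshd res=success)'
type=USER_START msg=audit(1172432145.456:46): user pid=2345 uid=0 auid=500 msg='PAM: session open acct=mark : exe="/usr/sbin/sshd" (hostname=ws1.example.com, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_START msg=audit(1172432200.001:47): user pid=2400 uid=0 auid=500 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1172432260.002:48): user pid=2500 uid=0 auid=500 msg='PAM: session open acct=mark : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1172432261.003:49): user pid=2500 uid=0 auid=500 msg='PAM: session close acct=mark : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1172432300.004:50): user pid=2400 uid=0 auid=500 msg='PAM: session close acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_END msg=audit(1172432900.005:51): user pid=2345 uid=0 auid=500 msg='PAM: session close acct=mark : exe="/usr/sbin/sshd" (hostname=ws1.example.com, addr=10.0.0.5, terminal=ssh res=success)'
"""

# type=... msg=audit(SECONDS.MILLIS:SERIAL): <fields>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# key=value pairs; quoted values may contain spaces, bare ones stop at whitespace
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into its type, timestamp, serial and key=value fields.
    Returns None for lines that do not carry the audit(...) header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {
        "type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    for key, value in FIELD_RE.findall(m.group("rest")):
        # strip the punctuation that trails bare values inside the msg='...' part
        rec[key] = value.rstrip(",)'").strip('"')
    return rec


def summarize(log_text):
    """Count real logins (USER_LOGIN) against PAM session starts (USER_START)
    and name the programs that opened sessions without ever reporting a login.
    Sorting by serial keeps the order the kernel assigned, whatever the file order."""
    records = sorted(
        (r for r in map(parse_record, log_text.splitlines()) if r),
        key=lambda r: r["serial"])
    logins = [r for r in records if r["type"] == "USER_LOGIN"]
    starts = [r for r in records if r["type"] == "USER_START"]

    seen_logins = set()
    non_login_exes = []
    for r in records:
        if r["type"] == "USER_LOGIN":
            seen_logins.add((r["auid"], r["exe"]))
        elif r["type"] == "USER_START":
            # Heuristic for this sample: a session start is "a login's session"
            # only if the same program already logged USER_LOGIN for that auid.
            if (r["auid"], r["exe"]) not in seen_logins:
                non_login_exes.append(r["exe"])

    return {
        "logins": len(logins),
        "session_starts": len(starts),
        "non_login_session_exes": non_login_exes,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("USER_LOGIN records:     ", summary["logins"])
    print("USER_START records:     ", summary["session_starts"])
    print("sessions without login: ", summary["non_login_session_exes"])
```

Run as-is, the sample yields one login but three session starts; the two extra sessions come from /bin/su and /usr/sbin/crond, which is exactly why counting USER_START cannot substitute for USER_LOGIN when the requirement is to track logins and logouts. To try it on a real file, replace SAMPLE_LOG with the contents of /var/log/audit/audit.log and expect the field layout to differ somewhat across audit versions.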
* Re: Which userspace packages modified for audit
From: Matthew Booth @ 2007-02-25 22:15 UTC
To: Steve Grubb; +Cc: linux-audit

On a related note, what's the api for injecting an arbitrary audit event from userspace in 1.0.15? There doesn't appear to be anything obvious in the man pages.

Thanks,
Matt

On Sun, 2007-02-25 at 13:41 -0500, Steve Grubb wrote:
> On Friday 23 February 2007 09:22:42 Matthew Booth wrote:
> > If you get a minute, can you add a 1 line summary of what the
> > modification does wrt auditing?
>
> I don't have time to document this for a while. They are generally all logging
> something.
>
> -Steve
* Re: Which userspace packages modified for audit
From: Steve Grubb @ 2007-02-25 22:30 UTC
To: Matthew Booth; +Cc: linux-audit

On Sunday 25 February 2007 17:15:23 Matthew Booth wrote:
> On a related note, what's the api for injecting an arbitrary audit event
> from userspace in 1.0.15?

audit_log_user_message().

> There doesn't appear to be anything obvious in the man pages.

There are several APIs to enforce consistent messages depending on the purpose. They all start with audit_log_ .

-Steve
* Re: Which userspace packages modified for audit
From: Matthew Booth @ 2007-02-25 22:35 UTC
To: Steve Grubb; +Cc: linux-audit

On Sun, 2007-02-25 at 17:30 -0500, Steve Grubb wrote:
> On Sunday 25 February 2007 17:15:23 Matthew Booth wrote:
> > On a related note, what's the api for injecting an arbitrary audit event
> > from userspace in 1.0.15?
>
> audit_log_user_message().
>
> > There doesn't appear to be anything obvious in the man pages.
>
> There are several APIs to enforce consistent messages depending on the
> purpose. They all start with audit_log_ .

That's a lot of choices. I specifically want to log a message in my ausetauid utility containing the full command line executed under a different auid. To make sure it turns up in searches, I want it to have the same audit event ID as the LOGIN message it generates. Is this achievable, and which function should I read the source for ;) ?

Thanks,
Matt
* Re: Which userspace packages modified for audit
From: Steve Grubb @ 2007-02-25 23:07 UTC
To: Matthew Booth; +Cc: linux-audit

On Sunday 25 February 2007 17:35:08 Matthew Booth wrote:
> > There are several APIs to enforce consistent messages depending on the
> > purpose. They all start with audit_log_ .
>
> That's a lot of choices. I specifically want to log a message in my
> ausetauid utility containing the full command line executed under a
> different auid.

You would need to build your message in a buffer and pass it to audit_log_user_message() as the message param since an API has not been built for the purpose you described in 1.0.15. You will also want to follow naming conventions laid out in the parsing spec.

> To make sure it turns up in searches, I want it to have the same audit event
> ID as the LOGIN message it generates.

No can do.

> Is this achievable, and which function should I read the source for ;) ?

Nope. Setting the loginuid is a discrete event seen from the kernel's perspective.

-Steve
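What "build your message in a buffer and follow the naming conventions" amounts to in practice, as an added example written for this page and not code from the audit project or from Matt's ausetauid: the security-relevant part is how the untrusted command line is encoded, because a value containing spaces, quotes or control characters could otherwise forge extra key=value pairs in the record. The quote-or-hex rule below mirrors the one later libaudit releases implement in audit_encode_nv_string() (that function is not in 1.0.15, hence the reimplementation); the field names op=, acct=, new-auid= and cmd= are choices for this hypothetical tool, and the python-audit binding used in send_user_message() is assumed to wrap the C audit_log_user_message(fd, type, message, hostname, addr, tty, result) call:

```python
# Lowest and highest byte values libaudit passes through unencoded.
PRINTABLE_LOW, PRINTABLE_HIGH = 0x21, 0x7E


def needs_encoding(value: str) -> bool:
    """Same decision libaudit makes: a space, control character, DEL,
    non-ASCII character or double quote means the value cannot be quoted
    safely, so it must be hex-encoded instead of placed in the record as-is."""
    return any(ord(c) < PRINTABLE_LOW or ord(c) > PRINTABLE_HIGH or c == '"'
               for c in value)


def encode_nv(name: str, value: str) -> str:
    """name="value" for clean values, name=HEX (uppercase) for anything else,
    the same shape ausearch expects for hex-encoded fields."""
    if needs_encoding(value):
        return f"{name}={value.encode('utf-8').hex().upper()}"
    return f'{name}="{value}"'


def build_setauid_message(acct: str, new_auid: int, argv: list) -> str:
    """Message body for a hypothetical ausetauid-style tool. op= names the
    action, acct= the account, new-auid= the login uid being set, cmd= the
    untrusted command line. libaudit appends exe=, hostname=, addr=,
    terminal= and res= itself, so they are deliberately not added here."""
    return " ".join([
        "op=set-auid",
        encode_nv("acct", acct),
        f"new-auid={int(new_auid)}",
        encode_nv("cmd", " ".join(argv)),
    ])


def send_user_message(message: str) -> bool:
    """Hand the finished buffer to the kernel through the python-audit
    binding (assumption: it exposes audit_open, audit_log_user_message,
    audit_close and AUDIT_USER like the C library). The kernel assigns the
    serial number, so this record and the LOGIN record produced by writing
    /proc/self/loginuid get distinct event IDs; they can only be correlated
    by auid, pid and time, not joined on one ID. Returns False when the
    binding is absent or the caller lacks CAP_AUDIT_WRITE; nothing is faked."""
    try:
        import audit
    except ImportError:
        return False
    fd = audit.audit_open()
    if fd < 0:
        return False
    try:
        rc = audit.audit_log_user_message(fd, audit.AUDIT_USER, message,
                                          None, None, None, 1)
        return rc > 0
    finally:
        audit.audit_close(fd)


if __name__ == "__main__":
    msg = build_setauid_message("mark", 500, ["id", "-u"])
    print(msg)
    print("delivered:", send_user_message(msg))
```

The command line in the example is emitted as cmd=6964202D75 rather than cmd="id -u": the space forces hex encoding, which is the same reason real records show proctitle and cmd fields as hex. A search with ausearch -i decodes such fields back to text.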