which kernel config is required?

which kernel config is required?

[MontyRee]

[-- Attachment #1.1: Type: text/plain, Size: 570 bytes --]

Hello all.
 
My kernel is 2.6.19 at Centos 4.x.
and I have selected below kernel menu. 
 
[*] Auditing support                                                                                      │ │[*]   Enable system-call auditing support
 
But it seems that auditd doesn't works well.
 
Which menu should I select to use full audit function?
When I using rpm kernel, it works well.
 
 
 
Thanks in advance.
 
 
 
_________________________________________________________________
확 달라진 MSN 홈페이지, 지금 바로 만나보세요!
http://www.msn.co.kr

[-- Attachment #1.2: Type: text/html, Size: 1340 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: which kernel config is required?

[Steve Grubb]

On Monday 22 October 2007 22:38:37 MontyRee wrote:
> My kernel is 2.6.19 at Centos 4.x.

That would be unfortunate. I don't use Centos and have no good idea about 
their versioning. But if they've moved to 2.6.19 and the 4.x means RHEL4 
compatibility, I have a feeling the audit system won't work correctly. There 
were big changes between RHEL4 & 5 that require new audit packages. What 
does "uname -r" show you?

> and I have selected below kernel menu.
>
> [*] Auditing support                                                       
>                               │ │[*]   Enable system-call auditing support

You also need to enable file system auditing support in RHEL4 based kernels. 
If you have a 2.6.19 based kernel, the user space audit packages will have to 
be changed out. The communication between user space and kernel is different.

-Steve

RE: which kernel config is required?

[MontyRee]

Thanks for Steve about kind answer.


But I don't use rpm based kernel which installed automatically from the CD
but downloading the kernel source from the kernel.org site and compiles the kernel.
So I can use 2.6.19 or 2.6.23, but I don't know which menu should be selected
to use full auditd function?

Surely, I will use RHEL 5 based system sooner,
but I must do kernel compile for some reason.


> You also need to enable file system auditing support in RHEL4 based kernels.
you mean File systems  ---> Filesystem in Userspace support?

if not, please let me know which kernel menu is..


Thanks for your help again.



Regards.



_________________________________________________________________
MSN 메신저의 차세대 버전, Windows Live Messenger!
http://windowslive.msn.co.kr/wlm/messenger/

RE: which kernel config is required?

[Eric Paris]

On Wed, 2007-10-24 at 23:43 +0000, MontyRee wrote:
> 
> Thanks for Steve about kind answer.
> 
> 
> But I don't use rpm based kernel which installed automatically from the CD
> but downloading the kernel source from the kernel.org site and compiles the kernel.
> So I can use 2.6.19 or 2.6.23, but I don't know which menu should be selected
> to use full auditd function?
> 
> Surely, I will use RHEL 5 based system sooner,
> but I must do kernel compile for some reason.
> 
> 
> > You also need to enable file system auditing support in RHEL4 based kernels.
> you mean File systems  ---> Filesystem in Userspace support?
> 
> if not, please let me know which kernel menu is..
> 
> 
> Thanks for your help again.

He was saying that you have to get the new auditd as the one shipped
with RHEL4/CentOS4 is not going to work.  If you move to the newer
kernels move to the newer auditd as well.  RHEL5 should have an auditd
that works.
> 
> 
> 
> Regards.
> 
> 
> 
> _________________________________________________________________
> MSN 메신저의 차세대 버전, Windows Live Messenger!
> http://windowslive.msn.co.kr/wlm/messenger/
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

Re: which kernel config is required?

[Steve Grubb]

On Wednesday 24 October 2007 07:43:01 pm MontyRee wrote:
> But I don't use rpm based kernel which installed automatically from the CD
> but downloading the kernel source from the kernel.org site and compiles the
> kernel. 

Part of the value that a distribution provides is coordinating all the pieces 
to work together. When you do your own upgrades outside of the distribution, 
you have to know a whole lot about how the whole thing works.

If you want cutting edge system, I recommend going to F8t3 also known as 
rawhide and F8 as soon as that is released. All the pieces are coordinated so 
they work together. If you want something recent and very stable, look to 
RHEL5 or its derivatives. If you want something well tested and stable, use 
RHEL4 or its derivatives. 

But you cannot mix kernels between RHEL4 & 5. Even replacing the audit daemon 
might not be enough. I suspect you will have to recompile everything that 
depends on libaudit.

> So I can use 2.6.19 or 2.6.23, but I don't know which menu should 
> be selected to use full auditd function?

In recent kernels, I think the setting you mentioned in the first email is all 
you need.

> Surely, I will use RHEL 5 based system sooner, but I must do kernel compile
> for some reason.

I really don't know if you can mix 2.6.23 with RHEL5. There are big changes in 
hotplug, for example, and other things that the packages shipped with RHEL5 
(udev/hal) might not work with. You'll have to try it to find out. But 
another reason to stick with a distribution's kernel is that not even the 
2.6.23 kernel has all the audit pieces that the RHEL5.1 kernel has. They are 
merging with the 2.6.24 kernel.

> you mean File systems  ---> Filesystem in Userspace support?

Nope. I was talking about the actual RHEL4 kernel, not 2.6.23.

Good Luck...

-Steve