From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kangkook Jee
Subject: Running auditd from Raspberry Pi (Raspbian)
Date: Fri, 23 Oct 2015 19:16:40 -0400
To: linux-audit@redhat.com

Hi, all

From my Raspberry Pi machine (running Debian Wheezy distribution), I could see the kernel is built with audit enabled, and I could manage to install user-space audit client with the following command.

pi@raspberrypi ~ $ sudo apt-get install auditd

However, when I tried to enable audit issuing the following commands it doesn’t seem to run properly.

pi@raspberrypi ~ $ sudo auditctl -l
No rules
pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
Error detecting machine type
pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
arch=armeb machine type not found

Can anyone tell me whether audit supports ARM-based Linux systems?

Here’s my system information and thanks a lot for your help in advance!

pi@raspberrypi ~ $ sudo uname -a
Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015 armv7l GNU/Linux
pi@raspberrypi ~ $ dpkg -l |grep audit
ii  auditd     1:1.7.18-1.1  armhf  User space tools for security auditing
ii  libaudit0  1:1.7.18-1.1  armhf  Dynamic library for security auditing

Regards,
Kangkook


From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Running auditd from Raspberry Pi (Raspbian)
Date: Mon, 26 Oct 2015 11:55:05 -0400
Message-ID: <1761781.EmJWtSeSBl@x2>
To: linux-audit@redhat.com

On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
> Hi, all
>
> From my Raspberry Pi machine (running Debian Wheezy distribution), I could
> see the kernel is built with audit enabled, and I could manage to install
> user-space audit client with the following command.
>
> pi@raspberrypi ~ $ sudo apt-get install auditd
>
> However, when I tried to enable audit issuing the following commands it
> doesn’t seem to run properly.
>
> pi@raspberrypi ~ $ sudo auditctl -l
> No rules
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
> Error detecting machine type
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
> arch=armeb machine type not found
>
> Can anyone tell me whether audit supports ARM-based Linux systems?

Yes. It was added starting in 2.0.4 and was corrected several times.

> Here’s my system information and thanks a lot for your help in advance!
>
> pi@raspberrypi ~ $ sudo uname -a
> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
> armv7l GNU/Linux
>
> pi@raspberrypi ~ $ dpkg -l |grep audit
> ii  auditd     1:1.7.18-1.1  armhf  User space tools for security auditing
> ii  libaudit0  1:1.7.18-1.1  armhf

That one is too old. You need a newer audit package.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kangkook Jee
Subject: Re: Running auditd from Raspberry Pi (Raspbian)
Date: Mon, 26 Oct 2015 13:13:57 -0400
In-Reply-To: <1761781.EmJWtSeSBl@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com

Thanks a lot for your support. I will try with newer version and let you know how it goes!

Regards, Kangkook

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kangkook Jee
Subject: Re: Running auditd from Raspberry Pi (Raspbian)
Date: Mon, 26 Oct 2015 16:25:57 -0400
Message-ID: <7941F2ED-39A0-45E7-815D-5F46CD859579@gmail.com>
In-Reply-To: <1761781.EmJWtSeSBl@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com

Dear Steve,

I built auditctl from recent audit source and tried it again but I failed with the following errors.

pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
(reverse-i-search)`b': sudo auditctl -e1 -^C102400
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
arch elf mapping not found
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
Error detecting machine type

Would you help me with this?

Thanks a lot for your help again!

Regards, Kangkook

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Running auditd from Raspberry Pi (Raspbian)
Date: Mon, 26 Oct 2015 16:37:54 -0400
Message-ID: <2580157.z3kgxFZchv@x2>
In-Reply-To: <7941F2ED-39A0-45E7-815D-5F46CD859579@gmail.com>
To: Kangkook Jee
Cc: linux-audit@redhat.com

On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
> Dear Steve,
>
> I built auditctl from recent audit source and tried it again but I failed
> with the following errors.
>
> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320
> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F
> arch=armeb -S clone arch elf mapping not found
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
> Error detecting machine type
>
> Would you help me with this?

Did you add --with-arm to the ./configure line? It's disabled by default.

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kangkook Jee
Subject: Re: Running auditd from Raspberry Pi (Raspbian)
Date: Mon, 26 Oct 2015 16:57:18 -0400
Message-ID: <079DE06B-6E74-486D-8031-847A378DACF8@gmail.com>
In-Reply-To: <2580157.z3kgxFZchv@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com

I added "--with-armeb" should it be just "--with-arm" ?

This following shows my configuration status.

pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-armeb'"
  set X /bin/bash './configure'  '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf"

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kangkook Jee
Subject: Re: Running auditd from Raspberry Pi (Raspbian)
Date: Mon, 26 Oct 2015 17:18:12 -0400
Message-ID: <75B9BC31-3878-4739-8F47-369C4FD5FFA5@gmail.com>
In-Reply-To: <079DE06B-6E74-486D-8031-847A378DACF8@gmail.com>
To: Steve Grubb
Cc: linux-audit@redhat.com

This time, I built with --with-arm option and tried again. It still fails but with different error message.

pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-arm'"
  set X /bin/bash './configure'  '--with-arm' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf"
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
Error sending add rule data request (Invalid argument)

> On Oct 26, 2015, at 4:57 PM, Kangkook Jee wrote:
>
> I added "--with-armeb" should it be just "--with-arm" ?
>
> This following shows my configuration status.
>
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-armeb'"
>   set X /bin/bash './configure'  '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
> host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf"
>
>> On Oct 26, 2015, at 4:37 PM, Steve Grubb wrote:
>>
>> On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
>>> Dear Steve,
>>>
>>> I built auditctl from recent audit source and tried it again but I failed
>>> with the following errors.
>>>
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
>>> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320
>>> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F
>>> arch=armeb -S clone arch elf mapping not found
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
>>> Error detecting machine type
>>>
>>> Would you help me with this?
>>
>> Did you add --with-arm to the ./configure line? It's disabled by default.
>>
>> -Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Running auditd from Raspberry Pi (Raspbian)
Date: Mon, 26 Oct 2015 23:12:28 -0400
Message-ID: <1510421.Y9nL66ejeu@x2>
In-Reply-To: <75B9BC31-3878-4739-8F47-369C4FD5FFA5@gmail.com>
To: Kangkook Jee
Cc: linux-audit@redhat.com

On Monday, October 26, 2015 05:18:12 PM Kangkook Jee wrote:
> This time, I built with --with-arm option and tried again. It still fails but
> with different error message.
>
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-arm'"
>   set X /bin/bash './configure'  '--with-arm' $ac_configure_extra_args --no-create --no-recursion
> host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf"
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
> Error sending add rule data request (Invalid argument)

If this works:

ausyscall armeb open

returns something like:

open               5
mq_open            274
openat             322
perf_event_open    364
open_by_handle_at  371

Then user space is working. Anything else would be kernel issues.

-Steve
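
The decision path the replies in this thread follow (package older than 2.0.4, build without `--with-arm`, then the `ausyscall` check to separate user space from kernel), written out as an added shell example. It is not code from the thread or from the audit project; the function names and category labels are hypothetical, and grouping the two "machine type" errors with "arch elf mapping not found" is an assumption drawn from the order in which they appear above.

```shell
#!/bin/sh
# Added example (not from the thread or the audit package): triage of the
# auditctl failures reported above. Function and category names are hypothetical.

# Reduce a Debian package version such as "1:1.7.18-1.1" to upstream "1.7.18".
upstream_version() {
    v=${1#*:}                 # drop the epoch, if any
    printf '%s\n' "${v%%-*}"  # drop the Debian revision, if any
}

# Succeed when dotted version $1 >= $2. Assumes purely numeric fields.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Succeed when every non-empty line of $1 is "<syscall name> <number>",
# the shape of the ausyscall output quoted in the last reply.
is_syscall_table() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        NF != 2 || $2 !~ /^[0-9]+$/ { bad = 1 }
        { n++ }
        END { if (n > 0 && !bad) exit 0; exit 1 }'
}

# $1 = audit package version, $2 = auditctl error text, $3 = ausyscall output
triage_audit() {
    # ARM support was added starting in 2.0.4, per the first reply.
    if ! version_ge "$(upstream_version "$1")" 2.0.4; then
        echo userspace-too-old
        return 0
    fi
    case $2 in
        *"machine type"*|*"arch elf mapping not found"*)
            # Seen in the thread before the rebuild with --with-arm.
            echo userspace-lacks-arm-support ;;
        *"Error sending add rule data request"*)
            # Last reply: if ausyscall resolves names, user space is working.
            if is_syscall_table "$3"; then
                echo kernel-side
            else
                echo userspace-syscall-lookup
            fi ;;
        *)
            echo unknown ;;
    esac
}

# Sample ausyscall output as quoted in the last reply of the thread.
TABLE='open               5
mq_open            274
openat             322
perf_event_open    364
open_by_handle_at  371'

# The three situations from the thread, in order.
triage_audit '1:1.7.18-1.1' 'Error detecting machine type' ''
triage_audit '2.4.4' 'arch elf mapping not found' ''
triage_audit '2.4.4' 'Error sending add rule data request (Invalid argument)' "$TABLE"
```
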