* File watches supported in Audit 1.1.5 on Fedora Core 5?
From: Jonathan Abbey @ 2006-06-20 0:52 UTC (permalink / raw)
To: linux-audit
Hi, folks. I'm working on getting Audit working on Fedora Core 5,
using the latest assembly of RPMS from Fedora:
audit-libs-1.1.5-1
audit-libs-devel-1.1.5-1
audit-libs-python-1.1.5-1
audit-1.1.5-1
and I'm having quite a few problems with it. It appears that,
contrary to the man pages in the audit RPM, file watches are not
supported.
Likewise, many of the example rules in /usr/share/doc/audit-1.1.5/sample.rules,
such as
# Auditing failed opens
-a entry,always -S open -F success!=0
seem to be out of step with the actual rules supported by
/sbin/auditctl and/or the kernel. (I get the sensible 'Field success
cannot be checked at syscall entry' message).
Now, I understand from the Audit System FAQ at
http://people.redhat.com/sgrubb/audit/
that file watches in the kernel are being refactored to use inotify,
so I presume that explains why auditctl tells me that 'File system
watches not supported' when I run 'auditctl -L', and why it gives me a
vaguer complaint when I actually try to run 'auditctl -w'.
My questions are these:
Would the latest FC5 kernels support inotify-based file watches with a
more recent version of the Audit user tools?
Is there any up-to-date documentation that would serve me better than
that in the /usr/share/doc/audit-1.1.5 directory on FC5? I don't see
any on Steve Grubb's Audit page.
Thanks,
Jon
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey@arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
* Re: File watches supported in Audit 1.1.5 on Fedora Core 5?
From: Steve Grubb @ 2006-06-20 2:08 UTC (permalink / raw)
To: linux-audit
On Monday 19 June 2006 20:52, Jonathan Abbey wrote:
> It appears that, contrary to the man pages in the audit RPM, file watches
> are not supported.
The file system watches in 1.1.5 are the kind that the RHEL4 kernel is
expecting. We had trouble merging the patches into the kernel.org kernel and
had to spend a long time rewriting the subsystem.
> Likewise, many of the example rules in
> /usr/share/doc/audit-1.1.5/sample.rules, such as
>
> # Auditing failed opens
> -a entry,always -S open -F success!=0
>
> seem to be out of step with the actual rules supported by
> /sbin/auditctl and/or the kernel. (I get the sensible 'Field success
> cannot be checked at syscall entry' message).
Right, so you just move the rule to the exit filter.
> Would the latest FC5 kernels support inotify-based file watches with a
> more recent version of the Audit user tools?
The file system watches are scheduled to land in the 2.6.18 kernel. We have a
test kernel that you can test with in the meantime:
http://people.redhat.com/sgrubb/files/lspp/
> Is there any up-to-date documentation that would serve me better than
> that in the /usr/share/doc/audit-1.1.5 directory on FC5? I don't see
> any on Steve Grubb's Audit page.
This mail list is a good place to ask. We have not done much in terms of
tutorials or HOWTOs because half the audit system has been missing from
common kernels. The 1.2.x series audit packages are reworked to fit the file
system audit code that goes with the 2.6.18 kernel. I will push that into
Fedora Core 5 when 2.6.18 starts into the rc phase. So, if you want to
experiment, install a lspp kernel and build a 1.2.x audit package for fc5.
You should be set.
-Steve
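Steve's answer to the failing sample rule is that a rule testing the syscall result belongs on the exit filter, because the 'success' field is only known once the syscall has returned. The following is an added example, not code from the thread or from the audit package: a small POSIX sh helper that rewrites entry-filter rules carrying a '-F success' test onto the exit list, and leaves rules whose fields are known at entry (uid, for instance) untouched. It assumes the auditctl rule syntax shown in sample.rules ('-a list,action -S syscall -F field'), in either 'entry,always' or 'always,entry' order.

```shell
#!/bin/sh
# Added example (not from the thread): move audit rules that test the
# syscall result from the entry filter to the exit filter. auditctl
# rejects '-F success' on the entry list ("Field success cannot be
# checked at syscall entry"), since the result does not exist yet.

# fix_rule RULE
#   Prints RULE unchanged unless it is an entry-filter rule that tests
#   the 'success' field, in which case only the list name is rewritten
#   to 'exit'; the action, syscall and field filters are preserved.
fix_rule() {
    rule=$1
    case "$rule" in
        *"-F success"*)
            case "$rule" in
                *"-a entry,"*|*",entry "*)
                    printf '%s\n' "$rule" \
                        | sed -e 's/-a entry,/-a exit,/' \
                              -e 's/-a \([a-z]*\),entry /-a \1,exit /'
                    return
                    ;;
            esac
            ;;
    esac
    printf '%s\n' "$rule"
}

# fix_rules_file FILE
#   Prints a corrected copy of an audit rules file (the sample.rules
#   format): comments and blank lines pass through, every other line
#   goes through fix_rule.
fix_rules_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) printf '%s\n' "$line" ;;
            *)      fix_rule "$line" ;;
        esac
    done < "$1"
}

# Constructed sample input, mirroring the rule from the first message.
# Running this script directly prints the corrected rule.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_RULE_FIX_NO_DEMO" ]; then
    fix_rule '-a entry,always -S open -F success!=0'
fi
```

Run the corrected output through auditctl -R as usual; the helper only changes the list name, so any rule auditctl would still reject for another reason is reported by auditctl itself.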
* Re: File watches supported in Audit 1.1.5 on Fedora Core 5?
From: Steve @ 2006-06-20 11:43 UTC (permalink / raw)
To: linux-audit
> install a lspp kernel and build a 1.2.x audit package for fc5.
> You should be set.
This may be of use: I installed the lspp kernel and had to do the
following to get audit installed on FC5...
Download the latest unifdef, glibc-kernheaders, and audit from:
http://mirrors.usc.edu/pub/linux/distributions/fedora/core/development/source/SRPMS/
# rpmbuild --rebuild unifdef-*.src.rpm
# cd /usr/src/redhat/RPMS
# rpm -ivh unifdef*
# cd -
# rpmbuild --rebuild glibc-kernheaders-*.src.rpm
# cd -
# rpm -Uvh glibc-kernheaders*
# cd -
# rpmbuild --rebuild audit-*.src.rpm
# cd -
# rpm -Uvh audit*
Steve
* Re: File watches supported in Audit 1.1.5 on Fedora Core 5?
From: Michael C Thompson @ 2006-06-20 15:20 UTC (permalink / raw)
To: Steve; +Cc: linux-audit
Steve wrote:
>> install a lspp kernel and build a 1.2.x audit package for fc5. You
>> should be set.
>
> This may be of use: I installed the lspp kernel and had to do the
> following to get audit installed on FC5...
>
> Download the latest unifdef, glibc-kernheaders, and audit from:
> http://mirrors.usc.edu/pub/linux/distributions/fedora/core/development/source/SRPMS/
>
>
> # rpmbuild --rebuild unifdef-*.src.rpm
> # cd /usr/src/redhat/RPMS
> # rpm -ivh unifdef*
> # cd -
> # rpmbuild --rebuild glibc-kernheaders-*.src.rpm
> # cd -
> # rpm -Uvh glibc-kernheaders*
> # cd -
> # rpmbuild --rebuild audit-*.src.rpm
> # cd -
> # rpm -Uvh audit*
>
> Steve
You can also install audit from rawhide, or "fedora-development.repo".
This is a bit easier and has worked for me with minimal effort :) Just
enable fedora-development.repo and yum install audit.
Mike
* Re: File watches supported in Audit 1.1.5 on Fedora Core 5?
From: Jonathan Abbey @ 2006-06-21 0:32 UTC (permalink / raw)
To: linux-audit
On Mon, Jun 19, 2006 at 10:08:55PM -0400, Steve Grubb wrote:
| This mail list is a good place to ask. We have not done much in terms of
| tutorials or HOWTOs because half the audit system has been missing from
| common kernels. The 1.2.x series audit packages are reworked to fit the file
| system audit code that goes with the 2.6.18 kernel. I will push that into
| Fedora Core 5 when 2.6.18 starts into the rc phase. So, if you want to
| experiment, install a lspp kernel and build a 1.2.x audit package for fc5.
| You should be set.
I installed the
kernel-2.6.17-1.2293.2.1_FC6.lspp.37.i686.rpm
kernel-devel-2.6.17-1.2293.2.1_FC6.lspp.37.i686.rpm
RPMs, but when I try to rebuild audit-1.2.3-1.src.rpm under the latest kernel,
I get the complaint about the kernel-headers being out of date.
Is there another component I can install on top of Fedora Core 5, or
do I need to move wholesale to rawhide?
Jon
| -Steve
* Re: File watches supported in Audit 1.1.5 on Fedora Core 5?
From: Steve Grubb @ 2006-06-21 3:05 UTC (permalink / raw)
To: linux-audit
On Tuesday 20 June 2006 20:32, Jonathan Abbey wrote:
> Is there another component I can install on top of Fedora Core 5, or
> do I need to move wholesale to rawhide?
Just get the rawhide glibc-kernheaders source rpm and install that. Do an
rpmbuild -bp to get it to expand the source code, then find the audit.h file
and copy it to /usr/include/linux. You can save the old one just in case you
ever need it. You should be safe rolling that one file forward. I would not
update any other file from rawhide's package.
-Steve