From: geckiv
Subject: Re: Writing to audit with an application
Date: Mon, 19 Mar 2007 15:58:46 -0400
Message-ID: <45FEEB76.3070908@optonline.net>
In-reply-to: <200703171824.37027.sgrubb@redhat.com>
References: <45FC397E.3050307@optonline.net> <200703171659.20981.sgrubb@redhat.com> <45FC5F01.4070504@optonline.net> <200703171824.37027.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve,
    I never heard of dbus before. Is there an example of how it keeps its CAP_AUDIT_WRITE and changes uids? Is this just using setuid() somehow?

Thanks,

Frank

Steve Grubb wrote:
>On Saturday 17 March 2007 17:34:57 geckiv wrote:
>
>> Thanks for the reply. I must have something wrong with my system as I
>>can't get it to work even running it as root. I get an error of:
>>
>>FAILURE: errno = 22
>>Error writing audit file: Invalid argument
>>Error writing audit: Illegal seek
>
>This does sound wrong. Maybe strace would shed some light on how it's going
>wrong? What kernel are you using?
>
>>Also how do I set auditd to allow other process(es) running not as root
>>to write to the netlink/kernel (i.e. set CAP_AUDIT_WRITE)?
>
>You can't. The audit system is designed to be high integrity, meaning only
>trusted apps or processes that run as root, or started as root but dropped
>privileges keeping CAP_AUDIT_WRITE. The audit event is written to the kernel,
>not auditd (meaning the kernel must be compiled with syscall audit support at
>a minimum). The kernel may decide to give the event to auditd.
>
>>I could not find any info on this. Also where do I find these trusted app
>>examples?
>
>dbus, nscd, passwd, shadow-utils, pam, ...
>
>>Is this something I download the src of Linux and look for?
>
>No, dbus is an example of a program that keeps CAP_AUDIT_WRITE after starting
>as root but changes uids. passwd is setuid root. pam runs as part of
>applications that stay root.
>
>-Steve
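The mechanism Steve describes (start as root, switch to an ordinary uid, keep only CAP_AUDIT_WRITE, then hand the record to the kernel over netlink) as an added worked example; this is editor-written code, not code from this thread, from dbus or from libaudit. It uses raw syscalls instead of libcap-ng/libaudit so the steps are visible, and it assumes a uid/gid pair passed on the command line plus a made-up message text.

```c
/* Added example (not code from this thread, from dbus or from libaudit):
 * the "start as root, change uid, keep CAP_AUDIT_WRITE" pattern in raw
 * syscalls, then a USER record sent to the kernel over NETLINK_AUDIT.
 * Assumed: a uid/gid pair on the command line and a made-up message text. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/netlink.h>

/* capset(2) payload holding only CAP_AUDIT_WRITE, permitted and effective.
 * Inheritable stays empty so anything we exec later does not get it. */
void audit_write_only(struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    memset(data, 0, _LINUX_CAPABILITY_U32S_3 * sizeof(*data));
    data[CAP_TO_INDEX(CAP_AUDIT_WRITE)].permitted = CAP_TO_MASK(CAP_AUDIT_WRITE);
    data[CAP_TO_INDEX(CAP_AUDIT_WRITE)].effective = CAP_TO_MASK(CAP_AUDIT_WRITE);
}

/* Run as root: become uid/gid, keep CAP_AUDIT_WRITE, lose every other
 * capability. Returns 0 or -errno. */
int drop_privs_keep_audit_write(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    /* Without KEEPCAPS the kernel empties the permitted set as soon as no
     * uid is 0; with it, permitted survives but effective is still cleared. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -errno;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -errno;
    /* Re-raise the one capability we need from permitted into effective
     * and drop everything else from permitted at the same time. */
    audit_write_only(data);
    if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return 0;
}

/* Lay out a NETLINK_AUDIT request carrying one USER record. Returns the
 * byte count to send, or 0 if the buffer is too small. Only the header and
 * the text come from user space; pid, uid and auid are filled in by the
 * kernel, which is why those fields cannot be forged from here. */
size_t build_audit_user_msg(const char *text, struct nlmsghdr *nlh, size_t cap)
{
    size_t payload = strlen(text) + 1;          /* NUL included, as libaudit does */
    if (NLMSG_SPACE(payload) > cap) return 0;
    memset(nlh, 0, NLMSG_SPACE(payload));
    nlh->nlmsg_len = NLMSG_LENGTH(payload);
    nlh->nlmsg_type = AUDIT_USER;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq = 1;
    memcpy(NLMSG_DATA(nlh), text, payload);
    return nlh->nlmsg_len;
}

/* Send the record and return the kernel's verdict from the ack: 0 when it
 * was accepted, -EPERM when the caller lacks CAP_AUDIT_WRITE, other -errno
 * for socket failures (e.g. -EPROTONOSUPPORT when CONFIG_AUDIT is off). */
int send_audit_user_msg(const char *text)
{
    union { struct nlmsghdr h; unsigned char raw[1024]; } msg;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    struct nlmsgerr *ack;
    size_t len = build_audit_user_msg(text, &msg.h, sizeof msg);
    ssize_t n;
    int fd, rc;

    if (len == 0) return -EMSGSIZE;
    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) return -errno;
    if (sendto(fd, &msg, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        rc = -errno; close(fd); return rc;
    }
    n = recv(fd, &msg, sizeof msg, 0);          /* NLMSG_ERROR, error == 0 on success */
    close(fd);
    if (n < (ssize_t)NLMSG_LENGTH(sizeof *ack) || msg.h.nlmsg_type != NLMSG_ERROR)
        return -EPROTO;
    ack = NLMSG_DATA(&msg.h);
    return ack->error;
}

/* Usage, as root: ./audit_drop <uid> <gid>   (e.g. the ids of "nobody") */
int main(int argc, char **argv)
{
    int rc;
    if (argc != 3) { fprintf(stderr, "usage: %s uid gid\n", argv[0]); return 2; }
    rc = drop_privs_keep_audit_write((uid_t)strtoul(argv[1], NULL, 10),
                                     (gid_t)strtoul(argv[2], NULL, 10));
    if (rc < 0) { fprintf(stderr, "drop privileges: %s\n", strerror(-rc)); return 1; }
    rc = send_audit_user_msg("op=example acct=\"frank\" res=success");
    printf("uid=%u euid=%u, kernel verdict: %s\n", getuid(), geteuid(),
           rc ? strerror(-rc) : "accepted");
    return rc ? 1 : 0;
}
```

Build with `gcc -o audit_drop audit_drop.c` and run it as root with the uid and gid of an unprivileged account; it prints the non-zero uid it now runs under and "accepted". Call send_audit_user_msg() from a process that never had the capability and the ack comes back as EPERM, which is the kernel-side check Steve is referring to: the decision is made per message in the kernel, not by auditd, so there is nothing to configure in auditd. Two caveats: an accepted record only means the kernel took it, and with auditing not enabled (no auditd, audit_enabled=0) USER records are accepted and dropped; and the keep-one-capability dance is what libcap-ng's capng_change_id() wraps for daemons such as dbus, so real code should use that rather than repeat the raw sequence.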