From: Mr Dash Four
Subject: [PATCH 0/4] AUDIT: enable build on 2.6.35.13-91 (or earlier) kernels
Date: Thu, 26 May 2011 00:42:42 +0100
Message-ID: <4DDD93F2.1040305@googlemail.com>
To: Linux-audit
List-Id: linux-audit@redhat.com

All,

Further to the private discussion I've had with Steve Grubb over the past few days, I am attaching a series of 4 patches enabling the AUDIT target, which was first introduced in the .39 version of the kernel, to run on version .35 (or even lower kernel versions, testing & further tweaking permitted).

The reason which prompted me to adopt this in earlier versions is that I saw a huge benefit in using this superb feature - at least on my systems here (it would finally enable me to combine all security-related reporting into one single, secure place/source, without messing about with syslogs spread over various different places) and I couldn't afford to wait until the .39 kernel becomes "official" (in Fedora terms, at least).

The feature is deployed and in fully working order on two of my machines here, though I am having trouble producing matches (see below). I have split the patches intentionally so that it is clear to everyone what is happening.
All of them are made against the 2.6.35.13-91 source tree as distributed by Fedora (taken directly from the source rpm and dumped into a local git repository, after which I applied all the necessary source files to create the patches).

The first 3 patches are a more-or-less carbon copy of what was submitted and implemented in the .39 version of the kernel, with one significant exception: xt_AUDIT.c has various #ifdefs added so that it disables IPV6-related stuff if IPV6 is not enabled on the kernel during compilation. This, I was told, was fixed in .37 (and later) versions of the kernel - commit 2ea6d8c4467 (net: Enter net/ipv6/ even if CONFIG_IPV6=n) - and it is not necessary in later versions of that kernel.

I suspect the last patch is more interesting as it adds SELinux support to the AUDIT target. Typical (raw auditd) output after applying this patch would be something like this:

type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3 len=52 inif=? outif=eth0 obj=system_u:object_r:ssh_client_packet_t:s0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22

I am, however, unable to get any matching (particularly on SELinux role, subject or user) when using ausearch/aureport (one of the main reasons I wanted to get on this list and seek some advice).

Last, but not least, I am no expert in audit(d) and am still learning, so go easy on me!
:)

Mr Dash Four (4):
  AUDIT: add source files to enable build on 2.6.35.13-91 kernel
  AUDIT: modify Makefiles to enable build in 2.6.35.13-91 kernel
  AUDIT: modify Kconfig to enable build in 2.6.35.13-91 kernel
  AUDIT: add SELinux support

 include/linux/audit.h              |    2 +
 include/linux/netfilter/Kbuild     |    1 +
 include/linux/netfilter/xt_AUDIT.h |   30 +++++
 kernel/audit.c                     |    2 +
 net/netfilter/Kconfig              |   10 ++
 net/netfilter/Makefile             |    1 +
 net/netfilter/xt_AUDIT.c           |  249 ++++++++++++++++++++++++++++++++++++
 7 files changed, 295 insertions(+), 0 deletions(-)
 create mode 100644 include/linux/netfilter/xt_AUDIT.h
 create mode 100644 net/netfilter/xt_AUDIT.c

--
1.7.3.4
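As an added example, not part of the cover letter or of the patches it describes: a small Python parser for the raw NETFILTER_PKT record quoted in the mail, which splits the obj= SELinux context into its user, role, type and level components so records can be filtered on them. The sample record is copied from the mail; the function names and the se_* key names are my own assumptions.

```python
import re

# Constructed sample: the raw auditd record quoted in the cover letter.
SAMPLE_RECORD = (
    "type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3 len=52 "
    "inif=? outif=eth0 obj=system_u:object_r:ssh_client_packet_t:s0 "
    "saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22"
)

# msg=audit(<seconds>.<millis>:<serial>): carries the event id and is the
# only token on the line that is not a plain key=value pair.
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")


def parse_record(line):
    """Parse one raw audit record into a dict of its fields (values stay strings)."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {"timestamp": m.group("ts"), "serial": int(m.group("serial"))}
    rest = line[:m.start()] + " " + line[m.end():]
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:  # skip stray tokens without '='
            fields[key] = value
    return fields


def split_context(ctx):
    """Split an SELinux context (user:role:type[:range]) into named parts."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % ctx)
    return dict(zip(("se_user", "se_role", "se_type", "se_range"), parts))


def matches(record, **wanted):
    """True if every wanted field equals the record's value.

    se_* keys are compared against the components of the obj= context;
    any other key is compared against the raw field. A record without an
    obj= field never satisfies an se_* criterion.
    """
    ctx = split_context(record["obj"]) if "obj" in record else {}
    for key, value in wanted.items():
        source = ctx if key.startswith("se_") else record
        if source.get(key) != value:
            return False
    return True


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["type"], split_context(rec["obj"]))
    print(matches(rec, se_type="ssh_client_packet_t", dport="22"))
```

Note that the only context in this record type is obj=, the packet's object context (system_u:object_r:...), so se_user/se_role filters compare against those object values rather than against a subject context.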