From: Marcus Meissner <meissner@suse.de>
Date: Thu, 1 Feb 2007 13:31:19 +0100
Message-ID: <20070201123119.GA28352@suse.de>
Subject: Re: [suse-sles-e] Audit help with SLES 10
On Wed, Jan 31, 2007 at 11:21:19AM -0700, Swisher, John wrote:
> We have a need to be able to audit failed accesses to certain files and
> directories by non-root users on a SLES 10 installation here.
>
> It's bad enough that file watches aren't supported by audit under SLES
> 10, but even the following entry in audit.rules doesn't work:
> -a exit,always -S open -F exit=-13 -F uid!=0
>
> I've tried simply looking at failures without regard to user:
> -a exit,always -S open -F exit=-13 (permission denied failures)
> -a exit,always -S open -F success=0 (all failures)
> -a exit,always -S open -F exit!=0 (all failures)
>
> None of the above entries generates audit records, but the following
> entry does:
> -a exit,always -S open
>
> This generates a huge number of audit records which must be filtered via
> scripts, not to mention the additional storage it's requiring for the
> unneeded records.
>
> Any suggestions on how to remedy this?
First, we will be upgrading the audit system for Service Pack 1, due out at the end of May.
This will bring filewatches, and hopefully also bugfixes for the above.
It seems that there is a mismatch between userland and kernel audit system.
Userland seems to send more filter values than the kernel can handle (and
it will just not do anything).
Ciao, Marcus
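Until the kernel-side filters work, the only option John mentions is the broad `-a exit,always -S open` rule plus post-filtering. The following script is an added example (not from either poster) of that post-filtering: it joins each event's SYSCALL record with its PATH records by audit serial and keeps only opens that failed with exit=-13 (EACCES) for a non-root uid. The log excerpt is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the original mail): an EACCES open
# by uid 1000, a successful root open, and an ENOENT open by uid 1000.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1170332479.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0 a1=0 a2=1b6 a3=0 items=1 ppid=3001 pid=3002 auid=1000 uid=1000 gid=100 euid=1000 tty=pts0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1170332479.123:456):  cwd="/home/jswisher"
type=PATH msg=audit(1170332479.123:456): item=0 name="/etc/shadow" inode=1234 dev=08:02 mode=0100640 ouid=0 ogid=15
type=SYSCALL msg=audit(1170332480.200:457): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=3010 auid=0 uid=0 gid=0 euid=0 tty=(none) comm="cron" exe="/usr/sbin/cron"
type=PATH msg=audit(1170332480.200:457): item=0 name="/etc/crontab" inode=1235 dev=08:02 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1170332481.300:458): arch=c000003e syscall=2 success=no exit=-2 a0=7fff0 a1=0 a2=0 a3=0 items=1 ppid=3001 pid=3020 auid=1000 uid=1000 gid=100 euid=1000 tty=pts0 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1170332481.300:458): item=0 name="/tmp/nonexistent"
"""

# Record header: type=<TYPE> msg=audit(<timestamp>:<serial>): <fields>
EVENT_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
# key=value pairs; values are either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(rest):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}

def failed_opens(log_text, errno_filter=-13):
    """Return [(timestamp, uid, comm, [paths])] for SYSCALL events that
    failed with exit == errno_filter (-13 = EACCES) and uid != 0."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events[(ts, serial)]          # all records of one event share ts:serial
        fields = parse_fields(rest)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    hits = []
    for (ts, serial), ev in sorted(events.items(),
                                   key=lambda kv: (float(kv[0][0]), int(kv[0][1]))):
        sc = ev["syscall"]
        if not sc or sc.get("success") != "no":
            continue
        if int(sc.get("exit", "0")) != errno_filter or sc.get("uid") == "0":
            continue
        hits.append((ts, int(sc["uid"]), sc.get("comm", "?"), ev["paths"]))
    return hits

if __name__ == "__main__":
    for ts, uid, comm, paths in failed_opens(SAMPLE_LOG):
        print(ts, "uid=%d" % uid, comm, ", ".join(paths))
```

Pass a different `errno_filter` (e.g. -2 for ENOENT) to report other failure classes from the same log.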