From: Swisher, John (john.swisher_at_lmco.com)
Date: Thu Feb 01 2007 - 19:05:13 CET
Date: Thu, 01 Feb 2007 11:05:13 -0700
From: "Swisher, John" <john.swisher@lmco.com>
Message-id: <BAA666C1E230E143BB9E839ED55EF1949E7C52@emss02m12.us.lmco.com>
Subject: RE: [suse-sles-e] Audit help with SLES 10
So this means that until SP1 is out we will have to audit all accesses
to all files and filter them out ourselves, correct?
I assume that SLED 10 has these same issues as well?
John Swisher
-----Original Message-----
From: Marcus Meissner [mailto:meissner@suse.de]
Sent: Thursday, February 01, 2007 6:31 AM
To: Swisher, John
Cc: suse-sles-e@suse.com
Subject: Re: [suse-sles-e] Audit help with SLES 10
On Wed, Jan 31, 2007 at 11:21:19AM -0700, Swisher, John wrote:
> We have a need to be able to audit failed accesses to certain files
> and directories by non-root users on a SLES 10 installation here.
>
> It's bad enough that file watches aren't supported by audit under SLES
> 10, but even the following entry in audit.rules doesn't work:
> -a exit,always -S open -F exit=-13 -F uid!=0
>
> I've tried simply looking at failures without regard to user:
> -a exit,always -S open -F exit=-13 (permission denied failures)
> -a exit,always -S open -F success=0 (all failures)
> -a exit,always -S open -F exit!=0 (all failures)
>
> None of the above entries generates audit records, but the following
> entry does:
> -a exit,always -S open
>
> This generates a huge number of audit records which must be filtered
> via scripts, not to mention the additional storage it's requiring for
> the unneeded records.
>
> Any suggestions on how to remedy this?
First, we will be upgrading the audit system for Service Pack 1, out end of
May. This will bring filewatches, and hopefully also bugfixes for the above.
It seems that there is a mismatch between the userland and kernel audit
systems. Userland seems to send more filter values than the kernel can handle
(and it will then just not do anything).
Ciao, Marcus
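Until the SP1 fix lands, the thread leaves John with the unfiltered `-a exit,always -S open` rule and a post-filter of his own. The script below is an added example (not part of the thread or of SUSE's tooling) of that post-filter: it joins SYSCALL and PATH records by event serial and keeps only opens that failed with exit=-13 (-EACCES) for a non-root uid, which is what the rejected `-F exit=-13 -F uid!=0` rule was meant to express. The audit log lines are constructed samples, not records from the original messages.

```python
import re
from collections import defaultdict
# Constructed sample of auditd output (not from the thread) produced by the
# unfiltered rule "-a exit,always -S open": a denied open by uid 1000, a
# denied open by root, and a successful open by uid 1000.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1170347113.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=2001 pid=2002 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts0 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1170347113.101:201):  cwd="/home/jsmith"
type=PATH msg=audit(1170347113.101:201): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=15 rdev=00:00
type=SYSCALL msg=audit(1170347113.205:202): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1 pid=1500 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cron" exe="/usr/sbin/cron" key=(null)
type=PATH msg=audit(1170347113.205:202): item=0 name="/mnt/nfs/locked" inode=77 dev=00:14 mode=0100600 ouid=1001 ogid=100 rdev=00:00
type=SYSCALL msg=audit(1170347113.310:203): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=2001 pid=2003 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1170347113.310:203): item=0 name="/etc/hosts" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial

def parse_fields(line):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def denied_opens_by_nonroot(log_text, eacces=-13):
    """Emulate '-S open -F exit=-13 -F uid!=0' in userland: group records by
    event serial, join SYSCALL with PATH, keep EACCES failures by uid != 0."""
    events = defaultdict(lambda: {'paths': []})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rec = parse_fields(line)
        ev = events[int(m.group(2))]
        if rec.get('type') == 'SYSCALL':
            ev['syscall'], ev['time'] = rec, float(m.group(1))
        elif rec.get('type') == 'PATH':
            ev['paths'].append(rec.get('name', '?'))
    hits = []
    for serial, ev in sorted(events.items()):
        sc = ev.get('syscall')
        if sc is None or sc.get('success') != 'no':
            continue
        if int(sc['exit']) != eacces or int(sc['uid']) == 0:
            continue
        hits.append({'serial': serial, 'time': ev['time'], 'uid': int(sc['uid']),
                     'comm': sc['comm'], 'exe': sc['exe'], 'paths': ev['paths']})
    return hits

if __name__ == '__main__':
    for h in denied_opens_by_nonroot(SAMPLE_AUDIT_LOG):
        print(f"{h['time']:.3f} uid={h['uid']} {h['exe']} denied: {', '.join(h['paths'])}")
```

On a real system the same function can be fed the contents of /var/log/audit/audit.log; matching on the `success`/`exit`/`uid` fields of the SYSCALL record rather than on the PATH record is what keeps root's own denied opens out of the report.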
This archive was generated by hypermail 2.1.7 : Thu Feb 01 2007 - 21:11:08 CET