Bug 231914
Description
Matthew Booth
2007-03-12 23:05:11 UTC
Created attachment 149880 [details]
Patch against laus-0.1-70RHEL3 to add audit control events
This patch adds the userspace handling for control events generated by the
associated patch in BZ 231912. It also updates the appropriate man pages.
The kernel patch adds a new event type for control events (ioctl()s on
/dev/audit). The event consists of:
* ioctl request number
* ioctl return code
It adds display code to pretty print the event in aucat and augrep. It also
allows filtering on the event.
To enable these events, the following line must be added to filter.conf:
event audit-control = always;
As this behaviour is expected and should be the norm, the patch adds this to
the default configuration file. Note that existing configurations which do not
contain the above line will not see these events.
Created attachment 149884 [details]
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options)
This patch obsoletes the previous patch. It adds the -e CONTROL option to
augrep to allow filtering on control events. It also updates the augrep man
page.
Created attachment 149886 [details]
Utility to detach a program from laus
This utility can be used to execute a program after detaching from laus. It is
also a useful test for this bug. Execute the following on a RHEL 3 U8 system:
laus_detach /bin/ls
Check the audit logs. Note that there is nothing there. You can even try
auditing all ioctls on /dev/audit by adding the following to filter.conf:
tag "FOO"
syscall ioctl = (is-auditdevice(arg0));
Note that this will audit most events, but not detach or resume.
Apply the patch in this bug to laus, and the associated kernel patch. Add the
following line to filter.conf:
event audit-control = always;
Rerun the test. Note that all control events are now audited.
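A check for the upgrade caveat in the description (existing configurations that lack the enabling line will not see control events), as an added example that is not part of laus or of the patches attached to this bug. The function name, the status words it prints and the single-line matching are assumptions; the path to filter.conf is supplied by the caller.

```shell
#!/bin/sh
# Added example, not laus code. Reports whether a laus filter.conf enables
# the audit-control event described in this bug.
# Assumption: the statement sits on one line. A line with anything other
# than whitespace before "event" (for instance a comment marker) is ignored.

audit_control_status() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo unreadable
        return 0
    fi
    ws='[[:space:]]'
    stmt="^${ws}*event${ws}+audit-control${ws}*="
    if grep -Eq "${stmt}${ws}*always${ws}*;" "$conf"; then
        echo enabled
    elif grep -Eq "$stmt" "$conf"; then
        # The event is configured, but not in the "always" form given above.
        echo conditional
    else
        # Pre-patch configuration: control events would not be logged.
        echo missing
    fi
}

# Constructed sample: a configuration written before the patch, using the
# filter lines quoted in this bug, then the same file with the new line added.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'tag "FOO"' 'syscall ioctl = (is-auditdevice(arg0));' > "$tmp"
    printf 'before: %s\n' "$(audit_control_status "$tmp")"
    printf '%s\n' 'event audit-control = always;' >> "$tmp"
    printf 'after:  %s\n' "$(audit_control_status "$tmp")"
    rm -f "$tmp"
}

# With a path argument, check that file; with none, run the demo.
if [ $# -gt 0 ]; then audit_control_status "$1"; else demo; fi
```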
Created attachment 149949 [details]
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix)
Laus will exit immediately if you try to configure an event which isn't
recognised by the running kernel. This means that if a user updated to the new
laus without a kernel update, or they just didn't reboot, laus would fail to
start.
This is an updated patch which causes startup not to fail if the audit-control
event cannot be configured. All other events will continue to cause a failure.
Built laus-0.1-75RHEL3 for testing purposes.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2007-0459.html
Resolved. Closing ticket and informing customer.
Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'
This event sent from IssueTracker by jfautley
issue 116050