On Fri, 12 May 2006 09:05:40 -0700 Debora Velarde <[EMAIL PROTECTED]> wrote:
> With the new types added to audit, this is what the message types will be
> changed to:
>
> // admin adds a user accessible device to the configuration file
> # dev_allocator_config -a -n cdrom -f /dev/cdrom -c cdrom -m SystemLow -x
> SystemHigh
> type=USER msg=audit(1146766083.884:9290): user pid=14757 uid=0 auid=0
> msg='devmgr: device="/dev/cdrom"
> context="system_u:object_r:unallocated_device_t:SystemLow", device
> initialized to unallocated state'
> type=USER msg=audit(1146766083.884:9291): user pid=14757 uid=0 auid=0
> msg='devmgr: configuration file altered'
> // New type to be changed to:
> // #define AUDIT_USYS_CONFIG 1111 /* User space system config
> change */
>
>
> // allocate device
> $ dev_allocator -a /dev/cdrom
> type=USER msg=audit(1146766179.402:9293): user pid=14766 uid=0 auid=501
> msg='devmgr: device="/dev/cdrom"
> context="system_u:object_r:removable_device_t:SystemLow", device
> allocated'
> // New type to be changed to:
> // #define AUDIT_DEV_ALLOCATION 2307
>
>
> // unallocate the device
> $ dev_allocator -u /dev/cdrom
> type=USER msg=audit(1146513843.584:8139): user pid=27579 uid=0 auid=501
> msg='devmgr: device="/dev/cdrom"
> context="system_u:object_r:unallocated_device_t:SystemLow", device
> unallocated'
> // New type to be changed to:
> > #define AUDIT_DEV_DEALLOCATION 2308
>
>
> // admin deletes the device from the configuration file
> # dev_allocator_config -d -n cdrom -f /dev/cdrom
> type=USER msg=audit(1146766993.245:9296): user pid=14829 uid=0 auid=0
> msg='devmgr: device="/dev/cdrom"
> context="system_u:object_r:removable_device_t:SystemLow", device released
> from management'
> type=USER msg=audit(1146766993.249:9297): user pid=14829 uid=0 auid=0
> msg='devmgr: configuration file altered'
> // New type to be changed to:
> // #define AUDIT_USYS_CONFIG 1111 /* User space system config
> change */

I can make the changes to the devallocator this weekend so that it is using
the appropriate audit routine and types. For the time being I'll use
currently available message types with the AUDIT_DEV* ones conditionally in
there. The new version of the devallocator should be available on Monday.

--
Cory Olmo
Secure Systems Engineer
Trusted Computer Solutions
121 West Goose Alley
Urbana, IL 61801
www.TrustedCS.com

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
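An added example, not part of the thread or of the devallocator code: a small parser that reads the type=USER devmgr records quoted above and reports which of the proposed types each would carry, so existing logs can be triaged by device, auid and event class before the new types ship. The names classify, PROPOSED and ACTION_TYPE are hypothetical; the sample records are copied from the thread with the mail wrapping rejoined.

```python
import re

# Type names and numbers as quoted in the thread.
PROPOSED = {"AUDIT_USYS_CONFIG": 1111,
            "AUDIT_DEV_ALLOCATION": 2307,
            "AUDIT_DEV_DEALLOCATION": 2308}
# devmgr action text -> proposed type, following the mapping in the thread.
ACTION_TYPE = {
    "device initialized to unallocated state": "AUDIT_USYS_CONFIG",
    "configuration file altered": "AUDIT_USYS_CONFIG",
    "device released from management": "AUDIT_USYS_CONFIG",
    "device allocated": "AUDIT_DEV_ALLOCATION",
    "device unallocated": "AUDIT_DEV_DEALLOCATION",
}
RECORD = re.compile(
    r"^type=USER msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"user pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) "
    r"msg='devmgr: (?P<body>.*)'$"
)

def classify(line):
    """Return a dict for a devmgr record, or None for any other line."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    body = m.group("body")
    action = body.rsplit(", ", 1)[-1]   # text after the context field, if any
    dev = re.search(r'device="([^"]*)"', body)
    name = ACTION_TYPE.get(action)      # None: action not listed in the thread
    return {
        "serial": int(m.group("serial")),
        "auid": int(m.group("auid")),
        "device": dev.group(1) if dev else None,
        "action": action,
        "proposed": name,
        "proposed_id": PROPOSED.get(name),
    }

# Records copied from the thread, with the mail line wrapping rejoined.
SAMPLE = """\
type=USER msg=audit(1146766083.884:9291): user pid=14757 uid=0 auid=0 msg='devmgr: configuration file altered'
type=USER msg=audit(1146766179.402:9293): user pid=14766 uid=0 auid=501 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:removable_device_t:SystemLow", device allocated'
type=USER msg=audit(1146513843.584:8139): user pid=27579 uid=0 auid=501 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:unallocated_device_t:SystemLow", device unallocated'
""".splitlines()

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(rec))
```

Once the records carry their own type, the same triage becomes a filter on the type field instead of a match on free-form message text.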
