Re: auditing subsystem

2005-03-03 Thread Valdis . Kletnieks
On Thu, 03 Mar 2005 22:18:11 PST, Russell Miller said:
> I've been doing a lot of research on this, and I keep coming up with things 

> I notice there is a CONFIG_AUDIT option.  Is this what I am looking for, and 
> how do I use it?  /dev/audit seems not to work...

oooh.. a victim^Wtester ;)

CONFIG_AUDIT is indeed what you're looking for, in combination with the
audit-0.6.5 userspace end just released.  Mailing list is [EMAIL PROTECTED],
visit http://www.redhat.com/mailman/listinfo/linux-audit for more info

(Currently, there's still an add-on kernel patch for stuff that's not in
the mainstream yet - but that's hopefully temporary.. ;)




Re: auditing subsystem

2005-03-03 Thread Chris Wright
* Russell Miller ([EMAIL PROTECTED]) wrote:
> I've been doing a lot of research on this, and I keep coming up with things 
> that don't work, have been abandoned, or are almost impossible to find or get 
> working.  So I'll ask here.  Maybe one of the ultra-enlightened linux gods 
> will have a ready answer.

You'll have better luck using linux-audit list.

> I want to be able to audit system calls - I want to log when files are opened, 
> created, changed, deleted, etc.  Preferably I would like to do it without 
> having to apply kernel patches, using vanilla (or close to vanilla) kernel.  
> If this isn't possible, my net preference is to use a module.  If this isn't 
> possible, well, I'll do what I have to.

No patches needed (although you will want 2.6.11 because the inode filter
was busted, and you'll likely want to use it), for opened anyway.  You'll
need an additional auditfs patch for created/deleted/changed(for more
than just knowing open w/ write access) and it's not a stable patch yet.

> I notice there is a CONFIG_AUDIT option.  Is this what I am looking for, and 
> how do I use it?  /dev/audit seems not to work...

You'll need auditd, auditctl, and some rules to capture what you care
about.

For example:

To watch accesses to /etc/passwd (not creation/deletion events).

# auditd
# auditctl -a entry,possible -S open
# auditctl -a exit,always -S open -F inode=(inode of /etc/passwd)

-- 
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
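The two auditctl rules above leave "(inode of /etc/passwd)" as a placeholder, and the thread does not show what the resulting records look like. The script below is an added example, not code from the thread or from the audit project: it resolves the inode with ls -di (POSIX) and prints the two rule lines exactly as Chris wrote them, then runs a small awk filter over a constructed sample of 2.6-era SYSCALL/PATH records (the serial numbers, pids and inode values are made up) to pull out the events whose PATH record carries the watched inode. The record field names (type=, msg=audit(...), comm=, inode=, name=) follow the kernel audit format; the exact field set on a given kernel may differ.

```shell
#!/bin/sh
# Added example (not from the LKML thread). Builds the inode-based
# auditctl rules described in the thread and demonstrates filtering
# audit records by inode. Nothing here loads rules into the kernel.

# Emit the two auditctl rule lines for the file at PATH, resolving the
# inode with `ls -di` in place of the "(inode of /etc/passwd)" placeholder.
audit_rules_for() {
    path="$1"
    ino=$(ls -di "$path" | awk '{print $1}')
    printf 'auditctl -a entry,possible -S open\n'
    printf 'auditctl -a exit,always -S open -F inode=%s\n' "$ino"
}

# Constructed sample of two audit events, each a SYSCALL record followed
# by its PATH record (the values are invented for this demonstration).
SAMPLE_LOG='type=SYSCALL msg=audit(1109919491.123:45): arch=40000003 syscall=5 success=yes exit=3 pid=1234 uid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1109919491.123:45): item=0 name="/etc/passwd" inode=131074 dev=03:01 mode=0100644
type=SYSCALL msg=audit(1109919492.456:46): arch=40000003 syscall=5 success=yes exit=3 pid=1235 uid=1000 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1109919492.456:46): item=0 name="/home/user/notes.txt" inode=262145 dev=03:01 mode=0100644'

# Read audit records on stdin; print "serial comm name" for every event
# whose PATH record carries inode INODE. The SYSCALL record is matched to
# its PATH record through the shared audit(TIMESTAMP:SERIAL) identifier.
events_touching_inode() {
    want_ino="$1"
    awk -v want="$want_ino" '
        {
            match($0, /audit\([0-9.]+:[0-9]+\)/)
            id = substr($0, RSTART, RLENGTH)
        }
        $1 == "type=SYSCALL" {
            for (i = 1; i <= NF; i++) if ($i ~ /^comm=/) comm[id] = $i
        }
        $1 == "type=PATH" {
            rec_ino = ""; nm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^inode=/) rec_ino = substr($i, 7)
                if ($i ~ /^name=/)  nm = $i
            }
            if (rec_ino == want) print id, comm[id], nm
        }
    '
}

# Stand-alone demonstration: show the rules for /etc/passwd when it exists,
# then list the sample events that touched inode 131074.
if [ -e /etc/passwd ]; then
    audit_rules_for /etc/passwd
fi
printf '%s\n' "$SAMPLE_LOG" | events_touching_inode 131074
```

Because the rule keys on the inode rather than the path, it stops matching as soon as the file is replaced rather than rewritten in place (many editors and package tools write a new file and rename it over the old one), so a rule generated this way needs regenerating whenever the watched file's inode changes; comparing `ls -di` output against the inode in the loaded rule is a quick check for that.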


auditing subsystem

2005-03-03 Thread Russell Miller
I've been doing a lot of research on this, and I keep coming up with things 
that don't work, have been abandoned, or are almost impossible to find or get 
working.  So I'll ask here.  Maybe one of the ultra-enlightened linux gods 
will have a ready answer.

I want to be able to audit system calls - I want to log when files are opened, 
created, changed, deleted, etc.  Preferably I would like to do it without 
having to apply kernel patches, using vanilla (or close to vanilla) kernel.  
If this isn't possible, my net preference is to use a module.  If this isn't 
possible, well, I'll do what I have to.

I notice there is a CONFIG_AUDIT option.  Is this what I am looking for, and 
how do I use it?  /dev/audit seems not to work...

Thanks.  If you can even point me a suitable FM to R, I'd be content.

--Russell

-- 

Russell Miller - [EMAIL PROTECTED] - Agoura, CA