
List:       seandroid-list
Subject:    Re: audit rules support
From:       William Roberts <bill.c.roberts () gmail ! com>
Date:       2014-10-08 18:52:46
Message-ID: CAFftDdotYqLhnrsOkztXkeODaWapLR29DAo+ZfR0fYt9Lf8asA () mail ! gmail ! com

Did you ever publish this in your tree, perhaps on the omap branch?

On Wed, Oct 8, 2014 at 11:09 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 10/08/2014 01:55 PM, William Roberts wrote:
> > On Tue, Oct 7, 2014 at 10:29 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > > On 10/07/2014 01:26 PM, William Roberts wrote:
> > > > is audit_n_rules the number of rules in the rule table? I ask, so if
> > > > the example audit.rules posted in the auditd directory is loaded, then
> > > > it
> > > > should have set audit_n_rules to something like 4. audit_enabled
> > > > should be 1, so we should end up getting the syscall records in a
> > > > similar
> > > > fashion to the kernel patch that hardcodes it? I ask because desktop
> > > > world has -s support in audit.rules.
> > > 
> > > Yes, I believe that is correct. Use of -S (syscall filter) or -w (file
> > > watch) should increment the number of rules, which should turn on the
> > > machinery for collecting pathnames for later use by audit during
> > > pathname lookup.
> > > 
> > > 
> > 
> > Just to finish this thread, the reason I am not seeing the syscall
> > audits is because the archaic kernel version I am stuck on (3.0.35)
> > doesn't have AUDITSYSCALL for ARM. I found this patch, but still need
> > to test it, but it looked straightforward and applied cleanly to the
> > tree:
> > https://www.redhat.com/archives/linux-audit/2011-October/msg00030.html
> > 
> > I also noticed this patch was mainlined here:
> > https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b
> >  
> > 
> > Does anyone on this list have any deeper context around enabling this
> > on ARM, is it as trivial as the patch appears or are there a slew of
> > other patches I am missing?
> 
> That's the basic one you need to just get it up and working; we applied
> that on our older kernel trees when we wanted syscall audit information.
> There have been a number of fixes and improvements since that time, but
> if you are only using this as a policy debugging tool, that patch will
> likely suffice.
> 



-- 
Respectfully,

William C Roberts
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to Seandroid-list-leave@tycho.nsa.gov.
To get help, send an email containing "help" to Seandroid-list-request@tycho.nsa.gov.
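Added example (not part of the thread, and not the auditd project's sample file): a minimal audit.rules in auditctl syntax illustrating the point made above, namely that only -a/-A rules carrying -S (syscall filter) and -w file watches become entries in the kernel's filter lists and so bump audit_n_rules, whereas -D, -b, -f and -e are control commands that add no rule. The file is constructed and written to a temp path so nothing is loaded into a running kernel; the paths and keys are illustrative Android locations, and count_rules/has_syscall_audit are hypothetical helper names that mirror the counting, not kernel code. Whether SYSCALL records are actually emitted once the rules are loaded still depends on the kernel being built with CONFIG_AUDITSYSCALL for the architecture, as the thread notes.

```shell
#!/bin/sh
# Added example: a constructed audit.rules plus a helper that counts the
# directives auditctl would turn into filter-list entries (the ones that
# increment audit_n_rules in the kernel). Not code from the thread.

# Constructed sample rules file (illustrative paths and keys).
RULES_FILE="${TMPDIR:-/tmp}/example-audit.rules.$$"
cat > "$RULES_FILE" <<'EOF'
# control commands: flush rules, set backlog, set failure mode. Not rules.
-D
-b 320
-f 1

# syscall filter rules: each -a/-A line with -S is one rule
-a always,exit -F arch=b32 -S open -S openat -F dir=/data -k data_open
-a always,exit -F arch=b32 -S execve -k exec

# file watch: one rule (internally also a syscall-exit rule)
-w /system/bin/sh -p x -k shell_exec

# enable auditing: changes audit_enabled, not the rule count
-e 1
EOF

# count_rules FILE: number of non-comment lines that load as a rule,
# i.e. a -w watch or an -a/-A syscall rule that names at least one -S.
count_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk '
        $1 == "-w" { n++; next }
        ($1 == "-a" || $1 == "-A") {
            for (i = 2; i <= NF; i++) if ($i == "-S") { n++; break }
        }
        END { print n + 0 }
    '
}

# has_syscall_audit FILE: succeeds if loading FILE would leave
# audit_n_rules above zero, the condition the thread is after.
has_syscall_audit() {
    [ "$(count_rules "$1")" -gt 0 ]
}

count_rules "$RULES_FILE"
has_syscall_audit "$RULES_FILE" && echo "loading this file would arm syscall auditing"
```

On a device the same file is loaded with `auditctl -R audit.rules`, `auditctl -l` lists what the kernel accepted, and `auditctl -s` shows whether enabled is 1; if the kernel lacks syscall audit support for the architecture, the -S and -w rules will not produce SYSCALL records even though they load.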

