* Running auditd from Raspberry Pi (Raspbian)
@ 2015-10-23 23:16 Kangkook Jee
  2015-10-26 15:55 ` Steve Grubb
  0 siblings, 1 reply; 8+ messages in thread
From: Kangkook Jee @ 2015-10-23 23:16 UTC (permalink / raw)
  To: linux-audit



Hi, all 

From my Raspberry Pi machine (running the Debian Wheezy distribution), I could see that the kernel is built with audit enabled, and I managed to install the user-space audit client with the following command.

pi@raspberrypi ~ $ sudo apt-get install auditd

However, when I tried to enable auditing by issuing the following commands, it didn't seem to run properly.

pi@raspberrypi ~ $ sudo auditctl -l
No rules
pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
Error detecting machine type
pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
arch=armeb machine type not found

Can anyone tell me whether audit supports ARM-based Linux systems?
Here is my system information. Thanks a lot in advance for your help!

pi@raspberrypi ~ $ sudo uname -a
Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015 armv7l GNU/Linux

pi@raspberrypi ~ $ dpkg -l |grep audit
ii  auditd                                1:1.7.18-1.1                            armhf        User space tools for security auditing
ii  libaudit0                             1:1.7.18-1.1                            armhf        Dynamic library for security auditing

Regards, Kangkook







* Re: Running auditd from Raspberry Pi (Raspbian)
  2015-10-23 23:16 Running auditd from Raspberry Pi (Raspbian) Kangkook Jee
@ 2015-10-26 15:55 ` Steve Grubb
  2015-10-26 17:13   ` Kangkook Jee
  2015-10-26 20:25   ` Kangkook Jee
  0 siblings, 2 replies; 8+ messages in thread
From: Steve Grubb @ 2015-10-26 15:55 UTC (permalink / raw)
  To: linux-audit

On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
> Hi, all
> 
> From my Raspberry Pi machine (running the Debian Wheezy distribution), I could
> see that the kernel is built with audit enabled, and I managed to install the
> user-space audit client with the following command.
> 
> pi@raspberrypi ~ $ sudo apt-get install auditd
> 
> However, when I tried to enable auditing by issuing the following commands, it
> didn't seem to run properly.
> 
> pi@raspberrypi ~ $ sudo auditctl -l
> No rules
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
> Error detecting machine type
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
> arch=armeb machine type not found
> 
> Can anyone tell me whether audit supports ARM-based Linux systems?

Yes. It was added starting in 2.0.4 and was corrected several times.


> Here is my system information. Thanks a lot in advance for your help!
> 
> pi@raspberrypi ~ $ sudo uname -a
> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
> armv7l GNU/Linux
> 
> pi@raspberrypi ~ $ dpkg -l |grep audit
> ii  auditd     1:1.7.18-1.1  armhf  User space tools for security auditing
> ii  libaudit0  1:1.7.18-1.1  armhf  Dynamic library for security auditing

That one is too old. You need a newer audit package.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Running auditd from Raspberry Pi (Raspbian)
  2015-10-26 15:55 ` Steve Grubb
@ 2015-10-26 17:13   ` Kangkook Jee
  2015-10-26 20:25   ` Kangkook Jee
  1 sibling, 0 replies; 8+ messages in thread
From: Kangkook Jee @ 2015-10-26 17:13 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Thanks a lot for your support. I will try with a newer version and let you know how it goes!

Regards, Kangkook

> On Oct 26, 2015, at 11:55 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
>> Hi, all
>> 
>> From my Raspberry Pi machine (running the Debian Wheezy distribution), I could
>> see that the kernel is built with audit enabled, and I managed to install the
>> user-space audit client with the following command.
>> 
>> pi@raspberrypi ~ $ sudo apt-get install auditd
>> 
>> However, when I tried to enable auditing by issuing the following commands, it
>> didn't seem to run properly.
>> 
>> pi@raspberrypi ~ $ sudo auditctl -l
>> No rules
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
>> Error detecting machine type
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
>> arch=armeb machine type not found
>> 
>> Can anyone tell me whether audit supports ARM-based Linux systems?
> 
> Yes. It was added starting in 2.0.4 and was corrected several times.
> 
> 
>> Here is my system information. Thanks a lot in advance for your help!
>> 
>> pi@raspberrypi ~ $ sudo uname -a
>> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
>> armv7l GNU/Linux
>> 
>> pi@raspberrypi ~ $ dpkg -l |grep audit
>> ii  auditd     1:1.7.18-1.1  armhf  User space tools for security auditing
>> ii  libaudit0  1:1.7.18-1.1  armhf  Dynamic library for security auditing
> 
> That one is too old. You need a newer audit package.
> 
> -Steve



* Re: Running auditd from Raspberry Pi (Raspbian)
  2015-10-26 15:55 ` Steve Grubb
  2015-10-26 17:13   ` Kangkook Jee
@ 2015-10-26 20:25   ` Kangkook Jee
  2015-10-26 20:37     ` Steve Grubb
  1 sibling, 1 reply; 8+ messages in thread
From: Kangkook Jee @ 2015-10-26 20:25 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Dear Steve,

I built auditctl from the recent audit source and tried again, but it failed with the following errors.

pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
(reverse-i-search)`b': sudo auditctl -e1 -^C102400
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
arch elf mapping not found
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
Error detecting machine type

Would you help me with this?

Thanks a lot for your help again!

Regards, Kangkook


> On Oct 26, 2015, at 11:55 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
>> Hi, all
>> 
>> From my Raspberry Pi machine (running the Debian Wheezy distribution), I could
>> see that the kernel is built with audit enabled, and I managed to install the
>> user-space audit client with the following command.
>> 
>> pi@raspberrypi ~ $ sudo apt-get install auditd
>> 
>> However, when I tried to enable auditing by issuing the following commands, it
>> didn't seem to run properly.
>> 
>> pi@raspberrypi ~ $ sudo auditctl -l
>> No rules
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
>> Error detecting machine type
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
>> arch=armeb machine type not found
>> 
>> Can anyone tell me whether audit supports ARM-based Linux systems?
> 
> Yes. It was added starting in 2.0.4 and was corrected several times.
> 
> 
>> Here is my system information. Thanks a lot in advance for your help!
>> 
>> pi@raspberrypi ~ $ sudo uname -a
>> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
>> armv7l GNU/Linux
>> 
>> pi@raspberrypi ~ $ dpkg -l |grep audit
>> ii  auditd     1:1.7.18-1.1  armhf  User space tools for security auditing
>> ii  libaudit0  1:1.7.18-1.1  armhf  Dynamic library for security auditing
> 
> That one is too old. You need a newer audit package.
> 
> -Steve



* Re: Running auditd from Raspberry Pi (Raspbian)
  2015-10-26 20:25   ` Kangkook Jee
@ 2015-10-26 20:37     ` Steve Grubb
  2015-10-26 20:57       ` Kangkook Jee
  0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2015-10-26 20:37 UTC (permalink / raw)
  To: Kangkook Jee; +Cc: linux-audit

On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
> Dear Steve,
> 
> I built auditctl from the recent audit source and tried again, but it failed
> with the following errors.
> 
> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
> (reverse-i-search)`b': sudo auditctl -e1 -^C102400
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
> arch elf mapping not found
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
> Error detecting machine type
> 
> Would you help me with this?

Did you add --with-arm to the ./configure line? It's disabled by default.

-Steve


* Re: Running auditd from Raspberry Pi (Raspbian)
  2015-10-26 20:37     ` Steve Grubb
@ 2015-10-26 20:57       ` Kangkook Jee
  2015-10-26 21:18         ` Kangkook Jee
  0 siblings, 1 reply; 8+ messages in thread
From: Kangkook Jee @ 2015-10-26 20:57 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

I added "--with-armeb"; should it be just "--with-arm"?

The following shows my configuration status.

pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-armeb'"
  set X /bin/bash './configure'  '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf"


> On Oct 26, 2015, at 4:37 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
>> Dear Steve,
>> 
>> I built auditctl from the recent audit source and tried again, but it failed
>> with the following errors.
>> 
>> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
>> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
>> (reverse-i-search)`b': sudo auditctl -e1 -^C102400
>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
>> arch elf mapping not found
>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
>> Error detecting machine type
>> 
>> Would you help me with this?
> 
> Did you add --with-arm to the ./configure line? It's disabled by default.
> 
> -Steve



* Re: Running auditd from Raspberry Pi (Raspbian)
  2015-10-26 20:57       ` Kangkook Jee
@ 2015-10-26 21:18         ` Kangkook Jee
  2015-10-27  3:12           ` Steve Grubb
  0 siblings, 1 reply; 8+ messages in thread
From: Kangkook Jee @ 2015-10-26 21:18 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



This time I built with the --with-arm option and tried again. It still fails, but with a different error message.


pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-arm'"
  set X /bin/bash './configure'  '--with-arm' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf"
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
Error sending add rule data request (Invalid argument)


> On Oct 26, 2015, at 4:57 PM, Kangkook Jee <aixer77@gmail.com> wrote:
> 
> I added "--with-armeb"; should it be just "--with-arm"?
> 
> The following shows my configuration status.
> 
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-armeb'"
>  set X /bin/bash './configure'  '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
> host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf"
> 
> 
>> On Oct 26, 2015, at 4:37 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>> On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
>>> Dear Steve,
>>> 
>>> I built auditctl from the recent audit source and tried again, but it failed
>>> with the following errors.
>>> 
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
>>> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
>>> (reverse-i-search)`b': sudo auditctl -e1 -^C102400
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
>>> arch elf mapping not found
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
>>> Error detecting machine type
>>> 
>>> Would you help me with this?
>> 
>> Did you add --with-arm to the ./configure line? It's disabled by default.
>> 
>> -Steve
> 






* Re: Running auditd from Raspberry Pi (Raspbian)
  2015-10-26 21:18         ` Kangkook Jee
@ 2015-10-27  3:12           ` Steve Grubb
  0 siblings, 0 replies; 8+ messages in thread
From: Steve Grubb @ 2015-10-27  3:12 UTC (permalink / raw)
  To: Kangkook Jee; +Cc: linux-audit

On Monday, October 26, 2015 05:18:12 PM Kangkook Jee wrote:
> This time I built with the --with-arm option and tried again. It still fails,
> but with a different error message.
> 
> 
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-arm'"
>   set X /bin/bash './configure'  '--with-arm' $ac_configure_extra_args --no-create --no-recursion
> host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf"
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
> Error sending add rule data request (Invalid argument)

If this works:

ausyscall armeb open

returns something like:

open               5
mq_open            274
openat             322
perf_event_open    364
open_by_handle_at  371

Then user space is working. Anything else would be kernel issues.

-Steve
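The troubleshooting order Steve lays out in this thread (first check that user space can map the machine type and has a syscall table, then blame the kernel) can be written down as a small triage script. What follows is an added example, not code from the audit project or from anyone in the thread. The AUDIT_ARCH_* constants are the values from the kernel's include/uapi/linux/audit.h and the EINVAL behaviour is what kernel/auditfilter.c does for exit-list rules on a kernel built without CONFIG_AUDITSYSCALL; the `uname -m` to arch-keyword table, the kernel .config fragments and the sample SYSCALL record are constructed for the example and should be treated as assumptions. The `ausyscall` output embedded as sample input is the one Steve quotes above.

```python
"""Triage helper for the failure modes discussed in this thread.

Added example, not code from the audit project or from the posters. The
AUDIT_ARCH_* values come from include/uapi/linux/audit.h; the uname-to-arch
table, the sample kernel .config fragments and the sample SYSCALL record are
constructed for this example (assumptions, not output from the poster's Pi).
"""
import re

# uapi/linux/audit.h: AUDIT_ARCH_* is the ELF e_machine value OR'd with
# endianness / word-size flags. The kernel writes this value into the arch=
# field of every SYSCALL record and compares it against -F arch= in a rule.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183

AUDIT_ARCH = {
    "i386":    EM_386 | AUDIT_ARCH_LE,                         # 0x40000003
    "x86_64":  EM_X86_64 | AUDIT_ARCH_64BIT | AUDIT_ARCH_LE,   # 0xc000003e
    "arm":     EM_ARM | AUDIT_ARCH_LE,                         # 0x40000028
    "armeb":   EM_ARM,                                         # 0x00000028
    "aarch64": EM_AARCH64 | AUDIT_ARCH_64BIT | AUDIT_ARCH_LE,  # 0xc00000b7
}

# The `ausyscall armeb open` output quoted in the thread, embedded as sample
# input so the parser below runs offline.
AUSYSCALL_SAMPLE = """\
open               5
mq_open            274
openat             322
perf_event_open    364
open_by_handle_at  371
"""

# Constructed kernel .config fragments (what `zcat /proc/config.gz` or
# /boot/config-$(uname -r) would show on a real board).
CONFIG_NO_SYSCALL_AUDIT = "CONFIG_AUDIT=y\n# CONFIG_AUDITSYSCALL is not set\n"
CONFIG_SYSCALL_AUDIT = "CONFIG_AUDIT=y\nCONFIG_AUDITSYSCALL=y\n"


def arch_for_machine(machine):
    """Map a `uname -m` string to an audit arch keyword (assumed table).

    auditctl has to take this step before it can turn a syscall name into a
    number; a machine string it does not know gives "Error detecting machine
    type". Returns None for an unknown machine.
    """
    m = machine.strip().lower()
    if m in ("i386", "i486", "i586", "i686"):
        return "i386"
    if m in ("x86_64", "aarch64"):
        return m
    if m.startswith("arm"):
        # armv6l/armv7l are little-endian (the Pi's case); armv7b is big-endian
        return "armeb" if m.endswith("b") else "arm"
    return None


def parse_ausyscall(output):
    """Turn `ausyscall <arch> <name>` output into {name: number}."""
    table = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            table[parts[0]] = int(parts[1])
    return table


def arch_from_record(record):
    """Decode the arch= field of a SYSCALL record back to its keyword."""
    m = re.search(r"\barch=([0-9a-fA-F]+)", record)
    if not m:
        return None
    value = int(m.group(1), 16)
    return next((k for k, v in AUDIT_ARCH.items() if v == value), None)


def kernel_audit_options(config_text):
    """Pick CONFIG_AUDIT and CONFIG_AUDITSYSCALL out of a kernel .config."""
    wanted = ("CONFIG_AUDIT", "CONFIG_AUDITSYSCALL")
    enabled = {line.strip()[:-2] for line in config_text.splitlines()
               if line.strip().endswith("=y")}
    return {k: k in enabled for k in wanted}


def triage(machine, config_text, ausyscall_output):
    """Follow the thread's reasoning: user space first, then the kernel.

    `ausyscall_output` is what `ausyscall <arch> open` printed; an empty
    string stands for a build without the ARM syscall table (no --with-arm).
    """
    arch = arch_for_machine(machine)
    if arch is None:
        return "userspace: auditctl cannot map %r to an audit arch" % machine
    if "open" not in parse_ausyscall(ausyscall_output):
        return "userspace: no syscall table for %s (rebuild with --with-arm)" % arch
    opts = kernel_audit_options(config_text)
    if not opts["CONFIG_AUDIT"]:
        return "kernel: CONFIG_AUDIT is not set"
    if not opts["CONFIG_AUDITSYSCALL"]:
        # audit_to_entry_common() rejects entry/exit/task list rules with
        # -EINVAL when the kernel lacks CONFIG_AUDITSYSCALL; auditctl shows
        # this as "Error sending add rule data request (Invalid argument)".
        return "kernel: CONFIG_AUDITSYSCALL is not set, -S rules get EINVAL"
    return "ok: arch=%s (0x%08x), kernel accepts syscall rules" % (arch, AUDIT_ARCH[arch])


if __name__ == "__main__":
    print(triage("armv7l", CONFIG_NO_SYSCALL_AUDIT, AUSYSCALL_SAMPLE))
    print(arch_from_record("type=SYSCALL msg=audit(1445890000.000:1): arch=40000028 syscall=11"))
```

On a real board you would feed `triage()` the output of `uname -m`, the kernel config (`zcat /proc/config.gz` where CONFIG_IKCONFIG_PROC is enabled, otherwise /boot/config-$(uname -r)) and the output of `ausyscall armeb open` as Steve suggests. The arch values are also what you will see in `arch=` on SYSCALL records once rules do load, so `arch_from_record()` doubles as a sanity check that a `-F arch=` filter matches the records the kernel actually emits.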
