* Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-23 23:16 UTC
To: linux-audit
Hi all,
From my Raspberry Pi machine (running the Debian Wheezy distribution), I could see that the kernel is built with audit enabled, and I managed to install the user-space audit client with the following command.
pi@raspberrypi ~ $ sudo apt-get install auditd
However, when I tried to enable audit by issuing the following commands, it doesn't seem to run properly.
pi@raspberrypi ~ $ sudo auditctl -l
No rules
pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
Error detecting machine type
pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
arch=armeb machine type not found
Can anyone tell me whether audit supports ARM-based Linux systems?
Here's my system information, and thanks a lot for your help in advance!
pi@raspberrypi ~ $ sudo uname -a
Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015 armv7l GNU/Linux
pi@raspberrypi ~ $ dpkg -l |grep audit
ii auditd 1:1.7.18-1.1 armhf User space tools for security auditing
ii libaudit0 1:1.7.18-1.1 armhf Dynamic library for security auditing
Regards, Kangkook
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-26 15:55 UTC
To: linux-audit
On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
> Hi all,
>
> From my Raspberry Pi machine (running the Debian Wheezy distribution), I could
> see that the kernel is built with audit enabled, and I managed to install the
> user-space audit client with the following command.
>
> pi@raspberrypi ~ $ sudo apt-get install auditd
>
> However, when I tried to enable audit by issuing the following commands, it
> doesn't seem to run properly.
>
> pi@raspberrypi ~ $ sudo auditctl -l
> No rules
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
> Error detecting machine type
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
> arch=armeb machine type not found
>
> Can anyone tell me whether audit supports ARM-based Linux systems?
Yes. It was added starting in 2.0.4 and was corrected several times.
> Here's my system information, and thanks a lot for your help in advance!
>
> pi@raspberrypi ~ $ sudo uname -a
> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
> armv7l GNU/Linux
>
> pi@raspberrypi ~ $ dpkg -l |grep audit
> ii auditd 1:1.7.18-1.1 armhf User space tools for security auditing
> ii libaudit0 1:1.7.18-1.1 armhf
That one is too old. You need a newer audit package.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 17:13 UTC
To: Steve Grubb; +Cc: linux-audit
Thanks a lot for your support. I will try with a newer version and let you know how it goes!
Regards, Kangkook
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 20:25 UTC
To: Steve Grubb; +Cc: linux-audit
Dear Steve,
I built auditctl from the recent audit source and tried it again, but it failed with the following errors.
pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
(reverse-i-search)`b': sudo auditctl -e1 -^C102400
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
arch elf mapping not found
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
Error detecting machine type
Would you help me with this?
Thanks a lot for your help again!
Regards, Kangkook
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-26 20:37 UTC
To: Kangkook Jee; +Cc: linux-audit
On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
> Dear Steve,
>
> I built auditctl from the recent audit source and tried it again, but it failed
> with the following errors.
>
> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
> (reverse-i-search)`b': sudo auditctl -e1 -^C102400
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
> arch elf mapping not found
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
> Error detecting machine type
>
> Would you help me with this?
Did you add --with-arm to the ./configure line? It's disabled by default.
-Steve
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 20:57 UTC
To: Steve Grubb; +Cc: linux-audit
I added "--with-armeb"; should it be just "--with-arm"?
The following shows my configuration status.
pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-armeb'"
set X /bin/bash './configure' '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf"
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 21:18 UTC
To: Steve Grubb; +Cc: linux-audit
This time, I built with the --with-arm option and tried again. It still fails, but with a different error message.
pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-arm'"
set X /bin/bash './configure' '--with-arm' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf"
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
Error sending add rule data request (Invalid argument)
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-27 3:12 UTC
To: Kangkook Jee; +Cc: linux-audit
On Monday, October 26, 2015 05:18:12 PM Kangkook Jee wrote:
> This time, I built with the --with-arm option and tried again. It still fails, but
> with a different error message.
>
>
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-arm'"
> set X /bin/bash './configure' '--with-arm' $ac_configure_extra_args --no-create --no-recursion
> host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf"
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
> Error sending add rule data request (Invalid argument)
If this works:
ausyscall armeb open
returns something like:
open 5
mq_open 274
openat 322
perf_event_open 364
open_by_handle_at 371
Then user space is working. Anything else would be kernel issues.
-Steve
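The two errors in this thread, "Error detecting machine type" and "arch elf mapping not found", both come from the same step: before a syscall rule can be sent to the kernel, auditctl has to turn the machine it runs on (or the `-F arch=` keyword it was given) into the ELF-derived AUDIT_ARCH value that every syscall rule carries, and the ARM entries of that table are only compiled in with `--with-arm`. The script below is an added example, not code from the audit project or from anyone in the thread. It performs that mapping directly from a binary's ELF header, so the correct `-F arch=` keyword for a board can be determined independently of how auditctl was built. The e_machine constants and the two flag bits are the ones from the ELF specification and `<linux/audit.h>`; the keyword column is assumed to be the set of names auditctl and ausyscall accept for those values. Note that `armeb` names big-endian ARM, while a `gnueabihf` armv7l system like the one in the thread is little-endian, which the keyword `arm` denotes.

```python
"""Map an ELF binary to the arch value auditd syscall rules carry in -F arch=.

Added example (not code from the audit project): reads the ELF header of a
binary built for the target and composes the AUDIT_ARCH_* value the kernel
expects, then names the auditctl/ausyscall keyword for it.
"""
import struct
import sys

# Flag bits that <linux/audit.h> ORs into the ELF e_machine value.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000

# ELF e_machine constants used below.
EM_386, EM_PPC64, EM_S390, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 21, 22, 40, 62, 183

# AUDIT_ARCH_* value -> arch keyword (assumed to match the names auditctl accepts).
AUDIT_ARCH_KEYWORDS = {
    EM_386 | AUDIT_ARCH_LE: "i386",
    EM_X86_64 | AUDIT_ARCH_64BIT | AUDIT_ARCH_LE: "x86_64",
    EM_ARM | AUDIT_ARCH_LE: "arm",       # little-endian ARM (armv7l / armhf)
    EM_ARM: "armeb",                      # big-endian ARM
    EM_AARCH64 | AUDIT_ARCH_64BIT | AUDIT_ARCH_LE: "aarch64",
    EM_PPC64 | AUDIT_ARCH_64BIT: "ppc64",
    EM_PPC64 | AUDIT_ARCH_64BIT | AUDIT_ARCH_LE: "ppc64le",
    EM_S390 | AUDIT_ARCH_64BIT: "s390x",
}


def audit_arch_from_elf(header: bytes) -> int:
    """Return the AUDIT_ARCH_* value for an ELF header (the first 20 bytes suffice)."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]  # class: 1=32-bit, 2=64-bit; data: 1=LE, 2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    little_endian = ei_data == 1
    # e_type sits at offset 16 and e_machine at 18; both are 16-bit fields in file byte order.
    (e_machine,) = struct.unpack(("<" if little_endian else ">") + "H", header[18:20])
    arch = e_machine
    if ei_class == 2:
        arch |= AUDIT_ARCH_64BIT
    if little_endian:
        arch |= AUDIT_ARCH_LE
    return arch


def audit_arch_keyword(arch: int) -> str:
    """Translate an AUDIT_ARCH_* value to the keyword used on the auditctl command line."""
    try:
        return AUDIT_ARCH_KEYWORDS[arch]
    except KeyError:
        # Same situation the thread hit: a machine the compiled-in table does not know.
        raise ValueError("arch elf mapping not found for 0x%08x" % arch) from None


def audit_arch_of_file(path: str) -> str:
    """Read a binary built for the target and return its auditctl arch keyword."""
    with open(path, "rb") as f:
        return audit_arch_keyword(audit_arch_from_elf(f.read(20)))


def make_elf_header(ei_class: int, little_endian: bool, e_machine: int) -> bytes:
    """Constructed 20-byte ELF header prefix (e_ident, e_type=ET_EXEC, e_machine) for testing."""
    e_ident = b"\x7fELF" + bytes([ei_class, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return e_ident + struct.pack(("<" if little_endian else ">") + "HH", 2, e_machine)


def syscall_rule(arch_keyword: str, syscall: str) -> str:
    """Spell the rule with an explicit arch so it does not rely on auditctl's uname() guess."""
    return "auditctl -a exit,always -F arch=%s -S %s" % (arch_keyword, syscall)


if __name__ == "__main__":
    # Constructed headers: the thread's little-endian armv7l case and its big-endian twin.
    for hdr in (make_elf_header(1, True, EM_ARM), make_elf_header(1, False, EM_ARM)):
        arch = audit_arch_from_elf(hdr)
        print("0x%08x -> %s" % (arch, audit_arch_keyword(arch)))
    # The interpreter running this script is normally an ELF binary for the host itself.
    try:
        print(syscall_rule(audit_arch_of_file(sys.executable), "execve"))
    except (OSError, ValueError) as err:
        print("could not classify %s: %s" % (sys.executable, err))
```

Running it on the board from the thread, against any native binary such as `/bin/true`, yields `arm`, and the rule it prints pins the arch explicitly instead of leaving auditctl to detect it. A userspace table that knows the arch, as Steve's `ausyscall` check confirms, is only the first half; the kernel must also be built with CONFIG_AUDITSYSCALL for a syscall rule to be accepted, which is the kernel side he points to.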