From: "Bhagwat, Shriniketan Manjunath" <shriniketan.bhagwat@hpe.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: RE: Audit reporting Invalid argument
Date: Mon, 13 Jun 2016 08:15:36 +0000
Message-ID: <8FC6AD31395616439ECBCD98E071A87F4BF3F544@G4W3296.americas.hpqcorp.net>
In-Reply-To: <1956741.kKb8qJBsiM@x2>

Hi,

Is it possible to start and stop a user-written audit plug-in while auditd and audispd are running?
As I understand it, audispd is started by auditd. Audispd starts the user plug-in programs using their configuration files in the /etc/audisp/plugins.d directory. Auditd and the user plug-ins are started and stopped as part of auditd startup and shutdown.
Is it possible to start the user plug-in after auditd has started and stop the user plug-in before auditd is stopped?

Regards,
Ketan

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit reporting Invalid argument

On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for 
> > CAP_AUDIT_CONTROL
> 
> Are there any future plans to support enabling audit from non root 
> user using CAP_AUDIT_CONTROL?

You are the only person who has asked for it. I suppose it can be done in a couple lines of code. But you still have the permissions of the directories that hold the rules to correct. Easy to fix, but I think you might be fighting the distribution's package manager which would set things back to root every update.


> Regarding suppression of events, I will do some testing and let you 
> know later.
> 
> Is there a way I can avoid default logging of the audit events to 
> /var/log/audit/audit.log?

If you have an old copy of the audit system (2.5.1 or earlier) then use log_format = NOLOG. If you have a current copy, then use write_logs = no.

-Steve

> I do not want audit to log audit events to audit.log, however I will 
> capture them using my plug-in. Is there a way I can accomplish this? I 
> tried commenting out the log_file field in auditd.conf, however the 
> events are still written to audit.log. I think the code below from 
> auditd-config.c is causing audit to write to audit.log
> 
> config->log_file = strdup("/var/log/audit/audit.log");
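As an added example (not code from this thread or from the audit project), the two configuration points discussed above can be exercised together: an audispd plug-in that consumes the records audispd writes to its stdin, grouped into events, and a small check of auditd.conf for the disk-logging setting Steve names (write_logs = no on current versions, log_format = NOLOG on 2.5.1 and earlier). The plugins.d entry shown in the header comment uses the real audispd keys (active, direction, path, type, format); the file name and the install path of the script are assumptions, and the audit records in SAMPLE_EVENTS are constructed for this example.

```python
#!/usr/bin/env python3
"""Minimal audispd plug-in plus an auditd.conf check (illustrative, not the project's code).

A plugins.d entry pointing audispd at this script would look like this
(file name /etc/audisp/plugins.d/example.conf and the script path are assumptions):
    active = yes
    direction = out
    path = /usr/local/bin/audisp-example.py
    type = always
    format = string
With format = string, audispd writes one audit record per line on our stdin.
"""
import re
import signal
import sys
from collections import Counter

# Constructed sample records in the wire format audispd hands to a string plug-in.
SAMPLE_EVENTS = [
    'type=SYSCALL msg=audit(1463409875.123:456): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=7ffd uid=0 auid=1000 comm="cat" exe="/usr/bin/cat" key="etc-read"',
    'type=PATH msg=audit(1463409875.123:456): item=0 name="/etc/shadow" inode=1234 '
    'mode=0100000 ouid=0 ogid=42',
    'type=USER_LOGIN msg=audit(1463409900.000:457): pid=900 uid=0 auid=1000 '
    'msg=\'op=login acct="alice" res=success\'',
    'type=EOE msg=audit(1463409900.000:457): ',
]

# type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value ...>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s?(?P<body>.*)$')
# Values are bare tokens, double-quoted or single-quoted strings.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Parse one audit record line; return None for lines that are not records."""
    m = HEADER_RE.match(line.rstrip('\n'))
    if not m:
        return None
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'ts': float(m.group('ts')),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Group records into events by serial; an event ends at EOE or when the serial changes."""
    events, current, current_serial = [], [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if current and rec['serial'] != current_serial:
            events.append(current)          # serial changed without an EOE marker
            current = []
        current_serial = rec['serial']
        if rec['type'] == 'EOE':            # end-of-event marker closes the group
            if current:
                events.append(current)
            current, current_serial = [], None
        else:
            current.append(rec)
    if current:                             # flush a trailing event on EOF
        events.append(current)
    return events


def summarize(events):
    """Count record types and collect (serial, key) for keyed syscall records."""
    types, keyed = Counter(), []
    for event in events:
        for rec in event:
            types[rec['type']] += 1
            if rec['type'] == 'SYSCALL' and 'key' in rec['fields']:
                keyed.append((rec['serial'], rec['fields']['key']))
    return types, keyed


def disk_logging_disabled(conf_text):
    """True if auditd.conf turns off audit.log: write_logs = no (current) or log_format = NOLOG (<= 2.5.1)."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments
        if '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings.get('write_logs') == 'no' or settings.get('log_format') == 'nolog'


def main():
    # audispd closes our stdin when it stops the plug-in, so EOF is the normal shutdown;
    # also exit cleanly on SIGTERM so no partially read event is lost.
    signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
    types, keyed = summarize(group_events(sys.stdin))
    print('record types:', dict(types), file=sys.stderr)
    print('keyed syscalls:', keyed, file=sys.stderr)


if __name__ == '__main__':
    main()
```

Run it as `cat audit.log | ./audisp-example.py` to see the grouping on real records; under audispd the same script receives the live stream instead. disk_logging_disabled() is the check to run against /etc/audit/auditd.conf after changing the setting, since commenting out log_file alone leaves the compiled-in default path in place, as the quoted strdup line shows.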

Thread overview: 11+ messages
2016-05-09 13:40 Audit reporting Invalid argument Bhagwat, Shriniketan Manjunath
2016-05-09 13:50 ` Steve Grubb
2016-05-11 11:19   ` Bhagwat, Shriniketan Manjunath
2016-05-11 19:52     ` Steve Grubb
2016-05-14  9:40       ` Bhagwat, Shriniketan Manjunath
2016-05-16 12:53         ` Steve Grubb
2016-05-16 17:21           ` Richard Guy Briggs
2016-05-19  3:37           ` Bhagwat, Shriniketan Manjunath
2016-06-13  8:15           ` Bhagwat, Shriniketan Manjunath [this message]
2016-06-13 15:01             ` Steve Grubb
2016-06-14 13:44               ` Bhagwat, Shriniketan Manjunath
