[Logwatch-Devel] patch to audit.conf for recent kernels

Capelle Benoit capelle at labri.fr
Mon Sep 15 08:19:53 MST 2008


Hi,

With recent kernels, there are no more reports from the audit service.

An audit type has been added to audit messages:
http://www.redhat.com/archives/linux-audit/2007-September/msg00000.html
Commit:
http://kerneltrap.org/mailarchive/linux-kernel/2008/2/1/683814

Audit messages from older kernels:
Sep 14 22:55:24 aivcalc kernel: audit(1221425724.645:10675): avc:  denied  { 
read write } for  pid=12183 comm="pickup" name="[eventpoll]" dev=anon_inodefs 
ino=324 scontext=system_u:system_r:postfix_pickup_t:s0 
tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

Audit messages from recent kernels:
Sep 12 12:11:49 ying kernel: type=1400 audit(1221214309.338:19): avc:  denied  
{ sys_rawio } for  pid=30858 comm="sshd" capability=17 
scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 
tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability

Unfortunately, this change broke the regular expression used in audit.conf.

The following patch fixes the issue while remaining compatible with older kernels.

Regards
--
Benoit

diff -ur a/conf/services/audit.conf b/conf/services/audit.conf
--- a/conf/services/audit.conf       2005-06-07 20:17:20.000000000 +0200
+++ b/conf/services/audit.conf   2008-09-15 16:23:15.000000000 +0200
@@ -21,7 +21,7 @@
 # Note that audit lines may have something like audit(1114839915.618:0)
 # as the service name
 # (Some implementations might not precede it with "kernel:")
-*OnlyService = (kernel:)?\s*audit.*
+*OnlyService = (kernel:)?\s*(type=[0-9]+\s*)?audit.*
 *RemoveHeaders

 ########################################################
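Review bot: the comment block above the changed line still only documents the old `audit(1114839915.618:0)` shape of the service name; since the new optional group `(type=[0-9]+\s*)?` exists precisely because recent kernels emit `type=1400 audit(...)`, please extend the comment (for example, `# Recent kernels prefix the field with an audit type, e.g. "type=1400 audit(...)"`) so the next reader knows why the group is there and that it must stay optional for older kernels.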


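To see why the original pattern stops matching and the patched one matches both kernel generations, here is a small Python check (an added example, not part of Benoit's message and not Logwatch's own code, which is Perl; the regex constructs used, `(...)?`, `\s*` and `[0-9]+`, behave identically in both engines). The two audit lines are the ones quoted above, re-joined onto single lines; the unrelated kernel line is constructed. The way the "service" portion is split off the syslog line, and the fact that the pattern is anchored at the start of that portion, are assumptions made for this demonstration rather than a description of Logwatch internals.

```python
import re

# Sample lines from the mailing-list post, re-joined onto one line each.
OLD_KERNEL_LINE = (
    'Sep 14 22:55:24 aivcalc kernel: audit(1221425724.645:10675): avc:  denied  '
    '{ read write } for  pid=12183 comm="pickup" name="[eventpoll]" dev=anon_inodefs '
    'ino=324 scontext=system_u:system_r:postfix_pickup_t:s0 '
    'tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file'
)
NEW_KERNEL_LINE = (
    'Sep 12 12:11:49 ying kernel: type=1400 audit(1221214309.338:19): avc:  denied  '
    '{ sys_rawio } for  pid=30858 comm="sshd" capability=17 '
    'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability'
)
# Constructed non-audit kernel line: the filter must keep rejecting these.
UNRELATED_LINE = 'Sep 12 12:12:00 ying kernel: usb 1-1: new high speed USB device'

# The *OnlyService values before and after the patch, verbatim.
OLD_ONLY_SERVICE = r'(kernel:)?\s*audit.*'
NEW_ONLY_SERVICE = r'(kernel:)?\s*(type=[0-9]+\s*)?audit.*'

# Assumed syslog layout: "Mon DD HH:MM:SS host <service and message>".
SYSLOG_RE = re.compile(r'^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.*)$')

# Parses either audit shape: optional "type=NNNN", then audit(<epoch.ms>:<serial>): <message>.
AUDIT_RE = re.compile(
    r'(?:kernel:)?\s*(?:type=(\d+)\s+)?audit\((\d+\.\d+):(\d+)\):\s*(.*)$'
)


def service_part(line):
    """Return the text after the hostname (assumed to be what OnlyService is matched against)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError('not a syslog-style line: %r' % line)
    return m.group(2)


def matches_only_service(pattern, line):
    """True if the OnlyService pattern accepts the line (anchored at the start of the service part)."""
    return re.match(pattern, service_part(line)) is not None


def select_audit_lines(pattern, lines):
    """Return the subset of lines an OnlyService pattern would hand to the audit script."""
    return [line for line in lines if matches_only_service(pattern, line)]


def audit_event(line):
    """Extract type (None on older kernels), timestamp, serial and message from an audit line."""
    m = AUDIT_RE.match(service_part(line))
    if m is None:
        return None
    audit_type, timestamp, serial, message = m.groups()
    return {
        'type': int(audit_type) if audit_type is not None else None,
        'timestamp': timestamp,
        'serial': int(serial),
        'message': message,
    }


if __name__ == '__main__':
    sample = [OLD_KERNEL_LINE, NEW_KERNEL_LINE, UNRELATED_LINE]
    for name, pattern in (('old', OLD_ONLY_SERVICE), ('patched', NEW_ONLY_SERVICE)):
        kept = select_audit_lines(pattern, sample)
        print('%s pattern keeps %d of %d lines' % (name, len(kept), len(sample)))
    for line in (OLD_KERNEL_LINE, NEW_KERNEL_LINE):
        print(audit_event(line))
```

Run as a script it reports that the old pattern keeps only the older-kernel line while the patched pattern keeps both audit lines and still drops the unrelated one; `audit_event` shows the `type` field is simply absent on older kernels, which is why the new group has to remain optional.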