<html><body> <tt>> - fix bug where inode, devmajor, devminor, exit, and success fields in > auditctl rules were not getting the correct value stored</tt> <tt>For auditctl, what are acceptable values for the -F success flag? </tt> <tt> 0, 1, yes, no? </tt> <tt>1. success=no and success=yes seem to result in the same filter rule being added</tt> <tt>If I do:</tt> <tt># auditctl -a exit,always -S chmod -F success=no</tt> <tt># auditctl -l</tt> <tt>AUDIT_LIST: exit,always success=0 syscall=chmod</tt> <tt>But if I do:</tt> <tt># auditctl -D</tt> <tt># auditctl -a exit,always -S chmod -F success=yes</tt> <tt># auditctl -l</tt> <tt>AUDIT_LIST: exit,always success=0 syscall=chmod</tt> <tt>Notice either way, the rule being added has success=0.</tt> <tt>2. If I add a rule with the flags success=0 and success=1, they seem fine when I list them.</tt> <tt>But I get the same behavior whether I passed in a 0 or 1.</tt> <tt>'auditctl -a exit,always -S chmod -F success=0' captures only successful syscalls.</tt> <tt># auditctl -l</tt> <tt>AUDIT_LIST: exit,always success=0 syscall=chmod</tt> <tt>type=SYSCALL msg=audit(1124855948.374:10067): arch=14 syscall=15 success=yes exit=0 a0=1001a8b0 a1=1ff a2=0 a3=fffffffffefefeff items=1 pid=15044 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"</tt> <tt>'auditctl -a exit,always -S chmod -F success=1' captures only successful syscalls.</tt> <tt># auditctl -l</tt> <tt>AUDIT_LIST: exit,always success=1 (0x1) syscall=chmod</tt> <tt>type=SYSCALL msg=audit(1124855984.507:10070): arch=14 syscall=15 success=yes exit=0 a0=1001a8b0 a1=1ff a2=0 a3=fffffffffefefeff items=1 pid=15051 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"</tt> <tt>'auditctl -a exit,always -S chmod -F success!=0' captures only unsuccessful syscalls</tt> <tt>type=SYSCALL msg=audit(1124856028.814:10073): arch=14 syscall=15 success=no exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=15059 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"</tt> <tt>'auditctl -a exit,always -S chmod -F success!=1' captures only unsuccessful syscalls.</tt> <tt>type=SYSCALL msg=audit(1124856071.099:10083): arch=14 syscall=15 success=no exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=15069 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"</tt> <tt>3. Should -1 be an acceptable value? Currently it is accepted:</tt> <tt># auditctl -a exit,always -S chmod -F success=-1</tt> <tt># auditctl -l</tt> <tt>AUDIT_LIST: exit,always success=-1 (0xffffffff) syscall=chmod</tt> <tt>No watches</tt> <tt>Only successful syscalls result in records which is opposite of what I was expecting.</tt> <tt>The following is an example audit record:</tt> <tt>type=SYSCALL msg=audit(1124853111.231:9988): arch=14 syscall=15 success=yes exit=0 a0=1001a8b0 a1=1ff a2=32000000 a3=fffffffffefefeff items=1 pid=14770 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"</tt> <tt>If I use the rule:</tt> <tt>'auditctl -a exit,always -S chmod -f success!=-1' </tt> <tt>Only unsuccessful syscall result in audit records:</tt> <tt>type=SYSCALL msg=audit(1124854274.322:10026): arch=14 syscall=15 success=no exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=14884 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"</tt> <tt>I've found similar problems with the 'exit' flag and am still investigating.</tt> <tt>-debbie</tt></body></html>