file system auditing, zany timezone issues, design document, etc, etc

Amy Griffis amy.griffis at hp.com
Wed Apr 27 17:49:43 UTC 2005


Timothy R. Chavez wrote:     [Wed Apr 27 2005, 11:26:27AM EDT]
> There is actually a bug in the listing feature... I changed around some
> things without updating user space and now I've managed to mess it all
> up, so I'm in the process of fixing it :) Patches out later today.

I re-tested today with the user space patch applied.  I thought I
would post my results in case they are different from what you found.

    1. -D (delete all rules) doesn't delete any rules
    2. identical rules can be added to the rules list, creating
       multiple entries of the same rule

    The following occur only when we have at least 1 watch on the
    watchlist:

    1. audit rules are not listed
    2. a non-existent rule can be deleted from the rules list, i.e. no
       failure message from auditctl, and a log record is generated
       saying a rule was removed

I see these bugs with the patched version of both audit-0.6.10 and
audit-0.7.1 running with the audit.24 kernel.  I haven't tried the
2.6.12 kernel yet.

Hope this helps.

Amy




More information about the Linux-audit mailing list