audit 1.0.3 released

Steve Grubb sgrubb at redhat.com
Wed Aug 24 14:40:47 UTC 2005


On Wednesday 24 August 2005 00:48, Debora Velarde wrote:
> For auditctl, what are acceptable values for the -F success flag?
>     0, 1, yes, no?

1 & 0. I have updated the man page for 1.0.4 that explains it. I suppose I 
might be able to check the value for yes/no true/false. But right now, it's 1 
or 0.

> 1. success=no and success=yes seem to result in the same filter rule being
> added

This is because atoi of yes is 0.

> 2.  If I add a rule with the flags success=0 and success=1, they seem fine
> when I list them.

Right.

> But I get the same behavior whether I passed in a 0 or 1.

There is a kernel bug in my opinion (auditsc.c):

    case AUDIT_SUCCESS:
        if (ctx && ctx->return_valid)
            result = (ctx->return_valid == AUDITSC_SUCCESS);
        break;

This doesn't use the value that was passed into the kernel. I think this 
should be:

    case AUDIT_SUCCESS:
        if (ctx && ctx->return_valid)
            result = (ctx->return_valid == AUDITSC_SUCCESS) == value;
        break;

> 3.  Should -1 be an acceptable value?

I guess not if we add the value check into the kernel. Only 1 & 0 should be 
permitted.

> I've found similar problems with the 'exit' flag and am still
> investigating.

The exit flag is compared in the kernel. Offhand I don't see a bug with it. If 
you do see something, let us know.

-Steve
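
Added example, not part of the original message and not code from the audit project: a user-space model of the two issues discussed above, the atoi() parse that turns "yes" and "no" into the same rule value, and the filter comparison with and without the rule's value. The helper names, the sample inputs and the numeric constants are assumptions made for this sketch, and the model assumes return_valid is already set.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in values for this model; only the name AUDITSC_SUCCESS is in the message. */
enum { AUDITSC_SUCCESS = 1, AUDITSC_FAILURE = 2 };

/* Lenient parse: atoi() yields 0 for non-numeric text, so "yes" and "no" both give 0. */
static int parse_success_atoi(const char *s) { return atoi(s); }

/* Strict parse (hypothetical helper): accept an integer equal to 0 or 1, reject all else. */
static int parse_success_strict(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || (v != 0 && v != 1))
        return -1;
    *out = (int)v;
    return 0;
}

/* Comparison as first quoted: the rule's value is never consulted. */
static int match_before(int return_valid, int value)
{
    (void)value;
    return return_valid == AUDITSC_SUCCESS;
}

/* Comparison as proposed in the message: the outcome must equal the rule's value. */
static int match_after(int return_valid, int value)
{
    return (return_valid == AUDITSC_SUCCESS) == value;
}

int main(void)
{
    const char *inputs[] = { "1", "0", "yes", "no", "-1" };  /* constructed inputs */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = 0, rc = parse_success_strict(inputs[i], &v);
        printf("%-3s atoi=%d strict=%s\n", inputs[i],
               parse_success_atoi(inputs[i]), rc ? "rejected" : "ok");
    }
    printf("failed syscall, rule success=0: before=%d after=%d\n",
           match_before(AUDITSC_FAILURE, 0), match_after(AUDITSC_FAILURE, 0));
    return 0;
}
```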



