auditctl task ignores -S flag

Debora Velarde dvelarde at us.ibm.com
Mon Jan 17 20:44:32 UTC 2005

Here at IBM we have found that if you create an audit rule which uses
"task", then the -S flag has no effect.  Rather than only auditing the
specified syscalls, all syscalls will generate an audit message.  FYI, the
-F flag seems to work as expected.  If this behavior is acceptable and it
doesn't make sense to use the "-S" flag with "task" rules, then auditctl
needs to be changed to not accept the -S flag in conjunction with "task",
or at least return a warning that the -S flag will be ignored.  The man
page will also need to be changed in order to state the limitation.

Thanks,
debora
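
A way to catch the combination reported above before rules are loaded, as an added example that is not part of the original message or of auditctl: a small Python check that reads audit rule lines and reports every rule placed on the "task" list that also carries -S. The function names and the sample rules are constructed for illustration.

```python
import shlex

# Constructed sample rules (not taken from the original message).
SAMPLE_RULES = """\
# constructed sample
-a task,always -S open -F uid=500
-a always,task -F auid=1000
-a exit,always -S open -S close
-A task,never -Sopen
-a task,always -F 'uid=0'   # no -S, nothing to report
"""


def _options(args):
    """Yield (flag, value) for -a/-A/-S, accepting '-S open' and '-Sopen'."""
    i = 0
    while i < len(args):
        tok = args[i]
        if len(tok) >= 2 and tok[0] == "-" and tok[1] in "aAS":
            if len(tok) > 2:            # value attached to the flag
                yield tok[:2], tok[2:]
            elif i + 1 < len(args):     # value is the next argument
                i += 1
                yield tok, args[i]
        i += 1


def task_rules_with_syscalls(text):
    """Return [(line_number, [syscalls])] for task-list rules that use -S."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            args = shlex.split(raw, comments=True)
        except ValueError:
            continue                    # unbalanced quotes: not a usable rule
        on_task_list, syscalls = False, []
        for flag, value in _options(args):
            if flag in ("-a", "-A"):
                # The list name may come before or after the action.
                on_task_list = "task" in value.split(",")
            else:
                syscalls.append(value)
        if on_task_list and syscalls:
            findings.append((lineno, syscalls))
    return findings


if __name__ == "__main__":
    for lineno, syscalls in task_rules_with_syscalls(SAMPLE_RULES):
        print(f"line {lineno}: task rule with -S {','.join(syscalls)}")
```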