auditctl task ignores -S flag
David Woodhouse
dwmw2 at infradead.org
Tue Jan 18 11:06:18 UTC 2005
On Mon, 2005-01-17 at 14:44 -0600, Debora Velarde wrote:
> <html><body><p>Here at IBM we have found that if you create an audit
> rule which use=s "task", then the -S flag has no affect.
> Rather than only a=uditing the specified syscalls, all syscalls will
> generate an audit mes=sage.
Please don't send HTML email.
The 'task' rule list is used only at the time a task is created -- when
fork() or clone() is called by the parent task. Thus, the syscall mask
is not relevant -- only characteristics of the task which can be seen at
the time it is started, such as the uid, gid, etc., are relevant.
The three possible results of the task-creation rule list are as
follows:
AUDIT_NEVER: Do not allocate an audit context for the new task.
No syscall-specific audit records can be generated.
AUDIT_POSSIBLE: Allocate an audit context for the new task, and
always fill it in at syscall entry time. This makes a
full syscall record available if some other part of the
kernel decides it should be recorded.
AUDIT_ALWAYS: Allocate an audit context, always fill it in at
syscall entry time, and always write out a record at
syscall exit time.
> fyi, the -F flag seems to work as expected. If this behavior =is
> acceptable and it doesn't make sense to use the "-S" flag
> =with "task" rules, then auditctl needs to be changed to not
> a=ccept the -S flag in conjunction with "task", or at least
> ret=urn a warning that the -S flag will be ignored. The man page will
> also= need to be changed in order to state the limitation. <br><br>
> Thanks,<br>debora</body></html>=
The -F flag will work for certain fields but not all. I agree that
auditctl should not accept the -S flag for a 'per-task' rule, and it
shouldn't accept the -F flag with a field numerically greater than
AUDIT_PERS either.
--
dwmw2
More information about the Linux-audit
mailing list