audit 0.9.12 released
Steve Grubb
sgrubb at redhat.com
Thu Jun 23 19:16:44 UTC 2005
On Thursday 23 June 2005 14:09, David Woodhouse wrote:
> Watch filters should have a syscall. If you didn't specify any, then I'd
> guess that neither of those rules are matching, so you're getting the
> default behaviour.
I fixed auditctl so that if you do not specify a syscall, it will default to
all. I use the following and confirmed that it works (will be in 0.9.13):
auditctl -a watch,never -F auid=500
auditctl -w /etc/passwd -k test -p rwxa
cat /etc/passwd >/dev/null
However...I looked at the user filtering and it is not working. I think I know
why. netlink is an async interface. This means that the task may not be alive
when the user message is processed. It currently detects the and returns
-ESRCH, but the sender is long gone.
This means that the generic audit_filter_rules() cannot be used. You can only
filter based on the credentials that netlink gathered from the caller at
reception of message, or move the filtering to the message entry point after
permission checks.
-Steve
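As an added check, not part of this thread or of the audit package: the script below parses audit.log records in the standard `field=value` format and flags any watch-key event logged for the auid that the `never` rule above should have excluded. The sample records are constructed, and a hit means the exclusion rule is not matching.

```python
"""Verify that the 'auid=500 never' rule actually suppresses watch events.

Parses audit SYSCALL records, extracts auid and key, and reports any record
carrying the watch key that was logged for an auid the 'never' rule should
have dropped. The log lines below are constructed sample data.
"""
import re

# Constructed sample records, not taken from a real system. The first line
# models the failure case: a key="test" event that slipped through for auid 500.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1119555404.101:41): arch=40000003 syscall=5 success=yes exit=3 pid=2201 auid=500 uid=500 comm="cat" exe="/bin/cat" key="test"
type=SYSCALL msg=audit(1119555404.102:42): arch=40000003 syscall=5 success=yes exit=3 pid=2205 auid=501 uid=501 comm="cat" exe="/bin/cat" key="test"
type=SYSCALL msg=audit(1119555404.103:43): arch=40000003 syscall=5 success=yes exit=3 pid=2207 auid=501 uid=0 comm="vi" exe="/bin/vi" key="other"
type=USER msg=audit(1119555404.104:44): user pid=2210 uid=0 auid=500 msg='hello'
"""

# Matches name=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict of field name -> value for one audit record line."""
    return {name: value.strip('"') for name, value in FIELD_RE.findall(line)}


def records_with_key(log_text, key):
    """Return parsed SYSCALL records that carry the given watch key."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("key") == key:
            out.append(rec)
    return out


def leaked_records(log_text, key, excluded_auid):
    """Watch-key records whose auid the 'never' rule should have filtered out."""
    return [r for r in records_with_key(log_text, key)
            if r.get("auid") == str(excluded_auid)]


if __name__ == "__main__":
    for rec in leaked_records(SAMPLE_LOG, "test", 500):
        print("exclusion rule not applied:", rec["msg"], "pid", rec["pid"])
```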