auditctl question
Klaus Weidner
klaus at atsec.com
Thu Aug 3 00:22:07 UTC 2006
On Wed, Aug 02, 2006 at 04:49:02PM -0400, Lane Williams wrote:
> Should the following work???
>
> auditctl -a exit,always -S all -F exit=-13
>
> When I use a negative value for exit, I get no output into the logs when
> I should.
> I am using audit-1.2.3 on SuSE Enterprise 10 with the 2.6.16.21 kernel.
What do the audit records look like that you expect to be matching, and
what architecture are you running on? I recall a bug on ia64 where failed
system calls were being audited with "success=yes" and the positive errno,
and a patch to change that to negative errno to be consistent with other
architectures.
Cf.:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173500
which claims to be fixed by:
http://rhn.redhat.com/errata/RHSA-2006-0132.html
-Klaus
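
An added example, not part of the original message or of the audit tools: a small Python check for the question raised in the reply about what the SYSCALL records actually look like. It separates records whose exit field carries the negative errno from records that show the positive errno together with success=yes; the sample lines are constructed and the function names are hypothetical.

```python
import errno
import re

# Constructed sample SYSCALL records (not taken from the thread); fields trimmed.
SAMPLE = """\
type=SYSCALL msg=audit(1154564527.101:41): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1 pid=2101 comm="cat"
type=SYSCALL msg=audit(1154564527.204:42): arch=c0000032 syscall=1028 success=yes exit=13 a0=6000 pid=2102 comm="cat"
type=SYSCALL msg=audit(1154564527.310:43): arch=c000003e syscall=0 success=yes exit=4096 a0=3 pid=2103 comm="cat"
type=SYSCALL msg=audit(1154564527.412:44): arch=c000003e syscall=2 success=no exit=-2 a0=7fff2 pid=2104 comm="ls"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(line, err=errno.EACCES):
    """Label a record by how the given errno appears in its exit field."""
    rec = parse(line)
    if rec.get("type") != "SYSCALL" or "exit" not in rec:
        return "not-syscall"
    exit_val = int(rec["exit"])
    if exit_val == -err:
        # The form a filter on exit=-13 is written for.
        return "negative-errno"
    if exit_val == err and rec.get("success") == "yes":
        # Only a candidate: 13 can also be a genuine return value,
        # for example a byte count, so check the syscall by hand.
        return "positive-errno-candidate"
    return "other"

def summarize(text, err=errno.EACCES):
    """Count records per label so the dominant form is visible at a glance."""
    counts = {}
    for line in text.splitlines():
        if line.strip():
            label = classify(line, err)
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {n}")
```

If the candidate count is high and the negative count is zero on a given machine, the records match the inconsistent form described in the reply rather than the form the rule expects.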