Unable to filter on negative values

Michael C Thompson mcthomps at us.ibm.com
Tue Feb 14 18:07:50 UTC 2006


Hey all,

Apparently, this is a repeated report of a known problem, but here it is 
anyway:

I believe there is a shortcoming with auditctl and specifying a filter 
for a negative value for the field, such as exit, a0, etc.

Here are the steps you can use to verify this:

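#include <unistd.h>

/* Call pread() on an invalid descriptor so the syscall fails
   and returns a negative exit code. */
int main(void) {
        pread(-1, NULL, 0, 0);
        return 0;
}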

Compile the above and add the following rules:

# auditctl -a exit,always -S pread -- captures record
# auditctl -D
# auditctl -a exit,always -S pread -F exit=-9 -- (return code on the system I am using) no record

This can also be done with any syscall (like chmod if you don't want to 
code C), as long as you filter on the right value. It seems that any 
negative value which you try to filter on will fail.

If you have any questions or want more information as to what I've seen, 
just ask.
Mike
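
The steps above depend on knowing which negative return value to filter on. As an added example (not code from the original post), this C program makes a few syscalls that fail deterministically and prints, for each, the exit value and a rule in the post's `-a exit,always -S ... -F exit=` form. The chmod and close probes, the helper names and the missing path are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed path, assumed not to exist on the test system. */
#define MISSING_PATH "/nonexistent-audit-test-path"

/* Each probe makes one syscall that is expected to fail. */
static long probe_pread(void) { return pread(-1, NULL, 0, 0); }
static long probe_chmod(void) { return chmod(MISSING_PATH, 0600); }
static long probe_close(void) { return close(-1); }

struct probe { const char *syscall_name; long (*run)(void); };

static const struct probe probes[] = {
    { "pread", probe_pread },
    { "chmod", probe_chmod },
    { "close", probe_close },
};
#define NPROBES (sizeof probes / sizeof probes[0])

/* libc reports failure as -1 plus errno; the kernel-level return value,
 * which the post filters on as "exit", is -errno. */
long audit_exit_value(const struct probe *p)
{
    errno = 0;
    long ret = p->run();
    return (ret == -1 && errno != 0) ? -(long)errno : ret;
}

/* Format a rule in the form used in the post; returns snprintf's count. */
int format_rule(char *buf, size_t len, const struct probe *p, long exit_value)
{
    return snprintf(buf, len, "auditctl -a exit,always -S %s -F exit=%ld",
                    p->syscall_name, exit_value);
}

int main(void)
{
    char rule[128];
    for (size_t i = 0; i < NPROBES; i++) {
        long v = audit_exit_value(&probes[i]);
        format_rule(rule, sizeof rule, &probes[i], v);
        printf("%-6s exit=%ld\n  %s\n", probes[i].syscall_name, v, rule);
    }
    return 0;
}
```

Each printed rule can be loaded in place of the one in the post to check whether a record is produced for that syscall and exit value.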