Unable to filter on negative values
Linda Knippers
linda.knippers at hp.com
Tue Feb 14 18:17:47 UTC 2006
It seems to work with a rule like this:
/sbin/auditctl -a exit,always -S pread64 -F success=no -F exit=9
-- ljk
Michael C Thompson wrote:
>
> Hey all,
>
> Apparently, this is a repeated report of a known problem, but here it is
> anyway:
>
> I believe there is a shortcoming with auditctl and specifying a filter
> for a negative value for the field, such as exit, a0, etc.
>
> Here are the steps you can use to verify this:
>
> #include <unistd.h>
>
> int main(void) {
>     /* invalid fd: the call fails (exit=-9 on the poster's system) */
>     pread(-1, NULL, 0, 0);
>     return 0;
> }
>
> Compile the above and add the following rules:
>
> # auditctl -a exit,always -S pread -- captures record
> # auditctl -D
> # auditctl -a exit,always -S pread -F exit=-9 -- (return code on the
> system I am using) no record
>
> This can also be done with any syscall (like chmod if you don't want to
> code C), as long as you filter on the right value. It seems that any
> negative value which you try to filter on will fail.
>
> If you have any questions or want more information as to what I've seen,
> just ask.
> Mike
>
>
> ------------------------------------------------------------------------
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
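
The reproduction steps from the quoted message, as an added example that is not part of the original thread: it makes the same failing pread() call, reads the error number from errno, and prints the two rule forms discussed (exit=-N, reported to record nothing, and success=no with exit=N, reported to work). The function names are hypothetical; the syscall names and rule options are the ones used in the messages above.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* make sure unistd.h declares pread() */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Make the failing call from the thread; return the positive errno (0 if it did not fail). */
int failing_pread_errno(void)
{
    errno = 0;
    ssize_t rc = pread(-1, NULL, 0, 0);   /* fd -1 is never a valid descriptor */
    return rc == -1 ? errno : 0;
}

/* Rule form from the original report: filter on the negative exit value. */
int rule_negative_exit(char *buf, size_t len, const char *sc, int err)
{
    return snprintf(buf, len, "auditctl -a exit,always -S %s -F exit=-%d", sc, err);
}

/* Rule form from the reply: success=no plus the positive value. */
int rule_success_no(char *buf, size_t len, const char *sc, int err)
{
    return snprintf(buf, len,
                    "auditctl -a exit,always -S %s -F success=no -F exit=%d", sc, err);
}

int main(void)
{
    char neg[128], pos[128];
    int err = failing_pread_errno();

    if (err == 0) {
        fprintf(stderr, "pread unexpectedly succeeded\n");
        return 1;
    }
    rule_negative_exit(neg, sizeof neg, "pread", err);
    rule_success_no(pos, sizeof pos, "pread64", err);
    printf("pread(-1, NULL, 0, 0) failed: errno=%d (%s)\n", err, strerror(err));
    printf("reported to record nothing:\n  %s\n", neg);
    printf("reported to work:\n  %s\n", pos);
    return 0;
}
```

Load one printed rule at a time, run the program again, and check the audit log for a record; clear the rules with auditctl -D between attempts.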