bug?: audit filtering on negative values
Timothy R. Chavez
tinytim at us.ibm.com
Wed Jan 18 20:18:50 UTC 2006
Hey Mike,
On Wed, 2006-01-18 at 13:49 -0600, Michael C Thompson wrote:
> Hey all,
>
> I'm not sure if anyone else has seen this, or if it's been brought up
> before (though I think not), but I've discovered a problem with trying
> to have audit filter on fields with negative values. I suspect this is
> due to a difference in kernel space and user space, given the results
> I've seen below, but here are the particulars:
>
> On zSeries and on xSeries, we have noticed that we are incapable (in
> some situations) of filtering messages when the filter value is
> negative. On zSeries, this seems to be true for all fields, while on
> xSeries, it's true if the field is a1,a2,a3.
>
> We have explicitly tested -9 and -1, but I believe this code will
> extend to all manner of negative values because it seems to be related
> to the representation of these values in the different architectures
> (32 v 64). I have not tested it on a 32-bit only platform, if someone
> has the ability to do that (should take all of 3 minutes) that would
> probably be useful :)
>
> Below is all of my test information.
>
> Thanks,
> Mike
What kernel are you testing on? I just checked the latest kernel
(lspp.6) and this does look like a problem:
    struct audit_field {
            u32 type;
            u32 val;
            u32 op;
    };
We only allow unsigned val(ues). Eek
-tim
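
Added example, not part of the original thread and not kernel code: a user-space C sketch of how a 32-bit unsigned `val`, as in the struct quoted above, can fail to match a negative value once the recorded value is 64 bits wide. The helper names and the assumption that the comparison zero-extends `val` are illustrative, not taken from the audit source.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors the struct quoted in the reply: val is 32 bits and unsigned. */
struct audit_field {
    uint32_t type;
    uint32_t val;
    uint32_t op;
};

/* Hypothetical helper: storing a signed user value keeps only its low
 * 32 bits, so -9 becomes 0xFFFFFFF7. */
static struct audit_field make_rule(long user_value)
{
    struct audit_field f = { 0, (uint32_t)user_value, 0 };
    return f;
}

/* Assumed 64-bit comparison: val is zero-extended to 64 bits. */
static int match_arg64(const struct audit_field *f, uint64_t recorded)
{
    return recorded == (uint64_t)f->val;
}

/* Assumed 32-bit comparison: both sides are 32 bits wide. */
static int match_arg32(const struct audit_field *f, uint32_t recorded)
{
    return recorded == f->val;
}

/* Illustrative alternative: sign-extend val before comparing. Caveat:
 * unsigned rule values >= 0x80000000 would then be widened as negative. */
static int match_arg64_signext(const struct audit_field *f, uint64_t recorded)
{
    uint64_t wide = f->val;
    if (wide & 0x80000000u)
        wide |= 0xFFFFFFFF00000000ull;
    return recorded == wide;
}

int main(void)
{
    struct audit_field rule = make_rule(-9);      /* value from the thread */
    uint64_t seen64 = (uint64_t)(int64_t)-9;      /* constructed sample */
    printf("64-bit zero-extend: %d\n", match_arg64(&rule, seen64));
    printf("32-bit:             %d\n", match_arg32(&rule, (uint32_t)-9));
    printf("64-bit sign-extend: %d\n", match_arg64_signext(&rule, seen64));
    return 0;
}
```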