bug?: audit filtering on negative values

Timothy R. Chavez tinytim at us.ibm.com
Wed Jan 18 20:18:50 UTC 2006


Hey Mike,

On Wed, 2006-01-18 at 13:49 -0600, Michael C Thompson wrote:
> Hey all,
> 
> I'm not sure if anyone else has seen this, or if it's been brought up
> before (though I think not), but I've discovered a problem with trying
> to have audit filter on fields with negative values. I suspect this is
> due to a difference in kernel space and user space, given the results
> I've seen below, but here are the particulars:
> 
> On zSeries and on xSeries, we have noticed that we are incapable (in
> some situations) of filtering messages when the filter value is
> negative. On zSeries, this seems to be true for all fields, while on
> xSeries, it's true if the field is a1,a2,a3.
> 
> We have explicitly tested -9 and -1, but I believe this code will
> extend to all manner of negative values because it seems to be related
> to the representation of these values in the different architectures
> (32 v 64). I have not tested it on a 32-bit only platform, if someone
> has the ability to do that (should take all of 3 minutes) that would
> probably be useful :)
> 
> Below is all of my test information.
> 
> Thanks,
> Mike

What kernel are you testing on?  I just checked the latest kernel
(lspp.6) and this does look like a problem:

struct audit_field {
        u32                     type;
        u32                     val;
        u32                     op;
};


We only allow unsigned val(ues).  Eek

-tim
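
A minimal model of the mismatch the quoted struct points at, as an added example that is not part of the original thread and is not kernel code. The match functions and their names are hypothetical, and it assumes a negative syscall argument is held sign-extended in a 64-bit register, so it illustrates the suspected a1/a2/a3 case rather than a confirmed root cause.

```c
#include <stdint.h>
#include <stdio.h>

/* Same layout as the struct quoted in the message (u32 written as uint32_t). */
struct audit_field {
    uint32_t type;
    uint32_t val;
    uint32_t op;
};

/* Build a rule from the value the user asked for; a u32 field keeps only
 * the low 32 bits, so -1 is stored as 0xFFFFFFFF. */
static struct audit_field make_rule(long requested)
{
    struct audit_field f = { 0, (uint32_t)requested, 0 };
    return f;
}

/* Hypothetical equality match against a 64-bit syscall argument:
 * f.val is zero-extended before the comparison. */
static int match_u32_rule_64(long requested, uint64_t arg)
{
    struct audit_field f = make_rule(requested);
    return arg == f.val;
}

/* The same match when the argument is only 32 bits wide. */
static int match_u32_rule_32(long requested, uint32_t arg)
{
    struct audit_field f = make_rule(requested);
    return arg == f.val;
}

/* Hypothetical alternative: keep the rule value signed and sign-extend it. */
static int match_signed_rule(int32_t rule_val, uint64_t arg)
{
    return arg == (uint64_t)(int64_t)rule_val;
}

int main(void)
{
    uint64_t a1 = (uint64_t)(int64_t)-1;   /* constructed: -1 in a 64-bit register */
    printf("u32 rule, 64-bit arg: %d\n", match_u32_rule_64(-1, a1));
    printf("u32 rule, 32-bit arg: %d\n", match_u32_rule_32(-1, (uint32_t)-1));
    printf("signed rule, 64-bit arg: %d\n", match_signed_rule(-1, a1));
    return 0;
}
```

In this model a rule for -1 never matches a 64-bit argument of -1, which means the filter silently selects nothing; positive values are unaffected.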



