Problems with -F exit!=-2 on x86_64

Matthew Booth mbooth at redhat.com
Mon Feb 19 21:46:00 UTC 2007


Amongst other things, I'm auditing all open calls on RHEL4 U4. I've
noticed that the dynamic linker generates a massive amount of noise,
most of which is open calls for files which don't exist. These are
uninteresting from an audit perspective as they don't relate to a
successful or unsuccessful attempt to read or write to a particular
file. On my workload, these make up about 45% of audit traffic. The exit
code for these failures is -2 (No such file or directory).

I tried the following on both i386 and x86_64:

auditctl -a exit,always -S open -F exit!=-2

This works exactly as expected on i386, but not on x86_64. The effect on
x86_64 is as if no filtering had been applied. However, the following,
for example, works fine:

auditctl -a exit,always -S open -F exit=3

I'm using auditd-1.0.15 from U5 (audit-1.0.15-2.EL4). I saw the same
behaviour on the vanilla auditd, version 1.0.14. Is this a known issue,
expected behaviour, or user error? If the former, I'll be happy to file
a BZ. However, I'd like to know if it's in user space or kernel space in
case I have to look at it myself.

Thanks,

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
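A way to quantify the ENOENT noise described above and to check whether an `-F exit!=-2` rule is actually taking effect on a given architecture, from raw audit.log records. This is an added example, not code from the original post or from the audit project. It assumes the raw `type=SYSCALL ... arch=... syscall=... exit=...` record layout, the open() syscall numbers 2 (x86_64) and 5 (i386), and the AUDIT_ARCH values c000003e (x86_64) and 40000003 (i386); the sample records are constructed, not real log data.

```python
"""Measure how much open() audit traffic is ENOENT (-2) noise and check whether
an `-S open -F exit!=-2` rule is filtering on each architecture.

Added example; not part of the original mailing-list post. Assumes raw
audit.log SYSCALL record format.
"""
import re
from collections import Counter

# AUDIT_ARCH_* values as printed in the arch= field, and the open() syscall
# number on each architecture (2 on x86_64, 5 on i386).
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}
OPEN_SYSCALL = {"x86_64": 2, "i386": 5}
ENOENT = -2  # errno for "No such file or directory"

# Constructed sample records (not real log data); a0..fsgid fields omitted.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1171921560.001:101): arch=c000003e syscall=2 success=no exit=-2 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1171921560.002:102): arch=c000003e syscall=2 success=yes exit=3 comm="bash" exe="/bin/bash" key=(null)
type=CWD msg=audit(1171921560.002:102): cwd="/home/user"
type=SYSCALL msg=audit(1171921560.003:103): arch=c000003e syscall=2 success=no exit=-2 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1171921560.004:104): arch=c000003e syscall=0 success=yes exit=512 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1171921560.005:105): arch=40000003 syscall=5 success=no exit=-13 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1171921560.006:106): arch=40000003 syscall=5 success=yes exit=4 comm="ls" exe="/bin/ls" key=(null)
"""

# key=value pairs; values are either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_records(text):
    """Return one dict per type=SYSCALL line with arch name, syscall number and exit value."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=SYSCALL "):
            continue  # CWD/PATH/etc. records carry no exit value
        fields = dict(FIELD_RE.findall(line))
        records.append({
            "arch": ARCH_NAMES.get(fields.get("arch"), fields.get("arch")),
            "syscall": int(fields["syscall"]),
            "exit": int(fields["exit"]),
            "comm": fields.get("comm", "").strip('"'),
        })
    return records


def is_open(rec):
    """True if the record is an open() call for its architecture."""
    return rec["syscall"] == OPEN_SYSCALL.get(rec["arch"])


def enoent_share(records):
    """Fraction of open() records whose exit is -2: the 'noise' the post describes."""
    opens = [r for r in records if is_open(r)]
    if not opens:
        return 0.0
    return sum(1 for r in opens if r["exit"] == ENOENT) / len(opens)


def exclude_exit(records, value):
    """User-space equivalent of the kernel filter `-F exit!=<value>`."""
    return [r for r in records if r["exit"] != value]


def enoent_opens_by_arch(records):
    """Count open() records with exit=-2 per architecture.

    After loading `-a exit,always -S open -F exit!=-2`, a nonzero count for an
    architecture means the filter is not being applied there (the symptom
    reported for x86_64).
    """
    counts = Counter(r["arch"] for r in records if is_open(r) and r["exit"] == ENOENT)
    return dict(counts)


if __name__ == "__main__":
    recs = parse_syscall_records(SAMPLE_LOG)
    print(f"open() records: {sum(1 for r in recs if is_open(r))}, "
          f"ENOENT share: {enoent_share(recs):.0%}")
    print("ENOENT opens per arch:", enoent_opens_by_arch(recs))
    print("records left after exit!=-2:", len(exclude_exit(recs, ENOENT)))
```

Run it against a real file by replacing `SAMPLE_LOG` with the contents of `/var/log/audit/audit.log` captured after the rule has been loaded: a non-empty per-architecture count for `x86_64` from `enoent_opens_by_arch` reproduces the symptom in the post, while `enoent_share` measured before the rule is loaded gives the share of open() traffic the rule is meant to drop.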