Why doesn't this rule block syscall records?
Steve Grubb
sgrubb at redhat.com
Thu Jul 12 20:39:08 UTC 2007
On Thursday 12 July 2007 01:22:35 pm Taylor_Tad at emc.com wrote:
> I was trying out a syscall entry rule that I thought would block audit
> records from system services/daemons that haven't had their audit ID
> (auid) set yet.
Which kernel are you using? There was a signed/unsigned promotion and
comparison bug fixed not too long ago.
-Steve
More information about the Linux-audit
mailing list