[Patch] Fix the bug of using "-S syscall -a list, action", no errors will be reported.

Steve Grubb sgrubb at redhat.com
Wed Aug 6 16:57:51 UTC 2008


On Wednesday 06 August 2008 03:27:00 Chu Li wrote:
> And I found another problem, when using "-a 'list','action' -w /mnt", it
> will always add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa".
> I found "-w" will use the "exit" list automatically. I think it's better to
> add something about it in the manual.

There are 2 forms of audit rules, the syscall syntax (-a) and the watch syntax 
(-w). They cannot be mixed. When -w is given, only -p and -k are valid. 
When -a is given, -w is invalid.

The -w notation is primarily for backwards compatibility with RHEL4. In it you 
do not give a list. When writing watches in RHEL5 and later, you can now use 
syscall notation like this:

-a always,exit -F perm=wa -F path=/etc/shadow

Note that -S is not given. The kernel selects the syscalls based on the perm 
field. Hope this helps.

-Steve
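As an added example that is not part of the thread and not auditctl's own code: a small POSIX shell helper that classifies a rule line as watch (-w) or syscall (-a) form, flags a line that mixes the two, and rewrites a legacy -w rule into the -a notation Steve shows. The option letters and the default perm=rwxa come from the messages above; the function names are assumptions.

```shell
# Added example: lint audit.rules lines for the two rule forms discussed in
# the thread (-w watch syntax vs. -a syscall syntax, which cannot be mixed).

# rule_form "<rule line>" -> prints one of: watch | syscall | mixed | other
rule_form() {
    _has_w=0; _has_a=0
    for _tok in $1; do
        case "$_tok" in
            -w) _has_w=1 ;;
            -a) _has_a=1 ;;
        esac
    done
    if [ "$_has_w" -eq 1 ] && [ "$_has_a" -eq 1 ]; then echo mixed
    elif [ "$_has_w" -eq 1 ]; then echo watch
    elif [ "$_has_a" -eq 1 ]; then echo syscall
    else echo other
    fi
}

# watch_to_syscall "-w PATH [-p PERMS] [-k KEY]"
#   -> "-a always,exit -F perm=PERMS -F path=PATH [-k KEY]"
# Only -p and -k are accepted alongside -w (per the reply); anything else
# makes the function return 1 so a caller can reject the line.
# When -p is omitted the kernel-visible default from the thread, rwxa, is used.
watch_to_syscall() {
    set -- $1
    _path=""; _perm="rwxa"; _key=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -w) _path=$2; shift 2 ;;
            -p) _perm=$2; shift 2 ;;
            -k) _key=$2;  shift 2 ;;
            *)  return 1 ;;
        esac
    done
    [ -n "$_path" ] || return 1
    _out="-a always,exit -F perm=$_perm -F path=$_path"
    if [ -n "$_key" ]; then
        _out="$_out -k $_key"
    fi
    echo "$_out"
}
```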
