[PATCH 4/5] Fix the bug of AUDIT_PERM field added without a watch
Steve Grubb
sgrubb at redhat.com
Wed Aug 6 19:13:18 UTC 2008
On Wednesday 06 August 2008 04:15:09 Zhang Xiliang wrote:
> AUDIT_PERM field should used after a watch given.
>
> For example,
> auditctl -a exit,always -F perm=r
>
> No error message is outputed.
> I think we should add checking for it.
This is a legal rule. The kernel will pick the syscalls that satisfy the read
permission. Typically, you would have other fields in addition. So...I'm not
applying this patch.
Thanks,
-Steve
More information about the Linux-audit
mailing list