audit rule problem

LC Bruzenak lenny at magitekltd.com
Wed Nov 15 17:20:57 UTC 2017


On 11/15/2017 10:16 AM, Steve Grubb wrote:
> OK. That's something that can be checked.  And I confirm this is the case.
>
> [root at x2 ~]# auditctl -a always,exit -F arch=b64 -S open -F subj_type=doesnt_exist_t
> [root at x2 ~]# echo $?
> 0
> [root at x2 ~]# auditctl -l | grep doesnt_exist_t
> -a always,exit -F arch=b64 -S open -F subj_type=doesnt_exist_t
> [root at x2 ~]# auditctl -d always,exit -F arch=b64 -S open -F subj_type=doesnt_exist_t
>
> That said, you can also write a rule with auid=40000 which would be an invalid
> user. The kernel has no concept of what uids are valid. So, I expect we have
> the same issue with policy. I don't know if the kernel can check if a type is
> valid. Typically policy is compiled into numbers and that's what the kernel
> understands.
>
> -Steve

Thanks Steve. I wouldn't mind as much if it accepts types not currently 
loaded (seems like a warning would be nice though), however the part 
about it subsequently discarding valid events due to the bogus type is 
the troubling part.

LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
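The exchange above shows that auditctl returns 0 and loads the rule even when the subj_type names a type that is not in the loaded policy. An added example (not from this thread or the audit project) of a pre-flight check that refuses to load a rule whose subj_type/obj_type is unknown. The list of known types is a constructed sample embedded so the script runs offline; in real use it would be replaced by the output of `seinfo -t` from setools (assumed available), and `auditctl` itself is only invoked by `load_rule`.

```shell
#!/bin/sh
# Added example, not code from the thread: check the SELinux type named in an
# audit rule against the loaded policy before handing the rule to auditctl,
# since auditctl accepts any type name and exits 0 (as shown in the thread).

# Constructed sample of policy type names. Assumption: in production this is
# filled from `seinfo -t` (setools), e.g. KNOWN_TYPES=$(seinfo -t | sed 1d).
KNOWN_TYPES="$(printf '%s\n' unconfined_t sshd_t httpd_t init_t)"

# extract_type RULE
#   Prints the value of the -F subj_type= or -F obj_type= field in RULE,
#   or nothing if the rule carries no type filter.
extract_type() {
    printf '%s\n' "$1" |
        sed -En 's/.*-F[[:space:]]*(subj_type|obj_type)=([^[:space:]]+).*/\2/p'
}

# type_known NAME -> exit 0 when NAME appears in KNOWN_TYPES, 1 otherwise
type_known() {
    printf '%s\n' "$KNOWN_TYPES" | grep -qx -- "$1"
}

# check_rule RULE
#   exit 0 when the rule has no type filter or its type is in the policy;
#   exit 1 (with a warning on stderr) when the type is unknown, which is the
#   case auditctl silently accepts.
check_rule() {
    t=$(extract_type "$1")
    [ -z "$t" ] && return 0
    if type_known "$t"; then
        return 0
    fi
    echo "WARNING: type '$t' is not in the loaded policy, rule not loaded: $1" >&2
    return 1
}

# load_rule RULE
#   Runs check_rule first and only then passes the rule to auditctl.
#   Assumption: auditctl is on PATH and the caller has the needed privilege.
load_rule() {
    check_rule "$1" || return 1
    # word-splitting the rule string into auditctl arguments is intentional
    # shellcheck disable=SC2086
    set -- $1
    auditctl "$@"
}
```

Run `load_rule "-a always,exit -F arch=b64 -S open -F subj_type=sshd_t"` in place of a direct auditctl call; a rule with a typo in the type is rejected before it can reach the kernel and start filtering out events it was meant to capture.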

