audit 1.0.3 released

Debora Velarde dvelarde at us.ibm.com
Wed Aug 24 04:48:00 UTC 2005

> - fix bug where inode, devmajor, devminor, exit, and success fields in
> auditctl rules were not getting the correct value stored

For auditctl, what are acceptable values for the -F success flag?
    0, 1, yes, no?

1. success=no and success=yes seem to result in the same filter rule being
added
If I do:
# auditctl -a exit,always -S chmod -F success=no
# auditctl -l
AUDIT_LIST: exit,always success=0 syscall=chmod

But if I do:
# auditctl -D
# auditctl -a exit,always -S chmod -F success=yes
# auditctl -l
AUDIT_LIST: exit,always success=0 syscall=chmod

Notice either way, the rule being added has success=0.


2.  If I add a rule with the flags success=0 and success=1, they seem fine
when I list them.
But I get the same behavior whether I passed in a 0 or 1.

'auditctl -a exit,always -S chmod -F success=0' captures only successful
syscalls.
# auditctl -l
AUDIT_LIST: exit,always success=0 syscall=chmod
type=SYSCALL msg=audit(1124855948.374:10067): arch=14 syscall=15
success=yes exit=0 a0=1001a8b0 a1=1ff a2=0 a3=fffffffffefefeff items=1
pid=15044 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"

'auditctl -a exit,always -S chmod -F success=1' captures only successful
syscalls.
# auditctl -l
AUDIT_LIST: exit,always success=1 (0x1) syscall=chmod
type=SYSCALL msg=audit(1124855984.507:10070): arch=14 syscall=15
success=yes exit=0 a0=1001a8b0 a1=1ff a2=0 a3=fffffffffefefeff items=1
pid=15051 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"

'auditctl -a exit,always -S chmod -F success!=0' captures only unsuccessful
syscalls.
type=SYSCALL msg=audit(1124856028.814:10073): arch=14 syscall=15 success=no
exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=15059 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="chmod" exe="/bin/chmod"

'auditctl -a exit,always -S chmod -F success!=1' captures only unsuccessful
syscalls.
type=SYSCALL msg=audit(1124856071.099:10083): arch=14 syscall=15 success=no
exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=15069 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="chmod" exe="/bin/chmod"


3.  Should -1 be an acceptable value?  Currently it is accepted:
# auditctl -a exit,always -S chmod -F success=-1
# auditctl -l
AUDIT_LIST: exit,always success=-1 (0xffffffff) syscall=chmod
No watches
Only successful syscalls result in records, which is the opposite of what I was
expecting.
The following is an example audit record:
type=SYSCALL msg=audit(1124853111.231:9988): arch=14 syscall=15 success=yes
exit=0 a0=1001a8b0 a1=1ff a2=32000000 a3=fffffffffefefeff items=1 pid=14770
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 comm="chmod" exe="/bin/chmod"

If I use the rule:
'auditctl -a exit,always -S chmod -f success!=-1'
Only unsuccessful syscalls result in audit records:
type=SYSCALL msg=audit(1124854274.322:10026): arch=14 syscall=15 success=no
exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=14884 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="chmod" exe="/bin/chmod"

I've found similar problems with the 'exit' flag and am still
investigating.

-debbie
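As an added example (not part of this thread or of the audit package), a small Python checker that assumes the semantics described in the auditctl man page: success=1 selects syscalls whose exit value is >= 0, success=0 selects the failed ones, and yes/no are aliases for 1/0. It parses SYSCALL records like the ones quoted above and lists the serial numbers that a given -F success filter should not have produced, which is exactly the mismatch reported in this mail.

```python
import re

# Constructed sample records, copied from the SYSCALL events quoted in the mail
# (one successful chmod, one failed chmod; trailing fields trimmed).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1124855948.374:10067): arch=14 syscall=15 '
    'success=yes exit=0 a0=1001a8b0 a1=1ff items=1 pid=15044 auid=500 '
    'comm="chmod" exe="/bin/chmod"',
    'type=SYSCALL msg=audit(1124856028.814:10073): arch=14 syscall=15 '
    'success=no exit=-1 a0=1001a8b0 a1=16d items=1 pid=15059 auid=500 '
    'comm="chmod" exe="/bin/chmod"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')
# Assumed spellings for the success value; -1 (accepted by auditctl 1.0.3) is rejected.
TRUE_WORDS = {"1", "yes", "true"}
FALSE_WORDS = {"0", "no", "false"}


def parse_record(line):
    """Turn one key=value audit record into a dict, quotes stripped."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(1)
    return rec


def parse_success_filter(arg):
    """Parse 'success=0' / 'success!=1' into (op, wanted_success: bool)."""
    m = re.fullmatch(r'success(=|!=)(\S+)', arg)
    if not m:
        raise ValueError("not a success filter: %r" % arg)
    op, val = m.group(1), m.group(2).lower()
    if val in TRUE_WORDS:
        return op, True
    if val in FALSE_WORDS:
        return op, False
    raise ValueError("unsupported success value: %r" % val)


def record_matches(filter_arg, rec):
    """Documented semantics: success=1 selects calls whose exit value is >= 0."""
    op, wanted = parse_success_filter(filter_arg)
    actual = int(rec["exit"]) >= 0  # agrees with the record's success=yes/no field
    return actual == wanted if op == "=" else actual != wanted


def unexpected_captures(filter_arg, lines):
    """Serials of records the rule produced that it should not have matched."""
    return [r["serial"] for r in map(parse_record, lines)
            if not record_matches(filter_arg, r)]
```

Feeding the records an actual rule generated into unexpected_captures shows at a glance whether the kernel applied the filter the way the documentation says; an empty list means the rule behaved as intended.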