[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditctl task ignores -S flag

On Mon, 2005-01-17 at 14:44 -0600, Debora Velarde wrote:
> <html><body><p>Here at IBM we have found that if you create an audit
> rule which use=s &quot;task&quot;, then the -S flag has no affect.
> Rather than only a=uditing the specified syscalls, all syscalls will
> generate an audit mes=sage. 

Please don't send HTML email. 

The 'task' rule list is used only at the time a task is created -- when
fork() or clone() is called by the parent task. Thus, the syscall mask
is not relevant -- only characteristics of the task which can be seen at
the time it is started, such as the uid, gid, etc., are relevant.

The three possible results of the task-creation rule list are as

	AUDIT_NEVER: Do not allocate an audit context for the new task.
		No syscall-specific audit records can be generated.

	AUDIT_POSSIBLE: Allocate an audit context for the new task, and
		always fill it in at syscall entry time. This makes a
		full syscall record available if some other part of the
		kernel decides it should be recorded.

	AUDIT_ALWAYS: Allocate an audit context, always fill it in at
		syscall entry time, and always write out a record at
		syscall exit time.

> fyi, the -F flag seems to work as expected.   If  this behavior =is
> acceptable and it doesn't make sense to use the &quot;-S&quot; flag
> =with &quot;task&quot; rules, then auditctl needs to be changed to not
> a=ccept the -S flag in conjunction with &quot;task&quot;, or at least
> ret=urn a warning that the -S flag will be ignored.  The man page will
> also= need to be changed in order to state the limitation.  <br><br>
> Thanks,<br>debora</body></html>=

The -F flag will work for certain fields but not all. I agree that
auditctl should not accept the -S flag for a 'per-task' rule, and it
shouldn't accept the -F flag with a field numerically greater than
AUDIT_PERS either.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]