[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit 0.9.12 released



On Thursday 23 June 2005 14:09, David Woodhouse wrote:
> Watch filters should have a syscall. If you didn't specify any, then I'd
> guess that neither of those rules are matching, so you're getting the
> default behaviour.

I fixed auditctl so that if you do not specify a syscall, it will default to 
all. I use the following and confirmed that it works (will be in 0.9.13):

auditctl -a watch,never -F auid=500
auditctl -w /etc/passwd -k test -p rwxa
cat /etc/passwd >/dev/null

However...I looked at the user filtering and it is not working. I think I know 
why. netlink is an async interface. This means that the task may not be alive 
when the user message is processed. It currently detects the and returns 
-ESRCH, but the sender is long gone.

This means that the generic audit_filter_rules() cannot be used. You can only 
filter based on the credentials that netlink gathered from the caller at 
reception of message, or move the filtering to the message entry point after 
permission checks.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]