[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Unable to filter on negative values

It seems to work with a rule like this:
/sbin/auditctl -a exit,always -S pread64 -F success=no -F exit=9

-- ljk

Michael C Thompson wrote:

Hey all,

Apparently, this is a repeated report of a known problem, but here it is anways:

I believe there is a short coming with auditctl and specifying a filter for a negative value for the field, such as exit, a0, etc.

Here are the steps you can use to verify this:

#include <unistd.h>
int main() {

Compile the above and add the following rules:

# auditctl -a exit,always -S pread -- captures record
# auditctl -D
# auditctl -a exit,always -S pread -F exit=-9 -- (return code on the system I am using) no record

This can also be done with any syscall (like chmod if you don't want to code C), as long as you filter on the right value. It seems that any negative value which you try to filter on will fail.

If you have any questions or want more information as to what I've seen, just ask.


Linux-audit mailing list
Linux-audit redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]