[PATCH] auditctl -l listing with correct operators
Michael C Thompson
thompsmc at us.ibm.com
Wed May 17 19:14:02 UTC 2006
Michael C Thompson wrote:
> With the current version of audit, auditctl -l only prints an equal, not
> equal operator when it displays rules, while the rules in the kernel are
> operating correctly, this is mostly an inconvenience, since it is not
> possible to tell what rules are really in the kernel.
>
> The problem lies in the audit_print_reply logic not detecting the type
> of the message (either AUDIT_LIST or AUDIT_LIST_RULE).
>
> Below is a patch which adds this detection.
>
> Thanks,
> Mike

This thread is technically a repost, because I realized that hiding a
patch inside a big discussion thread is probably a no-no, and it's just a
dumb idea to begin with. Oh well, live and be dumb.

Below is some testing between the original code and the patched code.

# auditctl -a entry,always -S chmod -F 'uid=100'
# auditctl -a entry,always -S chmod -F 'uid>200'
# auditctl -a entry,always -S chmod -F 'uid>=300'
# auditctl -a entry,always -S chmod -F 'uid!=400'
# auditctl -a entry,always -S chmod -F 'uid<500'
# auditctl -a entry,always -S chmod -F 'uid<=600'
# auditctl -l [ audit-1.2.2 auditctl pre-patch]
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid=200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid=500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid=600 (0x258) syscall=chmod
# auditctl -l [ audit-1.2.2 auditctl post-patch ]
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid>200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid>=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid!=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid<500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid<=600 (0x258) syscall=chmod
Thanks,
Mike
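
Added example (not part of the original message or of the audit project's code): a check that compares the operators rules were added with against what auditctl -l reports, run over the commands and the two listings copied from the test run above. The regular expressions and the function name operator_mismatches are assumptions of this example and only cover the numeric field comparisons used in that test.

```python
import re

# Longest operators first so '>=' is not read as '>'.
OP = r"(>=|<=|!=|=|>|<)"
ADD_RE = re.compile(r"-F\s+'?([a-z]+)" + OP + r"(\d+)")
LIST_RE = re.compile(r"^LIST_RULES:\s+\S+\s+([a-z]+)" + OP + r"(\d+)", re.M)

# Commands and listings copied from the test run in the message above.
ADDED = """\
auditctl -a entry,always -S chmod -F 'uid=100'
auditctl -a entry,always -S chmod -F 'uid>200'
auditctl -a entry,always -S chmod -F 'uid>=300'
auditctl -a entry,always -S chmod -F 'uid!=400'
auditctl -a entry,always -S chmod -F 'uid<500'
auditctl -a entry,always -S chmod -F 'uid<=600'
"""
PRE_PATCH = """\
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid=200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid=500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid=600 (0x258) syscall=chmod
"""
POST_PATCH = """\
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid>200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid>=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid!=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid<500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid<=600 (0x258) syscall=chmod
"""

def operator_mismatches(added, listing):
    """Return (field, value, intended_op, listed_op) for every rule whose
    listed operator differs from the one it was added with."""
    listed = {(f, v): op for f, op, v in LIST_RE.findall(listing)}
    out = []
    for field, op, value in ADD_RE.findall(added):
        shown = listed.get((field, value))  # None: rule not listed at all
        if shown != op:
            out.append((field, value, op, shown))
    return out

if __name__ == "__main__":
    for name, listing in (("pre-patch", PRE_PATCH), ("post-patch", POST_PATCH)):
        print(name, operator_mismatches(ADDED, listing))
```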