[PATCH] auditctl -l listing with correct operators

Dustin Kirkland dustin.kirkland at gmail.com
Thu May 18 21:11:11 UTC 2006


On 5/17/06, Michael C Thompson <thompsmc at us.ibm.com> wrote:
> Michael C Thompson wrote:
> > With the current version of audit, auditctl -l only prints an equal, not
> > equal operator when it displays rules, while the rules in the kernel are
> > operating correctly, this is mostly an inconvenience, since it is not
> > possible to tell what rules are really in the kernel.
> >
> > The problem lies in the audit_print_reply logic not detecting the type
> > of the message (either AUDIT_LIST or AUDIT_LIST_RULE).
> >
> > Below is a patch which adds this detection.
> >
> > Thanks,
> > Mike
>
> This thread is technically a repost, because I realized that hiding a
> patch inside a big discussion thread is probably a no-no, and it's just a
> dumb idea to begin with. Oh well, live and be dumb.
>
> Below is some testing between the original code and the patched code.
>
> # auditctl -a entry,always -S chmod -F 'uid=100'
> # auditctl -a entry,always -S chmod -F 'uid>200'
> # auditctl -a entry,always -S chmod -F 'uid>=300'
> # auditctl -a entry,always -S chmod -F 'uid!=400'
> # auditctl -a entry,always -S chmod -F 'uid<500'
> # auditctl -a entry,always -S chmod -F 'uid<=600'
>
> # auditctl -l    [ audit-1.2.2 auditctl pre-patch]
> LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
> LIST_RULES: entry,always uid=200 (0xc8) syscall=chmod
> LIST_RULES: entry,always uid=300 (0x12c) syscall=chmod
> LIST_RULES: entry,always uid=400 (0x190) syscall=chmod
> LIST_RULES: entry,always uid=500 (0x1f4) syscall=chmod
> LIST_RULES: entry,always uid=600 (0x258) syscall=chmod
>
>
> # auditctl -l   [ audit-1.2.2 auditctl post-patch ]
> LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
> LIST_RULES: entry,always uid>200 (0xc8) syscall=chmod
> LIST_RULES: entry,always uid>=300 (0x12c) syscall=chmod
> LIST_RULES: entry,always uid!=400 (0x190) syscall=chmod
> LIST_RULES: entry,always uid<500 (0x1f4) syscall=chmod
> LIST_RULES: entry,always uid<=600 (0x258) syscall=chmod
>

This looks good, Mike.


:-Dustin
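
A check for the mismatch described in this thread, as an added example that is not part of the original messages or of the audit project's code: it compares the `-F` expressions that were loaded with what `auditctl -l` prints, using the thread's own test data. The function names are hypothetical, and the sketch assumes each field/value pair appears in only one rule.

```python
import re

# Two-character operators come first so ">=" is not read as ">" then "=".
FIELD_RE = re.compile(r"\b([a-z0-9_]+)(>=|<=|!=|=|>|<)(\w+)")

def rule_fields(text):
    """Return {(field, value): operator} for each comparison found in text."""
    return {(name, value): op for name, op, value in FIELD_RE.findall(text)}

def operator_mismatches(requested, listing):
    """Compare loaded -F expressions against `auditctl -l` output.

    Returns (field, value, requested_op, listed_op) for every requested
    comparison that the listing shows with a different operator, or does
    not show at all (listed_op is then None).
    """
    listed = rule_fields(listing)
    problems = []
    for expr in requested:
        for (name, value), op in rule_fields(expr).items():
            shown = listed.get((name, value))
            if shown != op:
                problems.append((name, value, op, shown))
    return problems

# The -F expressions and both listings are copied from the thread above.
REQUESTED = ["uid=100", "uid>200", "uid>=300", "uid!=400", "uid<500", "uid<=600"]

PRE_PATCH = """\
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid=200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid=500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid=600 (0x258) syscall=chmod
"""

POST_PATCH = """\
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid>200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid>=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid!=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid<500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid<=600 (0x258) syscall=chmod
"""

if __name__ == "__main__":
    for label, listing in (("pre-patch", PRE_PATCH), ("post-patch", POST_PATCH)):
        for name, value, want, got in operator_mismatches(REQUESTED, listing):
            print(f"{label}: {name} {value}: loaded '{want}', listed '{got}'")
```
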



