Why doesn't this rule block syscall records?

Taylor_Tad at emc.com
Thu Jul 12 17:22:35 UTC 2007


I was trying out a syscall entry rule that I thought would block audit
records from system services/daemons that haven't had their audit ID
(auid) set yet.  I've tried both:


-a entry,never -S all -F auid=-1

AND

-a entry,never -S all -F auid=4294967295


4294967295 is the value that shows up in the audit log for these
services.  I would have thought this rule was saying that at syscall
entry (for any system call), don't generate an audit event if the auid
is -1 or 4294967295.  It seems to have the opposite effect.  Have I
missed something?  Is this rule not saying what I want?


--Tad Taylor
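As an added example (not part of Tad's post or of the audit project's code), a userspace post-filter that recognises the unset-auid sentinel in both spellings the question mentions (-1 and 4294967295) and separates those SYSCALL records from ones tied to a logged-in user; the sample records are constructed, not taken from a real log.

```python
"""Userspace filter for Linux audit SYSCALL records whose login UID (auid) is unset.

The kernel stores an unset auid as (uid_t)-1, which the audit log prints as
4294967295.  Records from daemons started at boot carry this value because no
login session ever set their auid.
"""
import re
from collections import Counter

UNSET_AUID = 4294967295  # (uid_t)-1: no login UID has been assigned

# Constructed sample log lines for this example; not real audit output.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1184260955.101:201): arch=c000003e syscall=2 success=yes exit=3 auid=4294967295 uid=0 gid=0 comm="crond" exe="/usr/sbin/crond"
type=SYSCALL msg=audit(1184260955.102:202): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=500 gid=500 comm="bash" exe="/bin/bash"
type=CWD msg=audit(1184260955.102:202):  cwd="/home/tad"
type=SYSCALL msg=audit(1184260955.103:203): arch=c000003e syscall=2 success=no exit=-13 auid=4294967295 uid=0 gid=0 comm="syslogd" exe="/sbin/syslogd"
type=SYSCALL msg=audit(1184260955.104:204): arch=c000003e syscall=2 success=yes exit=4 auid=500 uid=0 gid=0 comm="su" exe="/bin/su"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit line into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def auid_is_unset(record):
    """True when the record's auid is the unset sentinel, in either spelling."""
    auid = record.get("auid")
    return auid is not None and int(auid) in (-1, UNSET_AUID)

def split_syscall_records(log_text):
    """Return (unset_auid_records, logged_in_records) for SYSCALL lines only."""
    unset, logged_in = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # CWD, PATH, etc. carry no auid of their own
        (unset if auid_is_unset(rec) else logged_in).append(rec)
    return unset, logged_in

def unset_auid_by_exe(log_text):
    """Count how many unset-auid SYSCALL records each executable produced."""
    unset, _ = split_syscall_records(log_text)
    return Counter(rec["exe"] for rec in unset)

if __name__ == "__main__":
    unset, logged_in = split_syscall_records(SAMPLE_LOG)
    print(f"{len(unset)} unset-auid records, {len(logged_in)} from logged-in users")
    for exe, n in unset_auid_by_exe(SAMPLE_LOG).items():
        print(f"  {exe}: {n}")
```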


