Why doesn't this rule block syscall records?
Taylor_Tad at emc.com
Fri Jul 13 12:18:57 UTC 2007
It's pretty much a stock RHEL 4.4 system.
{marge.rtp.dg.com}_5: rpm -q kernel audit audit-libs
kernel-2.6.9-42.EL
audit-1.0.14-1.EL4
audit-libs-1.0.14-1.EL4
{marge.rtp.dg.com}_6:
So, is the general idea behind the rules sound? You should be able to
block audit records for unset auids?
-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Thursday, July 12, 2007 4:39 PM
To: linux-audit at redhat.com
Cc: Taylor, Tad
Subject: Re: Why doesn't this rule block syscall records?
On Thursday 12 July 2007 01:22:35 pm Taylor_Tad at emc.com wrote:
> I was trying out a syscall entry rule that I thought would block audit
> records from system services/daemons that haven't had their audit ID
> (auid) set yet.
Which kernel are you using? There was a signed/unsigned promotion and
comparison bug fixed not too long ago.
-Steve
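Added illustration (not code from this thread, from auditctl or from the kernel) of why an "unset" audit ID interacts badly with a signed/unsigned comparison: the kernel marks a process that has not had its auid set with the value (uid_t)-1, i.e. 4294967295. The match_auid() helper, its op names and the signed_cmp flag are assumptions made for this example, not the audit subsystem's own interface.

```c
/* Toy rule evaluator: "auid <op> val", comparing either as uint32 or after
 * promotion to a signed int (the kind of bug the reply above mentions).
 * match_auid() and its operators are hypothetical, for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define AUID_UNSET ((uint32_t)-1)   /* 4294967295: auid not yet set */

enum auid_op { OP_EQ, OP_NE, OP_LT, OP_GE };

bool match_auid(uint32_t auid, enum auid_op op, uint32_t val, bool signed_cmp)
{
    if (signed_cmp) {
        /* Signed promotion: 4294967295 becomes -1 before the comparison. */
        int32_t a = (int32_t)auid, v = (int32_t)val;
        switch (op) {
        case OP_EQ: return a == v;
        case OP_NE: return a != v;
        case OP_LT: return a <  v;
        case OP_GE: return a >= v;
        }
    } else {
        switch (op) {
        case OP_EQ: return auid == val;
        case OP_NE: return auid != val;
        case OP_LT: return auid <  val;
        case OP_GE: return auid >= val;
        }
    }
    return false;
}

int main(void)
{
    /* Equality against the unset sentinel is the same either way ... */
    printf("unset == unset (unsigned): %d\n", match_auid(AUID_UNSET, OP_EQ, AUID_UNSET, false));
    printf("unset == unset (signed):   %d\n", match_auid(AUID_UNSET, OP_EQ, AUID_UNSET, true));
    /* ... but an ordering rule such as auid>=500 sees the unset auid as the
     * largest possible uid unsigned and as -1 signed, so daemons that have no
     * auid yet silently flip in or out of the rule's match set. */
    printf("unset >= 500 (unsigned):   %d\n", match_auid(AUID_UNSET, OP_GE, 500, false));
    printf("unset >= 500 (signed):     %d\n", match_auid(AUID_UNSET, OP_GE, 500, true));
    return 0;
}
```

When checking whether a rule for unset auids behaves as expected on a given kernel, compare the records produced by a daemon started at boot against those of an interactive login with the same rule loaded, rather than reasoning from the rule text alone.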