Why doesn't this rule block syscall records?

Taylor_Tad at emc.com
Fri Jul 13 12:18:57 UTC 2007


  It's pretty much a stock RHEL 4.4 system.  
  	{marge.rtp.dg.com}_5: rpm -q kernel audit audit-libs
  	kernel-2.6.9-42.EL
  	audit-1.0.14-1.EL4
  	audit-libs-1.0.14-1.EL4
  	{marge.rtp.dg.com}_6:
  
  So, is the general idea behind the rules sound?  You should be able to
block audit records for unset auids?
  
  -----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Thursday, July 12, 2007 4:39 PM
To: linux-audit at redhat.com
Cc: Taylor, Tad
Subject: Re: Why doesn't this rule block syscall records?
  
  On Thursday 12 July 2007 01:22:35 pm Taylor_Tad at emc.com wrote:
  > I was trying out a syscall entry rule that I thought would block audit
  > records from system services/daemons that haven't had their audit ID
  > (auid) set yet.
  
  Which kernel are you using? There was a signed/unsigned promotion and 
  comparison bug fixed not too long ago.
  
  -Steve
  
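The thread is about a syscall rule meant to drop records whose login uid (auid) is still unset, and Steve's reply points at a signed/unsigned comparison bug as the likely reason the filter did not match. The script below is an added illustration, not code from the thread or from the audit package: it parses a few constructed audit.log-style SYSCALL records, normalises the auid field the way the kernel stores it (uid_t, so "unset" is (uid_t)-1 = 4294967295, which auditctl also accepts as -1), and partitions the records into the ones a "never" rule on an unset auid would suppress and the ones it would still log. The sample log lines, pids and executables are made up for the example; the rule syntax named in the comments is the general auditctl form, not the exact rule Tad tried.

```python
import re

# Kernel representation of an unset login uid: (uid_t)-1 as an unsigned 32-bit value.
AUID_UNSET = 0xFFFFFFFF

# Constructed sample records in the layout of /var/log/audit/audit.log.
# They are not taken from the thread; timestamps, pids and paths are invented.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1184242955.123:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 ppid=1 pid=512 auid=4294967295 uid=0 gid=0 comm="crond" exe="/usr/sbin/crond"
type=SYSCALL msg=audit(1184242956.456:102): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5678 ppid=2000 pid=2010 auid=500 uid=500 gid=500 comm="vi" exe="/bin/vi"
type=SYSCALL msg=audit(1184242957.789:103): arch=c000003e syscall=59 success=yes exit=0 a0=7fff9abc ppid=1 pid=600 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd"
type=USER_LOGIN msg=audit(1184242958.000:104): user pid=601 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" res=success'
"""

# key=value pairs; quoted values may contain spaces, bare values may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict of key=value fields from one audit.log line."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def normalize_auid(value):
    """Reduce any textual auid to the unsigned 32-bit value the kernel compares.

    auditctl lets a rule say auid=-1 or auid=4294967295 for 'unset'; a
    comparison that treats one side as signed and the other as unsigned is
    exactly the kind of mismatch that makes such a filter silently miss.
    """
    return int(value) & 0xFFFFFFFF


def auid_is_unset(record):
    """True when the record's auid is the 'never logged in' sentinel."""
    return normalize_auid(record.get("auid", "-1")) == AUID_UNSET


def split_by_filter(log_text, filter_auid="-1"):
    """Partition SYSCALL records as a rule like
    '-a exit,never -S all -F auid=<filter_auid>' would: records whose auid
    matches are suppressed, the rest are still written.

    Only SYSCALL records are considered; the syscall filter does not touch
    user-space message types such as USER_LOGIN.
    """
    want = normalize_auid(filter_auid)
    suppressed, kept = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        target = suppressed if normalize_auid(rec["auid"]) == want else kept
        target.append(rec)
    return suppressed, kept


if __name__ == "__main__":
    dropped, logged = split_by_filter(SAMPLE_LOG)
    print("suppressed (auid unset):", [(r["pid"], r["comm"]) for r in dropped])
    print("still logged:", [(r["pid"], r["comm"]) for r in logged])
```

Running it shows the two daemon records (crond and sshd, auid unset) in the suppressed set and the interactive vi record in the logged set, which is the behaviour the original rule was expected to produce. The useful check for a practitioner is the one `normalize_auid` makes explicit: whichever spelling of "unset" the rule uses, both sides of the comparison must be reduced to the same unsigned width before they are compared.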