
RE: Why doesn't this rule block syscall records?



  It's pretty much a stock RHEL 4.4 system.  
  	{marge.rtp.dg.com}_5: rpm -q kernel audit audit-libs
  	kernel-2.6.9-42.EL
  	audit-1.0.14-1.EL4
  	audit-libs-1.0.14-1.EL4
  	{marge.rtp.dg.com}_6:
  
  So, is the general idea behind the rules sound?  You should be able to
  block audit records for unset auids?
  
  -----Original Message-----
From: Steve Grubb [mailto:sgrubb redhat com] 
Sent: Thursday, July 12, 2007 4:39 PM
To: linux-audit redhat com
Cc: Taylor, Tad
Subject: Re: Why doesn't this rule block syscall records?
  
  On Thursday 12 July 2007 01:22:35 pm Taylor_Tad emc com wrote:
  > I was trying out a syscall entry rule that I thought would block audit
  > records from system services/daemons that haven't had their audit ID
  > (auid) set yet.
  
  Which kernel are you using? There was a signed/unsigned promotion and 
  comparison bug fixed not too long ago.
  
  -Steve
  

