Why doesn't this rule block syscall records?
Steve Grubb
sgrubb at redhat.com
Fri Jul 13 13:26:48 UTC 2007
On Friday 13 July 2007 08:18:57 am Taylor_Tad at emc.com wrote:
> {marge.rtp.dg.com}_5: rpm -q kernel audit audit-libs
> kernel-2.6.9-42.EL
OK, had to double check this. I think you are OK because the miscompare was bz
196233 which appears to have been fixed in -42. The current release, though,
is -55 which has another important audit fix in it. The rule comparison is
done by the kernel, so that is what matters. But also note that you could
have several kernels on a machine, so "uname -r" rather than "rpm -q kernel"
is more appropriate.
> So, is the general idea behind the rules sound?
Yes.
> You should be able to block audit records for unset auids?
Yes. I think the long unsigned number is what you want to pass. Also, this
rule has to be the first one sent after deleting all rules in the audit.rules
file. This is because the audit system does "first match wins" top down order
when evaluating the rules.
-Steve
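To illustrate the "first match wins" ordering Steve describes, here is an added Python model of syscall-rule evaluation (a constructed illustration written for this page, not kernel or audit-userspace code). It assumes the unset auid is 4294967295 (-1 as an unsigned 32-bit value) and understands only the -D, -a, -S and -F auid= syntax used here.

```python
# Simplified model of the kernel's top-down, first-match-wins evaluation of
# audit syscall rules (constructed illustration, not the kernel's own code).
AUID_UNSET = 4294967295  # -1 stored as an unsigned 32-bit value (assumed)


def parse_rule(line):
    """Parse the subset of auditctl syntax used here:
    -a exit,<always|never> [-S syscall]... [-F auid=N]"""
    action, syscalls, auid = None, set(), None
    toks = line.split()
    for flag, arg in zip(toks[::2], toks[1::2]):
        if flag == "-a":
            action = arg.split(",")[1]             # "exit,never" -> "never"
        elif flag == "-S":
            syscalls.add(arg)
        elif flag == "-F" and arg.startswith("auid="):
            auid = int(arg[5:]) & 0xFFFFFFFF      # -1 becomes 4294967295
        else:
            raise ValueError(f"unsupported option {flag} {arg}")
    if action not in ("always", "never") or len(toks) % 2:
        raise ValueError(f"malformed rule: {line!r}")
    return action, syscalls, auid


def load_rules(lines):
    """Read audit.rules-style lines; -D drops everything loaded so far."""
    rules = []
    for line in (l.strip() for l in lines):
        if not line or line.startswith("#"):
            continue
        if line == "-D":
            rules.clear()
        else:
            rules.append(parse_rule(line))
    return rules


def emits_record(rules, syscall, auid):
    """The first rule whose filters match decides; no match means no record."""
    for action, syscalls, want_auid in rules:
        if syscalls and syscall not in syscalls:
            continue
        if want_auid is not None and want_auid != auid:
            continue
        return action == "always"
    return False


# Constructed rule sets: the never rule must be the first one sent after -D.
CORRECT_ORDER = ["-D", "-a exit,never -F auid=4294967295", "-a exit,always -S open"]
WRONG_ORDER = ["-D", "-a exit,always -S open", "-a exit,never -F auid=4294967295"]
```

With CORRECT_ORDER an open() by a daemon with an unset auid produces no record while a logged-in user's does; with WRONG_ORDER the always rule matches first and the never rule is never reached.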