
Re: Why doesn't this rule block syscall records?



On Friday 13 July 2007 08:18:57 am Taylor_Tad emc com wrote:
>         {marge.rtp.dg.com}_5: rpm -q kernel audit audit-libs
>         kernel-2.6.9-42.EL

OK, had to double check this. I think you are OK because the miscompare was bz 
196233 which appears to have been fixed in -42. The current release, though, 
is -55 which has another important audit fix in it. The rule comparison is 
done by the kernel, so that is what matters. But also note that you could 
have several kernels on a machine, so "uname -r" rather than "rpm -q kernel" 
is more appropriate.

>   So, is the general idea behind the rules sound?

Yes.

>  You should be able to block audit records for unset auids?

Yes. I think the long unsigned number is what you want to pass. Also, this 
rule has to be the first one sent after deleting all rules in the audit.rules 
file. This is because the audit system does "first match wins" top down order 
when evaluating the rules.

-Steve
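To make the "first match wins" point concrete, here is an added example (not from the thread or the audit project) that models the kernel's top-down rule evaluation in Python over a constructed rule set; the `-a list,action -S syscall -F field=value` syntax and the record fields are a simplified stand-in for auditctl's and the kernel's, and the 4294967295 value is the unsigned form of the unset auid discussed above.

```python
"""Toy model of audit's first-match-wins rule evaluation (added example).
Only the exit list, the never/always actions, -S and -F auid/uid are modeled;
a record with no matching rule is treated as not logged in this model."""
import shlex

AUID_UNSET = 4294967295  # -1 stored as an unsigned 32-bit value

def parse_rule(text):
    """Turn one auditctl-style line into its action and match conditions."""
    toks = shlex.split(text)
    rule = {"action": None, "syscalls": set(), "fields": {}}
    i = 0
    while i < len(toks):
        if toks[i] == "-a":
            parts = toks[i + 1].split(",")  # "exit,never" or "never,exit"
            rule["action"] = "always" if "always" in parts else "never"
            i += 2
        elif toks[i] == "-S":
            rule["syscalls"].add(toks[i + 1])
            i += 2
        elif toks[i] == "-F":
            name, value = toks[i + 1].split("=", 1)
            rule["fields"][name] = int(value) if value.isdigit() else value
            i += 2
        else:
            i += 1
    return rule

def matches(rule, record):
    """Empty -S means every syscall; every -F field must equal the record's."""
    if rule["syscalls"] and record["syscall"] not in rule["syscalls"]:
        return False
    return all(record.get(k) == v for k, v in rule["fields"].items())

def is_logged(rule_lines, record):
    """Walk the rules top down; the first match decides, later rules are ignored."""
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "-D":
            continue  # -D only clears the list and matches nothing
        rule = parse_rule(line)
        if matches(rule, record):
            return rule["action"] == "always"
    return False

# Constructed records: a daemon (auid unset) and a logged-in user calling open().
DAEMON_OPEN = {"syscall": "open", "auid": AUID_UNSET, "uid": 0}
USER_OPEN = {"syscall": "open", "auid": 500, "uid": 500}
# Same two rules, different order: only the first file drops the daemon's records.
RULES_NEVER_FIRST = ["-D", "-a exit,never -F auid=4294967295", "-a exit,always -S open"]
RULES_NEVER_LAST = ["-D", "-a exit,always -S open", "-a exit,never -F auid=4294967295"]
```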

