test patch for auditctl inter-field comparisons on euid/uid, egid/gid

Peter Moody pmoody at google.com
Fri Dec 16 23:34:41 UTC 2011


On Thu, Dec 15, 2011 at 5:36 AM, Steve Grubb <sgrubb at redhat.com> wrote:

>
> Yeah, good catch. I can fix this when I apply the patch to svn. No need to re-
> send unless there is something else needing fixing as well.

I've got a sort of hacky way of getting -l to work.

In order to use fieldtab.h and audit_field_to_name, I had to move the
AUDIT_COMPARE_* defines to be unique WRT the other audit fields in
include/linux/audit.h. Then I can add the AUDIT_COMPARE_* definitions
to fieldtab.h like:

_S(AUDIT_COMPARE_UID_TO_OBJ_UID,        "uid,obj_uid"   )
...
_S(AUDIT_COMPARE_SGID_TO_FSGID,         "sgid,fsgid"    )

then auditctl -l splits on the ','. This does mean that no matter what
order comparisons are entered on the command line, they'll only ever
be displayed in the order in which they appear in fieldtab.h.

Does this sound reasonable? I can send my patches along if it does.

Cheers,
peter

--
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
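
The table-driven listing described in the message above, as an added example (not code from the audit project or from this message): one "left,right" string per comparison value, split on the ',' when listing, so a rule entered in either order lists in table order. The CMP_* values, cmp_lookup(), cmp_render() and the "left<op>right" output format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed placeholder values; the real AUDIT_COMPARE_* numbers live in
 * include/linux/audit.h and are not shown in the message. */
enum { CMP_UID_TO_OBJ_UID = 1001, CMP_SGID_TO_FSGID = 1002 };
struct cmp_name { int value; const char *pair; };

/* Same shape as the fieldtab.h entries: one "left,right" string per value. */
static const struct cmp_name cmp_tab[] = {
    { CMP_UID_TO_OBJ_UID, "uid,obj_uid" },
    { CMP_SGID_TO_FSGID,  "sgid,fsgid"  },
};
#define NTAB (sizeof(cmp_tab) / sizeof(cmp_tab[0]))

/* Parse side (assumed): accept the two fields in either order; -1 if unknown. */
int cmp_lookup(const char *a, const char *b)
{
    char fwd[64], rev[64];
    snprintf(fwd, sizeof fwd, "%s,%s", a, b);
    snprintf(rev, sizeof rev, "%s,%s", b, a);
    for (size_t i = 0; i < NTAB; i++)
        if (!strcmp(cmp_tab[i].pair, fwd) || !strcmp(cmp_tab[i].pair, rev))
            return cmp_tab[i].value;
    return -1;
}

/* List side: split the table string on ',' and write "left<op>right".
 * Returns 0 on success, -1 for an unknown value or a too-small buffer. */
int cmp_render(int value, const char *op, char *out, size_t outlen)
{
    for (size_t i = 0; i < NTAB; i++) {
        if (cmp_tab[i].value != value) continue;
        const char *comma = strchr(cmp_tab[i].pair, ',');
        if (!comma) return -1;
        int n = snprintf(out, outlen, "%.*s%s%s", (int)(comma - cmp_tab[i].pair),
                         cmp_tab[i].pair, op, comma + 1);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    return -1;
}

int main(void)
{
    char buf[64];
    /* Entered as obj_uid!=uid, listed in table order. */
    if (cmp_render(cmp_lookup("obj_uid", "uid"), "!=", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```

Anyone diffing listed rules against the rules file they loaded needs to normalise field order first, since the listing no longer preserves what was typed.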
