Filtering out non-interactive users

Steve Grubb sgrubb at redhat.com
Wed Jan 19 15:04:11 UTC 2011


On Wednesday, January 19, 2011 09:48:25 am PJB wrote:
> On Wed, Jan 19, 2011 at 09:33:30AM -0500, Steve Grubb [sgrubb at redhat.com] wrote:
> > On Wednesday, January 19, 2011 09:01:55 am PJB wrote:
> > > > That should work unless the is a 32 bit bug everyone has missed or
> > > > you have another  rule preventing the logging. If you do cat
> > > > /proc/self/loginuid, do you get a number > 0? Also, if you use
> > > > auid!=4294967295, does that work?
> > > 
> > > The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the
> > > filters, when I run 'auditctl -l' the rules are listed, but each one
> > > has 'auid=2147483647 (0x7fffffff)'. I get log entries then, but they
> > > are all tagged with auid 4294967295. Is this proper or did I stumble
> > > upon a bug after all?
> > 
> > That is a 32 bit bug. I'm looking at how best to solve this. Probably all
> > variants of uid and gid are affected by this.
> 
> I was afraid you would say that! Would it be a bug in the auditd userspace
> programs or in the kernel code? I assume it's the former?

Specifically, the bug is right here:
https://fedorahosted.org/audit/browser/trunk/lib/libaudit.c#L1134

AUID on 32 bit should be treated like the AUDIT_INODE field. Still looking at it...

-Steve




More information about the Linux-audit mailing list