Michael C Thompson wrote:
With the current version of audit, auditctl -l only prints an equal, not
equal operator when it displays rules, while the rules in the kernel are
operating correctly, this is most an inconvenience, since is not
possible to tell what rules are really in the kernel.
The problem lies in the audit_print_reply logic not detecting the type
of the message (either AUDIT_LIST or AUDIT_LIST_RULE).
Below is a patch which adds this detection.
Thanks,
Mike
This thread is technically a repost, because I realized that hiding a
patch inside a big discussion thread is probably a no-no, and its just a
dumb idea to begin with. Oh well, live and be dumb.
Below is some testing between the original code and the patched code.
# auditctl -a entry,always -S chmod -F 'uid=100'
# auditctl -a entry,always -S chmod -F 'uid>200'
# auditctl -a entry,always -S chmod -F 'uid>=300'
# auditctl -a entry,always -S chmod -F 'uid!=400'
# auditctl -a entry,always -S chmod -F 'uid<500'
# auditctl -a entry,always -S chmod -F 'uid<=600'
# auditctl -l [ audit-1.2.2 auditctl pre-patch]
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid=200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid=500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid=600 (0x258) syscall=chmod
# auditctl -l [ audit-1.2.2 auditctl post-patch ]
LIST_RULES: entry,always uid=100 (0x64) syscall=chmod
LIST_RULES: entry,always uid>200 (0xc8) syscall=chmod
LIST_RULES: entry,always uid>=300 (0x12c) syscall=chmod
LIST_RULES: entry,always uid!=400 (0x190) syscall=chmod
LIST_RULES: entry,always uid<500 (0x1f4) syscall=chmod
LIST_RULES: entry,always uid<=600 (0x258) syscall=chmod
Thanks,
Mike
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
