Amongst other things, I'm auditing all open calls on RHEL4 U4. I've noticed that the dynamic linker generates a massive amount of noise, most of which is open calls for files which don't exist. These are uninteresting from an audit perspective as they don't relate to a successful or unsuccessful attempt to read or write to a particular file. On my workload, these make up about 45% of audit traffic. The exit code for these failures is -2 (No such file or directory).
I tried the following on both i386 and x86_64:

    auditctl -a exit,always -S open -F exit!=-2

This works exactly as expected on i386, but not on x86_64. The effect on x86_64 is as if no filtering had been applied. However the following, for example, works fine:

    auditctl -a exit,always -S open -F exit=3

I'm using auditd-1.0.15 from U5 (audit-1.0.15-2.EL4). I saw the same behaviour on the vanilla auditd, version 1.0.14.

Is this a known issue, expected behaviour, or user error? If the former, I'll be happy to file a BZ. However, I'd like to know if it's in user space or kernel space in case I have to look at it myself.

Thanks,

Matt

-- 
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
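As an added example for this thread (not code from the post, from Red Hat or from the audit project), here is a small Python triage script that does the two things a practitioner would want before filing the bug: measure what share of open() SYSCALL records end in -ENOENT (the "45% of audit traffic" figure), and check whether a given "-F exit" rule actually took effect by listing the open() records that are still present in the log although the rule should have excluded them. The audit.log lines are constructed samples in the RHEL4-era SYSCALL record layout; the AUDIT_ARCH values and the open() syscall numbers for x86_64 (2) and i386 (5) are hardcoded assumptions. The script only detects that a filter was not applied; it makes no claim about why x86_64 behaves differently.

```python
"""Triage of open() audit records and a check that an '-F exit' rule
actually filtered what it should have.

Added example for this mailing-list thread; not the audit project's code.
SAMPLE_LOG below is constructed, not captured from a real host.
"""
import errno
import re

# Assumed syscall numbers for open() on the two ABIs discussed in the
# thread, keyed by the arch= value as the kernel logs it (AUDIT_ARCH_*).
OPEN_SYSCALL_BY_ARCH = {
    "c000003e": 2,   # AUDIT_ARCH_X86_64: open is syscall 2
    "40000003": 5,   # AUDIT_ARCH_I386:   open is syscall 5
}

# Constructed sample records (two ENOENT open() failures, one EACCES
# failure, one successful open(), one read() and one PATH record).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1171234567.100:101): arch=c000003e syscall=2 success=no exit=-2 a0=7fff0000 a1=0 a2=0 a3=0 items=1 pid=2345 auid=500 uid=500 gid=500 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1171234567.101:102): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0000 a1=0 a2=0 a3=0 items=1 pid=2345 auid=500 uid=500 gid=500 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1171234567.102:103): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0000 a1=1 a2=0 a3=0 items=1 pid=2346 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1171234567.103:104): arch=40000003 syscall=5 success=no exit=-2 a0=bfff0000 a1=0 a2=0 a3=0 items=1 pid=2347 auid=500 uid=500 gid=500 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1171234567.104:105): arch=c000003e syscall=0 success=yes exit=512 a0=3 a1=0 a2=0 a3=0 items=0 pid=2345 auid=500 uid=500 gid=500 comm="ls" exe="/bin/ls" key=(null)
type=PATH msg=audit(1171234567.100:101): item=0 name="/usr/lib64/tls/libc.so.6" flags=1 inode=0 dev=00:00 mode=0 ouid=0 ogid=0 rdev=00:00
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Return a list of dicts, one per SYSCALL record; other types are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") != "SYSCALL":
            continue
        fields["exit"] = int(fields["exit"])        # negative errno on failure
        fields["syscall"] = int(fields["syscall"])
        records.append(fields)
    return records


def is_open(rec):
    """True if the record is an open() call for its own ABI."""
    return OPEN_SYSCALL_BY_ARCH.get(rec["arch"]) == rec["syscall"]


def exit_filter(op, value):
    """Predicate with the semantics '-F exit<op><value>' is documented to have."""
    ops = {
        "=": lambda x: x == value, "!=": lambda x: x != value,
        "<": lambda x: x < value,  ">": lambda x: x > value,
        "<=": lambda x: x <= value, ">=": lambda x: x >= value,
    }
    pred = ops[op]
    return lambda rec: pred(rec["exit"])


def enoent_share(records):
    """Fraction of open() records whose exit is -ENOENT (the linker noise)."""
    opens = [r for r in records if is_open(r)]
    if not opens:
        return 0.0
    noise = [r for r in opens if r["exit"] == -errno.ENOENT]
    return len(noise) / len(opens)


def records_leaking_through(records, op, value):
    """open() records found in the log that the rule should have excluded.

    A non-empty result means the kernel did not apply the exit filter,
    which is the symptom the post reports for 'exit!=-2' on x86_64."""
    keep = exit_filter(op, value)
    return [r for r in records if is_open(r) and not keep(r)]


def errno_name(rec):
    """Symbolic errno for a failed call, or 'OK' for a successful one."""
    return errno.errorcode.get(-rec["exit"], "?") if rec["exit"] < 0 else "OK"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("open() records ending in ENOENT: %.0f%%" % (100 * enoent_share(recs)))
    for r in records_leaking_through(recs, "!=", -2):
        print("rule 'exit!=-2' not applied: %s arch=%s %s"
              % (r["msg"], r["arch"], errno_name(r)))
```

Run it against a real log with `ausearch -r` output (or the raw audit.log) substituted for SAMPLE_LOG after loading the rule; if `records_leaking_through(recs, "!=", -2)` is non-empty on x86_64 and empty on i386, that is the difference the post describes, captured in a form that can be attached to the BZ.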
