On Wednesday, January 19, 2011 09:48:25 am PJB wrote: > On Wed, Jan 19, 2011 at 09:33:30AM -0500, Steve Grubb [[email protected]] > wrote: > > On Wednesday, January 19, 2011 09:01:55 am PJB wrote: > > > > That should work unless the is a 32 bit bug everyone has missed or > > > > you have another rule preventing the logging. If you do cat > > > > /proc/self/loginuid, do you get a number > 0? Also, if you use > > > > auid!=4294967295, does that work? > > > > > > The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the > > > filters, when I run 'auditctl -l' the rules are listed, but each one > > > has 'auid=2147483647 (0x7fffffff)'. I get log entries then, but they > > > are all tagged with auid 4294967295. Is this proper or did I stumble > > > upon a bug after all? > > > > That is a 32 bit bug. I'm looking at how best to solve this. Probably all > > variants of uid and gid are affected by this. > > I was afraid you would say that! Would it be a bug in the auditd userspace > programs or in the kernel code? I assume it's the former?
Specifically, the bug is right here: https://fedorahosted.org/audit/browser/trunk/lib/libaudit.c#L1134 AUID on 32 bit should be treated like the AUDIT_INODE field. Still looking at it... -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
