Bug 166518
Summary: | auditctl inode auditing rules don't work | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Steve Grubb <sgrubb> |
Component: | audit | Assignee: | Steve Grubb <sgrubb> |
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4.0 | CC: | andriusb |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | RHEA-2005-530 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2005-10-05 12:40:16 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 156322 |
Description
Steve Grubb
2005-08-22 19:40:15 UTC
This bug may also affect rules with the following fields: exit, success, devmajor, and devminor. Upgrade to version 1.0.3 is recommended solution. This bug needs to be fixed because the audit system doesn't work the way it is documented. The man pages say that the user can set certain kinds of rules. It turns out that they do not work because of the corruption. Adding to the U2 proposed list. From Steve in an email: You can pick values at random to test. The following shows the full extent of the issues. Try: [root@discovery ~]# auditctl -a exit,always -F devmajor=15 [root@discovery ~]# auditctl -a exit,always -F devminor=30 [root@discovery ~]# auditctl -a exit,always -F success=50 [root@discovery ~]# auditctl -a exit,always -F exit=50 [root@discovery ~]# auditctl -a exit,always -F inode=50 [root@discovery ~]# auditctl -l AUDIT_LIST: exit,always devmajor=0 syscall=all AUDIT_LIST: exit,always devminor=0 syscall=all AUDIT_LIST: exit,always success=0 syscall=all AUDIT_LIST: exit,always exit=0 syscall=all AUDIT_LIST: exit,always inode=0 syscall=all File system watches not supported You see, they all go to 0. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2005-530.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2005-530.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2005-530.html |