Bug 204855

Summary: [LSPP Audit] auditctl fails to reject invalid exclude rule options (-S and multiple -F)
Product: Red Hat Enterprise Linux 5 Reporter: IBM Bug Proxy <bugproxy>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: high    
Version: 5.0CC: iboverma
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: 5.0.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-10-02 14:29:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description IBM Bug Proxy 2006-08-31 21:43:02 UTC 
LTC Owner is: Redhat
LTC Originator is: mcthomps.com


---Problem Description---
auditctl fails to reject invalid rules:
auditctl -a exclude,always -S all
auditctl -a exclude,always -F msgtype=PATH -F msgtype=CWD
 
Contact Information = Michael Thompson mcthomps.com
 
---uname output---
Linux oracer2.ltc.austin.ibm.com 2.6.17-1.2586.2.2.fc6.lspp.48 #1 SMP Wed Aug 30
15:51:12 EDT 2006 x86_64 x86_64 x86_64 GNU/Linux
 
Machine Type = x86_64
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
auditctl -a exclude,always -S all
auditctl -a exclude,always -F msgtype=PATH -F msgtype=CWD

Both of these should be rejected.
 
---Base System Tools Component Data---
Userspace tool common name: auditctl

The userspace tool has the following bit modes: 64-bit

Userspace rpm: audit
 
*Additional Instructions for Michael Thompson mcthomps.com:
-Attach ltrace and strace of userspace application.
Comment 1 Steve Grubb 2006-09-21 18:05:12 UTC 
The problem with exclude list being used for syscalls is fixed in audit-1.2.7.
The other problem is being investigated.
Comment 2 Pete Graner 2006-09-21 22:50:58 UTC 
Steve pls open a new bz for the 2nd issue. Then move this one to MODIFIED and
dev_ack.
Comment 3 Steve Grubb 2006-09-22 13:18:45 UTC 
bug #207666 was opened to track progress resolving the multiple msgtype problem.
Comment 4 Jay Turner 2006-09-25 10:55:08 UTC 
QE ack for 5B2.  Appears to impact 14b.
Comment 5 Jay Turner 2006-10-02 14:20:42 UTC 
Fix confirmed with audit-1.2.7-2 which is included in the latest RHEL5 trees
(20060927.0)