Bug 442556
Summary: | audit rules with >= get corrupted
---|---
Product: | Red Hat Enterprise Linux 5
Component: | audit
Version: | 5.2
Hardware: | All
OS: | Linux
Status: | CLOSED ERRATA
Severity: | medium
Priority: | high
Target Milestone: | rc
Reporter: | Steve Grubb <sgrubb>
Assignee: | Steve Grubb <sgrubb>
QA Contact: | Brian Brock <bbrock>
CC: | ebenes
Fixed In Version: | RHEA-2008-0358
Doc Type: | Bug Fix
Last Closed: | 2008-05-21 14:32:59 UTC

Description
Steve Grubb
2008-04-15 15:00:18 UTC
Created attachment 302748
patch fixing problems described herein
This is the proposed patch.
audit-1.6.5-9.el5 was built to address this problem.

Steve, I'm not able to reproduce the '!=' bug using older audit packages. Do you have any idea what could be causing this? Here is a log using old audit-1.6.5-6.el5 packages, it should FAIL but as you can see it passes on all archs. Tried 1.6.5-{6,7,8,9} and all passed.

Sample log:

```
Linux xxxxxxx.redhat.com 2.6.18-83.el5 #1 SMP Thu Feb 21 12:14:23 EST 2008 i686 i686 i386 GNU/Linux
Tue Apr 22 15:47:28 CEST 2008
----
audit-1.6.5-6.el5
sudo-1.6.8p12-12.el5
===== Running Test /CoreOS/audit/bugzilla/bug442556 =====
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
+ auditctl -D
No rules
+ auditctl -a always,exit -S open -F 'auid>=500'
+ auditctl -l
LIST_RULES: exit,always auid>=500 (0x1f4) syscall=open
+ set +x
===== Test /CoreOS/audit/bugzilla/bug442556 Finished =====
Test result [ PASS ]
```

Try this:

```
auditctl -a always,exit -S open -F 'auid>=500' -F auid!=4294967295 -k open
```

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2008-0358.html
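
The load-then-list check from the sample log, extended to the two-field rule suggested afterwards, as an added example that is not part of the bug report or the audit project's code. The function names are hypothetical, and both sample listings are constructed on the model of the `LIST_RULES` line in the log; the mismatching one is not the actual output of this bug, which the report does not show.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that the comparisons passed
# to `auditctl -a ... -F` come back unchanged in the `auditctl -l` listing.
# Assumes unsigned decimal values and the "name<op>value (0xhex)" layout seen
# in the sample log. Function names are hypothetical.

# Normalise requested -F fields to "name op hex", one per line.
wanted_fields() {
    for f in "$@"; do
        name=${f%%[!a-z0-9_]*}        # text before the operator
        rest=${f#"$name"}             # operator followed by value
        val=${rest##*[=<>]}           # value after the operator
        op=${rest%"$val"}
        printf '%s %s %x\n' "$name" "$op" "$val"
    done
}

# Extract "name op hex" from one LIST_RULES line. The hex annotation is used
# so the check does not depend on how the decimal value is rendered.
listed_fields() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if (match($i, /[<>!=]+/) && $(i+1) ~ /^\(0x[0-9a-f]+\)$/) {
                hex = substr($(i+1), 4, length($(i+1)) - 4)
                print substr($i, 1, RSTART - 1), substr($i, RSTART, RLENGTH), hex
            }
    }'
}

# Return 0 only if the listed rule carries exactly the requested comparisons.
rule_matches() {
    line=$1; shift
    [ "$(wanted_fields "$@" | sort)" = "$(listed_fields "$line" | sort)" ]
}

# Constructed sample listings; in real use the line comes from `auditctl -l`.
GOOD='LIST_RULES: exit,always auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=open syscall=open'
BAD='LIST_RULES: exit,always auid>=500 (0x1f4) auid=-1 (0xffffffff) key=open syscall=open'

rule_matches "$GOOD" 'auid>=500' 'auid!=4294967295' && echo "OK: listing matches request"
rule_matches "$BAD"  'auid>=500' 'auid!=4294967295' || echo "MISMATCH: listed rule differs"
```

A single-field rule such as the one in the sample log passes this check trivially; listing every `-F` field of the loaded rule as an argument is what lets it catch an operator or value that changed between load and list.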