Red Hat Bugzilla – Bug 206427
LTC26985-[LSPP Audit] auditctl fails to reject malformed ARCH filter
Last modified: 2009-06-19 05:01:10 EDT
Escalated to Bugzilla from IssueTracker
I sent an e-mail directly to the ibm reporter to ask this question (since I was
apparently supposed to have all this fixed by last monday) but should follow
process as well.
By "invalid" do they mean the usage of > or < ? I assume they believe that only
= or != should be allowed? If so this should be done in userspace in the
auditctl utility in audit_rule_fieldpair_data() by returning -12 and explaining
it in an error inside setopt. This should not be a kernel fix.
only = and != are valid for arch field. This needs to be in the kernel since
anyone could use an old audit tool or write their own.
QE ack for RHEL5B2. Related to 14b of the release criteria.
patch posted for revew on 9/29.