Red Hat Bugzilla – Bug 233186
LSPP: Add audit rule bit operators patch
Last modified: 2007-11-30 17:07:42 EST
+++ This bug was initially created as a clone of Bug #232967 +++
Description of problem:
There is no good way to audit syscalls that have bit mapped options. A patch
was sent to the linux-audit mail list adding this capability. This is not
strictly required for LSPP, but helps customers.
This bz is to track the user space piece of it.
The patch introduces the mask and bit test operators for creating audit rules.
For example, if you wanted to audit chmod syscalls that change a file to be
executable, with this patch applied you would do this:
auditctl -a always,entry -S chmod -F 'arg1&0111'
As it is now, you would have to audit all chmods and search for the ones that
have the execute bit set...this is wasteful to say the least.
audit-1.5.1 already has this capability, this is a backport.
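The difference between the mask and bit test operators described above, as an added example that is not part of the original report or of the audit code. It assumes the auditctl spellings "&" (mask, any listed bit set) and "&=" (bit test, all listed bits set), keeps the report's arg1 field name, and runs over constructed chmod calls.

```python
import re

# Field expression: argN, an operator, a number. "&=" is listed before "&" so it wins.
_EXPR = re.compile(r"^arg([0-3])(&=|!=|&|=)(\w+)$")

def parse_value(text):
    """Parse a number as C strtoul(..., 0) does: 0x is hex, a leading 0 is octal."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)   # 0111 is octal 111 (decimal 73), not decimal 111
    return int(text, 10)

def parse_field(expr):
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported field expression: {expr!r}")
    return int(m.group(1)), m.group(2), parse_value(m.group(3))

def matches(expr, args):
    """Return True if the syscall arguments satisfy the field expression."""
    idx, op, value = parse_field(expr)
    left = args[idx]
    if op == "&":             # mask: at least one of the listed bits is set
        return (left & value) != 0
    if op == "&=":            # bit test: every listed bit is set
        return (left & value) == value
    if op == "=":
        return left == value
    return left != value      # "!="

# Constructed sample: (path, mode) pairs standing in for chmod(path, mode) calls.
CHMOD_CALLS = [
    ("/tmp/a.txt", 0o644),
    ("/tmp/run.sh", 0o755),
    ("/tmp/tool", 0o700),
    ("/tmp/secret", 0o600),
    ("/tmp/suid", 0o4711),
]

def audited(expr, calls=CHMOD_CALLS):
    """Paths whose chmod call the rule would record (arg0 is a pointer, modelled as 0)."""
    return [path for path, mode in calls if matches(expr, (0, mode, 0, 0))]

if __name__ == "__main__":
    for rule in ("arg1&0111", "arg1&=0111"):
        print(rule, "->", audited(rule))
```

With the mask rule only the calls that set some execute bit are recorded, so the two non-executable chmods never reach the log and need no post-filtering.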
Stated not required for evaluation. Steve, can we remove the LSPP whiteboard
mark so it doesn't come up on list and won't be considered a blocker?
The lspp.70 kernel tests good with the patch included.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.