+++ This bug was initially created as a clone of Bug #232967 +++ Description of problem: There is not good way to audit syscalls that have bit mapped options. A patch was sent to the linux-audit mail list adding this capability. This is not strictly required for LSPP, but helps customers. This bz is to track the user space piece of it.
The patch introduces the mask and bit test operators for creating audit rules. For example, if you wanted to audit chmod syscalls that change a file to be executable, with this patch applied you would do this: auditctl -a always,entry -S chmod -F arg1&0111 As its is now, you would have to audit all chmods and search for the ones that have the execute bit set...this is wasteful to say the least. audit-1.5.1 already has this capability, this is a backport.
Stated not required for evaluation. Steve, can we remove the LSPP whiteboard mark so it doesn't come up on list and won't be considered a blocker?
The lspp.70 kernel tests good with the patch included.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0602.html