Description of problem:
It is not possible to add a new "Event type rule" using s-c-audit. There seems to be a problem with '-S all' added to the rule that is being generated by s-c-audit in /etc/audit/audit.rules. For example:

...
-a user,always -F auid=5000 -S all

And it doesn't like it, complaining:

Error: syscall auditing being added to user list
There was an error in line 7 of /etc/audit/audit.rules

Version-Release number of selected component (if applicable):
audit-1.6.5-9.el5

How reproducible:
always

Steps to Reproduce:
1. run s-c-audit
2. try to add some "Event type rules"
3. save it and ask to apply changes right now
4. observe the above complaint about an error in the audit.rules config

Actual results:
Generated rule is not correct ...

Expected results:
Successfully add "Event type rule" ...

Additional info:
The s-c-audit could also be helpful when the user wants to add "bit mask" or "bit test" operators (&,&=), allowing him to use only meaningful field names; document it in the man page. It should also be able to load current rules from the audit.rules file as it does for file watches.

There is also a typo in the auditctl program help, listing the probably obsolete operator ^, which is not used anymore; &= should be listed instead:

# auditctl -h
...
-F f=v Build rule: field name, operator(=,!=,<,>,<=, >=,^,&) value
Created attachment 305200 [details]
Fix -F in the help text of auditctl

Thanks for your report.

(In reply to comment #0)
> It is not possible to add new "Event type rule" using s-c-audit.
> There seems to be problem with '-S all' added to the rule that is being
> generated by s-c-audit in /etc/audit/audit.rules. For example:
> ...
> -a user,always -F auid=5000 -S all

Will be fixed in system-config-audit-0.4.7.

> The s-c-audit could also be helpful when user wants to add "bit mask" or "bit
> test" operators (&,&=) allowing him to use only meaningful field names,
> document it in man page. It should be also able load current rules from the
> audit.rules file as it does for file watches.

(The problem is that the kernel prohibits & and &= with most field names in some cases, and s-c-audit allows creating such rules.)

kernel/auditfilter.c:audit_rule_to_entry() prohibits using & and &= with most fields, but audit_data_to_entry() does not have such a restriction; therefore the rules are at least potentially valid and s-c-audit must allow creating them. (From a theoretical cleanliness standpoint, there seems to be no reason to prohibit the rules.) s-c-audit already somewhat discourages the use of these operators by placing them after a separator.

> There is also a typo in auditctl program help, listing probably obsolete
> operator ^, that is not used anymore, and &= should be listed instead:
>
> # auditctl -h
> ...
> -F f=v Build rule: field name, operator(=,!=,<,>,<=, >=,^,&) value

Fixed in the attached patch.
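Added example, not part of this bug report and not code from s-c-audit, auditctl or the kernel: a small Python linter that applies the two checks discussed in comment #0 and in the reply above to an audit.rules file before it is handed to auditctl. A rule on the user (or exclude) list must not carry -S, which is exactly what auditctl rejects with "syscall auditing being added to user list", and every -F test must use one of the operators auditctl accepts (=, !=, <, >, <=, >=, & for bit mask, &= for bit test), so a stale ^ from the old help text is flagged. The sample rules file is constructed, modelled on the line quoted in the report; the function names are the example's own, and the suggested fix for the user-list rule (dropping the -S clause) assumes the intended rule is the remaining -F test. The linter does not reproduce the kernel's field-specific restrictions on & and &= that the reply mentions; it checks syntax only.

```python
import re
import shlex
from typing import List, Optional, Tuple

# auditctl field test: <field><operator><value>.  Two-character operators
# are listed first so that "!=" is not read as "!" followed by "=".
# '&' is the bit-mask operator and '&=' the bit-test operator; the '^'
# printed by the old "auditctl -h" text on this page is not accepted.
FIELD_TEST = re.compile(r"^(\w+)(!=|<=|>=|&=|=|<|>|&)(.+)$")

LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}
# Rules on these lists are not syscall-based, so a -S clause is an error.
NON_SYSCALL_LISTS = {"user", "exclude"}


def parse_list_action(spec: str) -> Tuple[str, str]:
    """Return (list, action) from 'user,always' or 'always,user'."""
    a, b = spec.split(",", 1)
    if a in LISTS and b in ACTIONS:
        return a, b
    if a in ACTIONS and b in LISTS:
        return b, a
    raise ValueError(f"bad list,action specification: {spec}")


def lint_rule(line: str) -> List[Tuple[str, Optional[str]]]:
    """Check one audit.rules line; return (problem, suggested_line) pairs.

    suggested_line is None when no automatic rewrite is offered."""
    tokens = shlex.split(line, comments=True)
    # Only -a/-A rules are checked; watches (-w), -D, -b, -e pass through.
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return []
    filt, _action = parse_list_action(tokens[1])
    problems: List[Tuple[str, Optional[str]]] = []
    kept: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-S" and filt in NON_SYSCALL_LISTS:
            i += 2  # drop "-S <syscalls>" from the suggested rewrite
            continue
        if tok == "-F":
            test = tokens[i + 1] if i + 1 < len(tokens) else ""
            if not FIELD_TEST.match(test):
                problems.append(("unrecognised field test: " + test, None))
        kept.append(tok)
        i += 1
    if len(kept) != len(tokens):
        # Same wording auditctl uses when it rejects the rule.
        problems.append((f"syscall auditing being added to {filt} list",
                         " ".join(kept)))
    return problems


def lint_rules(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Lint a whole rules file; return (line_number, problem, suggestion)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for problem, suggestion in lint_rule(line):
            findings.append((lineno, problem, suggestion))
    return findings


# Constructed sample, modelled on the s-c-audit output quoted in the report.
SAMPLE_RULES = """\
# constructed sample rules file
-D
-b 320
-w /etc/passwd -p wa -k passwd
-a user,always -F auid=5000 -S all
-a exit,always -F arch=b64 -S open -F success!=1 -k failed-open
-a always,exit -S open -F uid^0 -k stale-operator
"""

if __name__ == "__main__":
    for lineno, problem, suggestion in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {problem}")
        if suggestion is not None:
            print(f"  suggested: {suggestion}")
```

Run against the sample, the linter reports line 5 (the user-list rule with -S all, with the -S clause dropped as the suggested rewrite) and line 7 (the ^ operator), while the watch and the exit-list rule pass; running it before "auditctl -R /etc/audit/audit.rules" gives the line number and cause up front instead of the bare "There was an error in line 7" message.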
The fixes are in the current development audit package. Marking this as a duplicate of the audit rebase bug report.

*** This bug has been marked as a duplicate of bug 446080 ***