Bug 443792 - s-c-audit: not possible to add new "Event type rule"
s-c-audit: not possible to add new "Event type rule"
Status: CLOSED DUPLICATE of bug 446080
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit (Show other bugs)
5.2
All Linux
low Severity low
: rc
: ---
Assigned To: Steve Grubb
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-23 07:59 EDT by Eduard Benes
Modified: 2008-08-28 14:06 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-28 14:06:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix -F in the help text of auditctl (712 bytes, patch)
2008-05-13 00:06 EDT, Miloslav Trmač
no flags Details | Diff

  None (edit)
Description Eduard Benes 2008-04-23 07:59:23 EDT
Description of problem:
It is not possible to add new "Event type rule" using s-c-audit.
There seems to be problem with '-S all' added to the rule that is being 
generated by s-c-audit in /etc/audit/audit.rules. For example:
...
-a user,always -F auid=5000 -S all

And doesn't like it complainig:
Error: syscall auditing being added to user list
There was an error in line 7 of /etc/audit/audit.rules

Version-Release number of selected component (if applicable):
audit-1.6.5-9.el5

How reproducible:
always

Steps to Reproduce:
1. run s-c-audit  
2. try to add some "Event type rules"
3. save it and ask to apply changes right now
4. observe the above complain about error in audit.rules config
  
Actual results:
Generated rule is not correct ...

Expected results:
Successfully add "Event type rule" ...

Additional info:
The s-c-audit could also be helpful when user wants to add "bit mask" or "bit 
test" operators (&,&=) allowing him to use only meaningful field names, 
document it in man page. It should be also able load current rules from the 
audit.rules file as it does for file watches.

There is also a typo in auditctl program help, listing probably obsolete 
operator ^, that is not used anymore, and &= should be listed instead:

# auditctl -h 
... 
-F f=v   Build rule: field name, operator(=,!=,<,>,<=, >=,^,&) value
Comment 1 Miloslav Trmač 2008-05-13 00:06:07 EDT
Created attachment 305200 [details]
Fix -F in the help text of auditctl

Thanks for your report.

(In reply to comment #0)
> It is not possible to add new "Event type rule" using s-c-audit.
> There seems to be problem with '-S all' added to the rule that is being 
> generated by s-c-audit in /etc/audit/audit.rules. For example:
> ...
> -a user,always -F auid=5000 -S all
Will be fixed in system-config-audit-0.4.7.

> The s-c-audit could also be helpful when user wants to add "bit mask" or "bit

> test" operators (&,&=) allowing him to use only meaningful field names, 
> document it in man page. It should be also able load current rules from the 
> audit.rules file as it does for file watches.
(The problem is that the kernel prohibits & and &= with most field names in
some cases, and s-c-audit allows creating such rules.)	

kernel/auditfilter.c:audit_rule_to_entry() prohibits using & and &= with most
fields, but audit_data_to_entry() does not have such a restriction; therefore
the rules are at least potentially valid and s-c-audit must allow creating
them.  (From a theoretical cleanliness standpoint, there seems to be no reason
to prohibit the rules.)  s-c-audit already somewhat discourages the use of
these operators by placing them after a separator.

> There is also a typo in auditctl program help, listing probably obsolete 
> operator ^, that is not used anymore, and &= should be listed instead:
> 
> # auditctl -h 
> ... 
> -F f=v   Build rule: field name, operator(=,!=,<,>,<=, >=,^,&) value
Fixed in the attached patch.
Comment 2 Steve Grubb 2008-08-28 14:06:35 EDT
The fixes are in the current development audit package. Marking this as a duplicate of the audit rebase bug report.

*** This bug has been marked as a duplicate of bug 446080 ***

Note You need to log in before you can comment on or make changes to this bug.