Bug 447630 - auditctl -w /path -F arch=... not allowed
auditctl -w /path -F arch=... not allowed
Product: Fedora
Classification: Fedora
Component: audit (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Steve Grubb
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-05-20 17:33 EDT by Miloslav Trmač
Modified: 2008-11-20 16:24 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-20 16:24:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Miloslav Trmač 2008-05-20 17:33:11 EDT
Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. auditctl -a exit,always -F path=/etc/anacrontab -F arch=i386 -S afs_syscall
-k mydir
2. auditctl -w /etc/anacrontab -F arch=i386 -S afs_syscall -k mydir
Actual results:
1. succeeds
2. fails with "-F arch must be before -S"

Expected results:
2. succeeds - 1. and 2. are really the same rule.
Comment 1 Steve Grubb 2008-05-20 17:56:54 EDT
The second form is expected to fail. The -w rule construct is for backwards
compatibility with RHEL4. Its limited to just -k and -p options. Any other
option should fail.

To use the advanced features of the new rule/watch system, you should express
the rules in the form of syscall auditing with a path or dir field option.
Comment 2 Miloslav Trmač 2008-05-20 20:10:02 EDT
Thanks, I have modified system-config-audit to respect these rules.  Other users
might find them useful, please document them in auditctl(8).

The existing error message should be more general, currently the error message
reports something that obviously isn't true.
Comment 3 Steve Grubb 2008-05-21 10:53:57 EDT
I agree that this could be better explained. I'll see if we can update the man
pages as well as auditctl.
Comment 4 Steve Grubb 2008-11-20 16:24:06 EST
A better explanation was added in svn commit 193. Closing this out. Thanks for pointing out the documentation problem.

Note You need to log in before you can comment on or make changes to this bug.