Bug 491344 - auditctl fails to parse multiple syscall options
auditctl fails to parse multiple syscall options
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit (Show other bugs)
All Linux
low Severity medium
: rc
: ---
Assigned To: Steve Grubb
Depends On:
  Show dependency treegraph
Reported: 2009-03-20 10:57 EDT by CCS Admins
Modified: 2009-04-21 12:45 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-04-21 12:45:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description CCS Admins 2009-03-20 10:57:15 EDT
Description of problem:

auditctl fails to parse comma separated syscall list as -S argument, contrary to man page. 

Version-Release number of selected component (if applicable):


How reproducible:       

Steps to Reproduce:

1. [root@XXX ~]# auditctl -S open,close
Syscall name unknown: open,close
Actual results:

auditctl fails add audit rule.

Expected results:

auditctl should add audit rule.

Additional info:

man page indicates that this syntax is valid.

       -S [Syscall name or number|all]
              Any  syscall name or number may be used. The word 'all' may also
              be used.
              You may also specify multiple  syscalls  in the same rule as a 
              comma separated list with
              no spaces in between. Doing so improves performance since  fewer
              rules need to be evaluated.
Comment 1 CCS Admins 2009-03-20 11:05:32 EDT
Workaround: specify multiple -S options (... -S open -S close ...)
Comment 2 CCS Admins 2009-03-20 11:14:40 EDT
Oops. That should be against audit-1.7.7-6.el5. Need more coffee.
Comment 3 Steve Grubb 2009-04-21 12:45:55 EDT
This looks like a man page error that was corrected in the 5.3 release. The auditctl man page looks like it was corrected sometime before the 1.7.7 release. This is the man page's raw form:


It says to use multiple '-S' options. So, I think we can close this one. If you do have 1.7.7-6 installed, you may want to check that the man page was really updated, rpm -qV audit.

Closing since it appears to be fixed. Thanks for reporting the bug.

Note You need to log in before you can comment on or make changes to this bug.