Red Hat Bugzilla – Bug 671261
auditctl and audit.rules man pages inconsistent on -a option
Last modified: 2012-02-21 01:38:01 EST
Description of problem:
Append rule to the end of list with action. Please note the
comma separating the two values.
-a action,list -S syscall -F field=value -k keyname
The -a option tells the kernel’s rule matching engine that we want to
append a rule at the end of the rule list.
Additionally both options do work:
# auditctl -a entry,always -F arch=b32 -S execve -F euid=0
# auditctl -a always,entry -F arch=b32 -S execve -F uid=0
# auditctl -l
LIST_RULES: entry,always arch=1073741827 (0x40000003) euid=0 syscall=execve
LIST_RULES: entry,always arch=1073741827 (0x40000003) uid=0 syscall=execve
This seems to have been fixed upstream:
And this fix is due to be included in RHEL6.1
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. man auditctl
2. man audit.rules
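Added example, not part of the bug report or the audit project's code: a small Python helper for comparing rule files that treats the two -a orderings shown above as the same rule, rewriting both to the list,action order that auditctl -l printed. The function names and the sets of list and action names are assumptions of this sketch.

```python
import shlex

# Assumed name sets for the audit versions discussed in this report.
LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}


def normalize_pair(value):
    """Return (list, action) for an -a argument given in either order."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected two comma-separated values: {value!r}")
    a, b = parts
    if a in LISTS and b in ACTIONS:
        return a, b
    if a in ACTIONS and b in LISTS:
        return b, a
    raise ValueError(f"not a list/action pair: {value!r}")


def canonical_rule(line):
    """Rewrite the -a/-A argument of one rule line as list,action."""
    tokens = shlex.split(line, comments=True)  # drops '#' comment lines
    if tokens and tokens[0] == "auditctl":
        tokens = tokens[1:]
    out = []
    it = iter(tokens)
    for tok in it:
        out.append(tok)
        if tok in ("-a", "-A"):
            value = next(it, None)
            if value is None:
                raise ValueError(f"{tok} without a value: {line!r}")
            out.append(",".join(normalize_pair(value)))
    return " ".join(out)


# Constructed sample: both orderings from the report with identical fields.
SAMPLE = [
    "-a entry,always -F arch=b32 -S execve -F euid=0",
    "-a always,entry -F arch=b32 -S execve -F euid=0",
]

if __name__ == "__main__":
    for rule in SAMPLE:
        print(canonical_rule(rule))
```

Comparing canonical_rule() output instead of raw lines keeps a baseline diff from flagging rules that differ only in the order of the -a values.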
audit-1.8-1.el5 was built to address this problem.
Patch was missing - now fixed in audit-1.8-2.el5.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.