Henning, Arthur C. (CSL) napsal(a):
> Copy NISPOM.rules to /etc/audit/audit.rules
> 
> Using system-config-audit, I create a rule for the SYSCALL kill with a
> key of kill
> "Save" the configuration.
> Get the described error.
Thanks for your report.  The attached patch, to be included in s-c-audit
0.4.3, should fix the problem.
        Mirek
diff -r f457891036d2 -r d27e1fc8660b src/audit_rules.py
--- a/src/audit_rules.py	Tue Aug 28 18:28:52 2007 +0200
+++ b/src/audit_rules.py	Tue Aug 28 18:29:14 2007 +0200
@@ -347,13 +347,18 @@ class Field(object):
         self.op = self.OP_EQ
         self.value = self.get_field_type(self.var).parse_value(string, self.op)
 
-    def option_text(self):
-        '''Return a string representing this field as an auditctl option.'''
+    def option_text(self, rule):
+        '''Return a string representing this field as an auditctl option.
+
+        Use rule to determine the correct syntax.
+
+        '''
         val = self._value_text()
         if self.var == audit.AUDIT_FILTERKEY:
             assert self.op == self.OP_EQ
             return '-k %s' % val
-        elif self.var == audit.AUDIT_PERM:
+        elif (self.var == audit.AUDIT_PERM and
+              len([f for f in rule.fields if f.var == audit.AUDIT_WATCH]) == 1):
             assert self.op == self.OP_EQ
             return '-p %s' % val
         else:
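Review bot: The new `-p` test in `option_text` re-derives the watch count from `rule.fields`, while the caller in the second hunk decides separately whether to emit `-w` (`watch_used`, set under a condition that lies outside the visible lines). If those two decisions ever drift apart, the generated line could mix the `-w`/`-p` form with the generic form in the `else` branch, and a rule auditctl refuses to load is a rule that is not auditing anything. Consider having the caller pass its decision in, or computing it in one place on the rule. If the count stays here, `sum(1 for f in rule.fields if f.var == audit.AUDIT_WATCH) == 1` avoids building a throwaway list. The docstring line "Use rule to determine the correct syntax." would be clearer as `rule is the Rule containing this field; -p is used only when rule has exactly one AUDIT_WATCH field.` The method body continues past the end of the hunk.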
@@ -443,16 +448,21 @@ class Rule(object):
             o.append('-w %s' % watches[0].value)
             watch_used = True
         # Add fields before syscalls because -F arch=... may change the meaning
-        # of syscall names
+        # of syscall names.  But add AUDIT_FILTERKEY only after -S, auditctl
+        # stubbornly insists on that order.
         for f in self.fields:
-            if f.var != audit.AUDIT_WATCH or not watch_used:
-                o.append(f.option_text())
+            if (f.var != audit.AUDIT_FILTERKEY and
+                (f.var != audit.AUDIT_WATCH or not watch_used)):
+                o.append(f.option_text(self))
         if list is not rules.exclude_rules:
             for s in self.syscalls:
                 if s == self.SYSCALLS_ALL:
                     o.append('-S all')
                 else:
                     o.append('-S %s' % util.syscall_string(s, self.machine))
+        for f in self.fields:
+            if f.var == audit.AUDIT_FILTERKEY:
+                o.append(f.option_text(self))
         return ' '.join(o)
 
     def __eq__(self, rule):
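Review bot: The `-k`-after-`-S` ordering produced by the added final loop is checked only by auditctl when the rules file is loaded, so nothing in the code keeps a later reshuffle of these loops from reintroducing the reported failure. A regression test for the reported case (a syscall rule with a key) that asserts the `-k` option follows the last `-S` in the returned string would pin it down. The comment could also name the failure mode rather than the tool's temperament, e.g. `# auditctl expects -k after -S; emit AUDIT_FILTERKEY fields last.` The two passes over `self.fields` are fine for correctness, but the intent would read more directly if the key options were collected in the first loop and appended after the syscalls. The enclosing method starts before the hunk.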
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
