Hi Steve,
When I use -a user,always -S open, errors will be reported. But when I
use -S open -a user,always, no errors will be reported. There is no
corresponding code to deal with the latter format.
I'm still thinking about this patch. I'll look at it again tomorrow.
I modified the
Hello Steve,
I think the missing value for -F should be checked.
For example,
auditctl -a exit,always -F pid=
No error message is output and pid=0 is added to rule.
Signed-off-by: Zhang Xiliang [EMAIL PROTECTED]
---
lib/deprecated.c | 3 +++
lib/libaudit.c   | 3 +++
src/auditctl.c
Hello Steve,
The error message of -1 is -F missing = for
The operation is not only =.
So I think F missing operation for is better.
Signed-off-by: Zhang Xiliang [EMAIL PROTECTED]
---
src/auditctl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/auditctl.c
Hello Steve,
Some fields don't support values which are not numbers.
For example,
auditctl -a exit,always -F pid=a
No error message is output and pid=0 is added to rule.
I think we should add checking for it.
Signed-off-by: Zhang Xiliang [EMAIL PROTECTED]
---
lib/deprecated.c | 3 +++
Hello Steve,
I found some code that is invalid in auditctl.
So I suggest deleting it.
Signed-off-by: Zhang Xiliang [EMAIL PROTECTED]
---
src/auditctl.c | 10 ++
1 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index b356faa..93e84a0
Hello Steve,
if (v == NULL || f == v)
return -1;
I have some questions about f == v.
I think it only checks the addresses of f and v. It seems useless.
If we need to check whether the value is equal to the field, I think we should
use strcmp().
What is your opinion about it?
How does one enable file system watches on RHEL5 update 0?
When I run auditctl -l, it says "File system watches not supported". I
have reverted back to audit-1.0.15 and upgraded the kernel to 2.6.18-52.
Anyone have any suggestions?
Thanks,
Kevin
--
Linux-audit mailing list
Linux-audit@redhat.com
We are interested in using auditing's context pathname information.
Is this the best way of accessing it?
Add support for accessing auditing's inode full pathname.
Signed-off-by: Mimi Zohar [EMAIL PROTECTED]
Index: security-testing-2.6/include/linux/audit.h
On Wednesday 06 August 2008 03:27:00 Chu Li wrote:
And I found another problem: when using -a 'list','action' -w /mnt, it
will always add the rule LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa.
I found that -w uses the exit list automatically. I think it's better to
add something about it
Quoting Mimi Zohar ([EMAIL PROTECTED]):
We are interested in using auditing's context pathname information.
Is this the best way of accessing it?
Add support for accessing auditing's inode full pathname.
Interesting idea. It does seem to do what you need.
-serge
Signed-off-by: Mimi
On Wednesday 06 August 2008 04:12:42 Zhang Xiliang wrote:
I think the missing value for -F should be checking.
For example,
auditctl -a exit,always -F pid=
[snip]
+ if (*v == NULL)
+ return -20;
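Review bot: `*v` is a `char` (the dereference of the value string), so comparing it with `NULL` mixes a character with a pointer constant and draws a pointer/integer comparison warning from the compiler; the missing-value check should compare against the string terminator instead, i.e. `if (*v == '\0') return -20;` (or `*v == 0`).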
I changed these to (*v == 0) since it is a char and not a pointer. Thanks for
On Wednesday 06 August 2008 04:13:25 Zhang Xiliang wrote:
Some fields don't support values which are not numbers.
Applied. Thanks for the patch!
-Steve
On Wednesday 06 August 2008 04:13:01 Zhang Xiliang wrote:
So I think F missing operation for is better.
I changed it to operator. Applied. Thanks for the patch!
-Steve
On Wednesday 06 August 2008 04:15:09 Zhang Xiliang wrote:
The AUDIT_PERM field should be used after a watch is given.
For example,
auditctl -a exit,always -F perm=r
No error message is output.
I think we should add checking for it.
This is a legal rule. The kernel will pick the syscalls that
On Wednesday 06 August 2008 04:46:27 Zhang Xiliang wrote:
Hello Steve,
if (v == NULL || f == v)
return -1;
I have some questions about f == v.
I think it only checks the addresses of f and v.
Yes, this was an attempt to make sure that they didn't type -F =10. In that
case v
On Wednesday 06 August 2008 04:15:17 Zhang Xiliang wrote:
I found some code that is invalid in auditctl.
So I suggest deleting it.
OK, I guess this needs cleanup after changing PERM to require new rule format.
diff --git a/src/auditctl.c b/src/auditctl.c
index b356faa..93e84a0 100644
---
Hi Steve,
I think the code about basename in auditd-config.c and audispd-pconfig.c
is unnecessary. In this part nv->value can't be null and basename() will
never return an empty string. And the variable base is not used in the
following code. So this code is better deleted.
Hi Steve,
When auditd is stopped, auditctl -s will show pid=0. I think this is not
correct information. It's better to tell users that auditd is not started.
Signed-off-by: Chu Li [EMAIL PROTECTED]
---
diff --git a/src/auditctl.c b/src/auditctl.c
index 10894f9..b26dd82 100755
--- a/src/auditctl.c
+++