Re: test patch for auditctl inter-field comparisons on euid/uid, egid/gid

On Thu, Dec 15, 2011 at 5:36 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: I've got a sort of hacky way of getting -l to work. In order to use fieldtab.h and audit_field_to_name, I had to move the AUDIT_COMPARE_* defines to be unique WRT to the other audit fields in include/linux/audit.h. Then I can add the AUDIT_COMPARE_* definitions to fieldtab.h like: _S(AUDIT_COMPARE_UID_TO_OBJ_UID, "uid,obj_uid" ) ... _S(AUDIT_COMPARE_SGID_TO_FSGID, "sgid,fsgid" ) then auditctl -l splits on the ','. This does mean that no matter what order comparisons are entered on the command line, they'll only ever be displayed in the order in which they appear in fieldtab.h Does this sound reasonable? I can send my patches along if it does. Cheers, peter -- Peter Moody      Google    1.650.253.7306 Security Engineer  pgp:0xC3410038