It's pretty much a stock RHEL 4.4 system.
{marge.rtp.dg.com}_5: rpm -q kernel audit audit-libs
kernel-2.6.9-42.EL
audit-1.0.14-1.EL4
audit-libs-1.0.14-1.EL4
{marge.rtp.dg.com}_6:
So, is the general idea behind the rules sound? You should be able to
block audit records for unset auids?
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, July 12, 2007 4:39 PM
To: linux-audit(a)redhat.com
Cc: Taylor, Tad
Subject: Re: Why doesn't this rule block syscall records?
On Thursday 12 July 2007 01:22:35 pm Taylor_Tad(a)emc.com wrote:
I was trying out a syscall entry rule that I thought would block audit records from system services/daemons that haven't had their audit ID (auid) set yet.
Which kernel are you using? There was a signed/unsigned promotion and
comparison bug fixed not too long ago.
-Steve
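Not part of the thread: an added Python model of how the kernel walks the exit list to decide whether a syscall record is written. It shows why a `never` rule keyed on the unset auid (stored by the kernel as (uid_t)-1, i.e. 4294967295) should suppress daemon records, why that rule has to sit before any `always` rule (first match wins), and what a signed/unsigned comparison bug of the kind Steve mentions would do to it. The rule tuple format, the sample records and the auditctl rendering are assumptions for illustration, not audit-1.0.14 or kernel code.

```python
"""Constructed model of the audit exit-list filter.

Added illustration only; not kernel or audit-userspace code. The rule tuple
layout, record dicts and auditctl rendering are assumptions.
"""

UNSET_AUID = 0xFFFFFFFF   # kernel stores "login uid not set" as (uid_t)-1


def to_u32(value):
    """Reduce a Python int to the unsigned 32-bit value the kernel holds."""
    return value & 0xFFFFFFFF


def comparator(left, op, right, signed_bug=False):
    """Compare a record field (always u32) against a rule value.

    With signed_bug=True the rule value is left as a signed int, modelling a
    signed/unsigned promotion bug: auid=-1 then never equals 4294967295 and
    the 'never' rule silently stops matching.
    """
    left = to_u32(left)
    if not signed_bug:
        right = to_u32(right)
    if op == "=":
        return left == right
    if op == "!=":
        return left != right
    raise ValueError("unsupported operator: %r" % op)


def filter_exit(rules, record, signed_bug=False):
    """Walk the exit list in order; the first matching rule decides.

    rules:  list of (action, field, op, value), action "always" or "never".
    record: dict of syscall-exit fields for one process (auid, uid, ...).
    Returns the action of the first matching rule, or None when nothing
    matched (no record is written in that case either).
    """
    for action, field, op, value in rules:
        if field in record and comparator(record[field], op, value, signed_bug):
            return action
    return None


def as_auditctl(rules):
    """Render the rule list as auditctl lines (syntax assumed, not checked
    against audit-1.0.14; -1 is rendered as the u32 the kernel compares)."""
    return ["auditctl -a exit,%s -S all -F %s%s%d"
            % (action, field, op, to_u32(value))
            for action, field, op, value in rules]


# Constructed sample processes: a daemon started by init (auid still unset)
# and a root shell whose login set auid=500.
DAEMON = {"auid": UNSET_AUID, "uid": 0}
ROOT_SHELL = {"auid": 500, "uid": 0}

# Drop unset-auid processes first, then audit everything root does.
RULES = [("never", "auid", "=", -1), ("always", "uid", "=", 0)]
# Same rules, wrong order: the 'always' rule matches the daemon first.
RULES_WRONG_ORDER = [("always", "uid", "=", 0), ("never", "auid", "=", -1)]


if __name__ == "__main__":
    for line in as_auditctl(RULES):
        print(line)
    print("daemon, correct comparator:   ", filter_exit(RULES, DAEMON))
    print("daemon, signed/unsigned bug:  ", filter_exit(RULES, DAEMON, True))
    print("daemon, never after always:   ", filter_exit(RULES_WRONG_ORDER, DAEMON))
    print("root shell, correct comparator:", filter_exit(RULES, ROOT_SHELL))
```

Two things to check on a real box when a `never` rule seems ignored: list the loaded rules with `auditctl -l` and confirm the `never` entry precedes every `always` entry on the exit list, and confirm the value shown for auid is 4294967295 rather than a negative number, since the kernel compares unsigned 32-bit values.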