auditctl task ignores -S flag
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
Here at IBM we have found that if you create an audit rule which uses
"task", then the -S flag has no affect. Rather than only auditing the
specified syscalls, all syscalls will generate an audit message. fyi, the
-F flag seems to work as expected. If this behavior is acceptable and it
doesn't make sense to use the "-S" flag with "task" rules, then
auditctl
needs to be changed to not accept the -S flag in conjunction with "task",
or at least return a warning that the -S flag will be ignored. The man
page will also need to be changed in order to state the limitation.
Thanks,
debora
Attachments:
- attachment.html (text/html — 678 bytes)
On Mon, 2005-01-17 at 14:44 -0600, Debora Velarde wrote:
<html><body><p>Here at IBM we have found that if
you create an audit
rule which use=s "task", then the -S flag has no affect.
Rather than only a=uditing the specified syscalls, all syscalls will
generate an audit mes=sage.
Please don't send HTML email.
The 'task' rule list is used only at the time a task is created -- when
fork() or clone() is called by the parent task. Thus, the syscall mask
is not relevant -- only characteristics of the task which can be seen at
the time it is started, such as the uid, gid, etc., are relevant.
The three possible results of the task-creation rule list are as
follows:
AUDIT_NEVER: Do not allocate an audit context for the new task.
No syscall-specific audit records can be generated.
AUDIT_POSSIBLE: Allocate an audit context for the new task, and
always fill it in at syscall entry time. This makes a
full syscall record available if some other part of the
kernel decides it should be recorded.
AUDIT_ALWAYS: Allocate an audit context, always fill it in at
syscall entry time, and always write out a record at
syscall exit time.
fyi, the -F flag seems to work as expected. If this behavior =is
acceptable and it doesn't make sense to use the "-S" flag
=with "task" rules, then auditctl needs to be changed to not
a=ccept the -S flag in conjunction with "task", or at least
ret=urn a warning that the -S flag will be ignored. The man page will
also= need to be changed in order to state the limitation. <br><br>
Thanks,<br>debora</body></html>=
The -F flag will work for certain fields but not all. I agree that
auditctl should not accept the -S flag for a 'per-task' rule, and it
shouldn't accept the -F flag with a field numerically greater than
AUDIT_PERS either.
--
dwmw2
7278
days inactive
7279
days old
linux-audit@lists.linux-audit.osci.io
1 comments
2 participants
tags (0)
participants (2)
-
David Woodhouse -
Debora Velarde