> - fix bug where inode, devmajor, devminor, exit, and success fields in
> auditctl rules were not getting the correct value stored
For auditctl, what are acceptable values for the -F success flag?
0, 1, yes, no?
1. success=no and success=yes seem to result in the same filter rule being added.
If I do:
# auditctl -a exit,always -S chmod -F success=no
# auditctl -l
AUDIT_LIST: exit,always success=0 syscall=chmod
But if I do:
# auditctl -D
# auditctl -a exit,always -S chmod -F success=yes
# auditctl -l
AUDIT_LIST: exit,always success=0 syscall=chmod
Notice either way, the rule being added has success=0.
2. If I add a rule with the flags success=0 and success=1, they seem fine when I list them.
But I get the same behavior whether I passed in a 0 or 1.
'auditctl -a exit,always -S chmod -F success=0' captures only successful syscalls.
# auditctl -l
AUDIT_LIST: exit,always success=0 syscall=chmod
type=SYSCALL msg=audit(1124855948.374:10067): arch=14 syscall=15 success=yes exit=0 a0=1001a8b0 a1=1ff a2=0 a3=fffffffffefefeff items=1 pid=15044 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"
'auditctl -a exit,always -S chmod -F success=1' captures only successful syscalls.
# auditctl -l
AUDIT_LIST: exit,always success=1 (0x1) syscall=chmod
type=SYSCALL msg=audit(1124855984.507:10070): arch=14 syscall=15 success=yes exit=0 a0=1001a8b0 a1=1ff a2=0 a3=fffffffffefefeff items=1 pid=15051 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"
'auditctl -a exit,always -S chmod -F success!=0' captures only unsuccessful syscalls.
type=SYSCALL msg=audit(1124856028.814:10073): arch=14 syscall=15 success=no exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=15059 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"
'auditctl -a exit,always -S chmod -F success!=1' captures only unsuccessful syscalls.
type=SYSCALL msg=audit(1124856071.099:10083): arch=14 syscall=15 success=no exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=15069 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"
3. Should -1 be an acceptable value? Currently it is accepted:
# auditctl -a exit,always -S chmod -F success=-1
# auditctl -l
AUDIT_LIST: exit,always success=-1 (0xffffffff) syscall=chmod
No watches
Only successful syscalls result in records, which is the opposite of what I was expecting.
The following is an example audit record:
type=SYSCALL msg=audit(1124853111.231:9988): arch=14 syscall=15 success=yes exit=0 a0=1001a8b0 a1=1ff a2=32000000 a3=fffffffffefefeff items=1 pid=14770 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"
If I use the rule:
'auditctl -a exit,always -S chmod -f success!=-1'
Only unsuccessful syscalls result in audit records:
type=SYSCALL msg=audit(1124854274.322:10026): arch=14 syscall=15 success=no exit=-1 a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=14884 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"
I've found similar problems with the 'exit' flag and am still investigating.
-debbie
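As an added example (not code from the report or from the audit project), the following Python checker parses SYSCALL records like the ones quoted above and lists the records a given '-F success' rule should not have captured. It assumes the auditctl man-page semantics (success is 1 when exit >= 0, otherwise 0); the sample records are constructed from the ones in the report, with a few fields dropped.

```python
import re

# Records constructed from the ones quoted in the report (some fields dropped for brevity).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1124855948.374:10067): arch=14 syscall=15 success=yes exit=0 '
    'a0=1001a8b0 a1=1ff a2=0 a3=fffffffffefefeff items=1 pid=15044 auid=500 uid=500 '
    'comm="chmod" exe="/bin/chmod"',
    'type=SYSCALL msg=audit(1124856028.814:10073): arch=14 syscall=15 success=no exit=-1 '
    'a0=1001a8b0 a1=16d a2=a a3=10003490 items=1 pid=15059 auid=500 uid=500 '
    'comm="chmod" exe="/bin/chmod"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # msg=audit(timestamp:serial)


def parse_record(line):
    """Split one audit record into a dict; msg=audit(ts:serial) becomes timestamp/serial."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(rec.get("msg", ""))
    if m:
        rec["timestamp"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec


def syscall_succeeded(rec):
    """success=yes is set exactly when exit >= 0; refuse records where the two disagree."""
    by_flag = rec["success"] == "yes"
    by_exit = int(rec["exit"]) >= 0
    if by_flag != by_exit:
        raise ValueError(f"success={rec['success']} contradicts exit={rec['exit']}")
    return by_flag


def rule_selects(op, value, succeeded):
    """Evaluate '-F success<op><value>' (op '=' or '!=') against an observed outcome.
    Assumes the man-page semantics: success is 1 when exit >= 0, otherwise 0."""
    if value not in (0, 1) or op not in ("=", "!="):
        raise ValueError("success takes only 0 or 1, compared with = or !=")
    observed = 1 if succeeded else 0
    return observed == value if op == "=" else observed != value


def unexpected_captures(op, value, lines):
    """Serials of SYSCALL records a rule captured although the semantics say it should not."""
    bad = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and not rule_selects(op, value, syscall_succeeded(rec)):
            bad.append(rec["serial"])
    return bad
```

Run against the report's '-F success=0' case, unexpected_captures("=", 0, SAMPLE_RECORDS) returns [10067], the success=yes record that rule captured but should have filtered out.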