On Thursday 23 June 2005 14:09, David Woodhouse wrote:
Watch filters should have a syscall. If you didn't specify any, then I'd guess that neither of those rules are matching, so you're getting the default behaviour.
I fixed auditctl so that if you do not specify a syscall, it will default to
all. I use the following and confirmed that it works (will be in 0.9.13):
auditctl -a watch,never -F auid=500
auditctl -w /etc/passwd -k test -p rwxa
cat /etc/passwd >/dev/null
However... I looked at the user filtering and it is not working. I think I know
why. netlink is an async interface. This means that the task may not be alive
when the user message is processed. It currently detects this and returns
-ESRCH, but the sender is long gone.
This means that the generic audit_filter_rules() cannot be used. You can only
filter based on the credentials that netlink gathered from the caller at
reception of the message, or move the filtering to the message entry point after
the permission checks.
-Steve
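The race described in this message, as an added illustration that is not part of the original thread and not kernel code: a toy model in which one filter looks the sender's task up by pid when the message is finally processed (and gets -ESRCH because the sender has exited), while the other evaluates the same rule against credentials copied out of the sender at reception time. The rule/action/field names, the process table and the pid 1234 sender are all constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified model of user-message filtering (illustration only, not kernel
 * code). Rule, field and action names are assumptions made for the example. */
enum action { ACT_DEFAULT = 0, ACT_NEVER = 1, ACT_ALWAYS = 2 };
enum field  { F_AUID, F_UID, F_PID };
enum op     { OP_EQ, OP_NE };

struct rule {
    enum field   field;
    enum op      op;
    unsigned int value;
    enum action  action;
};

/* Credentials the transport copied out of the sender when the message arrived. */
struct msg_creds {
    pid_t pid;
    uid_t uid;
    uid_t loginuid;
};

/* Constructed process table standing in for the task list. */
struct task {
    pid_t pid;
    uid_t uid;
    uid_t loginuid;
    bool  alive;
};

static struct task tasks[] = {
    { 1,    0,   (uid_t)-1, true },
    { 1234, 500, 500,       true },   /* constructed: a caller with auid 500 */
};

static struct task *find_task(pid_t pid)
{
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        if (tasks[i].pid == pid && tasks[i].alive)
            return &tasks[i];
    return NULL;
}

static bool rule_matches(const struct rule *r, pid_t pid, uid_t uid, uid_t loginuid)
{
    unsigned int actual;
    switch (r->field) {
    case F_AUID: actual = loginuid;          break;
    case F_UID:  actual = uid;               break;
    case F_PID:  actual = (unsigned int)pid; break;
    default:     return false;
    }
    return r->op == OP_EQ ? actual == r->value : actual != r->value;
}

/* First matching rule decides; no match means the default behaviour. */
static enum action apply_rules(const struct rule *rules, size_t n,
                               pid_t pid, uid_t uid, uid_t loginuid)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], pid, uid, loginuid))
            return rules[i].action;
    return ACT_DEFAULT;
}

/* Racy approach: dereference the sender's task at processing time. With an
 * asynchronous interface the task may already be gone. */
static int filter_by_task_lookup(pid_t sender_pid, const struct rule *rules,
                                 size_t n, enum action *out)
{
    struct task *t = find_task(sender_pid);
    if (!t)
        return -ESRCH;   /* and there is nobody left to return this to */
    *out = apply_rules(rules, n, t->pid, t->uid, t->loginuid);
    return 0;
}

/* Workable approach: use only the credentials captured at reception. */
static enum action filter_user_msg(const struct msg_creds *c,
                                   const struct rule *rules, size_t n)
{
    return apply_rules(rules, n, c->pid, c->uid, c->loginuid);
}

/* Scenario: the auid-500 process sends a user message and exits before it is
 * processed. Returns the lookup-based rc; stores the credential-based action. */
static int scenario_sender_exited(enum action *captured_action)
{
    struct rule rules[] = { { F_AUID, OP_EQ, 500, ACT_NEVER } };
    size_t n = sizeof rules / sizeof rules[0];
    struct task *sender = find_task(1234);
    struct msg_creds creds = { sender->pid, sender->uid, sender->loginuid };
    enum action unused = ACT_DEFAULT;

    sender->alive = false;                 /* sender exits before processing */
    int rc = filter_by_task_lookup(1234, rules, n, &unused);
    *captured_action = filter_user_msg(&creds, rules, n);
    sender->alive = true;                  /* restore the constructed table */
    return rc;
}

int main(void)
{
    enum action act;
    int rc = scenario_sender_exited(&act);
    printf("task lookup rc=%d (ESRCH=%d); captured-creds action=%d (NEVER=%d)\n",
           rc, -ESRCH, act, ACT_NEVER);
    return 0;
}
```

The point of the split is that the credential snapshot is the only thing the receiver can trust to exist; anything that re-derives sender state from a pid at processing time is racing the sender's exit (and, in the real system, pid reuse).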