Hey all,

Apparently, this is a repeated report of a known problem, but here it is anways:

I believe there is a short coming with auditctl and specifying a filter for a negative value for the field, such as exit, a0, etc.

Here are the steps you can use to verify this:

#include <unistd.h>
int main() {
        pread(-1,NULL,0,0);
}

Compile the above and add the following rules:

# auditctl -a exit,always -S pread -- captures record
# auditctl -D
# auditctl -a exit,always -S pread -F exit=-9 -- (return code on the system I am using) no record

This can also be done with any syscall (like chmod if you don't want to code C), as long as you filter on the right value. It seems that any negative value which you try to filter on will fail.

If you have any questions or want more information as to what I've seen, just ask.
Mike