On 11/15/2017 10:16 AM, Steve Grubb wrote:
> OK. That's something that can be checked. And I confirm this is
> the case.
>
> [root@x2 ~]# auditctl -a always,exit -F arch=b64 -S open -F subj_type=doesnt_exist_t
> [root@x2 ~]# echo $?
> 0
> [root@x2 ~]# auditctl -l | grep doesnt_exist_t
> -a always,exit -F arch=b64 -S open -F subj_type=doesnt_exist_t
> [root@x2 ~]# auditctl -d always,exit -F arch=b64 -S open -F subj_type=doesnt_exist_t
>
> That said, you can also write a rule with auid=40000 which would be an invalid
> user. The kernel has no concept of what uids are valid. So, I expect we have
> the same issue with policy. I don't know if the kernel can check if a type is
> valid. Typically policy is compiled into numbers and that's what the kernel
> understands.
>
> -Steve
Thanks Steve. I wouldn't mind as much if it accepts types not currently
loaded (seems like a warning would be nice though), however the part
about it subsequently discarding valid events due to the bogus type is
the troubling part.
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
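Since the kernel accepts any subj_type or auid value, a user-space pre-check is the place to catch the bogus-type case the thread describes. The script below is an added example, not code from the thread or from audit-userspace: it scans a rule for -F subj_type= and -F auid= fields and warns when the value is not in a list of loaded types (in practice filled from `seinfo -t`; a constructed list is used here so it runs offline) or has no passwd entry (likewise a constructed uid list).

```shell
#!/bin/sh
# Constructed sample data so the check runs offline. On a real host use:
#   known_types=$(seinfo -t | sed 1d)           # setools
#   known_uids=$(getent passwd | cut -d: -f3)
known_types="unconfined_t
sshd_t
httpd_t"
known_uids="0
1000"

# type_is_loaded TYPE -> 0 if TYPE appears in $known_types
type_is_loaded() {
    printf '%s\n' "$known_types" | grep -qx -- "$1"
}

# uid_is_known UID -> 0 if UID has an entry, or is the "unset" auid
uid_is_known() {
    case $1 in
        -1|4294967295) return 0 ;;   # unset login uid is always legitimate
    esac
    printf '%s\n' "$known_uids" | grep -qx -- "$1"
}

# check_audit_rule "RULE" -> 0 if every subj_type=/auid= value is known,
# 1 otherwise (a warning per unknown field is printed to stderr).
# Rules without these fields (e.g. -w watches) pass unchanged.
check_audit_rule() {
    status=0
    set -- $1                      # split the rule into auditctl tokens
    while [ $# -gt 0 ]; do
        if [ "$1" = "-F" ] && [ $# -gt 1 ]; then
            case $2 in
                subj_type=*)
                    t=${2#subj_type=}
                    type_is_loaded "$t" || {
                        echo "warning: type '$t' is not in the loaded policy" >&2
                        status=1; } ;;
                auid=*)
                    u=${2#auid=}
                    uid_is_known "$u" || {
                        echo "warning: auid $u has no passwd entry" >&2
                        status=1; } ;;
            esac
            shift
        fi
        shift
    done
    return $status
}

# Usage: sh check_rule.sh -a always,exit -F arch=b64 -S open -F subj_type=sshd_t
[ $# -gt 0 ] && check_audit_rule "$*"
```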