On Friday 13 July 2007 08:18:57 am Taylor_Tad(a)emc.com wrote:
> {marge.rtp.dg.com}_5: rpm -q kernel audit audit-libs
> kernel-2.6.9-42.EL
OK, had to double check this. I think you are OK because the miscompare was bz
196233 which appears to have been fixed in -42. The current release, though,
is -55 which has another important audit fix in it. The rule comparison is
done by the kernel, so that is what matters. But also note that you could
have several kernels on a machine, so "uname -r" rather than "rpm -q kernel"
is more appropriate.
> So, is the general idea behind the rules sound?
Yes.
> You should be able to block audit records for unset auids?
Yes. I think the long unsigned number is what you want to pass. Also, this
rule has to be the first one sent after deleting all rules in the audit.rules
file. This is because the audit system does "first match wins" top down order
when evaluating the rules.
-Steve
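An added example, not part of the thread above, of checking the ordering point Steve makes: a small POSIX sh check that an audit.rules file begins with -D and that the very next rule is the one suppressing records for an unset loginuid, since the kernel evaluates rules top-down with first match wins. It assumes the rule syntax "-a exit,never -F auid=4294967295" (4294967295 being the unsigned form of auid -1, i.e. unset); the sample rules files are constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): verify audit.rules ordering.
# Assumption: the suppression rule is written as
#   -a exit,never -F auid=4294967295   (or the never,exit spelling)
# where 4294967295 is the unsigned representation of an unset auid (-1).

# Print the effective rule lines of a file: comments and blank lines dropped,
# leading/trailing whitespace removed, internal whitespace squeezed.
rule_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | grep -v '^$'
}

# Returns 0 when "-D" is the first rule and the unset-auid suppression rule
# is the second, 1 otherwise; prints a one-line explanation either way.
check_auid_rule_order() {
    first=$(rule_lines "$1" | sed -n '1p')
    second=$(rule_lines "$1" | sed -n '2p')
    case "$first" in
        -D) ;;
        *) echo "first rule is '$first', expected -D"; return 1 ;;
    esac
    case "$second" in
        "-a exit,never -F auid=4294967295"|"-a never,exit -F auid=4294967295")
            echo "ok: unset-auid suppression rule is first after -D"; return 0 ;;
        *) echo "second rule is '$second', expected the unset-auid suppression rule"
           return 1 ;;
    esac
}

# Constructed sample files: one ordered correctly, one with the suppression
# rule placed after a watch, where an earlier match would already have fired.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
# flush existing rules first
-D
# daemons started at boot never get a loginuid; drop their records
-a exit,never -F auid=4294967295
-w /etc/shadow -p wa
EOF
cat > "$BAD" <<'EOF'
-D
-w /etc/shadow -p wa
-a exit,never -F auid=4294967295
EOF

check_auid_rule_order "$GOOD"
check_auid_rule_order "$BAD" || echo "(rejected, as expected)"
rm -f "$GOOD" "$BAD"
```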