3:14 p.m.
Hi Steve,
I discovered a usability bug in auditctl while attempting to load
rules from a file. When auditctl reaches a line containing only
whitespace, it silently terminates, without loading the remainder of
the rules.
I suppose either continuing on, or terminating with an error message
would be acceptable behavior.
Thanks,
Amy
3:21 p.m.
On Tuesday 26 July 2005 16:14, Amy Griffis wrote:
I discovered a usability bug in auditctl while attempting to load
rules from a file. When auditctl reaches a line containing only
whitespace, it silently terminates, without loading the remainder of
the rules.
It is supposed to skip that line and continue. I'll check into this.
-Steve
3:48 p.m.
On Tue, Jul 26, 2005 at 04:35:19PM -0400, Steve Grubb wrote:
OK, found and fixed. Will be corrected in next release.
One other item in the same vein, since auditctl doesn't make use of
command arguments (as opposed to option arguments), it would be
helpful if it would give a syntax error when they are provided. This
often happens to me:
# auditctl -a entry,always open
# auditctl -l
AUDIT_LIST: entry,always syscall=all
No watches
Thanks,
Amy
4:11 p.m.
On Tuesday 26 July 2005 16:48, Amy Griffis wrote:
# auditctl -a entry,always open
# auditctl -l
AUDIT_LIST: entry,always syscall=all
No watches
jeez. I wished this was reported a long time ago. This behavior has probably
been there from the beginning. I'm glad you are reporting it. Adding to TODO
list...
-Steve
4:23 p.m.
On Tuesday 26 July 2005 16:11, Steve Grubb wrote:
On Tuesday 26 July 2005 16:48, Amy Griffis wrote:
> # auditctl -a entry,always open
>
> # auditctl -l
> AUDIT_LIST: entry,always syscall=all
> No watches
jeez. I wished this was reported a long time ago. This behavior has probably
been there from the beginning. I'm glad you are reporting it. Adding to TODO
list...
This isn't a userspace issue, but do you think this should be permitted? I'd
expect a "Rule already exists" type error *shrug*
[root@liltux ~]# auditctl -aexit,always -S open
[root@liltux ~]# auditctl -l
AUDIT_LIST: exit,always syscall=open
No watches
[root@liltux ~]# auditctl -aexit,always -S open
[root@liltux ~]# auditctl -l
AUDIT_LIST: exit,always syscall=open
AUDIT_LIST: exit,always syscall=open
-tim
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
4:33 p.m.
Steve Grubb wrote: [Tue Jul 26 2005, 05:27:58PM EDT]
On Tuesday 26 July 2005 17:23, Timothy R. Chavez wrote:
> This isn't a userspace issue, but do you think this should be permitted?
> ?I'd expect a "Rule already exists" type error *shrug*
This is already on the TODO list. I'll try to fix this in the next round of
development.
Shouldn't this be checked in kernel? Versus userspace having to get
the list of rules from the kernel and walk through it?
Which way were you thinking?
Amy
4:39 p.m.
On Tuesday 26 July 2005 17:33, Amy Griffis wrote:
Shouldn't this be checked in kernel?
That was my preference. I don't think they wanted to do it, though. The
problem truly is a kernel problem as auditctl may not be the only utility in
the future.
Versus userspace having to get the list of rules from the kernel and
walk
through it?
Which way were you thinking?
Get the list and walk it.
-Steve
5:36 p.m.
David, Tim,
Steve Grubb wrote: [Tue Jul 26 2005, 05:39:41PM EDT]
On Tuesday 26 July 2005 17:33, Amy Griffis wrote:
> Shouldn't this be checked in kernel?
That was my preference. I don't think they wanted to do it, though.
Is there any reason we're not checking for duplicate syscall rules on
add?
Amy
5:49 p.m.
On Thursday 28 July 2005 18:36, Amy Griffis wrote:
Is there any reason we're not checking for duplicate syscall
rules on
add?
I personally can't think of a good reason not to. If you submit a patch, I'm
sure that would help. I think fsaudit code does as I've seen messages stating
that. I think syscalls are all that's lacking.
BTW, the next auditctl release will trim the trailing '/' from paths to help
auditfs code.
-Steve
4:37 p.m.
New subject: duplicate watches
Timothy R. Chavez wrote: [Tue Jul 26 2005, 05:23:43PM EDT]
This isn't a userspace issue, but do you think this should be
permitted? I'd
expect a "Rule already exists" type error *shrug*
[root@liltux ~]# auditctl -aexit,always -S open
[root@liltux ~]# auditctl -l
AUDIT_LIST: exit,always syscall=open
No watches
[root@liltux ~]# auditctl -aexit,always -S open
[root@liltux ~]# auditctl -l
AUDIT_LIST: exit,always syscall=open
AUDIT_LIST: exit,always syscall=open
I just found this as well:
# auditctl -w /tmp
# auditctl -w /tmp/
# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=8:6, path=/tmp, filterkey=, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:6, path=/tmp/, filterkey=, perms=, valid=0
7202
days inactive
7204
days old
linux-audit@lists.linux-audit.osci.io
11 comments
3 participants
participants (3)
-
Amy Griffis -
Steve Grubb -
Timothy R. Chavez