Hello Steve, The error message is not appropriate when I try to set gid to negative. the value of "Unknown group:" should be the gid rather than "gid". There is the same problem in uids. I did as fallows: #auditctl -a exit,always -F gid=-1 Unknown group: gid -F unknown field: gid=-1 Signed-off-by: Cai Xianchao <caixianchao(a)cn.fujistu.com&gt; --- diff --git a/deprecated.c b/deprecated.c index e05e826..2d32ad3 100644 --- a/deprecated.c +++ b/deprecated.c @@ -259,7 +259,7 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags) if (name_to_uid(v, &rule->values[rule->field_count])) { audit_msg(LOG_ERR, "Unknown user: %s", - pair); + v); return -2; } } @@ -275,7 +275,7 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags) if (name_to_gid(v, &rule->values[rule->field_count])) { audit_msg(LOG_ERR, "Unknown group: %s", - pair); + v); return -2; } } diff --git a/libaudit.c b/libaudit.c index 4bedfaf..37e96e5 100644 --- a/libaudit.c +++ b/libaudit.c @@ -851,7 +851,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, if (audit_name_to_uid(v, &rule->values[rule->field_count])) { audit_msg(LOG_ERR, "Unknown user: %s", - pair); + v); return -2; } } @@ -867,7 +867,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, if (audit_name_to_gid(v, &rule->values[rule->field_count])) { audit_msg(LOG_ERR, "Unknown group: %s", - pair); + v); return -2; } }