http://bugzilla.suse.com/show_bug.cgi?id=965861 Bug ID: 965861 Summary: Auditd reports unknown field for comm and exe when used on rules Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.1 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: david.westfall@red-inc.us QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- I am trying to create an exclude filter based on what program made the system call. I have tried both comm and exe. auditctl -a exit,never -F comm="opera" -F unknown field: comm auditctl -a exit,never -F exe="/usr/lib/opera/opera" -F unknown field: exe According to the man page for audit.rules the exit filer is able to use all fields in the audit record. Man Page: The third paragraph under syscall. The entry list is run through at each syscall entry. The exit list is checked on syscall exit. The main difference between these two is that some things are not available at syscall entry and cannot be checked, like the exit value. Rules on the exit filter are much more common and all fields are available for use at syscall exit. At some point in the near future the entry filter will be deprecated, so it would be best to only use the exit filter. I used the following to rule to test if a -S syscall is need on an audit rule. -a exit,never -F arch=b32 The system accepted the rule and filtered out all b32 events. I am seeing the same errors on 13.1 13.2 and 42.1. Dave W -- You are receiving this mail because: You are on the CC list for the bug.