Mailinglist Archive: opensuse-bugs (4510 mails)

[Bug 965861] New: Auditd reports unknown field for comm and exe when used on rules
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Tue, 09 Feb 2016 13:57:36 +0000
  • Message-id: <bug-965861-21960@http.bugzilla.suse.com/>
http://bugzilla.suse.com/show_bug.cgi?id=965861


Bug ID: 965861
Summary: Auditd reports unknown field for comm and exe when used on rules
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: david.westfall@xxxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

I am trying to create an exclude filter based on what program made the system
call.

I have tried both comm and exe.

auditctl -a exit,never -F comm="opera"
-F unknown field: comm

auditctl -a exit,never -F exe="/usr/lib/opera/opera"
-F unknown field: exe

According to the man page for audit.rules the exit filter is able to use all
fields in the audit record.

Man Page: The third paragraph under syscall.
The entry list is run through at each syscall entry. The exit list is checked
on syscall exit. The main difference between these two is that some things are
not available at syscall entry and cannot be checked, like the exit value.
Rules on the exit filter are much more common and all fields are available for
use at syscall exit. At some point in the near future the entry filter will be
deprecated, so it would be best to only use the exit filter.

I used the following rule to test whether a -S syscall is needed on an audit rule.
-a exit,never -F arch=b32

The system accepted the rule and filtered out all b32 events.

I am seeing the same errors on 13.1, 13.2 and 42.1.

Dave W

--
You are receiving this mail because:
You are on the CC list for the bug.
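The report above shows auditctl rejecting a rule at load time with `-F unknown field: comm`. The following script is an added example, not part of the bug report or of the audit project, that lints audit rule lines before they are handed to auditctl so that a rule file does not fail halfway through loading. It parses `-a`, `-S`, `-F` and `-k` options, checks every `-F` field name against an allowlist, and flags rules placed on the `entry` list, which the quoted man page text marks for deprecation. The `KNOWN_FIELDS` set is an assumption written from the auditctl(8) man page of a recent audit release; it must be edited to match the audit version actually installed (the reporter's Leap 42.1 build evidently rejects `exe`, which newer releases accept).

```python
import shlex

# Field names accepted by auditctl -F in a recent audit release.
# ASSUMPTION: trim this set to what your installed auditctl accepts; `exe` is
# missing from older releases, and `comm` is an ausearch/record field rather
# than a rule field, so it is deliberately absent here.
KNOWN_FIELDS = {
    "a0", "a1", "a2", "a3", "arch", "auid", "devmajor", "devminor", "dir",
    "egid", "euid", "exe", "exit", "fsgid", "fsuid", "filetype", "gid",
    "inode", "key", "msgtype", "obj_uid", "obj_gid", "obj_user", "obj_role",
    "obj_type", "obj_lev_low", "obj_lev_high", "path", "perm", "pers", "pid",
    "ppid", "sgid", "subj_user", "subj_role", "subj_type", "subj_sen",
    "subj_clr", "success", "suid", "uid",
}

# Comparison operators auditctl accepts in a -F expression, longest first so
# that "<=" is matched before "<" and "!=" before "=".
_OPS = ("!=", "<=", ">=", "&=", "=", "<", ">", "&")


def parse_filter(expr):
    """Split a -F expression such as comm=opera into (field, op, value)."""
    for op in _OPS:
        if op in expr:
            field, value = expr.split(op, 1)
            return field.strip(), op, value.strip()
    raise ValueError(f"-F expression without an operator: {expr!r}")


def parse_rule(rule):
    """Parse one audit rule line into action/list, syscalls and filters.

    A leading 'auditctl' word, as typed in a shell session, is ignored so the
    same function works on audit.rules lines and on interactive commands."""
    tokens = shlex.split(rule)
    if tokens and tokens[0] == "auditctl":
        tokens = tokens[1:]
    parsed = {"action": None, "syscalls": [], "filters": []}
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"option {flag!r} is missing its argument")
        arg = tokens[i + 1]
        if flag in ("-a", "-A"):
            parsed["action"] = arg
        elif flag == "-S":
            parsed["syscalls"].append(arg)
        elif flag == "-F":
            parsed["filters"].append(parse_filter(arg))
        elif flag == "-k":
            # -k key is shorthand for -F key=<key>
            parsed["filters"].append(("key", "=", arg))
        else:
            raise ValueError(f"unsupported option {flag!r}")
        i += 2
    return parsed


def unknown_fields(rule, known=KNOWN_FIELDS):
    """Return the -F field names in `rule` that auditctl would reject."""
    return [f for f, _, _ in parse_rule(rule)["filters"] if f not in known]


def lint_rule(rule, known=KNOWN_FIELDS):
    """Return a list of problems with `rule`, phrased like auditctl's errors."""
    parsed = parse_rule(rule)
    problems = [f"-F unknown field: {f}" for f in unknown_fields(rule, known)]
    if parsed["action"] and parsed["action"].split(",")[0] == "entry":
        problems.append("entry filter is scheduled for deprecation; use exit")
    return problems


if __name__ == "__main__":
    # Constructed sample rules, including the two from the bug report.
    sample_rules = [
        'auditctl -a exit,never -F comm="opera"',
        'auditctl -a exit,never -F exe="/usr/lib/opera/opera"',
        "-a exit,never -F arch=b32",
        "-a entry,always -S open -F auid!=4294967295 -k file_open",
    ]
    for line in sample_rules:
        print(line)
        for problem in lint_rule(line) or ["ok"]:
            print("   ", problem)
```

Run it over the lines of an audit.rules file before `augenrules --load` or `auditctl -R` so that an unsupported field is caught by the linter rather than by a half-loaded rule set; the allowlist is the only part that needs adjusting per audit version.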