From: Matthew Booth
Subject: Problems with -F exit!=-2 on x86_64
Date: Mon, 19 Feb 2007 21:46:00 +0000
Message-ID: <1171921560.3592.12.camel@localhost.localdomain>
To: linux-audit

Amongst other things, I'm auditing all open calls on RHEL4 U4. I've noticed that the dynamic linker generates a massive amount of noise, most of which is open calls for files which don't exist. These are uninteresting from an audit perspective as they don't relate to a successful or unsuccessful attempt to read or write to a particular file. On my workload, these make up about 45% of audit traffic.

The exit code for these failures is -2 (No such file or directory). I tried the following on both i386 and x86_64:

    auditctl -a exit,always -S open -F exit!=-2

This works exactly as expected on i386, but not on x86_64. The effect on x86_64 is as if no filtering had been applied. However the following, for eg, works fine:

    auditctl -a exit,always -S open -F exit=3

I'm using auditd-1.0.15 from U5 (audit-1.0.15-2.EL4). I saw the same behaviour on the vanilla auditd, version 1.0.14.

Is this a known issue, expected behaviour, or user error? If the former, I'll be happy to file a BZ. However, I'd like to know if it's in user space or kernel space in case I have to look at it myself.

Thanks,

Matt
-- 
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
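
Added example, not part of the original message: a user-space post-filter that removes whole audit events whose SYSCALL record is an open with exit=-2, and counts how many events that drops. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# open(2) syscall number per audit arch value: x86_64 and i386.
OPEN_NR = {"c000003e": "2", "40000003": "5"}
ENOENT_EXIT = "-2"  # the exit value quoted in the message above
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from the original message).
SAMPLE = """\
type=SYSCALL msg=audit(1171921560.101:501): arch=c000003e syscall=2 success=no exit=-2 items=1 pid=3592 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1171921560.101:501): name="/lib64/tls/x86_64/libselinux.so.1"
type=SYSCALL msg=audit(1171921560.102:502): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=3592 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1171921560.102:502): name="/lib64/libselinux.so.1" inode=1234
type=SYSCALL msg=audit(1171921560.103:503): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=3600 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1171921560.103:503): name="/etc/shadow" inode=5678
type=SYSCALL msg=audit(1171921560.104:504): arch=40000003 syscall=5 success=no exit=-2 items=1 pid=3601 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1171921560.104:504): name="/lib/tls/i686/libc.so.6"
""".splitlines()

def is_enoent_open(fields):
    """True for a SYSCALL record that is open() returning -2 on a known arch."""
    nr = OPEN_NR.get(fields.get("arch", ""))
    return (fields.get("type") == "SYSCALL" and nr is not None
            and fields.get("syscall") == nr
            and fields.get("exit") == ENOENT_EXIT)

def drop_enoent_opens(lines):
    """Return (kept_lines, dropped_event_count, total_event_count)."""
    events = defaultdict(list)  # event id -> its records, in input order
    noisy = set()               # ids of events to drop as a whole
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        events[m.group(1)].append(line)
        if is_enoent_open(dict(FIELD.findall(line))):
            noisy.add(m.group(1))
    kept = [l for eid, recs in events.items() if eid not in noisy for l in recs]
    return kept, len(noisy), len(events)

if __name__ == "__main__":
    kept, dropped, total = drop_enoent_opens(SAMPLE)
    print("dropped %d of %d events" % (dropped, total))
    print("\n".join(kept))
```

Events are matched on the timestamp:serial pair, so the PATH records belonging to a dropped open go with it, while failures with other exit values (the constructed exit=-13 case) are kept.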