Problems with -F exit!=-2 on x86_64

Problems with -F exit!=-2 on x86_64

[Matthew Booth]

[-- Attachment #1.1: Type: text/plain, Size: 1287 bytes --]

Amongst other things, I'm auditing all open calls on RHEL4 U4. I've
noticed that the dynamic linker generates a massive amount of noise,
most of which is open calls for files which don't exist. These are
uninteresting from an audit perspective as they don't relate to a
successful or unsuccessful attempt to read or write to a particular
file. On my workload, these make up about 45% of audit traffic. The exit
code for these failures is -2 (No such file or directory).

I tried the following on both i386 and x86_64:

auditctl -a exit,always -S open -F exit!=-2

This works exactly as expected on i386, but not on x86_64. The effect on
x86_64 is as if no filtering had been applied. However the following,
for eg, works fine:

auditctl -a exit,always -S open -F exit=3

I'm using auditd-1.0.15 from U5 (audit-1.0.15-2.EL4). I saw the same
behaviour on the vanilla auditd, version 1.0.14. Is this a known issue,
expected behaviour, or user error? If the former, I'll be happy to file
a BZ. However, I'd like to know if it's in user space or kernel space in
case I have to look at it myself.

Thanks,

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Problems with -F exit!=-2 on x86_64

[Steve Grubb]

On Monday 19 February 2007 16:46, Matthew Booth wrote:
> I tried the following on both i386 and x86_64:
>
> auditctl -a exit,always -S open -F exit!=-2
>
> This works exactly as expected on i386, but not on x86_64. The effect on
> x86_64 is as if no filtering had been applied. However the following,
> for eg, works fine:

Its a kernel bug. bz 196233 Its scheduled to be in RHEL4U5.

-Steve