minor rule questions

minor rule questions

[LC Bruzenak]

MINOR: It appears that there needs to be a space between the "key=xxx"
and "list=N" results from "ausearch -i -ts today":
...
type=CONFIG_CHANGE msg=audit(05/08/2008 10:34:57.259:151) : auid=unset
subj=system_u:system_r:auditctl_t:s0-s15:c0.c1023 op=add rule key=CFG
key=postfixlist=4 res=1 
...

I'm sure this one is on startup when the audit.rules file is parsed and
the auditctls all happen. And what does the "list=N" part represent?
Would it be the following (i.e. exit):
#define AUDIT_FILTER_EXIT       0x04    /* Apply rule at syscall exit */

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: minor rule questions

[Steve Grubb]

On Thursday 08 May 2008 13:14:12 LC Bruzenak wrote:
> MINOR: It appears that there needs to be a space between the "key=xxx"
> and "list=N" results from "ausearch -i -ts today":

Thanks, added to the TODO file.


> I'm sure this one is on startup when the audit.rules file is parsed and
> the auditctls all happen. 

Looks like its from the interpret option of ausearch.


> And what does the "list=N" part represent? 

The kernel filter list that the rule was added to. 


> Would it be the following (i.e. exit):
> #define AUDIT_FILTER_EXIT       0x04    /* Apply rule at syscall exit */

Yes.

-Steve