From: Steve Grubb
Subject: Re: [Patch]Fix the bug of using "-S syscall -a list, action", no errors will be reported.
Date: Wed, 6 Aug 2008 12:57:51 -0400
Message-ID: <200808061257.52481.sgrubb@redhat.com>
References: <000901c8f2ae$209adb30$958da70a@truly> <200808042018.41069.sgrubb@redhat.com> <003901c8f795$d0df9300$958da70a@truly>
In-Reply-To: <003901c8f795$d0df9300$958da70a@truly>
To: Chu Li
Cc: 'linux-audit'
List-Id: linux-audit@redhat.com

On Wednesday 06 August 2008 03:27:00 Chu Li wrote:
> And I found another problem: when using "-a 'list','action' -w /mnt", it
> will always add the rule "LIST_RULES: exit,always dir=/mnt (0x4) perm=rwxa".
> I found "-w" will use the "exit" list automatically. I think it's better to
> add something about it in the manual.

There are two forms of audit rules, the syscall syntax (-a) and the watch syntax
(-w). They cannot be mixed. When -w is given, only -p and -k are valid.
When -a is given, -w is invalid.

The -w notation is primarily for backwards compatibility with RHEL4. In it you
do not give a list. When writing watches in RHEL5 and later, you can now use
syscall notation like this:

-a always,exit -F perm=wa -F path=/etc/shadow

Note that -S is not given. The kernel selects the syscalls based on the perm
field.

Hope this helps.

-Steve
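The two rule forms Steve describes, as an added example that is not part of the original thread and not code from the audit project: a small POSIX sh checker that classifies a rule line as watch form or syscall form and rejects the mixed form Chu Li ran into, plus a helper that rewrites a RHEL4-style watch into the syscall notation from Steve's reply. The function names `check_rule_form` and `watch_to_syscall` are my own; nothing here calls auditctl, so it runs without the audit subsystem. The rewrite uses `-F path=` as in Steve's example; auditctl itself reports a directory watch as `dir=`, as seen in Chu Li's LIST_RULES output.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread). Classifies audit rule
# lines into the two forms described in the reply and rewrites watches.

# check_rule_form "<rule line>"
# Prints "watch", "syscall", "mixed" or "unknown"; returns 0 only for the
# two valid forms. Only tokens starting with '-' are treated as options,
# so values such as /etc/shadow or perm=wa are ignored.
check_rule_form() {
    has_w=0; has_a=0; syscall_opts=0
    for tok in $1; do
        case "$tok" in
            -w)        has_w=1 ;;
            -a|-A)     has_a=1 ;;
            -S|-F|-C)  syscall_opts=1 ;;   # only meaningful with -a/-A
            -p|-k)     ;;                  # valid in either form
        esac
    done
    if [ "$has_w" -eq 1 ] && { [ "$has_a" -eq 1 ] || [ "$syscall_opts" -eq 1 ]; }; then
        echo mixed; return 1          # -w combined with syscall-form options
    elif [ "$has_w" -eq 1 ]; then
        echo watch; return 0
    elif [ "$has_a" -eq 1 ]; then
        echo syscall; return 0
    fi
    echo unknown; return 1
}

# watch_to_syscall PATH [PERMS] [KEY]
# Emits the syscall-notation equivalent of "-w PATH -p PERMS -k KEY".
# PERMS defaults to rwxa, which is what auditctl assigns to a bare -w.
# No -S is emitted: the kernel picks the syscalls from the perm field.
watch_to_syscall() {
    path=$1; perms=${2:-rwxa}; key=$3
    rule="-a always,exit -F perm=$perms -F path=$path"
    [ -n "$key" ] && rule="$rule -k $key"
    echo "$rule"
}

# Demo over constructed rule lines (not taken from a real audit.rules).
for r in '-w /etc/shadow -p wa -k shadow' \
         '-a always,exit -F perm=wa -F path=/etc/shadow' \
         '-a exit,always -w /mnt'; do
    printf '%-50s -> %s\n' "$r" "$(check_rule_form "$r")"
done
watch_to_syscall /etc/shadow wa shadow
```

The checker is the validation a practitioner would want in a pre-load lint of audit.rules: a watch line that also carries -a, -S or -F is flagged as mixed rather than silently accepted.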