From: Michael C Thompson
Subject: Re: Double addition of rule yields two log messages
Date: Fri, 19 May 2006 12:40:51 -0500
Message-ID: <446E0323.4030905@us.ibm.com>
References: <446DE295.8040503@us.ibm.com> <446DEF68.5050405@hp.com>
In-Reply-To: <446DEF68.5050405@hp.com>
To: Linda Knippers
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Linda Knippers wrote:
> Michael C Thompson wrote:
>> Hey all,
>>
>> Adding a rule successfully (i.e. not malformed and that rule didn't
>> already exist) creates a log entry:
>> type=CONFIG_CHANGE msg=audit(1147986115.721:28510): auid=0
>> subj=root:staff_r:staff_t:s0-s15:c0.c255 add rule to list=2 res=0
>>
>> Then, adding the same rule again will result in an error message
>> being reported to the user saying that rule exists (although it uses the
>> word "File exists", which if that could be changed to "Rule exists",
>> might be nice). However, despite this apparent failure, we get a log entry:
>> type=CONFIG_CHANGE msg=audit(1147986117.389:28511): auid=0
>> subj=root:staff_r:staff_t:s0-s15:c0.c255 add rule to list=2 res=0
>>
>> Mostly FYI, not sure if this is a problem or not.
>
> That's interesting. When I do this sequence with the .22 kernel
> and the 1.2.1 tools:
>
> # auditctl -a entry,always -S all -F pid=1005
> # auditctl -a entry,always -S all -F pid=1005
> Error sending add rule request (File exists)
>
> I get these records:
>
> type=CONFIG_CHANGE msg=audit(1148054817.056:575): auid=500
> subj=user_u:system_r:auditctl_t:s0-s0:c0.c255 add rule to list=2 res=1
> type=CONFIG_CHANGE msg=audit(1148054831.417:576): auid=500
> subj=user_u:system_r:auditctl_t:s0-s0:c0.c255 add rule to list=2 res=0
>
> I believe res=1 means the operation was successful and the res=0 means
> it failed. Are you sure one of your records doesn't have res=1?

Yes, you are in fact correct. I missed that with my testing. 1 for the
first entry, 0 for all subsequent doubles.

> I don't know what the "add rule to list=2" means though.

list=2 means that it was added to the entry list; the CONFIG_CHANGE
messages now tell you which filter list it was added to. 2 == entry,
5 == exclude, etc.

> What is the exact rule you're adding? And which kernel/tools are you
> running?

auditctl -a entry,always -S chmod -F se_sen=s0-s15:c

However, the action seems to be independent of the rule. The audit is
1.2.2 and 25 kernel.

Thanks,
Mike
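The point settled in the thread is easy to get backwards when reading audit.log: in a CONFIG_CHANGE record res=1 is success and res=0 is failure, so a rejected duplicate rule still leaves a record, just with res=0, and list=N names the kernel filter list the rule targeted. The parser below is an added example written for this page, not code from the thread or from the audit tools. It decodes the "add rule to list=N res=R" records into a structure, names the filter lists (the thread gives 2 == entry and 5 == exclude; the other values follow the AUDIT_FILTER_* constants in linux/audit.h), and pulls out the rule changes the kernel rejected, which is what a detection rule for audit-configuration tampering would key on. The sample log lines are constructed, modelled on the records quoted above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Kernel filter list numbers as they appear in list=N. The thread names
# 2 (entry) and 5 (exclude); the rest are the AUDIT_FILTER_* values from
# linux/audit.h of the same era.
FILTER_LISTS = {
    0: "user",
    1: "task",
    2: "entry",
    3: "watch",
    4: "exit",
    5: "exclude",
}

# Record shape discussed in the thread. subj= is only present when SELinux
# labels are reported, so it is optional here. Note res=1 means success and
# res=0 failure, the opposite of the errno convention auditctl prints.
CONFIG_CHANGE_RE = re.compile(
    r"type=CONFIG_CHANGE\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"auid=(?P<auid>\d+)\s+"
    r"(?:subj=(?P<subj>\S+)\s+)?"
    r"(?P<op>\w+) rule to list=(?P<list>\d+)\s+res=(?P<res>[01])"
)


@dataclass
class RuleChange:
    timestamp: float
    serial: int
    auid: int
    subj: Optional[str]
    op: str
    list_nr: int
    list_name: str
    success: bool


def parse_config_change(line: str) -> Optional[RuleChange]:
    """Decode one CONFIG_CHANGE rule record; return None for any other line."""
    m = CONFIG_CHANGE_RE.search(line)
    if m is None:
        return None
    list_nr = int(m.group("list"))
    return RuleChange(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        auid=int(m.group("auid")),
        subj=m.group("subj"),
        op=m.group("op"),
        list_nr=list_nr,
        list_name=FILTER_LISTS.get(list_nr, f"unknown({list_nr})"),
        success=m.group("res") == "1",
    )


def rule_changes(lines: Iterable[str]) -> List[RuleChange]:
    """All CONFIG_CHANGE rule records in the input, in log order."""
    return [r for r in map(parse_config_change, lines) if r is not None]


def failed_rule_changes(lines: Iterable[str]) -> List[RuleChange]:
    """Rule changes the kernel rejected (res=0), e.g. a duplicate add."""
    return [r for r in rule_changes(lines) if not r.success]


# Constructed sample, modelled on the thread: the same rule added twice.
# The second add is rejected with EEXIST but still logged, with res=0.
# The last line shows a record without an SELinux subj= field.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1148054817.056:575): auid=500 subj=user_u:system_r:auditctl_t:s0-s0:c0.c255 add rule to list=2 res=1
type=CONFIG_CHANGE msg=audit(1148054831.417:576): auid=500 subj=user_u:system_r:auditctl_t:s0-s0:c0.c255 add rule to list=2 res=0
type=SYSCALL msg=audit(1148054831.418:577): arch=c000003e syscall=2 success=yes exit=3
type=CONFIG_CHANGE msg=audit(1148054840.000:578): auid=0 add rule to list=5 res=1
"""

if __name__ == "__main__":
    for rec in rule_changes(SAMPLE_LOG.splitlines()):
        state = "ok" if rec.success else "FAILED"
        print(f"{rec.serial}: auid={rec.auid} {rec.op} rule -> {rec.list_name} list [{state}]")
    for rec in failed_rule_changes(SAMPLE_LOG.splitlines()):
        print(f"rejected rule change at serial {rec.serial} (auid={rec.auid})")
```

A rejected CONFIG_CHANGE is not always benign noise: the same res=0 shape appears when an unprivileged or confined process tries and fails to alter the rule set, so alerting on failed records (and on any record whose auid is not the expected administrator) is a reasonable baseline.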