public inbox for linux-audit@redhat.com
* key options with spaces
@ 2013-06-11 21:04 LC Bruzenak
  2013-06-11 21:32 ` LC Bruzenak
  2013-06-19 12:34 ` Steve Grubb
  0 siblings, 2 replies; 4+ messages in thread
From: LC Bruzenak @ 2013-06-11 21:04 UTC (permalink / raw)
  To: linux-audit

I was playing with audit rules using keys with spaces.
Is the following expected (ignore the logic; was just testing the returns)?

# auditctl -l -k lsmod
LIST_RULES: exit,always watch=/sbin/lsmod perm=x key=lsmod kernel
LIST_RULES: exit,always watch=/bin/ping perm=x key=lsmod ping


Thx,
LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: key options with spaces
  2013-06-11 21:04 key options with spaces LC Bruzenak
@ 2013-06-11 21:32 ` LC Bruzenak
  2013-06-19 12:34 ` Steve Grubb
  1 sibling, 0 replies; 4+ messages in thread
From: LC Bruzenak @ 2013-06-11 21:32 UTC (permalink / raw)
  To: linux-audit

On 06/11/2013 04:04 PM, LC Bruzenak wrote:
> I was playing with audit rules using keys with spaces.
> Is the following expected (ignore the logic; was just testing the returns)?
>
> # auditctl -l -k lsmod
> LIST_RULES: exit,always watch=/sbin/lsmod perm=x key=lsmod kernel
> LIST_RULES: exit,always watch=/bin/ping perm=x key=lsmod ping
>
>
> Thx,
> LCB
>
Sorry - forgot the version: audit-2.2-1.

Thx,
LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: key options with spaces
  2013-06-11 21:04 key options with spaces LC Bruzenak
  2013-06-11 21:32 ` LC Bruzenak
@ 2013-06-19 12:34 ` Steve Grubb
  2013-06-19 18:49   ` LC Bruzenak
  1 sibling, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2013-06-19 12:34 UTC (permalink / raw)
  To: linux-audit

On Tuesday, June 11, 2013 04:04:54 PM LC Bruzenak wrote:
> I was playing with audit rules using keys with spaces.
> Is the following expected (ignore the logic; was just testing the returns)?
> 
> # auditctl -l -k lsmod
> LIST_RULES: exit,always watch=/sbin/lsmod perm=x key=lsmod kernel
> LIST_RULES: exit,always watch=/bin/ping perm=x key=lsmod ping

What are you expecting? I can make it not accept keys with spaces. I don't 
think putting spaces in keys is a good idea.

-Steve


* Re: key options with spaces
  2013-06-19 12:34 ` Steve Grubb
@ 2013-06-19 18:49   ` LC Bruzenak
  0 siblings, 0 replies; 4+ messages in thread
From: LC Bruzenak @ 2013-06-19 18:49 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hey Steve,

I was expecting it to not match the one with the spaces.
I can live with any answer; either disallowing spaces or allowing spaces
and matching exactly, or (less desirable) even if it is desired to match
the first occurrence of the string and it is noted as such in the man page.

The reason I tried the spaces was at direction from a security guy who was
looking at a (now-modified) RHEL 6 STIG beta release. I am not a fan of the
spaces myself; was probably going to substitute underscores.

Thanks,
LCB


On Wed, Jun 19, 2013 at 5:34 AM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Tuesday, June 11, 2013 04:04:54 PM LC Bruzenak wrote:
> > I was playing with audit rules using keys with spaces.
> > Is the following expected (ignore the logic; was just testing the returns)?
> >
> > # auditctl -l -k lsmod
> > LIST_RULES: exit,always watch=/sbin/lsmod perm=x key=lsmod kernel
> > LIST_RULES: exit,always watch=/bin/ping perm=x key=lsmod ping
>
> What are you expecting? I can make it not accept keys with spaces. I don't
> think putting spaces in keys is a good idea.
>
> -Steve
>



-- 

LC (Lenny) Bruzenak
lenny@magitekltd.com
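
Added example (not part of any message in this thread, and not code from the audit project): a shell filter over rule listings in the LIST_RULES format quoted above that matches a key exactly, lists keys containing whitespace, and prints the underscore form mentioned as a substitute. It assumes key= is the last field on each line, as in the quoted output; the function names and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Assumption: key= is the last field of each LIST_RULES line, so the
# key is everything after " key=", spaces included.

# Constructed sample: the two lines quoted in the thread plus one
# constructed rule whose key is exactly "lsmod".
sample_rules() {
cat <<'EOF'
LIST_RULES: exit,always watch=/sbin/lsmod perm=x key=lsmod kernel
LIST_RULES: exit,always watch=/bin/ping perm=x key=lsmod ping
LIST_RULES: exit,always watch=/sbin/modprobe perm=x key=lsmod
EOF
}

# Read a rule listing on stdin; print only rules whose whole key is $1.
rules_with_exact_key() {
    WANT=$1 awk '
        { i = index($0, " key=") }
        i > 0 && substr($0, i + 5) == ENVIRON["WANT"]
    '
}

# Read a rule listing on stdin; print each distinct key that contains
# a space or tab, so it can be renamed before it causes confusion.
keys_with_spaces() {
    awk '
        { i = index($0, " key=") }
        i > 0 {
            k = substr($0, i + 5)
            if (k ~ /[ \t]/ && !seen[k]++) print k
        }
    '
}

# Print the underscore form of a key (runs of blanks become one "_").
underscore_key() {
    printf '%s\n' "$1" | tr -s ' \t' '__'
}

# Demo on the constructed sample: only the modprobe rule is printed.
sample_rules | rules_with_exact_key lsmod
```

On a live system the same functions can read the output of auditctl -l on stdin instead of sample_rules.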

