Bug 233186 - LSPP: Add audit rule bit operators patch
Summary: LSPP: Add audit rule bit operators patch
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On: 232967
Blocks:
Reported: 2007-03-20 20:01 UTC by Steve Grubb
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2007-0602
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 17:03:24 UTC


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2007:0602 | normal | SHIPPED_LIVE | audit bug fix and enhancement update | 2007-10-30 15:35:36 UTC

Description Steve Grubb 2007-03-20 20:01:33 UTC
+++ This bug was initially created as a clone of Bug #232967 +++

Description of problem:
There is no good way to audit syscalls that have bit mapped options. A patch
was sent to the linux-audit mail list adding this capability. This is not
strictly required for LSPP, but helps customers.

This bz is to track the user space piece of it.

Comment 2 Steve Grubb 2007-03-21 00:48:05 UTC
The patch introduces the mask and bit test operators for creating audit rules.
For example, if you wanted to audit chmod syscalls that change a file to be
executable, with this patch applied you would do this:

auditctl -a always,entry -S chmod -F arg1&0111

As it is now, you would have to audit all chmods and search for the ones that
have the execute bit set...this is wasteful to say the least.

audit-1.5.1 already has this capability; this is a backport.
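
Added example, not part of the original bug report or the audit project's code: it contrasts the "audit all chmods and search" approach from Comment 2 with what the two operators would select, using the 0111 mask from the rule above. The log records are constructed, and the sketch assumes x86_64 (syscall 90 is chmod), that the mode argument appears as a1 in hexadecimal, and that `&` matches any masked bit while `&=` requires all of them.

```python
import re

EXEC_BITS = 0o111  # the 0111 mask from the rule in Comment 2


def bit_mask(value, mask):
    """Mask operator ('&'): matches when any bit of mask is set in value."""
    return (value & mask) != 0


def bit_test(value, mask):
    """Bit test operator ('&='): matches when every bit of mask is set."""
    return (value & mask) == mask


# Constructed sample records, not taken from a real system.
# Assumption: x86_64, where syscall 90 is chmod; a0-a3 are logged in hex.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1174438085.101:41): arch=c000003e syscall=90 success=yes exit=0 a0=7ffc1a2b a1=1a4 a2=0 a3=0 comm="chmod"
type=SYSCALL msg=audit(1174438085.202:42): arch=c000003e syscall=90 success=yes exit=0 a0=7ffc1a2b a1=1ed a2=0 a3=0 comm="chmod"
type=SYSCALL msg=audit(1174438085.303:43): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc1a2b a1=241 a2=1b6 a3=0 comm="cp"
type=SYSCALL msg=audit(1174438085.404:44): arch=c000003e syscall=90 success=yes exit=0 a0=7ffc1a2b a1=1c0 a2=0 a3=0 comm="chmod"
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def chmod_modes(log):
    """Return the mode argument (a1) of every chmod record in the log."""
    modes = []
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("type") == "SYSCALL" and fields.get("syscall") == "90":
            modes.append(int(fields["a1"], 16))
    return modes


def would_log(log, op, mask=EXEC_BITS):
    """Octal modes of the chmod calls a rule using this operator would keep."""
    return [oct(m) for m in chmod_modes(log) if op(m, mask)]


if __name__ == "__main__":
    # Without the operators every chmod is recorded and filtered afterwards.
    print("all chmods    :", [oct(m) for m in chmod_modes(SAMPLE_LOG)])
    print("mask (&)      :", would_log(SAMPLE_LOG, bit_mask))
    print("bit test (&=) :", would_log(SAMPLE_LOG, bit_test))
```
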

Comment 4 Eric Paris 2007-03-26 20:39:33 UTC
Stated not required for evaluation.  Steve, can we remove the LSPP whiteboard
mark so it doesn't come up on list and won't be considered a blocker?

Comment 5 Steve Grubb 2007-03-27 21:25:28 UTC
The lspp.70 kernel tests good with the patch included.

Comment 9 errata-xmlrpc 2007-11-07 17:03:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0602.html


