linux-audit/audit-testsuite

exec_name fail

gaochong2016 opened this issue · 4 comments

system("auditctl -a always,exit -S all -F exe=$exec -k $key");
-F unknown field: exe

Maybe it should be system("auditctl -a always,exit -S all -F path=$exec -k $key"); ??

The test is correct. This would be in the "exec_name" test which was added to test the new "audit by executable name" feature. #3

Upstream:
kernel: v4.3 commit 896545098777564212b9e91af4c973f094649aa7
userspace: v2.5.0 commit 87b9af8

RHEL7:
https://bugzilla.redhat.com/show_bug.cgi?id=1135562 kernel-3.10.0-351.el7
https://bugzilla.redhat.com/show_bug.cgi?id=1135565 audit-2.5.2-1.el7

RHEL6:
https://bugzilla.redhat.com/show_bug.cgi?id=837856 deferred.

@pcmoore Please assign to me and close.

But when I use "man auditctl" I only see "audit ... -F path=...", not "audit ... -F exe=...".
And the example uses "auditctl -a always,exit -F path=/etc/shadow -F perm=wa".

Is my auditctl version wrong? And I can't access those 3 RHEL bugs.

@gaochong2016 It sounds like you have an older distribution or haven't done an update for a while. The manpage has been updated to reflect the new option.
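
The version requirements listed in this thread (userspace v2.5.0; kernel v4.3 upstream, or kernel-3.10.0-351.el7 on RHEL7) can be checked before running the exec_name test. The script below is an added example, not part of the issue or of audit-testsuite; its function names and the `--check` argument are made up for illustration, and it assumes `auditctl -v` prints a line of the form "auditctl version X.Y.Z".

```shell
#!/bin/sh
# Thresholds taken from the thread: userspace 2.5.0, upstream kernel 4.3,
# RHEL7 backport kernel-3.10.0-351.el7. Everything else is illustrative.

# ver_ge A B: true when dotted numeric version A >= B (missing fields are 0).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# kernel_ok RELEASE: RELEASE is a `uname -r` string.
kernel_ok() {
    rel=$1
    base=$(printf '%s' "${rel%%-*}" | tr -cd '0-9.')
    ver_ge "$base" 4.3 && return 0
    case $rel in
        3.10.0-*.el7*)                      # RHEL7: compare the build number
            build=${rel#3.10.0-}
            build=${build%%.*}
            case $build in ''|*[!0-9]*) return 1 ;; esac
            if [ "$build" -ge 351 ]; then return 0; fi ;;
    esac
    return 1
}

# userspace_ok OUTPUT: OUTPUT is what `auditctl -v` printed.
userspace_ok() {
    v=$(printf '%s' "$1" | sed -n 's/^auditctl version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] && ver_ge "$v" 2.5.0
}

# Both halves are needed: the tool must know "exe" and the kernel must filter on it.
exe_filter_supported() { userspace_ok "$1" && kernel_ok "$2"; }

if [ "${1:-}" = "--check" ]; then
    if exe_filter_supported "$(auditctl -v 2>/dev/null)" "$(uname -r)"; then
        echo "-F exe= supported"
    else
        echo "-F exe= not supported here; exec_name will fail"
    fi
fi
```

Other distributions may backport the kernel side under different release strings, which this check does not recognize.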