  1. Product Technical Learning
  2. PTL-14889

Ch06s05: Example auditctl custom rule is incorrect


    • Bug
    • Resolution: Done
    • Minor
    • RH415

      Please fill in the following information:


      URL: https://rol.training-china.com/rol/app/courses/rh415-9.2/pages/ch06s05
      Reporter RHNID: imxcai
      Section Title: Writing Custom Audit Rules                       

      Issue description

      The example auditctl command in the student workbook is incorrect:

      Disable auditing of failed USER_LOGIN events for the example user.

      [root@host ~]# auditctl -a exclude,never -F auid=example \
      -F msgtype=USER_LOGIN -F success=0

      Steps to reproduce:

      [root@servera ~]# auditctl -a exclude,never -F auid=student -F msgtype=USER_LOGIN -F success=0
      Only msgtype, uid, *gid, pid, and subj fields can be used with exclude filter

      It can't use success=0 to determine whether the event failed; it should be difficult to implement this example. Maybe changing it to "Disable auditing of USER_LOGIN event for the example user" will make it easier to implement.

       

      Workaround:

       

      Expected result:

              wraja@redhat.com Wasim Raja
              imxcai Houwang Cai (Inactive)
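
A pre-load check for the failure reported above, as an added example that is not part of the course material or the original report: it scans audit rules and flags any -F field that the exclude filter rejects. Assumptions: the accepted field set is taken from the auditctl error text quoted in the report, with uid and gid matched as suffixes and subj as a prefix; the function names and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the course material): lint audit rules before loading.
# Assumption: the accepted field set is taken from the auditctl error text
# quoted in this report, with uid/gid matched as suffixes and subj as a prefix.

# Print every -F field in one rule that the exclude filter would reject.
exclude_bad_fields() (
    set -f                                   # no globbing while splitting the rule
    prev="" is_exclude=0 bad=""
    for tok in $1; do
        case $tok in -F?*) prev=-F; tok=${tok#-F} ;; esac   # attached form -Fname=value
        case $prev in
            -a|-A) case $tok in exclude,*|*,exclude) is_exclude=1 ;; esac ;;
            -F) field=${tok%%[!A-Za-z0-9_]*}               # name before the operator
                case $field in
                    msgtype|pid|*uid|*gid|subj*) ;;
                    *) bad="$bad $field" ;;
                esac ;;
        esac
        prev=$tok
    done
    if [ "$is_exclude" -eq 1 ]; then
        for f in $bad; do echo "$f"; done
    fi
    exit 0
)

# Lint rules on stdin; report "line N: field" findings and return 1 if any exist.
lint_exclude_rules() (
    n=0 status=0
    while IFS= read -r line; do
        n=$((n + 1))
        for f in $(exclude_bad_fields "$line"); do
            echo "line $n: field '$f' is not accepted by the exclude filter"
            status=1
        done
    done
    exit "$status"
)

# Constructed sample rules: line 1 is the rule from this report.
sample_rules() {
    cat <<'EOF'
-a exclude,never -F auid=student -F msgtype=USER_LOGIN -F success=0
-a exclude,never -F msgtype=USER_LOGIN
-a always,exit -F arch=b64 -S openat -F success=0 -k failed-open
EOF
}

sample_rules | lint_exclude_rules || true
```

The running auditctl and kernel remain authoritative for which fields a given filter accepts; the check only catches the mismatch before a rules file is loaded.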