• Bug
    • Resolution: Done-Errata
    • Minor
    • rhel-9.5
    • rhel-9.4
    • audit
    • None
    • audit-3.1.5-1.el9
    • None
    • Moderate
    • 2
    • rhel-sst-security-special-projects
    • ssg_security
    • 26
    • None
    • QE ack
    • False
    • Yes
    • Red Hat Enterprise Linux
    • SECENGSP Cycle 6, SECENGSP Cycle 7
    • Release Note Not Required
    • None

      What were you trying to do that didn't work?

      In order to troubleshoot a case, I started auditing modifications on the journal, except the ones done by the systemd-journald process:

      # auditctl -a exit,always -F dir=/var/log/journal/$(cat /etc/machine-id) -F "exe!=/usr/lib/systemd/systemd-journald" -k JOURNAL
      

      It appears that listing the rules shows exe!=xxx became the opposite:

      # auditctl -l
      -a always,exit -S all -F dir=/var/log/journal/b5af1fc93c0a4c7eae36e167138931d5 -F exe=/usr/lib/systemd/systemd-journald -F key=JOURNAL
      

      I doubt this is expected; it looks like "different" is not handled properly by auditctl.
      But internally the rule works as expected, it seems to just be a display issue.

      Please provide the package NVR for which bug is seen:

      audit-3.1.2-2.el9.x86_64

      How reproducible:

      Always, see above.

              rh-ee-alakatos Attila Lakatos
              rhn-support-rmetrich Renaud Métrich
              Sergio Correia
              Natália Bubáková
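
A check for the discrepancy described in this report, as an added example that is not part of the original issue or of the audit package: it compares the operator of each `-F` field in a rule as submitted against the same rule as printed by `auditctl -l`. The function names are hypothetical, and the two sample lines are the ones quoted in the report, with `$(cat /etc/machine-id)` expanded to the value visible in the listing.

```python
import re
import shlex

# Operators auditctl accepts in -F expressions; two-character forms come first
# so "a0>=1" is not split as operator ">" with value "=1".
_FIELD = re.compile(r"([\w-]+?)(!=|>=|<=|&=|=|>|<|&)(.*)")

# Sample input: the two lines quoted in the report, with $(cat /etc/machine-id)
# expanded to the value visible in the listing.
SUBMITTED = ('-a exit,always '
             '-F dir=/var/log/journal/b5af1fc93c0a4c7eae36e167138931d5 '
             '-F "exe!=/usr/lib/systemd/systemd-journald" -k JOURNAL')
LISTED = ('-a always,exit -S all '
          '-F dir=/var/log/journal/b5af1fc93c0a4c7eae36e167138931d5 '
          '-F exe=/usr/lib/systemd/systemd-journald -F key=JOURNAL')


def field_comparisons(rule):
    """Map (field, value) -> operator for each -F/-k in one rule line."""
    tokens = shlex.split(rule)
    found = {}
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-F":
            m = _FIELD.fullmatch(arg)
            if m:
                found[(m.group(1), m.group(3))] = m.group(2)
        elif flag == "-k":          # listed back as "-F key=<name>"
            found[("key", arg)] = "="
    return found


def operator_mismatches(submitted, listed):
    """Fields present in both lines whose operator differs."""
    want, got = field_comparisons(submitted), field_comparisons(listed)
    return sorted((f, v, op, got[(f, v)])
                  for (f, v), op in want.items()
                  if (f, v) in got and got[(f, v)] != op)


if __name__ == "__main__":
    for field, value, sent, shown in operator_mismatches(SUBMITTED, LISTED):
        print(f"{field}: submitted '{sent}' but listed as '{shown}' ({value})")
```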