BUG: fE field is being wrongly interpreted as chown #18
Assignees
Labels
Comments
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Apr 20, 2017
The file effective capability is a boolean. It is being interpreted as the capability "chown" by auparse. Just print its raw value. An example from an execve syscall: type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none new_pp=sys_admin new_pi=none new_pe=sys_admin Fixed: type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=1 old_pp=none old_pi=none old_pe=none new_pp=sys_admin new_pi=none new_pe=sys_admin See: linux-audit#18 Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
stevegrubb
pushed a commit
that referenced
this issue
Jun 13, 2017
The file effective capability is a boolean. It is being interpreted as the capability "chown" by auparse. Just print its raw value. An example from an execve syscall: type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none new_pp=sys_admin new_pi=none new_pe=sys_admin Fixed: type=BPRM_FCAPS msg=audit(03/07/2017 17:29:56.494:969) : fver=2 fp=sys_admin fi=none fe=1 old_pp=none old_pi=none old_pe=none new_pp=sys_admin new_pi=none new_pe=sys_admin See: #18 Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
|
Upstreamed. |
|
Patch posted upstream: https://www.redhat.com/archives/linux-audit/2017-June/msg00039.html |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The file effective capability is a boolean. It is being interpreted as the capability "chown" by auparse. Just print its raw value.
The text was updated successfully, but these errors were encountered: