only = and != equations work for auid field
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
audit (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
lsb_release -rc
Release: 22.04
Codename: jammy
dpkg -l|grep audi
ii auditd 1:3.0.7-1build1 amd64 User space tools for security auditing
ii libaudit-common 1:3.0.7-1build1 all Dynamic library for security auditing - common files
ii libaudit1:amd64 1:3.0.7-1build1 amd64 Dynamic library for security auditing
ii libauparse0:amd64 1:3.0.7-1build1 amd64 Dynamic library for parsing security auditing
work for = and !=
$ sudo auditctl -a always,exit -F auid=1000
$ sudo auditctl -a always,exit -F auid!=1000
$ sudo auditctl -D
No rules
Do not work for < > <= >=
$ sudo auditctl -a always,exit -F auid<1000
-bash: 1000: No such file or directory
$ sudo auditctl -a always,exit -F auid>1000
-F missing operation for auid
$ sudo auditctl -a always,exit -F auid<=1000
-F missing operation for auid
$ sudo auditctl -a always,exit -F auid>=1000
-F missing operation for auid
sudo auditctl -a always,exit -F auid<ubuntu
bash: ubuntu: No such file or directory
sudo auditctl -a always,exit -F auid>ubuntu
-F missing operation for auid
sudo auditctl -a always,exit -F auid<=ubuntu
bash: =ubuntu: No such file or directory
sudo auditctl -a always,exit -F auid>=ubuntu
-F missing operation for auid
sudo auditctl -a always,exit -F auid>'ubuntu'
-F missing operation for auid
sudo auditctl -a always,exit -F auid<'ubuntu'
-F missing operation for auid
sudo auditctl -a always,exit -F auid<='ubuntu'
-F missing operation for auid
sudo auditctl -a always,exit -F auid>='ubuntu'
-F missing operation for auid
> and < should be escaped in shell. It's not a bug. closing it.