only = and != equations work for auid field
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| audit (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
lsb_release -rc
Release: 22.04
Codename: jammy
dpkg -l|grep audi
ii auditd 1:3.0.7-1build1 amd64 User space tools for security auditing
ii libaudit-common 1:3.0.7-1build1 all Dynamic library for security auditing - common files
ii libaudit1:amd64 1:3.0.7-1build1 amd64 Dynamic library for security auditing
ii libauparse0:amd64 1:3.0.7-1build1 amd64 Dynamic library for parsing security auditing
work for = and !=
$ sudo auditctl -a always,exit -F auid=1000
$ sudo auditctl -a always,exit -F auid!=1000
$ sudo auditctl -D
No rules
Do not work for < > <= >=
$ sudo auditctl -a always,exit -F auid<1000
-bash: 1000: No such file or directory
$ sudo auditctl -a always,exit -F auid>1000
-F missing operation for auid
$ sudo auditctl -a always,exit -F auid<=1000
-F missing operation for auid
$ sudo auditctl -a always,exit -F auid>=1000
-F missing operation for auid
sudo auditctl -a always,exit -F auid<ubuntu
bash: ubuntu: No such file or directory
sudo auditctl -a always,exit -F auid>ubuntu
-F missing operation for auid
sudo auditctl -a always,exit -F auid<=ubuntu
bash: =ubuntu: No such file or directory
sudo auditctl -a always,exit -F auid>=ubuntu
-F missing operation for auid
sudo auditctl -a always,exit -F auid>'ubuntu'
-F missing operation for auid
sudo auditctl -a always,exit -F auid<'ubuntu'
-F missing operation for auid
sudo auditctl -a always,exit -F auid<='ubuntu'
-F missing operation for auid
sudo auditctl -a always,exit -F auid>='ubuntu'
-F missing operation for auid
| tags: | added: sts |
| Chuan Li (lccn) wrote | #1 |
| Changed in audit (Ubuntu): | |
| status: | New → Invalid |
> and < should be escaped in shell. It's not a bug. closing it.