<html><body>
<p><tt>> > ---------------<br>
> > Problem 2:<br>
> > "auditctl -a" rule also always translates numbers to the syscall name found<br>
> > in /usr/include/asm-x86_64/unistd.h<br>
</tt><br>
<tt>> Even with pers flag?</tt><br>
<tt>Yes. The current version of auditctl does.<br>
</tt><br>
<br>
<tt>> > ---------------<br>
> > Problem 3:<br>
> > Personality is currently always 0 by default. We can NOT assume that an<br>
> > application will manually set personality to another number. Therefore we<br>
> > cannot currently use the "pers" flag to determine if a syscall was executed<br>
> > from a 32bit or a 64bit compiled program.<br>
</tt><br>
<tt>> What does this mean? It's the ELF headers that will describe how the<br>
> program is treated. What am I missing?</tt><br>
<tt><br>
When I brought up this issue it was thought that this could be solved by filtering on personality.</tt><br>
<tt>But personality is always 0 whether my program was compiled in 32bit or 64 bit (unless I set personality to something else inside my program).</tt><br>
<tt>Is personality only useful in determining what OS it was compiled on, and not the mode the program itself was compiled in?</tt><br>
<tt>Is it possible to query the ELF headers when the audit record is being created and add the binary mode (32 or 64) in the audit record?</tt><br>
<br>
<tt>> > Possible Solution 2:<br>
> > Fix personality so that it determines from the binary whether it was 32bit<br>
> > or 64bit.<br>
</tt><br>
<tt>> What does this mean?<br>
Perhaps it's not personality that needs to be fixed. </tt><br>
<tt>Maybe we need a new 'mode' flag to indicate if the executable compiled was in 32bit or 64bit mode?</tt><br>
<br>
<tt>> > ---------------<br>
> > Problem 4:<br>
> > Audit record does not indicate if a 32bit or a 64bit syscall was executed.<br>
> > Because of this, you are unable to determine which syscall resulted in an<br>
> > audit record.<br>
> > For example, we cannot currently determine if a record with "syscall=2"<br>
> > resulted from an __NR_open call (compiled 64bit) or a __NR_fork call<br>
> > (compiled 32bit) because<br>
> > From /usr/include/asm-i386/unistd.h:<br>
> > #define __NR_fork 2<br>
> > From /usr/include/asm-x86_64/unistd.h:<br>
> > #define __NR_open 2<br>
> ><br>
</tt><br>
<tt>> > Possible Solution 2:<br>
> > Fix 'pers' flag so that it can determine if it was a 32bit or 64bit<br>
> > syscall. Currently 'pers' flag is included in the audit record if<br>
> > 'pers'!=0.<br>
</tt><br>
<tt>> Is it not legit to assume native binary unless otherwise indicated?</tt><br>
<tt>Yes. It is safe to assume that the syscall was compiled on the native OS, Linux.</tt><br>
<tt>But we need to be able to distinguish if it was compiled in 32bit or 64bit mode.<br>
</tt><br>
<tt>> > ---------------<br>
> > Problem 5:<br>
> > Some syscalls are not defined in either unistd.h file. Therefore, auditctl<br>
> > -t is not able to translate the syscall number to a syscall name. This is<br>
> > a usability problem for administrators.<br>
</tt><br>
<tt>> Do you have examples?<br>
OK, looking into this further I found what I wrote here isn't correct. </tt><br>
<tt>All of the syscall numbers that auditctl isn't able to translate are found in /usr/include/asm-i386/unistd.h.</tt><br>
<tt>So once auditctl checks both of the unistd.h files, it shouldn't have a problem translating any of the syscall numbers. </tt><br>
<br>
<tt>What isn't found in either of the unistd.h files are some of the syscall names.</tt><br>
<tt>Some of the syscalls in Klaus' list are found in the header files with a different syscall name.</tt><br>
<tt>Here are the ones I found:</tt><br>
<tt>Syscall # Klaus /usr/include/asm-i386/unistd.h</tt><br>
<tt>182 __NR_chown16 __NR_chown</tt><br>
<tt>95 __NR_fchown16 __NR_fchown</tt><br>
<tt>16 __NR_lchown16 __NR_lchown</tt><br>
<tt>139 __NR_setfsgid16 __NR_setfsgid</tt><br>
<tt>138 __NR_setfsuid16 __NR_setfsuid</tt><br>
<tt>46 __NR_setgid16 __NR_setgid</tt><br>
<tt>81 __NR_setgroups16 __NR_setgroups</tt><br>
<tt>71 __NR_setregid16 __NR_setregid</tt><br>
<tt>170 __NR_setresgid16 __NR_setresgid</tt><br>
<tt>164 __NR_setresuid16 __NR_setresuid</tt><br>
<tt>70 __NR_setreuid16 __NR_setreuid</tt><br>
<tt>23 __NR_setuid16 __NR_setuid</tt><br>
<br>
<tt>A user still wouldn't be able to add a filtering rule such as "auditctl -a entry,always -S chown16", but they could add it by the syscall number or the name 'chown'.</tt><br>
<tt>It is a little strange that in 32bit mode __NR_chown16 = __NR_chown = 182. But __NR_chown32 = 212. If I added -S chown (running in 32bit mode), I would of thought that it would be auditing __NR_chown32, not __NR_chown16.</tt><br>
<br>
<tt>-debbie</tt><br>
</body></html>