audit syscall information

Debora Velarde dvelarde at us.ibm.com
Fri Apr 29 15:32:43 UTC 2005





> The information you request is in the changelog of the kernel RPM:

> $ rpm -q --changelog kernel | grep -B1 IPC
> - * Fri Feb 18 2005 David Woodhouse <dwmw2 at redhat.com> audit.6
> -  Fix list handling errors in IPC patch
> --
> - * Tue Feb 1 2005 David Woodhouse <dwmw2 at redhat.com> audit.4
> -  Log requested values of IPC_SET calls.
> --

Then this patch is already on the system I am testing on.
But the a0, a1, a2, and a3 values for the IPC syscalls are still not
matching the expected values when compiled and run in 32bit mode on a 64bit
system.

This is particularly important for the ipc syscalls because a0 is used to
indicate a particular IPC syscall.
For example: when semget is executed in 32bit mode on a 64bit system,
instead of a0=2 (value for SEMGET in ipc.h), I am seeing a0=0.

Not only is the record incorrect, but I am also not able to audit only a
particular ipc syscall in 32bit mode.
If I want to only audit semget 32bit syscalls, I should be able to do this
with:
      auditctl -a entry,always -F arch=b32 -S ipc -F a0=2
But this doesn't generate any audit records.  The only way I can capture
them is by using:
      auditctl -a entry,always -F arch=b32 -S ipc
This audits ALL 32bit ipc syscalls.

Note, "auditctl -a entry,always -F arch=b64 -S ipc -F a0=2" does have
correct behavior.

-debbie
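
Added example, not part of the original message: a Python check that decodes a0 in 32-bit ipc SYSCALL records against the ipc.h call numbers and flags values, like the a0=0 reported above, that name no IPC call. The sample records are constructed, and the record field layout, the i386 arch value 40000003 and the ipc syscall number 117 are assumptions not stated in the message.

```python
import re

# IPC multiplexer call numbers from the kernel's ipc.h (SEMGET=2 as in the message)
IPC_CALLS = {1: "SEMOP", 2: "SEMGET", 3: "SEMCTL", 4: "SEMTIMEDOP",
             11: "MSGSND", 12: "MSGRCV", 13: "MSGGET", 14: "MSGCTL",
             21: "SHMAT", 22: "SHMDT", 23: "SHMGET", 24: "SHMCTL"}

AUDIT_ARCH_I386 = 0x40000003  # assumption: arch value logged for 32-bit x86
NR_IPC_I386 = 117             # assumption: ipc(2) syscall number on i386

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample records (not taken from a real system)
SAMPLE = [
    # symptom described in the message: semget in 32-bit mode logged with a0=0
    "type=SYSCALL msg=audit(1114788763.100:1): arch=40000003 syscall=117 "
    "success=yes exit=0 a0=0 a1=4d2 a2=1 a3=1b6 items=0 pid=4001",
    # what the record is expected to look like: a0=2 (SEMGET)
    "type=SYSCALL msg=audit(1114788763.200:2): arch=40000003 syscall=117 "
    "success=yes exit=0 a0=2 a1=4d2 a2=1 a3=1b6 items=0 pid=4002",
    # native 64-bit semget is not multiplexed through ipc, so it is skipped
    "type=SYSCALL msg=audit(1114788763.300:3): arch=c000003e syscall=64 "
    "success=yes exit=0 a0=4d2 a1=1 a2=1b6 a3=0 items=0 pid=4003",
]

def parse_syscall_record(line):
    """Return the key=value fields of a SYSCALL record, or None otherwise."""
    fields = dict(FIELD.findall(line))
    return fields if fields.get("type") == "SYSCALL" else None

def decode_ipc(fields):
    """Name the IPC call selected by a0 in a 32-bit ipc record.
    Returns None for other records and 'INVALID(n)' when a0 names no call."""
    if int(fields["arch"], 16) != AUDIT_ARCH_I386:
        return None
    if int(fields["syscall"]) != NR_IPC_I386:
        return None
    call = int(fields["a0"], 16) & 0xFFFF  # upper 16 bits carry a version
    return IPC_CALLS.get(call, f"INVALID({call})")

def check(lines):
    """Return (pid, decoded call) for every 32-bit ipc record in lines."""
    out = []
    for line in lines:
        fields = parse_syscall_record(line)
        name = decode_ipc(fields) if fields else None
        if name is not None:
            out.append((fields["pid"], name))
    return out

if __name__ == "__main__":
    for pid, name in check(SAMPLE):
        print(pid, name)
```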