Some syscalls not getting records

David Woodhouse dwmw2 at infradead.org
Fri Feb 18 13:55:39 UTC 2005


On Mon, 2005-02-14 at 14:44 -0600, Kris Wilson wrote:
> Hi,
>
> The India team was seeing a lack of audit records in some of the
> syscalls tests, so I did a little manual experimenting.  With rules
> set for entry and exit for chown and chmod, I found that I got records
> for chmod and not chown (same results if I only have rules for one or
> the other).  As root I created a file, su'ed to ealuser, and tried to
> do chmod and chown on that file.  A record was created for chmod but
> not for chown.  I su'ed back to root and successfully executed both
> commands; again a record for chmod but not chown.  We were getting
> records for chown on the previous audit release.  I haven't tried
> other syscalls to see how many might have this problem.

Please don't send HTML mail.

I can't reproduce this problem with audit-0.6.2 and my current
2.6.9-5.EL.audit.5 kernel. However, I do see that the 'chown' utility
doesn't actually call the chown syscall if there is nothing to change.
Could you use strace and check that the syscall is actually being made?
If you still think there's a problem, please cut and paste the precise
commands you used, and show the output of 'auditctl -l'.

-- 
dwmw2
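
Added example, not part of the original message or of the audit project: a small C helper that issues the ownership-change syscall directly, re-applying a file's current owner and group, so a syscall audit rule can be exercised in exactly the "nothing to change" case where the chown utility may skip the call. The function names and the scratch path are hypothetical; on architectures that have no chown syscall it falls back to fchownat, which an audit rule would have to name instead.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Enter the kernel directly, so the call happens even when owner and group
 * already match. Returns 0 or -errno; *nr is the syscall number used. */
static long raw_chown(const char *path, uid_t uid, gid_t gid, long *nr)
{
#ifdef SYS_chown
    *nr = SYS_chown;
    long rc = syscall(SYS_chown, path, uid, gid);
#else   /* no chown syscall on this architecture: only fchownat exists */
    *nr = SYS_fchownat;
    long rc = syscall(SYS_fchownat, AT_FDCWD, path, uid, gid, 0);
#endif
    return rc == 0 ? 0 : -errno;
}

/* Re-apply a file's current owner and group: the "nothing to change" case. */
static long noop_chown(const char *path, long *nr)
{
    struct stat st;
    if (stat(path, &st) != 0) return -errno;
    return raw_chown(path, st.st_uid, st.st_gid, nr);
}

/* Same call on a constructed scratch file, for use without an argument. */
static long noop_chown_on_scratch_file(long *nr)
{
    char path[] = "/tmp/audit-chown-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path);
    if (fd < 0) return -errno;
    long rc = noop_chown(path, nr);
    close(fd);
    unlink(path);
    return rc;
}

int main(int argc, char **argv)
{
    long nr = 0;
    long rc = argc > 1 ? noop_chown(argv[1], &nr) : noop_chown_on_scratch_file(&nr);
    printf("syscall nr=%ld rc=%ld\n", nr, rc);
    return rc != 0;
}
```

Running it under strace shows which syscall was entered, and the printed number can be compared with the syscall named in the rule listed by 'auditctl -l'.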



