syscall filtering on personality
Steve Grubb
sgrubb at redhat.com
Wed Mar 2 00:13:15 UTC 2005
On Tuesday 01 March 2005 18:01, Debora Velarde wrote:
> So if I want to audit a particular syscall, chmod for example, in a 32bit
> executable, is this the correct usage?:
> "auditctl -a exit,always -S chmod -F pers=0x0008"
Yes. This is the correct usage. The kernel should do the test at
http://lxr.linux.no/source/kernel/auditsc.c#L328
Your test program may not be doing what you think. You may need to strace it
and find the call into the kernel and look at the params. Post a simple test
program that illustrates the problem so we can try it and see what's wrong.
-Steve
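
Added example, not part of the original message or of the audit project's code: a simple C test program of the kind asked for above. It reports the personality value the process is running with, for comparison with the pers value in the rule, and makes one chmod call that can be located with strace. The function names are hypothetical, and the equality comparison in matches_rule is an assumption about how the filter tests the field.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for mkstemp() under strict -std modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/personality.h>

#define RULE_PERS 0x0008u       /* value from the rule above (-F pers=0x0008) */

/* personality(0xffffffff) returns the current value without changing it. */
static unsigned int current_persona(void)
{
    return (unsigned int)personality(0xffffffff);
}

/* Assumption: the filter matches when the two values are equal. */
static int matches_rule(unsigned int persona, unsigned int rule_value)
{
    return persona == rule_value;
}

/* chmod a scratch file (constructed path under /tmp) and return the
 * resulting permission bits, or -1 on error. */
static int chmod_probe(void)
{
    char path[] = "/tmp/pers_probe_XXXXXX";
    struct stat st;
    int fd = mkstemp(path), mode = -1;

    if (fd < 0)
        return -1;
    close(fd);
    if (chmod(path, 0640) == 0 && stat(path, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    unlink(path);
    return mode;
}

int main(void)
{
    unsigned int p = current_persona();
    printf("personality=0x%04x matches pers=0x%04x: %s\n", p, RULE_PERS,
           matches_rule(p, RULE_PERS) ? "yes" : "no");
    printf("mode after chmod: %o\n", chmod_probe());
    return 0;
}
```

Running it under strace shows which syscall the chmod() call actually enters the kernel as; depending on libc and architecture it may be fchmodat rather than chmod.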