Auditing the "chattr" command (ioctl syscall?)

Steve Grubb sgrubb at redhat.com
Wed Aug 24 15:53:15 UTC 2011


On Wednesday, August 24, 2011 10:40:32 AM Steve Grubb wrote:
> So, the rule is:
> 
> -a always,exit -F arch=b64 -S ioctl -F a1=40086602

One correction, you need a 0x in that:

-a always,exit -F arch=b64 -S ioctl -F a1=0x40086602

-Steve
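
An added example, not part of the original message: it decodes the a1 value from the corrected rule as a Linux ioctl request number and shows what the un-prefixed form turns into. It assumes the asm-generic field layout (as on x86), that chattr's flag-setting request is FS_IOC_SETFLAGS, defined as _IOW('f', 2, long), and that the rule value is parsed C-style, so digits without 0x are read as decimal.

```python
# Added example: ioctl request-number layout from asm-generic/ioctl.h
# (x86 and arm use it; some architectures use different direction bits).
NR_SHIFT, TYPE_SHIFT, SIZE_SHIFT, DIR_SHIFT = 0, 8, 16, 30
NR_MASK, TYPE_MASK, SIZE_MASK, DIR_MASK = 0xFF, 0xFF, 0x3FFF, 0x3
IOC_NONE, IOC_WRITE, IOC_READ = 0, 1, 2
DIR_NAMES = {0: "none", 1: "write", 2: "read", 3: "read|write"}


def ioc(direction, type_char, nr, size):
    """Build a request number the way the kernel's _IOC() macro does."""
    return ((direction << DIR_SHIFT) | (size << SIZE_SHIFT)
            | (ord(type_char) << TYPE_SHIFT) | (nr << NR_SHIFT))


def decode(request):
    """Split a request number back into its four fields."""
    return {
        "dir": DIR_NAMES[(request >> DIR_SHIFT) & DIR_MASK],
        "size": (request >> SIZE_SHIFT) & SIZE_MASK,
        "type": (request >> TYPE_SHIFT) & TYPE_MASK,
        "nr": (request >> NR_SHIFT) & NR_MASK,
    }


def parse_field_value(text):
    """Assumption: the a1= value is parsed like C strtoul(..., base 0),
    so digits without a 0x prefix are taken as decimal."""
    return int(text, 0)


# Assumption: chattr sets flags with FS_IOC_SETFLAGS = _IOW('f', 2, long).
SETFLAGS_64 = ioc(IOC_WRITE, "f", 2, 8)   # sizeof(long) == 8 under arch=b64
SETFLAGS_32 = ioc(IOC_WRITE, "f", 2, 4)   # sizeof(long) == 4 under arch=b32

if __name__ == "__main__":
    for text in ("0x40086602", "40086602"):
        value = parse_field_value(text)
        print(f"a1={text:<11} -> {value:#010x} {decode(value)} "
              f"matches b64 SETFLAGS: {value == SETFLAGS_64}")
    print(f"b32 equivalent of the same request: {SETFLAGS_32:#x}")
```

Under these assumptions the size field changes with sizeof(long), so a rule written for arch=b32 would need the 4-byte variant of the value rather than the one shown for b64.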