New field seen in audit.log
Steve Grubb
sgrubb at redhat.com
Fri Oct 18 14:56:09 UTC 2019
On Friday, October 18, 2019 10:38:08 AM EDT Evelyn Mitchell wrote:
> For my own learning, I'm trying to understand what personality=40000 means.
>
> In looking at /uapi/linux/personality.h where the
> personality types are defined, and manually converting 40000 to hex
> 0x9C40, it looks to me like the personality is set to enable:
> ADDR_LIMIT_3GB = 0x8000000
> SHORT_INODE = 0x1000000
> ADDR_LIMIT_32BIT = 0x0800000
> READ_IMPLIES_EXEC = 0x0400000
> ADDR_COMPAT_LAYOUT = 0x0200000
> MMAP_PAGE_ZERO = 0x0100000
> ADDR_NO_RANDOMIZE = 0x0040000
>
> But, this looks unreasonable to me as a set of flags someone would
> deliberately pick, so I thought I'd ask if I'm interpreting this
> correctly.
I think so. The executable is gdb. It needs to disable ASLR so that it can
reliably map the symbols to addresses.
-Steve
> > You may never have seen it before because it appears you now have a
> > personality other than PER_LINUX for this event. 32-bit binary on 64
> > bit? I assume your arch is x86 64 (LE)?
> >
> > > type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> > > *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc
> > > a3=7f483b98bcc0
> > > items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000
> > > suid=1000
> > > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> > > exe="/usr/bin/gdb" key=(null)
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb at redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
> >
> >
> >
> > ------------------------------
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list