Bitbake-type build question
Aaron Biver
aaron.biver at gmail.com
Wed Mar 11 22:01:54 UTC 2020
I'm attempting to cross-compile the 2.8 maintenance branch with petalinux,
which uses bitbake yocto under the hood to build it, and I run it on a
system V target which is a 64 bit arm architecture. I'm seeing some errors
when I attempt to load rules for system some calls (like open, creat,
rename, link, etc) with auditctl, and I'm not sure how critical these
errors are. This is my first encounter with linux auditing, and I'll
apologize in advance because I'm sure this is something easy, but I could
not find a way to search the mailing list archives.
These are some of my errors from auditctl's output:
> Syscall name unknown: creat
> There was an error in line 14 of /etc/audit/audit.rules
> Syscall name unknown: link
> There was an error in line 15 of /etc/audit/audit.rules
> Syscall name unknown: open
> There was an error in line 16 of /etc/audit/audit.rules
> Syscall name unknown: open
> There was an error in line 17 of /etc/audit/audit.rules
> Syscall name unknown: rename
> There was an error in line 19 of /etc/audit/audit.rules
> Syscall name unknown: rename
> There was an error in line 20 of /etc/audit/audit.rules
Those lines are below in an excerpt from my rules file (with line numbers
prepended for easy reading):
13 -w /etc/hostname -p wa -k system-locale
14 -a always,exit -F arch=b64 -S
creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F
key=creation
15 -a always,exit -F arch=b64 -S link,mkdir,symlink,mkdirat -F exit=-EPERM
-F key=creation
16 -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F
exit=-EACCES -F key=open
17 -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F
exit=-EPERM -F key=open
18 -a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close
19 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod
-S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F
key=mods
20 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod
-S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F
key=mods
The startup script and rules I'm repurposing had rules for open, create,
link, unlink, rename, and others, and it seems like those would be part of
a reasonable auditing security plan, but these system calls do not appear
to be auditable on my system.
My target platform is a 64 bit arm architecture. I have a bitbake recipe
which uses the --with-aarch64.
I build the kernel with auditing support (CONFIG_AUDIT and others like it),
and I pass the audit=1 argument on the kernel boot command line.
Are there other incantations I am missing? Any help would be greatly
appreciated.
Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20200311/04b8cfb0/attachment.htm>
More information about the Linux-audit
mailing list