Re: Problem regards event fields a0-a3 in audit logs
On Wednesday, November 30, 2016 4:40:01 PM EST C.y wrote:
I looked into audit log and find myself having difficultly in
understanding
the event field a0-a3.
I tried to look for answer but couldn't get any references for the
following question:
1. What are the initial value of a0-a3, and
Whatever was passed as arguments for the current syscall.
2. Is there any way to get 5-th and above arguments?
Nope. There is only 1 syscall that I know of that has a security relevant
argument higher than what is recorded. This is mmap. What we do is record that
value in a special AUDIT_MMAP auxiliary record. If there were any other
syscalls that had security relevant arguments higher than the first 4 I suspect
we'd do the same thing again.
Audit system reference from redhat (https://access.redhat.com/doc
umentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_
Guide/app-Audit_Reference.html) did mentioned that the first four arguments
of system call are recorded, but didn't mentions what their initial value
are when there a system call required less than four arguments.
For example, what will the value of a1, a2, a3 be when the system call
'close' are invoked? ('close' only takes 1 argument
http://man7.org/linux/man-pages/man2/close.2.html)
AFAIK, they are whatever is in memory. There is nothing that tells you they
are or are not valid. You would have to know that the syscall takes 2
arguments and just look at the first 2.
At first I am guessing that they might contain the a1-a3's value
from
previous syscall record, so I starting doing some experiment on the audit
log I have collected (https://drive.google.com/file
/d/0B85cIbQMuvqDSHVGSHdDVjRWdHc/view):
`$ ausyscall --dump | grep 6 | head -n 1 ` returns
6 close
and below are part of my audit log that contains 2 syscall records:
...
type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192
per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812
items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill"
exe="/opt/vc/bin/raspistill" key=(null)
type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6
per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891
pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill"
key=(null)
...
the second syscall record show that the a1's value are somehow modified,
which eventually proved that my guessing of that they will contain previous
invoked syscall a1's value(1000) is wrong. That's how I got myself confused
and write to seek for answer regards this question.
Best way to look at the records is ausearch -i.
Second, I wonder if there are way for me to know the 5-th and above
argument of a particular system call, i.e _llseek that takes 5 arguments?
Answered above.
-Steve