linux-audit-bounces(a)redhat.com wrote on 04/19/2005 02:03:15 PM:
On Tuesday 19 April 2005 11:34, Debora Velarde wrote:
> # auditctl -a entry,always -F arch=64b -S open
> AUDIT_LIST: entry always arch=0 syscall=open
OK I found and fixed some minor bugs. However, the main problem here is
that you need to use b64 and not 64b.
Seems to work fine on x86_64 if you use the b64, b32 flag.
chmod from a 64bit compiled record:
type=KERNEL msg=audit(1113940516.264:7457468): item=0
name="/tmp/arch64_check" inode=5701640 dev=fd:00 mode=0100644 uid=0 gid=0
rdev=00:00
type=KERNEL msg=audit(1113940516.264:7457468): syscall=90 arch=c000003e
success=yes exit=0 a0=4006d5 a1=1ff a2=34bbf2ea03 a3=0 items=1 pid=24480
loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm=arch64 exe=/deb/arch_test/arch64
chmod from a 32bit compiled record:
type=KERNEL msg=audit(1113940549.990:7466028): syscall=15 arch=40000003
success=yes exit=0 a0=a7eff4 a1=0 a2=8048442 a3=0 items=1 pid=24512
loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm=arch32 exe=/deb/arch_test/arch32
type=KERNEL msg=audit(1113940549.990:7466028): item=0
name="/tmp/arch32_check" inode=5701647 dev=fd:00 mode=0100644 uid=0 gid=0
rdev=00:00
Thanks!
debbie
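
The arch= and syscall= fields in the two records above can be decoded as follows. This is an added example, not part of the original message or of the audit tools. The bit flags and ELF machine numbers are the kernel's values; the 16-bit machine mask, the function names, and the two-entry syscall tables are assumptions made for this illustration.

```python
import re

# Flag bits used in audit arch values, plus the ELF machine numbers needed here.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
EM_MACHINES = {3: "i386", 62: "x86_64"}

# Excerpt of each syscall table (illustration only): the same number names a
# different call on each arch, which is why a rule needs -F arch=b64 or b32.
SYSCALLS = {
    "x86_64": {15: "rt_sigreturn", 90: "chmod"},
    "i386": {15: "chmod", 90: "mmap"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two syscall records from the message, rejoined onto one line each.
SAMPLE_RECORDS = [
    "type=KERNEL msg=audit(1113940516.264:7457468): syscall=90 arch=c000003e "
    "success=yes exit=0 a0=4006d5 a1=1ff items=1 pid=24480 loginuid=500 uid=0 "
    "comm=arch64 exe=/deb/arch_test/arch64",
    "type=KERNEL msg=audit(1113940549.990:7466028): syscall=15 arch=40000003 "
    "success=yes exit=0 a0=a7eff4 a1=0 items=1 pid=24512 loginuid=500 uid=0 "
    "comm=arch32 exe=/deb/arch_test/arch32",
]

def decode_arch(arch_hex):
    """Split an audit arch value into (machine, word size, endianness)."""
    value = int(arch_hex, 16)
    machine = EM_MACHINES.get(value & 0xFFFF, "unknown")  # assumed 16-bit mask
    bits = 64 if value & AUDIT_ARCH_64BIT else 32
    endian = "little" if value & AUDIT_ARCH_LE else "big"
    return machine, bits, endian

def parse_syscall_record(record):
    """Return decoded arch and syscall name, or None for non-syscall records."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    if "syscall" not in fields or "arch" not in fields:
        return None
    machine, bits, _ = decode_arch(fields["arch"])
    number = int(fields["syscall"])
    name = SYSCALLS.get(machine, {}).get(number, "unknown")
    return {"machine": machine, "bits": bits, "syscall": number,
            "name": name, "exe": fields.get("exe")}

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(parse_syscall_record(rec))
```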