I've got a watch looking at /dev/mem
auditctl -w /dev/mem -k kernel -p wa
which I understand means that auditd is looking for writes or attribute
changes to /dev/mem (according to the manpage for auditctl)
The weird thing is that auditd seems to be flagging calls to fstat, and I'm
not sure why auditd would be doing this since.
2011-11-30T14:02:42.624523-08:00 node/x.x.x.x audispd: node=node
type=PATH msg=audit(1322690562.613:38): item=0 name="/dev/mem"
inode=1358 dev=00:05 mode=020640 ouid=0 ogid=15 rdev=01:01
2011-11-30T14:02:42.624494-08:00 node/x.x.x.x audispd: node=node
type=CWD msg=audit(1322690562.613:38): cwd="/"
2011-11-30T14:02:42.624480-08:00 node/x.x.x.x audispd: node=node
type=SYSCALL msg=audit(1322690562.613:38): arch=40000003 syscall=5
per=400000 success=yes exit=3 a0=8048f6c a1=2 a2=180 a3=0 items=1
ppid=4132 pid=4199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="IrqRouteTbl"
exe="/opt/hp/hp-health/bin/IrqRouteTbl" key="kernel"
Running kernel 2.6.38.8 on Ubuntu with auditd version 1.7.13-1ubuntu2.
Cheers,
peter
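To make sense of a record like the one above it helps to decode the SYSCALL fields mechanically rather than by eye: the arch value identifies the syscall table, the syscall number is looked up in that table, and for open(2) the a1 argument carries the access mode that determines which -p permission of the watch was hit. The following script is an added example, not code from the post or from the audit project; it embeds the SYSCALL line from the post as constructed sample input, and the ARCH_NAMES and I386_SYSCALLS tables are small hand-written subsets of the kernel's audit.h and unistd_32.h values that happen to cover this record.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample input: the SYSCALL record from the post, joined onto one line.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1322690562.613:38): arch=40000003 syscall=5 '
    'per=400000 success=yes exit=3 a0=8048f6c a1=2 a2=180 a3=0 items=1 '
    'ppid=4132 pid=4199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="IrqRouteTbl" '
    'exe="/opt/hp/hp-health/bin/IrqRouteTbl" key="kernel"'
)

# AUDIT_ARCH_* constants from the kernel's audit.h: ELF machine | __AUDIT_ARCH_LE (| __AUDIT_ARCH_64BIT).
AUDIT_ARCH_I386 = 0x40000003
AUDIT_ARCH_X86_64 = 0xC000003E
ARCH_NAMES = {AUDIT_ARCH_I386: "i386", AUDIT_ARCH_X86_64: "x86_64"}

# Subset of the i386 syscall table (asm/unistd_32.h); assumption: only these are needed here.
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close", 108: "fstat", 197: "fstat64"}

# open(2) access-mode bits carried in the a1 argument.
O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR = 0o3, 0, 1, 2
ACCMODE_NAMES = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict, stripping quotes from quoted values."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def describe_syscall(fields: Dict[str, str]) -> Tuple[str, str]:
    """Return (arch name, syscall name) for a SYSCALL record; arch is hex in the log."""
    arch = int(fields["arch"], 16)
    nr = int(fields["syscall"])
    arch_name = ARCH_NAMES.get(arch, hex(arch))
    if arch == AUDIT_ARCH_I386:
        name = I386_SYSCALLS.get(nr, f"syscall_{nr}")
    else:
        name = f"syscall_{nr}"  # other tables are not embedded in this example
    return arch_name, name


def open_access_mode(a1_hex: str) -> str:
    """Decode the access-mode part of open(2)'s flags argument (a1, logged in hex)."""
    return ACCMODE_NAMES[int(a1_hex, 16) & O_ACCMODE]


def watch_perms_hit_by_open(fields: Dict[str, str], perms: str) -> Set[str]:
    """Which letters of an `auditctl -w PATH -p <perms>` watch an open(2) record satisfies.

    Only the access mode is considered: 'r' for O_RDONLY/O_RDWR, 'w' for O_WRONLY/O_RDWR.
    'x' and 'a' are never produced by a plain open and are reported as not hit.
    """
    _, name = describe_syscall(fields)
    if name != "open":
        return set()
    mode = open_access_mode(fields["a1"])
    hit = set()
    if "r" in perms and mode in ("O_RDONLY", "O_RDWR"):
        hit.add("r")
    if "w" in perms and mode in ("O_WRONLY", "O_RDWR"):
        hit.add("w")
    return hit


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    arch, name = describe_syscall(rec)
    print(f"{rec['comm']} ({rec['exe']}): {arch} {name}(..., {open_access_mode(rec['a1'])}) "
          f"-> fd {rec['exit']}, watch perms hit: {sorted(watch_perms_hit_by_open(rec, 'wa'))}")
```

Run stand-alone it prints the decoded call for the sample record; the same parse_record/describe_syscall pair works on any SYSCALL line pulled from ausearch output once the relevant syscall table has been added.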