Hello!
I have two questions. I had a quick search through the mailing archives
before posting here.
-----
Question 1
I'm not even sure if this is feasible but does there exist an audit rule
type <--> record type mapping?
For example, a file watch rule for writes and attribute changes (-p wa)
would generate record types of SYSCALL and CWD. While a watch for execution
(-p x) on a file would generate a SYSCALL, EXECVE and CWD.
Similarly, is there a way to know what record types the different audit
rule types (file watches, syscalls) may generate?
-----
Question 2
I am trying to decipher a chmod related log entry. My audit rule is
-w /etc/passwd -p wa -k passwd_mod
I thereafter ran a "chmod 744 /etc/passwd". I received a SYSCALL record
type with the following parameters:
type=SYSCALL msg=audit(1641846347.980:1326): arch=c000003e syscall=268
success=yes exit=0 a0=ffffffffffffff9c a1=1a600f0 a2=1a4 a3=3c0 items=1
ppid=6639 pid=6781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="chmod" exe="/bin/chmod"
I'm trying to decipher whether the above event can give me the exact
permission passed to the chmod command (755). I understand that execve may
give it to me easier.
I see the underlying syscall is fchmodat which accepts 3 arguments
int dfd, const char __user *filename, umode_t mode
In which case, in the above log event, would a3=3c0 be the right argument
to represent the new permission (755)? Or am I reading this incorrectly?
---
Thanks so much for the help!
Regards
Rohit
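As an added example (not part of the original post), here is a small Python decoder that applies the fchmodat prototype to the SYSCALL record quoted above: a0..a3 are the first four raw syscall arguments, so with fchmodat(dfd, filename, mode) the mode is a2, which the decoder renders in octal and ls-style text. The syscall-number table is a hand-built x86_64 (arch=c000003e) subset assumed for this example; a full table would come from ausyscall(8) or the kernel's syscall_64.tbl.

```python
import re

# Assumption: minimal x86_64 syscall table, only the entries needed here.
X86_64_SYSCALLS = {268: "fchmodat", 59: "execve", 90: "chmod", 91: "fchmod"}

# Argument names per syscall in kernel order, mapping onto a0, a1, a2, ...
SYSCALL_ARGS = {
    "fchmodat": ("dfd", "filename", "mode"),
    "chmod": ("filename", "mode"),
    "fchmod": ("fd", "mode"),
}

AT_FDCWD = 0xFFFFFFFFFFFFFF9C  # -100 as unsigned 64-bit: path is relative to cwd
UNSET_ID = 4294967295          # (unsigned)-1: auid/ses never set (no login session)

# The SYSCALL record from the post, joined onto one line.
SAMPLE_RECORD = (
    "type=SYSCALL msg=audit(1641846347.980:1326): arch=c000003e syscall=268 "
    "success=yes exit=0 a0=ffffffffffffff9c a1=1a600f0 a2=1a4 a3=3c0 items=1 "
    "ppid=6639 pid=6781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 "
    "egid=0 sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm=\"chmod\" exe=\"/bin/chmod\""
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def mode_to_string(mode):
    """Render the nine permission bits of a mode_t as rwx text, owner first."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))

def decode_syscall(rec):
    """Interpret a0..a3 of a SYSCALL record according to the syscall's prototype."""
    if rec.get("arch") != "c000003e":
        raise ValueError("only x86_64 records are handled in this example")
    name = X86_64_SYSCALLS.get(int(rec["syscall"]))
    out = {"syscall": name, "success": rec.get("success") == "yes",
           "auid_unset": int(rec["auid"]) == UNSET_ID}
    for i, arg in enumerate(SYSCALL_ARGS.get(name, ())):
        out[arg] = int(rec[f"a{i}"], 16)   # raw args are hex in the record
    if out.get("dfd") == AT_FDCWD:
        out["dfd"] = "AT_FDCWD"
    if "mode" in out:
        m = out["mode"] & 0o7777           # keep setuid/setgid/sticky + rwx bits
        out["mode_octal"] = f"{m:04o}"
        out["mode_text"] = mode_to_string(m)
    return out

if __name__ == "__main__":
    print(decode_syscall(parse_record(SAMPLE_RECORD)))
```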