Hello!

I have two questions. I had a quick search through the mailing archives before posting here.

-----
Question 1
I'm not even sure if this is feasible but does there exist an audit rule type <--> record type mapping?

For example, a file watch rule for writes and attribute changes (-p wa) would generate record types of SYSCALL and CWD, while a watch for execution (-p x) on a file would generate SYSCALL, EXECVE and CWD.

Similarly, is there a way to know what record types the different audit rule types (file watches, syscalls) may generate?

-----

Question 2
I am trying to decipher a chmod-related log entry. My audit rule is:
-w /etc/passwd -p wa -k passwd_mod

I thereafter ran "chmod 744 /etc/passwd". I received a SYSCALL record type with the following parameters:
type=SYSCALL msg=audit(1641846347.980:1326): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=1a600f0 a2=1a4 a3=3c0 items=1 ppid=6639 pid=6781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="chmod" exe="/bin/chmod"

I'm trying to decipher whether the above event can give me the exact permission passed to the chmod command (755). I understand that execve may give it to me more easily.
I see the underlying syscall is fchmodat, which accepts 3 arguments:
int dfd, const char __user *filename, umode_t mode
In which case, in the above log event, would a3=3c0 be the right argument to represent the new permission (755)? Or am I reading this incorrectly?

---

Thanks so much for the help!
Regards
Rohit
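
Added example, not part of the original post: a Python decoder for the SYSCALL record quoted above, assuming x86_64 syscall numbering (arch=c000003e), where 268 is fchmodat and a0..a3 are logged as hexadecimal. It goes beyond the single record by also handling chmod (90) and fchmod (91); the function names are hypothetical.

```python
import re
import stat

# Constructed sample: the SYSCALL record quoted in the post above.
RECORD = ('type=SYSCALL msg=audit(1641846347.980:1326): arch=c000003e syscall=268 '
          'success=yes exit=0 a0=ffffffffffffff9c a1=1a600f0 a2=1a4 a3=3c0 items=1 '
          'ppid=6639 pid=6781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
          'egid=0 sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="chmod" exe="/bin/chmod"')

ARCH_X86_64 = "c000003e"
# x86_64 syscall number -> (name, index of the argument that carries the mode)
CHMOD_SYSCALLS = {90: ("chmod", 1), 91: ("fchmod", 1), 268: ("fchmodat", 2)}
AT_FDCWD = -100  # "relative to the current working directory"

def parse_fields(record):
    """Split an audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def to_signed64(hex_value):
    """a0..a3 are logged as unsigned 64-bit hex; reinterpret as signed."""
    n = int(hex_value, 16)
    return n - (1 << 64) if n >= (1 << 63) else n

def decode_chmod(record):
    """Return syscall name, requested mode and dirfd meaning, or None."""
    f = parse_fields(record)
    if f.get("type") != "SYSCALL" or f.get("arch") != ARCH_X86_64:
        return None  # syscall numbers differ per architecture
    entry = CHMOD_SYSCALLS.get(int(f["syscall"]))
    if entry is None:
        return None  # not a chmod-family syscall
    name, mode_idx = entry
    mode = int(f[f"a{mode_idx}"], 16) & 0o7777  # keep permission bits only
    result = {"syscall": name,
              "mode_octal": format(mode, "04o"),
              "mode_symbolic": stat.filemode(mode)[1:]}  # drop file-type char
    if name == "fchmodat":
        dfd = to_signed64(f["a0"])
        result["dirfd"] = "AT_FDCWD" if dfd == AT_FDCWD else str(dfd)
    return result

if __name__ == "__main__":
    print(decode_chmod(RECORD))
```

On the quoted record, `decode_chmod` reads the mode from a2 and returns 0644 with dirfd AT_FDCWD; `ausearch -i` gives a comparable interpreted view of such records.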