> The information you request is in the changelog of the kernel RPM:
> $ rpm -q --changelog kernel | grep -B1 IPC
> - * Fri Feb 18 2005 David Woodhouse <dwmw2@redhat.com> audit.6
> - Fix list handling errors in IPC patch
> --
> - * Tue Feb 1 2005 David Woodhouse <dwmw2@redhat.com> audit.4
> - Log requested values of IPC_SET calls.
> --
Then this patch is already on the system I am testing on.
But the a0, a1, a2, and a3 values for the IPC syscalls are still not matching the expected values when compiled and run in 32bit mode on a 64bit system.
This is particularly important for the ipc syscalls because a0 is used to indicate a particular IPC syscall.
For example: when semget is executed in 32bit mode on a 64bit system, instead of a0=2 (value for SEMGET in ipc.h), I am seeing a0=0.
Not only is the record incorrect, but I am also not able to audit only a particular ipc syscall in 32bit mode.
If I want to only audit semget 32bit syscalls, I should be able to do this with:
auditctl -a entry,always -F arch=b32 -S ipc -F a0=2
But this doesn't generate any audit records. The only way I can capture them is by using:
auditctl -a entry,always -F arch=b32 -S ipc
This audits ALL 32bit ipc syscalls
Note, "auditctl -a entry,always -F arch=b64 -S ipc -F a0=2" does have correct behavior.
-debbie