Hi,

I am using Red Hat Enterprise Linux 6 and trying to get audit log entries for some system calls using the rule given below:

-a always,exit -F arch=b64  -S chmod -S fchmod -S fchmodat -F auid>=500  -F auid!=4294967295 -k perm_mod

-> After running the chmod command I did not get any audit log entry, but when I ran the same command under strace I could see that the syscall was made.
-> I also checked that the auditd service is running properly.
-> Could you guide me on why I am not getting any log message?
-> I also tried adding an equivalent rule for 32-bit (arch=b32), but the problem is still not resolved.

-> Note on the rule itself: the filter `-F auid>=500` only matches processes whose login UID (auid) is 500 or higher. The test was run from /root, so if the session was started by logging in directly as root (rather than with su/sudo from a regular account), the auid of the shell is 0 and the rule will never match, even though the syscall is made. `cat /proc/self/loginuid` in the shell running chmod shows the auid in effect; `auditctl -s` should report `enabled 1`; and `ausearch -k perm_mod -i` is the reliable way to look for matching events.



-> When I ran the command `auditctl -l | grep chmod` I got the output given below:

     LIST_RULES: exit,always arch=1073741827 (0x40000003) auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat
     LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat


-> strace shows that the "fchmodat" system call is the one actually made by /bin/chmod, and fchmodat is included in my rule, but I still do not get any log. The strace command and its output are given below (the rule also lists chmod and fchmod, which the chmod binary does not use here):

Command: strace -o /root/bharat/chmodSystemCallOutput.txt chmod 765 /root/bharat/test02

Output:

execve("/bin/chmod", ["chmod", "765", "/root/bharat/test02"], [/* 31 vars */]) = 0
brk(0)                                  = 0xdbe000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa36aaa2000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=70036, ...}) = 0
mmap(NULL, 70036, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa36aa90000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\355\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1907344, ...}) = 0
mmap(NULL, 3737768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa36a4f3000
mprotect(0x7fa36a67a000, 2097152, PROT_NONE) = 0
mmap(0x7fa36a87a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7fa36a87a000
mmap(0x7fa36a87f000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa36a87f000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa36aa8f000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa36aa8e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa36aa8d000
arch_prctl(ARCH_SET_FS, 0x7fa36aa8e700) = 0
mprotect(0x7fa36a87a000, 16384, PROT_READ) = 0
mprotect(0x7fa36aaa3000, 4096, PROT_READ) = 0
munmap(0x7fa36aa90000, 70036)           = 0
brk(0)                                  = 0xdbe000
brk(0xddf000)                           = 0xddf000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=99158752, ...}) = 0
mmap(NULL, 99158752, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa364662000
close(3)                                = 0
umask(0)                                = 077
stat("/root/bharat/test02", {st_mode=S_IFREG|0777, st_size=18, ...}) = 0
fchmodat(AT_FDCWD, "/root/bharat/test02", 0765) = 0
close(1)                                = 0
close(2)                                = 0
exit_group(0)      



--
Bharat Gupta 
IIT -Roorkee