linux-audit-bounces(a)redhat.com wrote on 04/05/2005 04:05:34 PM:
On Tuesday 05 April 2005 16:47, David Woodhouse wrote:
> 0x80000000 is a flag for '64-bit'
> 0x40000000 is a flag for 'little-endian'
How would people want this to work? Like Debbie suggested?
I'm partial to:
auditctl -a entry,always -S chmod -F arch=64
auditctl -a entry,always -S chmod -F arch=32
or if you think it's more user friendly, this is okay too:
auditctl -a entry,always -S chmod -F arch=64BIT
auditctl -a entry,always -S chmod -F arch=32BIT
Something like 0x800000000 would be okay, if:
1. we document it in the man page what each value means
2. auditctl is smart enough to understand that 0x8000 is the same as
0x800000000.
The main thing is that whatever value means 64-bit compiled or 32-bit
compiled, it is the same for all the platforms.
I'd like to be able to put statements such as this in my test cases:
#if defined(__MODE_32)
auditctl -a entry,always -S chmod -F arch=32
#else
auditctl -a entry,always -S chmod -F arch=64
#endif
And not have to complicate with platform specific statements like:
#if defined(__X86_64) && !defined(__MODE_32)
Also, we need to decide what the default behavior should be.
For our tests, there would be considerably less impact if:
"auditctl -a entry,always -S chmod"
would result in two rules being added:
auditctl -a entry,always -S chmod -F arch=32
auditctl -a entry,always -S chmod -F arch=64
Also, from the user point of view, if they want to audit chmod syscalls,
they more likely want to audit all of them, not just the 32-bit or 64-bit
versions of them.
For the case: "auditctl -a entry,always -S 15"
My first thought is that only adding one rule would be okay.
-debbie
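The rule-handling behaviour Debbie proposes above (accepting `arch=32`/`64`/`32BIT`/`64BIT` as well as a raw flag mask, expanding a named-syscall rule without `-F arch=` into one rule per ABI width, and leaving a numeric `-S 15` rule alone) can be written out as a small normaliser. This is an added example, not code from the thread or from the audit userspace tools; the two flag bits are the ones David Woodhouse quotes (0x80000000 for 64-bit, 0x40000000 for little-endian), while the accepted spellings and the expansion policy are the proposals under discussion, not shipped auditctl syntax.

```python
"""Decode and normalise the `-F arch=` field of an auditctl rule.

Added example. Flag bits are the ones quoted in the thread; the word
spellings ('32', '64', '32BIT', '64BIT') and the two-rule expansion are
the proposed behaviour, assumed here, not existing auditctl syntax.
"""
import shlex

AUDIT_ARCH_64BIT = 0x80000000   # bit set in an audit arch value for 64-bit ABIs
AUDIT_ARCH_LE = 0x40000000      # bit set for little-endian ABIs
_FLAG_BITS = AUDIT_ARCH_64BIT | AUDIT_ARCH_LE

# Proposed spellings (assumed); case-insensitive.
_WORDS = {"32": False, "32bit": False, "64": True, "64bit": True}


def arch_is_64bit(value: str) -> bool:
    """Return True if the text after `-F arch=` denotes a 64-bit ABI.

    Accepts the proposed words or a hex mask; a hex mask is interpreted by
    testing the 64-bit flag bit, so width of the literal does not matter.
    """
    v = value.strip().lower()
    if v in _WORDS:
        return _WORDS[v]
    if v.startswith("0x"):
        return bool(int(v, 16) & AUDIT_ARCH_64BIT)
    raise ValueError(f"unrecognised arch value: {value!r}")


def describe_arch_mask(mask: int) -> dict:
    """Split a raw audit arch value into its flag bits and machine number."""
    return {
        "64bit": bool(mask & AUDIT_ARCH_64BIT),
        "little_endian": bool(mask & AUDIT_ARCH_LE),
        "machine": mask & ~_FLAG_BITS,
    }


def expand_rule(rule: str) -> list:
    """Apply the proposed default for a rule with no `-F arch=`.

    A rule naming its syscall(s) by name is duplicated for arch=32 and
    arch=64; a rule that already names an arch, has no -S, or gives the
    syscall by number (numbers differ per ABI) is returned unchanged.
    """
    argv = shlex.split(rule)
    has_arch = any(a.startswith("arch=") for a in argv)
    syscalls = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-S"]
    if has_arch or not syscalls or all(s.isdigit() for s in syscalls):
        return [rule]
    return [f"{rule} -F arch={width}" for width in ("32", "64")]


if __name__ == "__main__":
    for r in ("auditctl -a entry,always -S chmod",
              "auditctl -a entry,always -S chmod -F arch=64BIT",
              "auditctl -a entry,always -S 15"):
        for out in expand_rule(r):
            print(out)
```

Running the module prints the two expanded chmod rules, the unchanged `arch=64BIT` rule, and the unchanged numeric rule, which is exactly the default behaviour argued for in the message; a test suite that uses `#if defined(__MODE_32)` can then stay platform-neutral because the width, not the machine type, is what the rule names.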