Hey all,
I've found an issue with the logging of the value of the 4th argument of the ptrace syscall. The calls are ptrace(PTRACE_TRACEME,0,0,0) and ptrace(PTRACE_KILL,1,0,0); the value of the 4th argument, that is the 0, is logged as the following:
type=SYSCALL msg=audit(1140022035.377:246959):
arch=16 syscall=26 success=yes exit=0 a0=0 a1=0 a2=0 a3=20000000000 items=0
pid=5236 auid=500 uid=501 gid=501 euid=501 suid=0 fsuid=501 egid=501 sgid=0
fsgid=501 comm="ptrace_test" exe="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/syscalls/ptrace_test"
As you can see, a3 is logged as "a3=20000000000". I am not sure if this extends to other syscalls, but this issue makes logging with specific argument values challenging at best.
Mike
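The report above matters to anyone who writes audit rules that match on syscall argument values (a3=0 and the like) or who validates audit output from a test harness: if the kernel records a value the caller never passed, such rules silently miss or mis-fire. The following is an added example, not code from the original message or from the audit project. It parses a SYSCALL record into its fields, converts the hex a0..a3 values to integers, and runs two checks a tester would want: whether a logged argument cannot fit in a register of the width the reader knows applies to the target architecture (the width is a parameter, not something derived from the arch field), and whether the logged arguments differ from the values the test program actually passed. The first record is the one quoted in the report (joined onto one line); the second is a constructed, well-formed record used for comparison.

```python
import re

# Record quoted in the report above, joined onto a single line.
REPORTED = (
    'type=SYSCALL msg=audit(1140022035.377:246959): arch=16 syscall=26 success=yes '
    'exit=0 a0=0 a1=0 a2=0 a3=20000000000 items=0 pid=5236 auid=500 uid=501 gid=501 '
    'euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 comm="ptrace_test" '
    'exe="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/syscalls/ptrace_test"'
)

# Constructed record (not from the report) showing what a correct a3=0 would look like.
CONSTRUCTED_OK = (
    'type=SYSCALL msg=audit(1140022035.400:246960): arch=16 syscall=26 success=yes '
    'exit=0 a0=0 a1=0 a2=0 a3=0 items=0 pid=5237 auid=500 uid=501 gid=501 '
    'euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 comm="ptrace_test" exe="/tmp/x"'
)

# Arguments passed by the test: ptrace(PTRACE_TRACEME, 0, 0, 0), PTRACE_TRACEME == 0.
EXPECTED_TRACEME = {"a0": 0, "a1": 0, "a2": 0, "a3": 0}

# key=value pairs; values are either a double-quoted string or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_record(line):
    """Split one audit record into (fields, args).

    fields: every key=value pair as strings (quotes stripped).
    args:   a0..a3 converted from the hex encoding audit uses to Python ints.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        fields[key] = value
    args = {}
    for n in range(4):
        key = f"a{n}"
        if key in fields:
            args[key] = int(fields[key], 16)
    return fields, args


def oversized_args(args, width_bits):
    """Names of arguments whose logged value cannot fit in a width_bits register.

    width_bits is supplied by the caller for the architecture being tested; a value
    that exceeds it cannot have been a real register value and points at a logging bug.
    """
    limit = 1 << width_bits
    return [name for name, value in args.items() if value >= limit]


def mismatched_args(args, expected):
    """Map of argument name -> (logged, expected) for every argument that differs.

    This is the check a test harness would run: it knows what it passed to the
    syscall and verifies the audit record reflects exactly those values.
    """
    return {
        name: (args.get(name), value)
        for name, value in expected.items()
        if args.get(name) != value
    }


if __name__ == "__main__":
    for label, record in (("reported", REPORTED), ("constructed", CONSTRUCTED_OK)):
        fields, args = parse_syscall_record(record)
        print(label, "syscall", fields["syscall"], "args", {k: hex(v) for k, v in args.items()})
        print("  does not fit 32-bit register:", oversized_args(args, 32))
        print("  differs from what the test passed:", mismatched_args(args, EXPECTED_TRACEME))
```

Run as a script, the reported record flags a3 on both checks (its value 0x20000000000 is 2^41, and the test passed 0), while the constructed record passes both. The register-width check only helps when the bogus value is wider than the architecture's registers, so the comparison against the values the test actually passed is the one to rely on.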