Ah, the 0x was it! It was producing the wrong rule:
Wrong: LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=40086602 (0x263ac4a) key=chattr1 syscall=ioctl
Right: LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=chattr3 syscall=ioctl
You are right, if I specify a path for this rule, it stops working.
Thank you very much for your help, Steve.
Cheers,
Max
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of
Steve Grubb
Sent: 24 August 2011 16:53
To: linux-audit(a)redhat.com
Subject: Re: Auditing the "chattr" command (ioctl syscall?)
On Wednesday, August 24, 2011 10:40:32 AM Steve Grubb wrote:
So, the rule is:
-a always,exit -F arch=b64 -S ioctl -F a1=40086602
One correction, you need a 0x in that:
-a always,exit -F arch=b64 -S ioctl -F a1=0x40086602
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
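Why the 0x matters, as an added example that is not part of the thread: it rebuilds the ioctl request number chattr issues (FS_IOC_SETFLAGS, the kernel's _IOW('f', 2, long), which is 0x40086602 on x86_64) and parses the a1= operand both ways. The request-number bit layout and the hex-or-decimal reading of the operand are assumptions about the kernel headers and auditctl, not taken from the thread.

```python
# Added example (not from the thread): rebuild the ioctl request number that chattr
# issues and show why "-F a1=40086602" and "-F a1=0x40086602" are different rules.
# Bit layout of a request number on x86_64 (asm-generic/ioctl.h, assumed standard):
#   bits 31-30 direction | bits 29-16 argument size | bits 15-8 type | bits 7-0 nr
_IOC_NRSHIFT, _IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 0, 8, 16, 30
_IOC_NONE, _IOC_WRITE, _IOC_READ = 0, 1, 2
AUDIT_ARCH_X86_64 = 0xC000003E   # the arch= value shown in the LIST_RULES output
LONG_SIZE = 8                    # sizeof(long) on x86_64; it is 4 on b32, hence arch=b64

def _ioc(direction, type_char, nr, size):
    """Encode a request number the way the kernel's _IOC() macro does."""
    return ((direction << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT)
            | (ord(type_char) << _IOC_TYPESHIFT) | (nr << _IOC_NRSHIFT))

# chattr(1) reads the flags with FS_IOC_GETFLAGS and writes them with FS_IOC_SETFLAGS,
# which linux/fs.h defines as _IOR('f', 1, long) and _IOW('f', 2, long).
FS_IOC_GETFLAGS = _ioc(_IOC_READ, "f", 1, LONG_SIZE)    # 0x80086601
FS_IOC_SETFLAGS = _ioc(_IOC_WRITE, "f", 2, LONG_SIZE)   # 0x40086602

def decode_ioctl(req):
    """Split a request number into (direction, type, nr, size) to see what it would match."""
    return ((req >> _IOC_DIRSHIFT) & 0x3, (req >> _IOC_TYPESHIFT) & 0xFF,
            (req >> _IOC_NRSHIFT) & 0xFF, (req >> _IOC_SIZESHIFT) & 0x3FFF)

def parse_field_value(text):
    """Read an -F a1=VALUE operand: a 0x prefix means hex, otherwise the digits are
    taken as decimal (assumed, simplified model of auditctl's number parsing)."""
    t = text.strip().lower()
    return int(t[2:], 16) if t.startswith("0x") else int(t, 10)

def list_rules_line(a1_field, key):
    """Render the rule the way it appears in the LIST_RULES output quoted above."""
    a1 = parse_field_value(a1_field)
    return (f"LIST_RULES: exit,always arch={AUDIT_ARCH_X86_64} (0x{AUDIT_ARCH_X86_64:x}) "
            f"a1={a1} (0x{a1:x}) key={key} syscall=ioctl")

def rule_matches_chattr(a1_field):
    """True if -F a1=<a1_field> would fire on chattr's FS_IOC_SETFLAGS call."""
    return parse_field_value(a1_field) == FS_IOC_SETFLAGS

if __name__ == "__main__":
    for field, key in (("40086602", "chattr1"), ("0x40086602", "chattr3")):
        print(list_rules_line(field, key), "-> matches chattr:", rule_matches_chattr(field))
        print("   decodes to (dir, type, nr, size):", decode_ioctl(parse_field_value(field)))
```

Without the prefix the decimal value decodes to direction 0, type 0xac, nr 0x4a with a 611-byte argument, a request number no filesystem ioctl uses, so the rule never fires.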