Hi,
I am running Ubuntu 12.04 with audit 1.7.18. I notice that if I
specify the kernel boot parameter audit=1 (according to auditd(8)),
then the kernel audits some syscalls to /var/log/syslog before auditd
starts.
However, I am seeing only syscall=1 (write()). I assume there are more
syscalls like fork/clone() and execve() that are not being audited.
Can I make the kernel -- via boot/runtime configuration, not
recompilation -- audit more syscalls before auditd starts?
I googled but did not find the answer or even this exact question.
Jul 19 20:57:53 host kernel: [ 0.000000] Command line:
BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic ... audit=1
Jul 19 20:57:53 host kernel: [ 0.000000] Kernel command line:
BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic ... audit=1
Jul 19 20:57:53 host kernel: [ 0.000000] audit: enabled (after
initialization)
Jul 19 20:57:53 host kernel: [ 0.701807] audit: initializing
netlink socket (enabled)
Jul 19 20:57:53 host kernel: [ 0.701813] type=2000
audit(1342731461.540:1): initialized
Jul 19 20:57:53 host kernel: [ 10.112334] type=1400
audit(1342745872.190:2): apparmor="STATUS" operation="profile_load"
name="/sbin/dhclient" pid=393 comm="apparmor_parser"
Jul 19 20:57:53 host kernel: [ 10.112341] type=1400
audit(1342745872.190:3): apparmor="STATUS"
operation="profile_replace"
name="/sbin/dhclient" pid=550 comm="apparmor_parser"
Jul 19 20:57:53 host kernel: [ 10.112345] type=1300
audit(1342745872.190:2): arch=c000003e syscall=1 success=yes
exit=70195 ... exe="/sbin/apparmor_parser" key=(null)
Jul 19 20:57:53 host kernel: [ 10.112353] type=1300
audit(1342745872.190:3): arch=c000003e syscall=1 success=yes
exit=70195 ... exe="/sbin/apparmor_parser" key=(null)
...
...
Jul 19 20:58:16 host auditd[1217]: Init complete, auditd 1.7.18
listening for events (startup state enable)
Jul 19 20:58:16 host kernel: [ 34.614216] auditd (1217):
/proc/1217/oom_adj is deprecated, please use /proc/1217/oom_score_adj
instead.
Thanks.