I have a question about how to filter on personality.
From /usr/include/linux/personality.h I see:
PER_LINUX = 0x0000,
PER_LINUX_32BIT = 0x0000 | ADDR_LIMIT_32BIT,
PER_LINUX32 = 0x0008,
PER_LINUX32_3GB = 0x0008 | ADDR_LIMIT_3GB,
So if I want to audit a particular syscall, chmod for example, in a 32-bit
executable, is this the correct usage?
"auditctl -a exit,always -S chmod -F pers=0x0008"
I've created a simple test that executes the __NR_chmod syscall and
compiled it 32-bit (output from "file": ELF 32-bit LSB executable, Intel 80386,
version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs),
not stripped).
When I add the above rule, it is accepted by auditctl and is listed as:
"AUDIT_LIST: exit always pers=8 (0x8) syscall=chmod"
But I do not see any audit records generated.
Also, if I add the rule
"auditctl -a exit,always -S chmod -F pers=0x0000"
It is accepted by auditctl and is listed as:
"AUDIT_LIST: exit always pers=0 syscall=chmod"
And I do see audit records generated in /var/log/messages. Note: "pers" is
not displayed in the record.
I wasn't sure if 0x0008 was the correct value to capture syscalls compiled
in 32-bit mode. So I tried this auditctl filter next:
"auditctl -a exit,always -S chmod -F pers!=0x0000"
It is accepted by auditctl and is listed as:
"AUDIT_LIST: exit always pers!=0 syscall=chmod"
Again, no audit records are generated.
In the same personality.h, I found:
ADDR_LIMIT_32BIT = 0x0800000,
So I also tried:
"auditctl -a exit,always -S chmod -F pers=0x0800000"
It is accepted by auditctl and is listed as:
AUDIT_LIST: exit always pers=8388608 (0x800000) syscall=chmod
But again, I don't see any audit records generated.
-debbie
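Added example (editor's code, not part of Debbie's post): a small C program that reads and sets the process personality through personality(2) and splits the word into the base persona (the low PER_MASK bits) and the flag bits above it. The kernel's pers filter compares the process's whole personality word against the rule value, so seeing what that word actually contains is the check a practitioner wants before writing such a rule. The program assumes an x86-64 Linux host with glibc's <sys/personality.h>; the helper names (persona_base, persona_flags, persona_name, current_personality, personality_under_linux32) are mine. Running it shows that a process only carries PER_LINUX32 (0x0008) after something sets it, as linux32/setarch does; the ELF loader does not set it just because the binary is 32-bit, and ADDR_LIMIT_32BIT (0x0800000) is a flag bit whose base persona is still PER_LINUX.

```c
/* Added example, not from the original post: inspect and set the process
 * personality word that auditctl's "-F pers=" rule is compared against.
 * Assumes x86-64 Linux with glibc's <sys/personality.h>; helper names are
 * the editor's, not from auditctl or the kernel. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>

/* Base persona: the low PER_MASK (0x00ff) bits of the personality word.
 * PER_LINUX32 and PER_LINUX32_3GB share base 0x0008; PER_LINUX_32BIT has
 * base 0x0000, because ADDR_LIMIT_32BIT lives above the mask. */
unsigned long persona_base(unsigned long pers)
{
    return pers & PER_MASK;
}

/* Flag bits: everything above PER_MASK (ADDR_LIMIT_32BIT, ADDR_LIMIT_3GB,
 * READ_IMPLIES_EXEC, ADDR_NO_RANDOMIZE, ...). */
unsigned long persona_flags(unsigned long pers)
{
    return pers & ~(unsigned long)PER_MASK;
}

/* Name of the base persona for the values from personality.h discussed
 * in the post; anything else is reported as "other". */
const char *persona_name(unsigned long pers)
{
    switch (persona_base(pers)) {
    case PER_LINUX:   return "PER_LINUX";
    case PER_LINUX32: return "PER_LINUX32";
    default:          return "other";
    }
}

/* Query the calling process's personality without changing it;
 * personality(0xffffffff) is the documented read-only call. */
unsigned long current_personality(void)
{
    int p = personality(0xffffffff);
    if (p == -1) {
        perror("personality");
        exit(EXIT_FAILURE);
    }
    return (unsigned long)(unsigned int)p;
}

/* Do what `linux32` / `setarch i386` does: set PER_LINUX32 for this
 * process, read the word back, then restore the previous one.
 * Returns the personality word observed while PER_LINUX32 was in effect. */
unsigned long personality_under_linux32(void)
{
    unsigned long old = current_personality();
    if (personality(PER_LINUX32) == -1) {
        perror("personality(PER_LINUX32)");
        exit(EXIT_FAILURE);
    }
    unsigned long seen = current_personality();
    if (personality(old) == -1) {
        perror("personality(restore)");
        exit(EXIT_FAILURE);
    }
    return seen;
}

int main(void)
{
    unsigned long now = current_personality();
    printf("current personality: 0x%lx (base %s, flags 0x%lx)\n",
           now, persona_name(now), persona_flags(now));

    unsigned long seen = personality_under_linux32();
    printf("while PER_LINUX32 is set: 0x%lx (base %s)\n",
           seen, persona_name(seen));

    /* The three rule values tried in the post, decoded the same way. */
    unsigned long tried[] = { 0x0000, 0x0008, 0x0800000 };
    for (size_t i = 0; i < sizeof tried / sizeof tried[0]; i++)
        printf("pers=0x%lx -> base %s, flags 0x%lx\n", tried[i],
               persona_name(tried[i]), persona_flags(tried[i]));
    return 0;
}
```

Compile with `gcc -o pers pers.c`, and again with `-m32` to see that a 32-bit build still reports base persona PER_LINUX; only running it under `linux32 ./pers` makes the word read 0x0008. To select the 32-bit syscall ABI in an audit rule, filter on the record's arch field rather than on pers: `auditctl -a exit,always -S chmod -F arch=b32`.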