When I try this one on my x86_64 system, I am seeing:
# auditctl -a entry,always -F arch=64b -S open
AUDIT_LIST: entry always arch=0 syscall=open
# auditctl -a entry,always -F arch=32b -S open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open
# auditctl -a entry,always -F arch=32 -S open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open
And I don't see any audit records generated for syscall=open.
If I do:
# auditctl -a entry,always -S open
then I do see records like:
type=KERNEL msg=audit(1113924447.821:5496854): syscall=2 arch=c000003e
success=yes exit=3 a0=2a9555bf20 a1=0 a2=3920 a3=ffffffd0 items=1 pid=5737
loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm=tail exe=/usr/bin/tail
type=KERNEL msg=audit(1113924447.821:5496854): item=0
name="/lib64/tls/libpthread.so.0" inode=6947034 dev=fd:00 mode=0100755
uid=0 gid=0 rdev=00:00
When I try arch=c000003e, I get:
# auditctl -a entry,always -F arch=c000003e -S open
-F arch=c000003e machine type not found
So I believe auditctl is supposed to work with values like "arch=32b" or "arch=64b". Is that correct?
-debbie
linux-audit-bounces(a)redhat.com wrote on 04/18/2005 04:16:46 PM:
Hello,
I've just released a new version of the audit daemon. It can be downloaded
- Check log file size on start up
- Added priority_boost config item
- Reworked arch support
- Reworked how run level is changed
- Make allowances for ECONNREFUSED.
The program was not checking the logfile size on startup which could make it add a record before deciding to perform the log file size action.
In order to help solve the lost records problem, I've added a priority boost option to auditd.conf. The default is 3. You should probably check your /etc/auditd.conf file to see that you have the new option.
The arch support has been reworked. Thanks to Debbie Velarde for helping gather the syscall tables. Please give this feature a try. I think it should be working (except for "both"). Please report any bugs with this soon and I'll release a 0.6.12 to fix any problems.
The way that the run level is changed was reworked to make SE Linux policy better. It was invoking system(); now it does execve().
People that are rolling their own kernels and not including the audit system were being stopped from logging by pam. I made an exception that if ECONNREFUSED is detected during sendto, they are using a modified kernel and we'll bypass logging. ECONNREFUSED means the kernel isn't listening on the audit netlink socket... so I think this exception is safe.
Please give it some testing and report any problems.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
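The thread turns on what the arch word in a KERNEL record (arch=c000003e above) actually encodes and what auditctl's "32b"/"64b" shorthands should resolve to on an x86_64 host. The following is an added example, not code from the thread or from the audit package: it decodes the arch field using the bit layout from <linux/audit.h> (low 16 bits are the ELF e_machine, plus 64-bit and little-endian flags), maps the two shorthands to the AUDIT_ARCH_* values they denote on x86_64 (the mapping function is an illustration, not auditctl's own lookup), and shows why a rule listed with arch=0 cannot equal a record stamped c000003e if the filter compares the words for equality (an assumption about the filter, not something the thread confirms). The record line is constructed to match the shape of the one Debbie posted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit layout of the audit arch word, as defined in <linux/audit.h>:
 * low 16 bits hold the ELF e_machine value; two high bits flag
 * 64-bit and little-endian. Values copied here so the file stands alone. */
#define __AUDIT_ARCH_64BIT 0x80000000u
#define __AUDIT_ARCH_LE    0x40000000u
#define EM_386    3u   /* from <linux/elf-em.h> */
#define EM_X86_64 62u
#define AUDIT_ARCH_I386   (EM_386 | __AUDIT_ARCH_LE)                          /* 0x40000003 */
#define AUDIT_ARCH_X86_64 (EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)  /* 0xc000003e */

/* Pull the arch= value (bare hex, as the kernel prints it) out of a record line.
 * Returns 0 when the record carries no arch field. */
uint32_t record_arch(const char *record)
{
    const char *p = strstr(record, "arch=");
    if (p == NULL)
        return 0;
    return (uint32_t)strtoul(p + 5, NULL, 16);
}

/* Decode an arch word into "machine bits endianness", e.g. "x86_64 64-bit LE".
 * Returns 0 for a machine this example knows, -1 otherwise. */
int describe_arch(uint32_t arch, char *out, size_t outlen)
{
    unsigned machine = arch & 0xffffu;
    const char *name;
    switch (machine) {
    case EM_386:    name = "i386";    break;
    case EM_X86_64: name = "x86_64";  break;
    default:        name = "unknown"; break;
    }
    snprintf(out, outlen, "%s %s-bit %s", name,
             (arch & __AUDIT_ARCH_64BIT) ? "64" : "32",
             (arch & __AUDIT_ARCH_LE) ? "LE" : "BE");
    return (machine == EM_386 || machine == EM_X86_64) ? 0 : -1;
}

/* What the "32b"/"64b" shorthands denote on an x86_64 host. This is an
 * assumed illustration of the native-machine lookup, not auditctl's code.
 * Anything unrecognised yields 0, i.e. the "arch=0" seen in AUDIT_LIST. */
uint32_t shorthand_to_arch_x86_64(const char *s)
{
    if (strcmp(s, "64b") == 0) return AUDIT_ARCH_X86_64;
    if (strcmp(s, "32b") == 0) return AUDIT_ARCH_I386;
    return 0;
}

/* Assumption: an arch filter compares the rule's word with the record's word
 * for equality. Under that rule, arch 0 can never match a c000003e record. */
int rule_arch_matches(uint32_t rule_arch, uint32_t record_arch_word)
{
    return rule_arch == record_arch_word;
}

int main(void)
{
    /* Constructed record, same shape as the KERNEL record quoted in the thread. */
    const char *rec = "type=KERNEL msg=audit(1113924447.821:5496854): syscall=2 "
                      "arch=c000003e success=yes exit=3 pid=5737 comm=tail";
    char buf[64];
    uint32_t a = record_arch(rec);

    describe_arch(a, buf, sizeof buf);
    printf("record arch=%08x decodes to: %s\n", a, buf);
    printf("64b -> %08x, 32b -> %08x\n",
           shorthand_to_arch_x86_64("64b"), shorthand_to_arch_x86_64("32b"));
    printf("rule arch=0 matches this record: %s\n",
           rule_arch_matches(0, a) ? "yes" : "no");
    return 0;
}
```

Running this against the quoted record decodes c000003e as x86_64, 64-bit, little-endian, which is why "-F arch=c000003e" is the value a rule would need to carry to match it, even though auditctl accepts only machine names or the 32b/64b shorthands on the command line.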