type=PATH msg=audit(05/21/2010 10:59:08.167:35) : item=1 name=(null) inode=3535788 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(05/21/2010 10:59:08.167:35) : item=0 name=/usr/libexec/qemu-kvm inode=509820 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:qemu_exec_t:s0
type=CWD msg=audit(05/21/2010 10:59:08.167:35) : cwd=/
type=EXECVE msg=audit(05/21/2010 10:59:08.167:35) : argc=6 a0=/usr/libexec/qemu-kvm a1=-S a2=-M a3=rhel5.4.0 a4=-m a5=512 a6=-smp a7=1 a8=-name a9=kvm01 a10=-uuid a11=dab72a67-a431-d39e-3c7c-89c5fa313b8c a12=-no-kvm-pit-reinjection a13=-monitor a14=pty a15=-pidfile a16=/var/run/libvirt/qemu//kvm01.pid a17=-boot a18=c a19=-drive a20=file=/var/lib/libvirt/images/kvm01,if=virtio,index=0,boot=on,cache=none a21=-drive a22=file=/root/RHEL5.5-Server-20100322.0-x86_64-DVD.iso,if=ide,media=cdrom,index=2,cache=none a23=-net a24=nic,macaddr=54:52:00:dd:f5:c6,vlan=0 a25=-net a26=tap,fd=11,script=,vlan=0,ifname=virtnet7 a27=-serial a28=pty a29=-parallel a30=none a31=-usb a32=-vnc a33=127.0.0.1:0 a34=-k a35=en-us
type=SYSCALL msg=audit(05/21/2010 10:59:08.167:35) : arch=x86_64 syscall=execve success=yes exit=0 a0=6bca700 a1=6bca3c0 a2=6bc3240 a3=38c2016220 items=2 ppid=2809 pid=2810 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=virt_qemu_exec
Just wanted to check if I got the meaning of the EXECVE record right.
Should the 'argc' field bring the number of argv[] items? Why is argc=6
in the record above if we apparently have 36 items?
uname -a:
Linux lepton.ltc.br.ibm.com 2.6.18-199.el5 #1 SMP Fri May 14 15:30:11 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
-Klaus
--
Klaus Heinrich Kiwi | klausk(a)br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog: http://www.ratliff.net/blog
IBM Linux Technology Center: http://www.ibm.com/linux/ltc
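The check Klaus is doing by hand, as a small script added here as an example (it is not part of the original message or of the audit userspace tools): it parses `ausearch -i` style records, rebuilds argv from the `a<N>` fields of each EXECVE record, and reports whether `argc` agrees with the number of `a<N>` fields actually present. `SAMPLE` holds the EXECVE and SYSCALL records from the post above re-joined onto one line each, plus one constructed EXECVE record whose `argc` is consistent. The field parser assumes `ausearch -i` output in which no value contains whitespace, which holds for the records above.

```python
import re

# Records for the check. The first two are the EXECVE and SYSCALL records
# from the post, re-joined onto one line each as ausearch -i emits them.
# The third is a constructed EXECVE record with a consistent argc.
SAMPLE = """\
type=EXECVE msg=audit(05/21/2010 10:59:08.167:35) : argc=6 a0=/usr/libexec/qemu-kvm a1=-S a2=-M a3=rhel5.4.0 a4=-m a5=512 a6=-smp a7=1 a8=-name a9=kvm01 a10=-uuid a11=dab72a67-a431-d39e-3c7c-89c5fa313b8c a12=-no-kvm-pit-reinjection a13=-monitor a14=pty a15=-pidfile a16=/var/run/libvirt/qemu//kvm01.pid a17=-boot a18=c a19=-drive a20=file=/var/lib/libvirt/images/kvm01,if=virtio,index=0,boot=on,cache=none a21=-drive a22=file=/root/RHEL5.5-Server-20100322.0-x86_64-DVD.iso,if=ide,media=cdrom,index=2,cache=none a23=-net a24=nic,macaddr=54:52:00:dd:f5:c6,vlan=0 a25=-net a26=tap,fd=11,script=,vlan=0,ifname=virtnet7 a27=-serial a28=pty a29=-parallel a30=none a31=-usb a32=-vnc a33=127.0.0.1:0 a34=-k a35=en-us
type=SYSCALL msg=audit(05/21/2010 10:59:08.167:35) : arch=x86_64 syscall=execve success=yes exit=0 a0=6bca700 a1=6bca3c0 a2=6bc3240 a3=38c2016220 items=2 ppid=2809 pid=2810 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=virt_qemu_exec
type=EXECVE msg=audit(05/21/2010 11:02:13.004:41) : argc=3 a0=/bin/ls a1=-l a2=/tmp
"""

# "type=T msg=audit(<timestamp>:<serial>) : <key=value ...>"
RECORD_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<event>[^)]*)\)\s*:\s*(?P<body>.*)$")
# key=value tokens; assumes no value contains whitespace (true for ausearch -i on these records)
KV_RE = re.compile(r"(\w+)=(\S+)")
ARG_RE = re.compile(r"^a(\d+)$")


def parse_records(text):
    """Parse ausearch -i style lines into (type, event_id, fields) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank or non-record line
        fields = dict(KV_RE.findall(m.group("body")))
        records.append((m.group("type"), m.group("event"), fields))
    return records


def execve_argv(fields):
    """Rebuild argv from the a0..aN fields of one EXECVE record, in index order.

    Returns (argv, missing) where missing lists any index gaps below the
    highest aN seen, which would indicate a truncated or split record.
    """
    args = {}
    for key, value in fields.items():
        m = ARG_RE.match(key)
        if m:
            args[int(m.group(1))] = value
    if not args:
        return [], []
    highest = max(args)
    missing = [i for i in range(highest + 1) if i not in args]
    return [args[i] for i in sorted(args)], missing


def check_execve(text):
    """For each EXECVE record, compare argc with the number of aN fields present."""
    results = []
    for rtype, event, fields in parse_records(text):
        if rtype != "EXECVE":
            continue  # SYSCALL records also carry a0..a3, but those are raw syscall args
        argv, missing = execve_argv(fields)
        argc = int(fields.get("argc", "-1"))
        results.append({
            "event": event,
            "argc": argc,
            "counted": len(argv),
            "missing": missing,
            "consistent": argc == len(argv) and not missing,
            "argv": argv,
        })
    return results


if __name__ == "__main__":
    for r in check_execve(SAMPLE):
        status = "ok" if r["consistent"] else "MISMATCH"
        print(f"{r['event']}: argc={r['argc']} aN fields={r['counted']} "
              f"missing={r['missing']} -> {status}")
        print("  argv:", " ".join(r["argv"]))
```

Run against the post's record this reports argc=6 against 36 `a<N>` fields, which is exactly the discrepancy being asked about; the constructed record reports 3 against 3. Note that the SYSCALL record is deliberately skipped: its `a0`..`a3` are the raw syscall register arguments (pointers here), not argv entries, so counting them would give a false mismatch.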