On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote: > On Wed, Mar 30, 2022 at 1:59 AM CGEL <cgel....@gmail.com> wrote: > > On Tue, Mar 29, 2022 at 09:11:19AM -0400, Paul Moore wrote: > > > On Mon, Mar 28, 2022 at 11:22 PM CGEL <cgel....@gmail.com> wrote: > > > > On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote: > > > > > On Mon, Mar 28, 2022 at 9:48 PM CGEL <cgel....@gmail.com> wrote: > > > > > > Sorry could anybody give a hand to solve this? It works well on > > > > > > x86_64 and arm64. > > > > > > I have no alpha environment and not familiar to this arch, much > > > > > > thanks! > > > > > > > > > > Regardless of if this is fixed, I'm not convinced this is something we > > > > > want to merge. After all, a process executed a syscall and we should > > > > > process it like any other; just because it happens to be an > > > > > unrecognized syscall on a particular kernel build doesn't mean it > > > > > isn't security relevant (probing for specific syscall numbers may be a > > > > > useful attack fingerprint). > > > > > > > > Thanks for your reply. > > > > > > > > But syscall number less than 0 is even invalid for auditctl. So we > > > > will never hit this kind of audit rule. And invalid syscall number > > > > will always cause failure early in syscall handle. > > > > > > > > sh-4.2# auditctl -a always,exit -F arch=b64 -S -1 > > > > Syscall name unknown: -1 > > > > > > You can add an audit filter without explicitly specifying a syscall: > > > > > > % auditctl -a exit,always -F auid=1000 > > > % auditctl -l > > > -a always,exit -S all -F auid=1000 > > > > > I have tried this, and execute program which call syscall number is -1, > > audit still didn't record it. It supports that there's no need for audit > > to handle syscall number less than 0. > > > > sh-4.2# auditctl -a exit,always > > sh-4.2# auditctl -l > > -a always,exit -S all > > If audit is not generating SYSCALL records, even for invalid/ENOSYS > syscalls, I would consider that a bug which should be fixed. > If we fix this bug, do you think audit invalid/ENOSYS syscalls better be forcible or be a rule that can be configure? I think configure is better. > -- > paul-moore.com
-- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit