On Thursday 17 September 2009 10:54:53 am Tangren, Bill wrote:
> I am running a RHEL ES 5.4 system (64bit), fully patched. I am trying to
> configure auditing, and I am using a rule such as this:
>
> -a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-11

This should be written as 2 rules:

-a exit,always -F arch=b32 -S chmod -S lchown -S chown -F success=0 -F exit!=-11
-a exit,always -F arch=b64 -S chmod -S lchown -S chown -F success=0 -F exit!=-11

> WARNING = 32/64 bit syscall mismatch in line 36, you should specify an arch

This is to let you know that on multilib systems, you might not be auditing what you think you are. Take the case of chmod:

# ausyscall x86_64 chmod --exact
90
# ausyscall i386 chmod --exact
15

The auditctl program takes the text for chmod and looks it up for a syscall number. This is because the kernel only understands numbers and not strings. So, in the case of chmod, there are two choices depending on if you want to audit 32 or 64 bit apps. In the absence of declaring which api you intended, it looks up the native interface and uses that. So previously, you would be auditing syscall 90 for both x86_64 and i386 applications. So, let's see what 90 maps to:

# ausyscall i386 90
mmap

You really did not intend to audit mmap, I'm sure. So, auditctl now warns you that you have a problem, but it loads the rule anyways.

> I googled, and came up with something from the RH archives

It was in linux-audit mail list, but now it will be in the RH archives. :)

-Steve

_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list
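A small rule linter, added here as an example and not code from the list thread, that applies Steve's point: it flags a syscall rule with no -F arch, explains the native-vs-i386 number clash using the ausyscall values quoted above (a constructed lookup table, with x86_64 assumed as the native ABI), and rewrites the rule as the b32/b64 pair.

```python
import shlex

# Constructed lookup table; the numbers are the ones quoted in the mail
# (ausyscall: chmod is 90 on x86_64, 15 on i386, and 90 on i386 is mmap).
SYSCALL_NUMBERS = {
    "x86_64": {"chmod": 90},
    "i386": {"chmod": 15, "mmap": 90},
}
NATIVE_ARCH = "x86_64"  # assumed native ABI of the host being linted


def parse_rule(line):
    """Split one '-a exit,always ...' rule into (syscalls, arch, other tokens)."""
    tokens = shlex.split(line)
    syscalls, arch, rest, i = [], None, [], 0
    while i < len(tokens):
        if tokens[i] == "-S":
            syscalls.append(tokens[i + 1])
            i += 2
        elif tokens[i] == "-F" and tokens[i + 1].startswith("arch="):
            arch = tokens[i + 1].split("=", 1)[1]
            i += 2
        else:
            rest.append(tokens[i])
            i += 1
    return syscalls, arch, rest


def check_rule(line):
    """Return the mismatch warning (or None) for a syscall rule lacking -F arch."""
    syscalls, arch, _ = parse_rule(line)
    if not syscalls or arch is not None:
        return None
    # Without an arch, auditctl resolves names against the native ABI only, so a
    # 32-bit process using the same number fires the rule for a different syscall.
    by_number = {n: s for s, n in SYSCALL_NUMBERS["i386"].items()}
    notes = []
    for name in syscalls:
        num = SYSCALL_NUMBERS[NATIVE_ARCH].get(name)
        if num is not None and by_number.get(num, name) != name:
            notes.append(f"{name}={num} on {NATIVE_ARCH} but {num} is {by_number[num]} on i386")
    detail = f" ({'; '.join(notes)})" if notes else ""
    return "32/64 bit syscall mismatch, you should specify an arch" + detail


def split_rule(line):
    """Rewrite an arch-less syscall rule as the b32/b64 pair Steve recommends."""
    syscalls, arch, rest = parse_rule(line)
    if not syscalls or arch is not None:
        return [line]
    sc = [t for s in syscalls for t in ("-S", s)]
    # rest[:2] is the '-a exit,always' action; -F arch goes right after it.
    return [" ".join(rest[:2] + ["-F", f"arch={b}"] + sc + rest[2:]) for b in ("b32", "b64")]
```

Run check_rule over each line of audit.rules before loading it; a watch rule (-w) has no -S and passes through untouched.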
