audit 0.6.11 released

Debora Velarde dvelarde at us.ibm.com
Tue Apr 19 20:07:05 UTC 2005

linux-audit-bounces at redhat.com wrote on 04/19/2005 02:03:15 PM:

> On Tuesday 19 April 2005 11:34, Debora Velarde wrote:
> > # auditctl -a entry,always -F arch=64b -S open
> > AUDIT_LIST: entry always arch=0 syscall=open

> OK I found and fixed some minor bugs. However, the main problem here is that
> you need to use b64 and not 64b.

Seems to work fine on x86_64 if you use the b64, b32 flag.

chmod from a 64bit compiled record:
type=KERNEL msg=audit(1113940516.264:7457468): item=0
name="/tmp/arch64_check" inode=5701640 dev=fd:00 mode=0100644 uid=0 gid=0
rdev=00:00
type=KERNEL msg=audit(1113940516.264:7457468): syscall=90 arch=c000003e
success=yes exit=0 a0=4006d5 a1=1ff a2=34bbf2ea03 a3=0 items=1 pid=24480
loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm=arch64 exe=/deb/arch_test/arch64

chmod from a 32bit compiled record:
type=KERNEL msg=audit(1113940549.990:7466028): syscall=15 arch=40000003
success=yes exit=0 a0=a7eff4 a1=0 a2=8048442 a3=0 items=1 pid=24512
loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm=arch32 exe=/deb/arch_test/arch32
type=KERNEL msg=audit(1113940549.990:7466028): item=0
name="/tmp/arch32_check" inode=5701647 dev=fd:00 mode=0100644 uid=0 gid=0
rdev=00:00

Thanks!
debbie
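
Added example, not part of the original message or of the audit project's code: a small decoder for the two events above that joins the records sharing an audit event ID and names the syscall according to the arch= value, which is why the same chmod shows up as syscall 90 in one record and 15 in the other. It goes slightly beyond the message by decoding the arch flag bits in general; the flag values and syscall numbers come from the Linux kernel headers, and the function names are illustrative.

```python
import re
from collections import defaultdict

# arch= is an ELF machine number plus flag bits (values from the kernel audit header).
ARCH_64BIT, ARCH_LE = 0x80000000, 0x40000000
ELF_MACHINE = {3: "i386", 62: "x86_64"}
# Syscall numbers are per-ABI; only the entries needed here are listed.
SYSCALLS = {"x86_64": {15: "rt_sigreturn", 90: "chmod"},
            "i386": {15: "chmod", 90: "mmap"}}

# Records from the message above, with the mail line-wrapping removed.
SAMPLE = """\
type=KERNEL msg=audit(1113940516.264:7457468): item=0 name="/tmp/arch64_check" inode=5701640 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1113940516.264:7457468): syscall=90 arch=c000003e success=yes exit=0 a0=4006d5 a1=1ff a2=34bbf2ea03 a3=0 items=1 pid=24480 loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=arch64 exe=/deb/arch_test/arch64
type=KERNEL msg=audit(1113940549.990:7466028): syscall=15 arch=40000003 success=yes exit=0 a0=a7eff4 a1=0 a2=8048442 a3=0 items=1 pid=24512 loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=arch32 exe=/deb/arch_test/arch32
type=KERNEL msg=audit(1113940549.990:7466028): item=0 name="/tmp/arch32_check" inode=5701647 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00
"""

def decode_arch(hex_value):
    """Split an arch= value into (machine name, word size in bits, byte order)."""
    v = int(hex_value, 16)
    machine = ELF_MACHINE.get(v & 0xFFFF, "elf-machine-%d" % (v & 0xFFFF))
    return machine, 64 if v & ARCH_64BIT else 32, "LE" if v & ARCH_LE else "BE"

def summarize(log_text):
    """Merge records by audit event ID, then name each syscall by its ABI."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = re.search(r"msg=audit\(([\d.]+:\d+)\):\s*(.*)", line)
        if not m:
            continue
        for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
            events[m.group(1)].setdefault(key, value.strip('"'))
    out = []
    for ev in events.values():
        if "syscall" not in ev:
            continue  # path record with no matching syscall record
        machine, bits, _ = decode_arch(ev["arch"])
        nr = int(ev["syscall"])
        name = SYSCALLS.get(machine, {}).get(nr, "syscall-%d" % nr)
        out.append((machine, bits, name, ev.get("name"), ev["exe"]))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```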