Socketcall / sockaddr logging.

David Woodhouse dwmw2 at infradead.org
Tue May 17 10:55:21 UTC 2005


On Mon, 2005-05-16 at 23:41 +0100, David Woodhouse wrote:
> audit.37 in the yum repo has a first attempt to log sys_socketcall()
> arguments and any sockaddr which is passed as a syscall argument. (And
> no, if I fix the obvious bug in that first version, it doesn't fix my
> memory corruption).

I've tracked down the memory corruption -- it was introduced by my
socketcall patch, and should now be fixed in the attached version. 

The patch logs the arguments to the sys_socketcall() system call, and
also any sockaddr which is copied from userspace as part of a system
call. It gives output along these lines...

audit(1116327000.714:160055): syscall=102 arch=40000003 success=no exit=-101 a0=3 a1=bffeeb20 a2=4 a3=806eb40 items=0 pid=4884 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping6" exe="/bin/ping6"
audit(1116327000.714:160055): saddr=0A00040100000000200108B0010B000102095BFFFE840C9E00000000
audit(1116327000.714:160055): nargs=3 a0=4 a1=bffeebe0 a2=1c

The equivalent strace output is this:

connect(4, {sa_family=AF_INET6, sin6_port=htons(1025), inet_pton(AF_INET6, 
   "2001:8b0:10b:1:209:5bff:fe84:c9e", &sin6_addr), sin6_flowinfo=0, 
   sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)

I'm building audit.39 with it now.

-- 
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-2.6.9-audit-socketcalls.patch
Type: text/x-patch
Size: 4619 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050517/b7f707ee/attachment.bin>
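To read such a saddr= field back into the fields strace shows, here is an added Python decoder (not part of the patch or of this post) that unpacks the hex into struct sockaddr_in / sockaddr_in6. It assumes the record came from a little-endian host, as the arch=40000003 (i386) in the example does, because the kernel stores sa_family and sin6_scope_id in host byte order while port and flowinfo are network order; the sample record is the one quoted above.

```python
import ipaddress
import struct

# Constructed sample: the saddr= record quoted in the message above, which
# should decode to the connect() call strace showed (AF_INET6, port 1025).
SAMPLE_RECORD = ("audit(1116327000.714:160055): "
                 "saddr=0A00040100000000200108B0010B000102095BFFFE840C9E00000000")

# Linux AF_* values, fixed here rather than taken from socket.AF_* so the
# decoder gives the same answer when run on a non-Linux analysis host.
AF_INET, AF_INET6 = 2, 10


def saddr_from_record(line):
    """Pull the hex payload of the saddr= field out of one audit record."""
    for field in line.split():
        if field.startswith("saddr="):
            return field[len("saddr="):]
    raise ValueError("record carries no saddr= field")


def decode_saddr(hex_string):
    """Unpack a hex-encoded struct sockaddr as the kernel copied it from userspace.

    sa_family is host byte order; the record above came from an i386 box
    (arch=40000003), so little-endian is assumed.  Port and flowinfo are
    network order, sin6_scope_id is host order again.
    """
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2:
        raise ValueError("sockaddr shorter than sa_family")
    (family,) = struct.unpack_from("<H", raw, 0)
    if family == AF_INET:
        if len(raw) < 8:
            raise ValueError("truncated sockaddr_in (%d bytes)" % len(raw))
        port, addr = struct.unpack_from("!H4s", raw, 2)
        return {"family": "AF_INET", "port": port,
                "addr": str(ipaddress.IPv4Address(addr))}
    if family == AF_INET6:
        if len(raw) < 28:
            raise ValueError("truncated sockaddr_in6 (%d bytes)" % len(raw))
        port, flowinfo, addr = struct.unpack_from("!HI16s", raw, 2)
        (scope_id,) = struct.unpack_from("<I", raw, 24)
        return {"family": "AF_INET6", "port": port, "flowinfo": flowinfo,
                "addr": str(ipaddress.IPv6Address(addr)), "scope_id": scope_id}
    # Unknown or unsupported family: hand back the payload for manual inspection.
    return {"family": family, "raw": raw[2:].hex()}


if __name__ == "__main__":
    print(decode_saddr(saddr_from_record(SAMPLE_RECORD)))
```

The decoded port 1025 and address 2001:8b0:10b:1:209:5bff:fe84:c9e line up with the strace line, and the 28-byte length matches the a2=1c in the nargs record.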

