Auditing the "chattr" command (ioctl syscall?)

Max Williams Max.Williams at betfair.com
Wed Aug 24 16:04:39 UTC 2011


Ah, the 0x was it! It was producing the wrong rule:

Wrong: LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=40086602 (0x263ac4a) key=chattr1 syscall=ioctl

Right: LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=chattr3 syscall=ioctl


You are right, if I specify a path for this rule, it stops working.

Thank you very much for your help Steve.

Cheers,
Max


-----Original Message-----
From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On Behalf Of Steve Grubb
Sent: 24 August 2011 16:53
To: linux-audit at redhat.com
Subject: Re: Auditing the "chattr" command (ioctl syscall?)

On Wednesday, August 24, 2011 10:40:32 AM Steve Grubb wrote:
> So, the rule is:
> 
> -a always,exit -F arch=b64 -S ioctl -F a1=40086602

One correction, you need a 0x in that:

-a always,exit -F arch=b64 -S ioctl -F a1=0x40086602

-Steve

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
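The two LIST_RULES lines above and Steve's corrected rule come down to two things: how auditctl reads the a1 value (a bare number is taken as decimal, a 0x prefix as hex, which is why 40086602 became 0x263ac4a) and what that number actually encodes. FS_IOC_SETFLAGS, the ioctl chattr(1) issues, is _IOW('f', 2, long), so its value depends on sizeof(long) and differs between the 64-bit and 32-bit ABIs. The following C program is an added example, not code from this thread or from the audit project: it implements the Linux ioctl number layout, decodes both a1 values so the mistaken one is visibly nonsense, and builds the equivalent rule for arch=b64 and arch=b32. The key name "chattr", the function names, and the strtoul-based model of auditctl's number parsing are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit layout of a Linux ioctl request number (include/uapi/asm-generic/ioctl.h):
 *   bits  0..7   nr    (command number within the type)
 *   bits  8..15  type  (the "magic" byte, 'f' for the FS_IOC_* calls)
 *   bits 16..29  size  (sizeof the argument the kernel copies in or out)
 *   bits 30..31  dir   (0 none, 1 write, 2 read, 3 read+write)            */
#define IOC_NRSHIFT    0
#define IOC_TYPESHIFT  8
#define IOC_SIZESHIFT  16
#define IOC_DIRSHIFT   30
#define IOC_NRMASK     0xffU
#define IOC_TYPEMASK   0xffU
#define IOC_SIZEMASK   0x3fffU
#define IOC_DIRMASK    0x3U
#define IOC_NONE  0U
#define IOC_WRITE 1U
#define IOC_READ  2U

struct ioc_fields {
    unsigned dir, type, nr, size;
};

/* Equivalent of the kernel's _IOC(dir, type, nr, size) macro. */
static uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return ((uint32_t)(dir  & IOC_DIRMASK)  << IOC_DIRSHIFT)  |
           ((uint32_t)(type & IOC_TYPEMASK) << IOC_TYPESHIFT) |
           ((uint32_t)(nr   & IOC_NRMASK)   << IOC_NRSHIFT)   |
           ((uint32_t)(size & IOC_SIZEMASK) << IOC_SIZESHIFT);
}

/* Split a request number back into its fields, so an a1 value seen in
 * LIST_RULES output or in an audit record can be sanity-checked by eye. */
static struct ioc_fields ioc_decode(uint32_t req)
{
    struct ioc_fields f;
    f.dir  = (req >> IOC_DIRSHIFT)  & IOC_DIRMASK;
    f.type = (req >> IOC_TYPESHIFT) & IOC_TYPEMASK;
    f.nr   = (req >> IOC_NRSHIFT)   & IOC_NRMASK;
    f.size = (req >> IOC_SIZESHIFT) & IOC_SIZEMASK;
    return f;
}

/* FS_IOC_SETFLAGS is _IOW('f', 2, long). sizeof(long) is 8 in the x86_64
 * ABI and 4 in the i386 ABI, so the request number (and hence the a1
 * filter value) is different for each arch. */
static uint32_t fs_ioc_setflags(unsigned sizeof_long)
{
    return ioc_encode(IOC_WRITE, 'f', 2, sizeof_long);
}

/* Model of how the a1= field is read: "0x..." is hex, a bare number is
 * decimal. This matches the two LIST_RULES lines in the thread; that
 * auditctl uses exactly strtoul(..., 0) is an assumption. */
static uint32_t parse_a1(const char *text)
{
    return (uint32_t)strtoul(text, NULL, 0);
}

/* Build the per-arch chattr rule. The key name "chattr" is illustrative. */
static int build_chattr_rule(const char *arch, char *out, size_t outlen)
{
    unsigned sizeof_long;
    if (strcmp(arch, "b64") == 0)
        sizeof_long = 8;
    else if (strcmp(arch, "b32") == 0)
        sizeof_long = 4;
    else
        return -1;   /* unknown arch: refuse rather than emit a wrong a1 */
    return snprintf(out, outlen,
                    "-a always,exit -F arch=%s -S ioctl -F a1=0x%08x -k chattr",
                    arch, (unsigned)fs_ioc_setflags(sizeof_long));
}

int main(void)
{
    /* Constructed inputs: the a1 text from the wrong and the right rule. */
    const char *samples[] = { "40086602", "0x40086602" };
    char rule[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a1 = parse_a1(samples[i]);
        struct ioc_fields f = ioc_decode(a1);
        printf("a1=%-10s -> 0x%08x dir=%u type=0x%02x('%c') nr=%u size=%u\n",
               samples[i], (unsigned)a1, f.dir, f.type,
               (f.type >= 0x20 && f.type < 0x7f) ? (char)f.type : '?',
               f.nr, f.size);
    }
    build_chattr_rule("b64", rule, sizeof rule);
    puts(rule);
    build_chattr_rule("b32", rule, sizeof rule);
    puts(rule);
    return 0;
}
```

Decoding 0x40086602 gives dir=write, type='f', nr=2, size=8, which is FS_IOC_SETFLAGS on a 64-bit ABI; the decimal misread 0x263ac4a decodes to dir=none, type=0xac, nr=74, size=611, which is no ioctl chattr ever issues, so the rule matched nothing. A machine that also runs 32-bit binaries needs the second rule with arch=b32 and a1=0x40046602, since the 32-bit ABI encodes the same call with a 4-byte long. Note that ioctl(2) operates on a file descriptor rather than a pathname, so there is no path argument for a path filter to match on a rule of this shape; search the resulting events by key (for example `ausearch -k chattr`) instead.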
