[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

watch with -p wa catching fstat calls?



I've got a watch looking at /dev/mem

  auditctl -w /dev/mem -k kernel -p wa

which I understand means that auditd is looking for writes or attribute changes to /dev/mem (according to the manpage for auditctl).

The weird thing is that auditd seems to be flagging calls to fstat, and I'm not sure why auditd would be doing this since.

2011-11-30T14:02:42.624523-08:00 node/x.x.x.x audispd: node=node type=PATH msg=audit(1322690562.613:38): item=0 name="/dev/mem" inode=1358 dev=00:05 mode=020640 ouid=0 ogid=15 rdev=01:01

2011-11-30T14:02:42.624494-08:00 node/x.x.x.x audispd: node=node type=CWD msg=audit(1322690562.613:38):  cwd="/"

2011-11-30T14:02:42.624480-08:00 node/x.x.x.x audispd: node=node type=SYSCALL msg=audit(1322690562.613:38): arch=40000003 syscall=5 per=400000 success=yes exit=3 a0=8048f6c a1=2 a2=180 a3=0 items=1 ppid=4132 pid=4199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="IrqRouteTbl" exe="/opt/hp/hp-health/bin/IrqRouteTbl" key="kernel"

Running kernel 2.6.38.8 on Ubuntu with auditd version 1.7.13-1ubuntu2.

Cheers,
peter
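Added example, not part of the original post and not auditd's own code: a small Python decoder for the type=SYSCALL record quoted above, showing which `-p` permission bits an open() record can satisfy. It assumes the constants as found in the kernel headers: arch=40000003 is AUDIT_ARCH_I386, syscall 5 on i386 is open(2), a1 on an open() record is the flags argument and the value 2 is O_RDWR. It classifies the open() by its O_ACCMODE bits the way the kernel's audit permission matching treats open-class syscalls for a watch, so a read-write open of a watched path satisfies the `w` bit. The syscall table is a partial one constructed for the example, and the record is a copy of the one in the post.

```python
# Added example: decode a Linux audit SYSCALL record and work out which
# watch permissions (-p r/w/x/a) an open() record can match.
# Not from the original post; constants assumed from the kernel headers.
import re

# Constructed copy of the type=SYSCALL record quoted in the post above.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1322690562.613:38): arch=40000003 syscall=5 '
    'per=400000 success=yes exit=3 a0=8048f6c a1=2 a2=180 a3=0 items=1 '
    'ppid=4132 pid=4199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="IrqRouteTbl" '
    'exe="/opt/hp/hp-health/bin/IrqRouteTbl" key="kernel"'
)

# AUDIT_ARCH_* from <linux/audit.h>: i386 is EM_386 (3) | __AUDIT_ARCH_LE (0x40000000)
ARCHES = {0x40000003: "i386", 0xC000003E: "x86_64"}

# Partial i386 syscall table (assumption: only the entries useful here).
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close",
                 108: "fstat", 197: "fstat64", 295: "openat"}

# open(2) flag bits on x86, from <asm-generic/fcntl.h>
O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR = 0o3, 0, 1, 2
O_CREAT, O_TRUNC = 0o100, 0o1000


def parse_record(line):
    """Split an audit record into a dict; values may be quoted or bare."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def open_flags_to_perms(flags):
    """Classify an open() by its access mode the way audit does for -p watches:
    O_RDONLY counts as a read, O_WRONLY as a write, O_RDWR as both.
    (The 'a' bit comes from chattr-class syscalls and 'x' from execve,
    never from open(), so they are not produced here.)"""
    acc = flags & O_ACCMODE
    perms = set()
    if acc in (O_RDONLY, O_RDWR):
        perms.add("r")
    if acc in (O_WRONLY, O_RDWR):
        perms.add("w")
    return perms


def decode(line):
    """Return arch, syscall name, flags (for open/openat) and matchable perms."""
    rec = parse_record(line)
    arch = ARCHES.get(int(rec["arch"], 16), "unknown")
    nr = int(rec["syscall"])
    name = I386_SYSCALLS.get(nr, "unknown") if arch == "i386" else "unknown"
    info = {"arch": arch, "nr": nr, "syscall": name,
            "exe": rec.get("exe"), "flags": None, "perms": set()}
    if name in ("open", "openat"):
        # open() carries the flags in a1, openat() in a2; both are logged in hex
        info["flags"] = int(rec["a1" if name == "open" else "a2"], 16)
        info["perms"] = open_flags_to_perms(info["flags"])
    return info


def watch_matches(info, watch_perms):
    """True if a watch created with -p <watch_perms> would fire on this record."""
    return bool(set(watch_perms) & info["perms"])


if __name__ == "__main__":
    d = decode(SAMPLE_RECORD)
    print(f"{d['arch']} syscall {d['nr']} = {d['syscall']}() by {d['exe']}, "
          f"flags=0x{d['flags']:x}, perms={sorted(d['perms'])}")
    print("matches -p wa:", watch_matches(d, "wa"))
```

Running it against the quoted record decodes syscall 5 as open() with a1=0x2, i.e. O_RDWR, which carries the `w` bit a `-p wa` watch looks for; changing a1 to 0 (O_RDONLY) makes the same record match only `-p r`.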
