New field seen in audit.log

Evelyn Mitchell efmphone at gmail.com
Fri Oct 18 14:38:08 UTC 2019


For my own learning, I'm trying to understand what personality=40000 means.

In looking at /uapi/linux/personality.h where the
personality types are defined, and manually converting 40000 to hex
0x9C40, it looks to me like the personality is set to enable:
ADDR_LIMIT_3GB =        0x8000000
SHORT_INODE =           0x1000000
ADDR_LIMIT_32BIT =      0x0800000
READ_IMPLIES_EXEC =     0x0400000
ADDR_COMPAT_LAYOUT =    0x0200000
MMAP_PAGE_ZERO =        0x0100000
ADDR_NO_RANDOMIZE =     0x0040000

But, this looks unreasonable to me as a set of flags someone would
deliberately pick, so I thought I'd ask if I'm interpreting this
correctly.

Evelyn Mitchell


> You may never have seen it before because it appears you now have a
> personality other than PER_LINUX for this event.  32-bit binary on 64
> bit?  I assume your arch is x86 64 (LE)?
>
> > type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> > *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0
> > items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> > exe="/usr/bin/gdb" key=(null)
> >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
>
>
> ------------------------------




More information about the Linux-audit mailing list