New field seen in audit.log
Evelyn Mitchell
efmphone at gmail.com
Fri Oct 18 14:38:08 UTC 2019
For my own learning, I'm trying to understand what personality=40000 means.
In looking at /uapi/linux/personality.h where the
personality types are defined, and manually converting 40000 to hex
0x9C40, it looks to me like the personality is set to enable:
ADDR_LIMIT_3GB = 0x8000000
SHORT_INODE = 0x1000000
ADDR_LIMIT_32BIT = 0x0800000
READ_IMPLIES_EXEC = 0x0400000
ADDR_COMPAT_LAYOUT = 0x0200000
MMAP_PAGE_ZERO = 0x0100000
ADDR_NO_RANDOMIZE = 0x0040000
But, this looks unreasonable to me as a set of flags someone would
deliberately pick, so I thought I'd ask if I'm interpreting this
correctly.
Evelyn Mitchell
> You may never have seen it before because it appears you now have a
> personality other than PER_LINUX for this event. 32-bit binary on 64
> bit? I assume your arch is x86_64 (LE)?
>
> > type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> > *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0
> > items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> > exe="/usr/bin/gdb" key=(null)
> >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
> ------------------------------
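An added example, not written by either participant in this thread: a decoder for the `per=` field of a SYSCALL record. It assumes the value is hexadecimal, which is how the kernel audit code prints it, and takes the flag table from include/uapi/linux/personality.h. The function names are this example's own, and the record is the one quoted above, abridged.

```python
import re

# Flag bits from include/uapi/linux/personality.h
PER_FLAGS = {
    0x0020000: "UNAME26",
    0x0040000: "ADDR_NO_RANDOMIZE",
    0x0080000: "FDPIC_FUNCPTRS",
    0x0100000: "MMAP_PAGE_ZERO",
    0x0200000: "ADDR_COMPAT_LAYOUT",
    0x0400000: "READ_IMPLIES_EXEC",
    0x0800000: "ADDR_LIMIT_32BIT",
    0x1000000: "SHORT_INODE",
    0x2000000: "WHOLE_SECONDS",
    0x4000000: "STICKY_TIMEOUTS",
    0x8000000: "ADDR_LIMIT_3GB",
}
PER_MASK = 0x00FF  # low byte selects the base personality (0 = PER_LINUX)

# Record quoted in this thread, abridged; the archive's emphasis asterisks
# around per=40000 are removed.
RECORD = ('type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e '
          'syscall=3 per=40000 success=yes exit=0 a0=5 a1=5 items=0 '
          'ppid=2653 pid=2655 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb"')


def decode_personality(value):
    """Split a personality word into (base, flag names, unrecognised bits)."""
    base = value & PER_MASK
    names = [name for bit, name in sorted(PER_FLAGS.items()) if value & bit]
    known = sum(PER_FLAGS) | PER_MASK  # distinct bits, so sum equals OR
    return base, names, value & ~known


def decode_record(line):
    """Decode the per= field of a SYSCALL record; None if the field is absent."""
    m = re.search(r'\bper=([0-9a-fA-F]+)\b', line)
    if m is None:
        return None  # no per= field: personality was PER_LINUX
    return decode_personality(int(m.group(1), 16))  # parse as hex, not decimal


if __name__ == "__main__":
    print(decode_record(RECORD))
```

Read as hex, the value has base personality 0 and a single flag set; feeding the same digits in as decimal 40000 leaves bits that match no defined flag, which is a useful sanity check when a decoded set looks implausible.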
More information about the Linux-audit
mailing list