
Q: adding system call monitoring rule on aarch64 fails

Open seemakumar8 opened this issue 2 years ago • 2 comments

I am unable to add auditd rules to monitor system calls. However, file monitoring rules work fine.

System arch: aarch64

I am using Yocto build system.

The kernel is compiled with the following options:

CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_AUDIT_GENERIC=y
CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y
CONFIG_AUDIT_COMPAT_GENERIC=y

When I execute the below command:

$> auditctl -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k timechange

I get the below error:

arch elf mapping not found auditd aarch64

seemakumar8, Aug 17 '23 11:08

Works for me. I would suggest checking that you have configured and compiled everything correctly; you can use Fedora as a working example.

% uname -r -m
6.6.0-0.rc1.20230915git9fdfb15a.17.1.secnext.fc40.aarch64 aarch64
% rpm -q audit
audit-3.1.2-4.fc40.aarch64
% auditctl -D
No rules
% auditctl -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k timechange
% auditctl -l
-a always,exit -F arch=b64 -S clock_settime,settimeofday,adjtimex -F key=timechange

pcmoore, Sep 18 '23 15:09

> CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y

These two config options above were removed 5 years ago, so this kernel is pretty dated.

rgbriggs, Oct 05 '23 14:10
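Pulling the two replies together, the things worth checking before filing a bug like this are (a) that the running kernel actually has syscall auditing compiled in, (b) whether the config still carries options that, as rgbriggs points out, no longer exist in mainline (a sign of an old tree), and (c) whether the add / list / delete sequence pcmoore ran behaves the same on the target. The script below is an added example, not code from the issue thread or from the audit project; it assumes the kernel config is readable at /proc/config.gz or /boot/config-$(uname -r), that auditctl is on PATH for the optional live round trip, and it uses a constructed sample config in its test rather than the reporter's real one.

```shell
#!/bin/sh
# Added example (not from the issue thread or the audit project).
# Pre-flight checks for an auditd syscall (-S) rule on an embedded target:
#   1. is syscall auditing compiled into the running kernel;
#   2. does the config still carry CONFIG_AUDIT_WATCH / CONFIG_AUDIT_TREE,
#      which were removed from mainline long ago (old kernel tree);
#   3. optionally, add / list / delete the rule the way the Fedora reply did.
# Assumed: config at /proc/config.gz or /boot/config-$(uname -r); auditctl on PATH.

REQUIRED_OPTS="CONFIG_AUDIT CONFIG_AUDITSYSCALL CONFIG_HAVE_ARCH_AUDITSYSCALL"
REMOVED_OPTS="CONFIG_AUDIT_WATCH CONFIG_AUDIT_TREE"

# Print the path of the running kernel's config, or nothing if none is readable.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# Stream a config file to stdout, transparently handling gzip.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# option_state FILE OPT -> y, m, n ("is not set") or absent (option unknown
# to this kernel). Matches the exact symbol, so CONFIG_AUDIT != CONFIG_AUDIT_ARCH.
option_state() {
    line=$(read_config "$1" | grep -E "^(# )?$2[= ]" | head -n 1)
    case "$line" in
        "$2=y")            echo y ;;
        "$2=m")            echo m ;;
        "# $2 is not set") echo n ;;
        "")                echo absent ;;
        *)                 echo other ;;
    esac
}

# check_audit_config FILE -> 0 when every REQUIRED_OPT is =y, 1 otherwise.
# Also warns on stderr about options current kernels no longer have.
check_audit_config() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        state=$(option_state "$cfg" "$opt")
        if [ "$state" != y ]; then
            echo "missing: $opt=y (found: $state)" >&2
            rc=1
        fi
    done
    for opt in $REMOVED_OPTS; do
        if [ "$(option_state "$cfg" "$opt")" != absent ]; then
            echo "note: $opt is present; mainline dropped it years ago, so this tree is old" >&2
        fi
    done
    return $rc
}

# is_old_audit_tree FILE -> 0 if the config still knows any removed option.
is_old_audit_tree() {
    for opt in $REMOVED_OPTS; do
        [ "$(option_state "$1" "$opt")" = absent ] || return 0
    done
    return 1
}

# Add, list and delete the time-change rule from the issue (root + auditctl).
# Prints the rule as auditctl -l reports it; returns 1 if the add fails.
syscall_rule_roundtrip() {
    key=$1
    auditctl -a exit,always -F arch=b64 -S adjtimex -S settimeofday \
        -S clock_settime -k "$key" || return 1
    auditctl -l | grep "key=$key"
    auditctl -d exit,always -F arch=b64 -S adjtimex -S settimeofday \
        -S clock_settime -k "$key"
}

main() {
    cfg=$(find_kernel_config)
    if [ -z "$cfg" ]; then
        echo "no readable kernel config found; nothing to check"
        return 0
    fi
    if check_audit_config "$cfg"; then
        echo "$cfg: syscall auditing is compiled in"
    else
        echo "$cfg: kernel cannot support -S rules as configured"
    fi
    # Only touch the live rule set when explicitly asked to.
    if [ "${AUDIT_ROUNDTRIP:-0}" = 1 ] && [ "$(id -u)" = 0 ] \
        && command -v auditctl >/dev/null 2>&1; then
        syscall_rule_roundtrip timechange-test
    fi
    return 0
}

main "$@"
```

Run it as `AUDIT_ROUNDTRIP=1 sh audit-preflight.sh` as root on the target to include the live add / list / delete; without the variable it only inspects the config. If the config check passes and the round trip still fails with the "arch elf mapping" message, the kernel side is not the problem and the audit userspace build is where to look next.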