Steve Grubb
First, thanks for all the time and effort to create and maintain networkD3! I was wondering if it would be possible to pass a parameter to add a "charge" to...
The files at include/asm-generic/audit_*.h have syscalls used to trigger watches for various syscalls without having to know the exact syscall. It appears that the last time it was updated...
People have varying workloads as well as audit rules. Right now the consensus is to set the backlog to 8192. This eats up memory on some smaller systems. It should...
The *setxattr syscalls take 5 arguments. One that is important is the fifth argument, flags. This denotes creation or replacement of the extended attribute. A similar situation occurred for mmap...
Watches on execution of a program seem to not be working on the 4.17 kernel. $ which ping /usr/sbin/ping $ auditctl -w /usr/sbin/ping -p x -k test $ ping yahoo.com...
When you run load_policy, you get this in the logs: type=USER_AVC msg=audit(1485430158.330:324): pid=833 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' There's a lot...
There are some syscalls being emitted that have missing success and exit values. For example: type=PROCTITLE msg=audit(11/16/2016 12:50:35.860:856) : proctitle=/lib/ld-linux.so.2 --verify /home/sgrubb/working/BUILDROOT/audit-2.7-1.fc24.x86_64/sbin/audisp-remote type=SYSCALL msg=audit(11/16/2016 12:50:35.860:856) : arch=i386 syscall=exit_group a0=EXIT_FAILURE a1=0xffc738a4...
In some cases, a path record is not included in an event because the end item cannot be resolved due to permissions. Meanwhile, the path as a string is usually...
fsconfig looks like this when captured by strace: fsconfig(3, FSCONFIG_SET_STRING, "source", "/dev/ram0", 0) The audit event looks like this: syscall=fsconfig success=yes exit=0 a0=0x3 a1=0x1 a2=0x7fba578b5fed a3=0x56519590dac0 with nothing but a...
The fsopen syscall looks like this in strace: fsopen("ramfs", FSOPEN_CLOEXEC) what is recorded by audit is: syscall=fsopen success=yes exit=3 a0=0x56519590daa0 a1=0x1 We are missing the file system being opened. The...