From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: chmod32, lchmod32, etc?
Date: Mon, 08 Jul 2013 14:01:13 -0400
Message-ID: <1666664.44RFpIAcff@x2>
In-Reply-To: <CACv9p5pLmK0ebNnJBdxthv1k0FM97guzKBi7TaOP_Ms3N585Ow@mail.gmail.com>

On Monday, July 08, 2013 01:53:24 PM leam hall wrote:
> Morning all! My first post to the list.
> 
> I'm getting errors on a RHEL 5 box when I add audit rules for chown32 and
> lchown32.
> 
> Info on the box:
> 
> Linux myhost 2.6.18-348.6.1.el5 #1 SMP Fri Apr 26 09:21:26 EDT 2013 x86_64
> x86_64 x86_64 GNU/Linux
> 
> 
> Error:
> 
> service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Syscall name unknown: chown32
> There was an error in line 215 of /etc/audit/audit.rules
> 
> 
> Line 215:
> -a exit,always -F arch=b64 -S chown32
> 
> 
> What else can I look at to trouble-shoot?

The ausyscall program was created just for troubleshooting things like this.

# ausyscall x86_64 chown32
Unknown syscall chown32 using x86_64 lookup table

# ausyscall i386 chown32
lchown32           198
fchown32           207
chown32            212

So, that means it's only a 32-bit syscall:
 -a exit,always -F arch=b32 -S chown32

On 64 bit machines, you normally should have rules for both the 64 bit and 32 
bit syscalls. Not all syscalls are on both interfaces.

-Steve
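
The per-architecture lookup from the message above, applied to a whole rules file, as an added example that is not part of the original message or of the audit tools: a Python sketch that flags `-S` names missing from the table of the rule's `arch`. The tables are a constructed, partial stand-in for `ausyscall` output (the i386 `*32` numbers are the ones shown above; the remaining entries and the names `TABLES`, `parse_rule`, `lint` and `SAMPLE_RULES` are assumptions of this example).

```python
import shlex

# Constructed, partial tables in the "name number" layout ausyscall prints.
# The i386 *32 entries are from the message; the rest is sample data.
TABLES_TEXT = {
    "b32": "lchown 16\nfchown 95\nchown 182\nlchown32 198\nfchown32 207\nchown32 212",
    "b64": "chown 92\nfchown 93\nlchown 94",
}
TABLES = {arch: {name: int(num) for name, num in (l.split() for l in text.splitlines())}
          for arch, text in TABLES_TEXT.items()}

# Constructed sample rules; line 1 is the failing rule quoted in the thread.
SAMPLE_RULES = """\
-a exit,always -F arch=b64 -S chown32
-a exit,always -F arch=b32 -S chown32
# 64-bit names have no "32" suffix
-a exit,always -F arch=b64 -S chown -S fchown -S lchown
"""

def parse_rule(line):
    """Return (arch, [syscall names]) for a syscall rule line, else None."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] not in ("-a", "-A"):
        return None
    arch, syscalls = None, []
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-F" and value.startswith("arch="):
            arch = value.split("=", 1)[1]
        elif flag == "-S":
            syscalls.extend(value.split(","))
    return arch, syscalls

def lint(rules_text):
    """List (lineno, syscall, arch, arches_that_have_it) for unknown names."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None or parsed[0] not in TABLES:
            continue  # not a syscall rule, or no arch this sketch can check
        arch, syscalls = parsed
        for name in syscalls:
            if name.isdigit() or name == "all" or name in TABLES[arch]:
                continue  # numeric and "all" need no name lookup
            found_in = sorted(a for a, table in TABLES.items() if name in table)
            findings.append((lineno, name, arch, found_in))
    return findings

if __name__ == "__main__":
    for lineno, name, arch, found_in in lint(SAMPLE_RULES):
        print(f"line {lineno}: {name} unknown for {arch}; defined for: {found_in or 'none'}")
```
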
