From: Tony Jones <tonyj@suse.de>
To: Paul Moore <paul.moore@hp.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit not recording the correct syscall return value in Fedora 10?
Date: Thu, 7 May 2009 16:05:00 -0700	[thread overview]
Message-ID: <20090507230500.GA24658@suse.de> (raw)
In-Reply-To: <200905051550.01946.paul.moore@hp.com>

On Tue, May 05, 2009 at 03:50:01PM -0400, Paul Moore wrote:

> No problem.  As far as I'm aware the discussion never went beyond this thread 
> as I was unable to recreate the problem with the (then) current kernels but it 
> may not be a bad idea to get the arch folks and perhaps lkml involved if we 
> can narrow this down a little.

Doesn't reproduce for me with 2.6.30-rc4-git1.

For our SLES11 kernel (2.6.27+patches) I needed your entry_64.S change to fix
the problem.

With just commit 6d208da89aabee8502debe842832ca0ab298d16d I get:

[snippet]

Starting auditd                                                      done
----
time->Thu May  7 12:51:46 2009
type=SYSCALL msg=audit(1241725906.513:121): arch=c000003e syscall=175 success=yes exit=0 a0=7f95478e2000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd                                                 done
Starting auditd                                                      done
----
time->Thu May  7 12:51:46 2009
type=SYSCALL msg=audit(1241725906.768:128): arch=c000003e syscall=175 success=yes exit=0 a0=7f2425e10000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4488 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd                                                 done
Starting auditd                                                      done
----
time->Thu May  7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.024:135): arch=c000003e syscall=175 success=no exit=-131939334922280 a0=7f9901b9a000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4551 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd                                                 done
Starting auditd                                                      done
----
time->Thu May  7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.288:142): arch=c000003e syscall=175 success=no exit=-131939285508136 a0=7f0807b15000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4614 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd                                                 done
Starting auditd                                                      done
----
time->Thu May  7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.544:149): arch=c000003e syscall=175 success=yes exit=0 a0=7f053f482000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4677 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd 


test case:

for i in `seq 1 100`; do cat /dev/null > /var/log/audit/audit.log;  rmmod dummy; rcauditd restart; auditctl -a entry,always -S init_module; modprobe dummy; ausearch -c modprobe; done

This is on a Core2Duo.

Tony
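As an added example, not part of this thread, here is a small Python checker over the SYSCALL records quoted above. It parses each record and flags a success=no entry whose exit value lies outside the -1..-4095 range in which the x86_64 kernel returns -errno, reporting the raw 64-bit register pattern so a stale register value (the symptom in this thread) can be told apart from an ordinary failed syscall. The field names are those of the audit records themselves; the helper names are my own.

```python
import re
# SYSCALL records copied from the ausearch output quoted in this message (serials 121, 135, 142).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1241725906.513:121): arch=c000003e syscall=175 success=yes exit=0 a0=7f95478e2000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)',
    'type=SYSCALL msg=audit(1241725907.024:135): arch=c000003e syscall=175 success=no exit=-131939334922280 a0=7f9901b9a000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4551 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)',
    'type=SYSCALL msg=audit(1241725907.288:142): arch=c000003e syscall=175 success=no exit=-131939285508136 a0=7f0807b15000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4614 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)',
]
MAX_ERRNO = 4095  # largest errno the kernel encodes as a negative syscall return value
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_syscall_record(line):
    """Split one audit record into a {field: value} dict; quoted strings lose their quotes."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    match = SERIAL_RE.search(line)
    fields['serial'] = int(match.group(1)) if match else None
    return fields

def raw_register_value(exit_code):
    """Unsigned 64-bit pattern that was in the return register for this signed exit value."""
    return exit_code & 0xFFFFFFFFFFFFFFFF

def check_exit_consistency(fields):
    """Findings where success= and exit= disagree, or exit= is not a plausible -errno."""
    if fields.get('type') != 'SYSCALL':
        return []
    try:
        exit_code = int(fields['exit'])
    except (KeyError, ValueError):
        return ['exit field missing or non-numeric']
    success = fields.get('success')
    if success == 'yes' and exit_code < 0:
        return ['success=yes but exit=%d is negative' % exit_code]
    if success == 'no' and exit_code >= 0:
        return ['success=no but exit=%d is not an error' % exit_code]
    if success == 'no' and exit_code < -MAX_ERRNO:
        return ['exit=%d is outside -1..-%d, raw register 0x%016x'
                % (exit_code, MAX_ERRNO, raw_register_value(exit_code))]
    return []

def scan(lines):
    """Return [(serial, findings)] for every record that fails a check."""
    results = []
    for line in lines:
        fields = parse_syscall_record(line)
        findings = check_exit_consistency(fields)
        if findings:
            results.append((fields['serial'], findings))
    return results
```

Run over the three records above it flags serials 135 and 142 only; an ordinary failure such as exit=-2 (ENOENT) passes.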
