From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
Sven Schnelle <svens@linux.ibm.com>
Cc: Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>
Subject: Re: [PATCH 1/2] audit: add call argument to socketcall auditing
Date: Tue, 03 May 2022 13:16:18 -0400 [thread overview]
Message-ID: <4396517.LvFx2qVVIh@x2> (raw)
In-Reply-To: <20220503090212.1322050-1-svens@linux.ibm.com>
Hello,
On Tuesday, May 3, 2022 5:02:11 AM EDT Sven Schnelle wrote:
> socketcall auditing misses the call argument:
>
> type=SOCKETCALL msg=audit: nargs=3 a0=10 a1=3 a2=c
>
> which renders socketcall auditing (almost) useless. Add the call
> argument so it is possible to decode the actual syscall from the
> audit log:
>
> type=SOCKETCALL msg=audit: call=1 nargs=3 a0=10 a1=3 a2=c
The call argument is in arg0 in the syscall record:

type=PROCTITLE msg=audit(1651597634.301:1034): proctitle="./test"
type=SOCKADDR msg=audit(1651597634.301:1034): saddr=020000357F0000013030303030303030
type=SOCKETCALL msg=audit(1651597634.301:1034): nargs=3 a0=3 a1=fff47510 a2=10
type=SYSCALL msg=audit(1651597634.301:1034): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=fff47520 a2=f7f306cb a3=35000002 items=0 ppid=10425 pid=10428 auid=325 uid=1325 gid=1325 euid=1325 suid=1325 fsuid=1325 egid=1325 sgid=1325 fsgid=1325 tty=pts2 ses=3 comm="test" exe="/home/socketcall/test" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="32bit-abi"
which user space translates into:

type=PROCTITLE msg=audit(05/03/2022 13:07:14.301:1034) : proctitle=./test
type=SOCKADDR msg=audit(05/03/2022 13:07:14.301:1034) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=53 }
type=SOCKETCALL msg=audit(05/03/2022 13:07:14.301:1034) : nargs=3 a0=0x3 a1=0xfff47510 a2=0x10
type=SYSCALL msg=audit(05/03/2022 13:07:14.301:1034) : arch=i386 syscall=socketcall(connect) success=no exit=ECONNREFUSED(Connection refused) a0=connect a1=0xfff47520 a2=0xf7f306cb a3=0x35000002 items=0 ppid=10425 pid=10428 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts2 ses=3 comm=test exe=/home/test/socketcall/test subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=32bit-abi
Nothing is missing.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
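The point of the reply above is that the socketcall multiplexer number is already in the event: it is a0 of the SYSCALL record, while the SOCKETCALL record carries the sub-call's own arguments (fd, sockaddr pointer, addrlen). The decoding only works when the records of one event are correlated by their audit(timestamp:serial) stamp; a SOCKETCALL line on its own cannot be named. The following is an added example, not code from the thread or from the audit userspace, that reproduces the lookup `ausearch -i` performs: arch=40000003 is read as i386, syscall=102 on that ABI as socketcall, a0=3 as connect via the SYS_* numbers of include/uapi/linux/net.h, exit=-111 as ECONNREFUSED, and the SOCKADDR hex dump as an AF_INET address. The sample input is the raw event quoted in the reply with the line-wraps undone; the i386-only arch table and the small errno table are this example's own simplifications.

```python
"""Recover the socketcall sub-call from raw audit records.

Added example for this thread, not code from it or from audit-userspace.
The multiplexer call number is a0 of the SYSCALL record; the SOCKETCALL
record holds the sub-call's own arguments. Records are correlated by the
audit(timestamp:serial) stamp shared by every record of one event.
"""
import re

# AUDIT_ARCH_I386 from linux/audit.h: EM_386 | __AUDIT_ARCH_LE.
AUDIT_ARCH_I386 = 0x40000003
# Assumption: only the i386 ABI is known here. Other ABIs that route socket
# calls through socketcall() would need their arch value and syscall number.
SOCKETCALL_SYSCALL_BY_ARCH = {AUDIT_ARCH_I386: ("i386", 102)}

# Multiplexer call numbers, SYS_* in include/uapi/linux/net.h.
SOCKETCALL_NAMES = {
    1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
    6: "getsockname", 7: "getpeername", 8: "socketpair", 9: "send",
    10: "recv", 11: "sendto", 12: "recvfrom", 13: "shutdown",
    14: "setsockopt", 15: "getsockopt", 16: "sendmsg", 17: "recvmsg",
    18: "accept4", 19: "recvmmsg", 20: "sendmmsg",
}

# Linux errno values commonly seen as exit= on failed socket calls (subset).
LINUX_ERRNO = {13: "EACCES", 98: "EADDRINUSE", 110: "ETIMEDOUT",
               111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r'audit\(([\d.]+:\d+)\)')


def parse_record(line):
    """Split one raw audit line into a dict; 'stamp' is the event id."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = STAMP_RE.search(fields.get("msg", ""))
    fields["stamp"] = m.group(1) if m else None
    return fields


def group_events(lines):
    """Group records sharing an audit(ts:serial) stamp, keyed by record type."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec["stamp"], {})[rec["type"]] = rec
    return events


def decode_sockaddr(hexstr):
    """Decode the SOCKADDR saddr= hex dump; family is host-order, port is network-order."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], "little")
    if family != 2:  # AF_INET is the only family handled in this example
        return {"family": family}
    return {"family": "AF_INET",
            "port": int.from_bytes(raw[2:4], "big"),
            "addr": ".".join(str(b) for b in raw[4:8])}


def decode_socketcall(event):
    """Name the socketcall sub-call from the SYSCALL record's arch, syscall and a0."""
    sc = event.get("SYSCALL")
    if sc is None:
        return None  # a lone SOCKETCALL record cannot be decoded
    known = SOCKETCALL_SYSCALL_BY_ARCH.get(int(sc["arch"], 16))
    if known is None or int(sc["syscall"]) != known[1]:
        return None  # not socketcall() on an ABI this example knows
    call_no = int(sc["a0"], 16)          # raw a0..a3 are hex without 0x
    exit_code = int(sc["exit"])          # raw exit is signed decimal
    result = {
        "arch": known[0],
        "syscall": "socketcall",
        "call": SOCKETCALL_NAMES.get(call_no, "unknown(%d)" % call_no),
        "success": sc["success"] == "yes",
        "exit": LINUX_ERRNO.get(-exit_code, str(exit_code)),
        "args": [],
    }
    if "SOCKETCALL" in event:  # the sub-call's own arguments
        rec = event["SOCKETCALL"]
        result["args"] = [rec["a%d" % i] for i in range(int(rec["nargs"]))]
    if "SOCKADDR" in event:
        result["peer"] = decode_sockaddr(event["SOCKADDR"]["saddr"])
    return result


# The raw event quoted in the reply, with the extraction line-wraps undone.
SAMPLE_EVENT = [
    'type=PROCTITLE msg=audit(1651597634.301:1034): proctitle="./test"',
    'type=SOCKADDR msg=audit(1651597634.301:1034): saddr=020000357F0000013030303030303030',
    'type=SOCKETCALL msg=audit(1651597634.301:1034): nargs=3 a0=3 a1=fff47510 a2=10',
    'type=SYSCALL msg=audit(1651597634.301:1034): arch=40000003 syscall=102 success=no '
    'exit=-111 a0=3 a1=fff47520 a2=f7f306cb a3=35000002 items=0 ppid=10425 pid=10428 '
    'auid=325 uid=1325 gid=1325 euid=1325 suid=1325 fsuid=1325 egid=1325 sgid=1325 '
    'fsgid=1325 tty=pts2 ses=3 comm="test" exe="/home/socketcall/test" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="32bit-abi"',
]


def decode_sample():
    """Decode the sample event; yields call=connect, exit=ECONNREFUSED, peer 127.0.0.1:53."""
    return decode_socketcall(group_events(SAMPLE_EVENT)["1651597634.301:1034"])


if __name__ == "__main__":
    print(decode_sample())
```

Run against the sample, `decode_sample()` reports socketcall(connect) failing with ECONNREFUSED towards 127.0.0.1:53, which is exactly what the interpreted `ausearch -i` output in the reply shows. The practical consequence for detection rules is that a filter on the SOCKETCALL record alone has nothing to match the sub-call on; the rule or the post-processor has to look at a0 of the SYSCALL record of the same event, which is where `-F a0=3` style matching for connect() on a socketcall ABI belongs.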
Thread overview: 18+ messages
2022-05-03  9:02 [PATCH 1/2] audit: add call argument to socketcall auditing Sven Schnelle
2022-05-03  9:02 ` [PATCH 2/2] audit: add filterkey to special audit messages Sven Schnelle
2022-05-03 16:57   ` Paul Moore
2022-05-04  5:22     ` Sven Schnelle
2022-05-03 13:32 ` [PATCH 1/2] audit: add call argument to socketcall auditing kernel test robot
2022-05-03 13:32 ` kernel test robot
2022-05-03 14:04 ` kernel test robot
2022-05-03 16:07 ` Paul Moore
2022-05-03 17:16 ` Steve Grubb [this message]