Assorted questions

Assorted questions

[Matthew Booth]

[-- Attachment #1.1: Type: text/plain, Size: 738 bytes --]

Questions relate to RHEL4 (unless they don't).

What are the meanings of the following fields from the SYSCALL record:
* items
* fsuid
* fsgid

What are the meanings of the following fields from the PATH record:
* flags 
* rdev

How can I programmatically translate an architecture into human, eg
40000003 => 'i686'?

Is there a way of doing a syscall name lookup without having root?

In RHEL5, what's the equivalent of 'auditctl -t'?

Is there any master documentation I've missed? I'm only aware of the man
pages.

Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Assorted questions

[Debora Velarde]

[-- Attachment #1.1: Type: text/plain, Size: 1357 bytes --]

linux-audit-bounces@redhat.com wrote on 08/09/2007 07:34:06 AM:

Hi Matt,

> Questions relate to RHEL4 (unless they don't).
>
> What are the meanings of the following fields from the SYSCALL record:
> * items
      the number of path records in the event

> * fsuid
      Filesystem User ID

> * fsgid
      Filesystem Group ID
>
> What are the meanings of the following fields from the PATH record:
> * flags
      file system namei flags

> * rdev
      device identifier
>
> How can I programmatically translate an architecture into human, eg
> 40000003 => 'i686'?
When creating a rule with auditctl, you should be able to use either 'b32'
or 'b64' for the architecture.
If you're trying to read the audit log, ausearch has an option "-i" that
interprets numeric items into text.  I'm not sure how well it works with
the arch fields, but might be worth a try.

>
> Is there a way of doing a syscall name lookup without having root?
Without root access, I'm not sure.  You could probably find the syscall
table for your arch type online.

>
> In RHEL5, what's the equivalent of 'auditctl -t'?
Sorry I've forgotten what -t meant in auditctl.

>
> Is there any master documentation I've missed? I'm only aware of the man
> pages.
http://people.redhat.com/sgrubb/audit/

Hope that helps,
debora

----
Debora Velarde
Linux Security
IBM Linux Technology Center

[-- Attachment #1.2: Type: text/html, Size: 1955 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Assorted questions

[Steve Grubb]

On Thursday 09 August 2007 10:34:06 Matthew Booth wrote:
> Questions relate to RHEL4 (unless they don't).
>
> How can I programmatically translate an architecture into human, eg
> 40000003 => 'i686'?

>From ausearch source code, ausearch-report.c:

static void print_arch(const char *val)
{
        unsigned int ival;
        const char *ptr;

        errno = 0;
        ival = strtoul(val, NULL, 16);
        if (errno) {
                printf("conversion error(%s) ", val);
                return;
        }
        machine = audit_elf_to_machine(ival);
        if (machine < 0) {
                printf("unknown elf type(%s) ", val);
                return;
        }
        ptr = audit_machine_to_name(machine);
        printf("%s ", ptr);
}


> Is there a way of doing a syscall name lookup without having root?

You do not have to have root to call either of these functions:

extern int audit_name_to_syscall(const char *sc, int machine);
extern const char *audit_syscall_to_name(int sc, int machine);


> In RHEL5, what's the equivalent of 'auditctl -t'?

auditctl -t does not exist anymore.

-Steve