Re: Audit not recording the correct syscall return value in Fedora 10?

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Tony Jones <tonyj@suse.de>
To: Paul Moore <paul.moore@hp.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit not recording the correct syscall return value in Fedora 10?
Date: Thu, 7 May 2009 16:05:00 -0700	[thread overview]
Message-ID: <20090507230500.GA24658@suse.de> (raw)
In-Reply-To: <200905051550.01946.paul.moore@hp.com>

On Tue, May 05, 2009 at 03:50:01PM -0400, Paul Moore wrote:

> No problem.  As far as I'm aware the discussion never went beyond this thread 
> as I was unable to recreate the problem with the (then) current kernels but it 
> may not be a bad idea to get the arch folks and perhaps lkml involved if we 
> can narrow this down a little.

Doesn't reproduce for me with 2.6.30-rc4-git1.

For our SLES11 kernel (2.6.27+patches) I needed your entry_64.S change to fix
the problem.

With just commit 6d208da89aabee8502debe842832ca0ab298d16d I get:

[snippet]

Starting auditd                                                      done
----
time->Thu May  7 12:51:46 2009
type=SYSCALL msg=audit(1241725906.513:121): arch=c000003e syscall=175 success=yes exit=0 a0=7f95478e2000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd                                                 done
Starting auditd                                                      done
----
time->Thu May  7 12:51:46 2009
type=SYSCALL msg=audit(1241725906.768:128): arch=c000003e syscall=175 success=yes exit=0 a0=7f2425e10000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4488 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd                                                 done
Starting auditd                                                      done
----
time->Thu May  7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.024:135): arch=c000003e syscall=175 success=no exit=-131939334922280 a0=7f9901b9a000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4551 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd                                                 done
Starting auditd                                                      done
----
time->Thu May  7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.288:142): arch=c000003e syscall=175 success=no exit=-131939285508136 a0=7f0807b15000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4614 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd                                                 done
Starting auditd                                                      done
----
time->Thu May  7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.544:149): arch=c000003e syscall=175 success=yes exit=0 a0=7f053f482000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4677 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd 


test case:

for i in `seq 1 100`; do cat /dev/null > /var/log/audit/audit.log;  rmmod dummy; rcauditd restart; auditctl -a entry,always -S init_module; modprobe dummy; ausearch -c modprobe; done

This is on a Core2Duo.

Tony

next prev parent reply	other threads:[~2009-05-07 23:05 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-04-07 15:34 Audit not recording the correct syscall return value in Fedora 10? Paul Moore
2009-04-08  2:44 ` Klaus Heinrich Kiwi
2009-04-08 21:38   ` Paul Moore
2009-05-05 18:15   ` Tony Jones
2009-05-05 18:08 ` Tony Jones
2009-05-05 18:22   ` Paul Moore
2009-05-05 19:07     ` Tony Jones
2009-05-05 19:20       ` Paul Moore
2009-05-05 19:34         ` Tony Jones
2009-05-05 19:50           ` Paul Moore
2009-05-07 23:05             ` Tony Jones [this message]
2009-05-08 13:22               ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090507230500.GA24658@suse.de \
    --to=tonyj@suse.de \
    --cc=linux-audit@redhat.com \
    --cc=paul.moore@hp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox