* Re: New field seen in audit.log
From: Evelyn Mitchell @ 2019-10-18 14:38 UTC (permalink / raw)
To: linux-audit
For my own learning, I'm trying to understand what personality=40000 means.
In looking at /uapi/linux/personality.h where the
personality types are defined, and manually converting 40000 to hex
0x9C40, it looks to me like the personality is set to enable:
ADDR_LIMIT_3GB = 0x8000000
SHORT_INODE = 0x1000000
ADDR_LIMIT_32BIT = 0x0800000
READ_IMPLIES_EXEC = 0x0400000
ADDR_COMPAT_LAYOUT = 0x0200000
MMAP_PAGE_ZERO = 0x0100000
ADDR_NO_RANDOMIZE = 0x0040000
But, this looks unreasonable to me as a set of flags someone would
deliberately pick, so I thought I'd ask if I'm interpreting this
correctly.
Evelyn Mitchell
> You may never have seen it before because it appears you now have a
> personality other than PER_LINUX for this event. 32-bit binary on 64
> bit? I assume your arch is x86 64 (LE)?
>
> > type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> > *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0
> > items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> > exe="/usr/bin/gdb" key=(null)
> >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
>
>
> ------------------------------
* Re: New field seen in audit.log
From: Steve Grubb @ 2019-10-18 14:56 UTC (permalink / raw)
To: linux-audit; +Cc: Evelyn Mitchell
On Friday, October 18, 2019 10:38:08 AM EDT Evelyn Mitchell wrote:
> For my own learning, I'm trying to understand what personality=40000 means.
>
> In looking at /uapi/linux/personality.h where the
> personality types are defined, and manually converting 40000 to hex
> 0x9C40, it looks to me like the personality is set to enable:
> ADDR_LIMIT_3GB = 0x8000000
> SHORT_INODE = 0x1000000
> ADDR_LIMIT_32BIT = 0x0800000
> READ_IMPLIES_EXEC = 0x0400000
> ADDR_COMPAT_LAYOUT = 0x0200000
> MMAP_PAGE_ZERO = 0x0100000
> ADDR_NO_RANDOMIZE = 0x0040000
>
> But, this looks unreasonable to me as a set of flags someone would
> deliberately pick, so I thought I'd ask if I'm interpreting this
> correctly.
I think so. The executable is gdb. It needs to disable ASLR so that it can
reliably map the symbols to addresses.
-Steve
> > You may never have seen it before because it appears you now have a
> > personality other than PER_LINUX for this event. 32-bit binary on 64
> > bit? I assume your arch is x86 64 (LE)?
> >
> > > type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> > > *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc
> > > a3=7f483b98bcc0
> > > items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000
> > > suid=1000
> > > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> > > exe="/usr/bin/gdb" key=(null)
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
> >
> >
> >
> > ------------------------------
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
* Re: New field seen in audit.log
From: Richard Guy Briggs @ 2019-10-18 15:49 UTC (permalink / raw)
To: Evelyn Mitchell; +Cc: linux-audit
On 2019-10-18 08:38, Evelyn Mitchell wrote:
> For my own learning, I'm trying to understand what personality=40000 means.
>
> In looking at /uapi/linux/personality.h where the
> personality types are defined, and manually converting 40000 to hex
> 0x9C40, it looks to me like the personality is set to enable:
> ADDR_LIMIT_3GB = 0x8000000
> SHORT_INODE = 0x1000000
> ADDR_LIMIT_32BIT = 0x0800000
> READ_IMPLIES_EXEC = 0x0400000
> ADDR_COMPAT_LAYOUT = 0x0200000
> MMAP_PAGE_ZERO = 0x0100000
> ADDR_NO_RANDOMIZE = 0x0040000
>
> But, this looks unreasonable to me as a set of flags someone would
> deliberately pick, so I thought I'd ask if I'm interpreting this
> correctly.
The per value printed is hex ("per=%lx") (so really the output could be
prefixed with 0x), so the only flag that applies is ADDR_NO_RANDOMIZE.
> Evelyn Mitchell
>
> > You may never have seen it before because it appears you now have a
> > personality other than PER_LINUX for this event. 32-bit binary on 64
> > bit? I assume your arch is x86 64 (LE)?
> >
> > > type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> > > *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0
> > > items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> > > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> > > exe="/usr/bin/gdb" key=(null)
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
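The decoding Richard describes, worked through in code. This is an added example, not something posted in the thread: it parses a SYSCALL record, reads per= as the bare hex the kernel prints (so "40000" is 0x40000 and decodes to PER_LINUX plus ADDR_NO_RANDOMIZE, not the 0x9C40 you get by treating it as decimal), treats a missing per= as PER_LINUX since the field only appears when the personality is non-zero, and then runs a small check over sample records that flags processes with ASLR disabled whose exe is not on an allowlist. The personality constants are the ones in include/uapi/linux/personality.h; the allowlist containing only /usr/bin/gdb, the second and third log lines, and the /tmp/dropper path and its pid are constructed for this example.

```python
"""Decode the audit SYSCALL per= (personality) field.  Added example, not
code from the linux-audit thread or the audit userspace tools."""

import re

# Flag bits from include/uapi/linux/personality.h (the high bits of the value).
PER_FLAGS = {
    0x0020000: "UNAME26",
    0x0040000: "ADDR_NO_RANDOMIZE",
    0x0080000: "FDPIC_FUNCPTRS",
    0x0100000: "MMAP_PAGE_ZERO",
    0x0200000: "ADDR_COMPAT_LAYOUT",
    0x0400000: "READ_IMPLIES_EXEC",
    0x0800000: "ADDR_LIMIT_32BIT",
    0x1000000: "SHORT_INODE",
    0x2000000: "WHOLE_SECONDS",
    0x4000000: "STICKY_TIMEOUTS",
    0x8000000: "ADDR_LIMIT_3GB",
}

# The base personality type lives in the low byte (PER_MASK).  The named
# PER_* constants in the header are this byte OR'ed with some of the flags
# above (e.g. PER_OSR5 and PER_SUNOS share the low byte of PER_SCOSVR3 and
# PER_BSD); here only the low byte is named.
PER_MASK = 0x00ff
PER_TYPES = {
    0x00: "PER_LINUX", 0x01: "PER_SVR4", 0x02: "PER_SVR3",
    0x03: "PER_SCOSVR3", 0x04: "PER_WYSEV386", 0x05: "PER_ISCR4",
    0x06: "PER_BSD", 0x07: "PER_XENIX", 0x08: "PER_LINUX32",
    0x09: "PER_IRIX32", 0x0a: "PER_IRIXN32", 0x0b: "PER_IRIX64",
    0x0c: "PER_RISCOS", 0x0d: "PER_SOLARIS", 0x0e: "PER_UW7",
    0x0f: "PER_OSF4", 0x10: "PER_HPUX",
}

# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field name -> raw string value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_personality(per_text):
    """Decode a per= value.  The kernel prints it with "%lx", so the text is
    hex without a 0x prefix: "40000" means 0x40000, not 40000 decimal."""
    value = int(per_text, 16)
    low = value & PER_MASK
    base = PER_TYPES.get(low, "PER_UNKNOWN(0x%02x)" % low)
    flags = [name for bit, name in sorted(PER_FLAGS.items()) if value & bit]
    leftover = value & ~PER_MASK & ~sum(PER_FLAGS)
    if leftover:
        flags.append("UNKNOWN(0x%x)" % leftover)
    return base, flags


def personality_of(record):
    """per= is a swinging field: it is only emitted when the personality
    differs from PER_LINUX (0), so a missing field means PER_LINUX."""
    return decode_personality(record.get("per", "0"))


def flag_aslr_disabled(lines, expected_exes=("/usr/bin/gdb",)):
    """Return (pid, exe) for SYSCALL records that ran with ADDR_NO_RANDOMIZE
    set and whose exe is not a program expected to disable ASLR.  The
    allowlist is a constructed example, not a recommendation."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        _, flags = personality_of(rec)
        if "ADDR_NO_RANDOMIZE" in flags and rec.get("exe") not in expected_exes:
            hits.append((int(rec["pid"]), rec["exe"]))
    return hits


# Sample records: the first is the one posted in the thread; the other two
# are constructed for this example (pids, arguments and /tmp/dropper are made up).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3 per=40000 '
    'success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0 items=0 ppid=2653 '
    'pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb" exe="/usr/bin/gdb" key=(null)',
    # Ordinary process with personality PER_LINUX: no per= field at all.
    'type=SYSCALL msg=audit(1571245600.000:43600): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=7ffd00 a2=0 a3=0 items=1 ppid=1 pid=3001 '
    'auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 '
    'fsgid=1000 tty=pts1 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)',
    # Constructed: something other than a debugger running with ASLR off.
    'type=SYSCALL msg=audit(1571245700.000:43700): arch=c000003e syscall=59 per=40000 '
    'success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=7ffd30 a3=0 items=2 ppid=2900 pid=4242 '
    'auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 '
    'fsgid=1000 tty=pts2 ses=3 comm="dropper" exe="/tmp/dropper" key=(null)',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_record(line)
        base, flags = personality_of(rec)
        print(rec["pid"], rec["exe"], base, "|".join(flags) or "-")
    print("ASLR disabled outside allowlist:", flag_aslr_disabled(SAMPLE_LOG))
```

Run stand-alone it prints one line per record and then the single hit for pid 4242. For real logs, feed it the raw records from /var/log/audit/log; ausearch -i, as Steve suggests, does the same interpretation for you, and the point of doing it by hand here is only to see why the value must be read as hex.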
* New field seen in audit.log
From: Ankitha Kundhuru @ 2019-10-16 19:36 UTC (permalink / raw)
To: linux-audit, Steve Grubb
Hi All,
I found a new word "per" in some of the records of my audit.log.
Any idea of why this happened and what it means ?
type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
*per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0
items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
exe="/usr/bin/gdb" key=(null)
Thank you :)
Thanks & Regards,
Ankitha Kundhuru
* Re: New field seen in audit.log
From: Richard Guy Briggs @ 2019-10-16 20:12 UTC (permalink / raw)
To: Ankitha Kundhuru; +Cc: linux-audit
On 2019-10-16 15:36, Ankitha Kundhuru wrote:
> Hi All,
>
> I found a new word "per" in some of the records of my audit.log.
> Any idea of why this happened and what it means ?
This is a "swinging" field, which means that it only appears when it is
different from an expected value (zero usually expected).
That isn't new. It has been there since the very first audit commit,
commit b7b0074ca3c9fe22d07b97e42a99c8b27be6307f
Author: Andrew Morton <akpm@osdl.org>
AuthorDate: 2004-04-11 23:29:12 -0700
Light-weight Auditing Framework
From: Rik Faith <faith@redhat.com>
You may never have seen it before because it appears you now have a
personality other than PER_LINUX for this event. 32-bit binary on 64
bit? I assume your arch is x86 64 (LE)?
> type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0
> items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> exe="/usr/bin/gdb" key=(null)
>
> Thank you :)
>
> Thanks & Regards,
> Ankitha Kundhuru
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: New field seen in audit.log
From: Steve Grubb @ 2019-10-16 20:15 UTC (permalink / raw)
To: Ankitha Kundhuru; +Cc: linux-audit
Hello,
On Wednesday, October 16, 2019 3:36:43 PM EDT Ankitha Kundhuru wrote:
> I found a new word "per" in some of the records of my audit.log.
> Any idea of why this happened
The process personality is not normal.
> and what it means ?
https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L176
You can use ausearch -i to decode it.
-Steve
> type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0
> items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> exe="/usr/bin/gdb" key=(null)
>
> Thank you :)
>
> Thanks & Regards,
> Ankitha Kundhuru