From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "C.y" <cyng93@gmail.com>
Subject: Re: Problem regards event fields a0-a3 in audit logs
Date: Wed, 30 Nov 2016 10:10:12 -0500
Message-ID: <3413858.KZtK622jJD@x2>
In-Reply-To: <CABYhOswoSALK3mJ3JoEakr_BYJUm+zcZWLk7qcJkWevZLyO67w@mail.gmail.com>
On Wednesday, November 30, 2016 4:40:01 PM EST C.y wrote:
> I looked into the audit log and found myself having difficulty in understanding
> the event fields a0-a3.
>
> I tried to look for an answer but couldn't find any references for the
> following questions:
> 1. What are the initial values of a0-a3, and
Whatever was passed as arguments for the current syscall.
> 2. Is there any way to get the 5th and higher arguments?
Nope. There is only 1 syscall that I know of that has a security relevant
argument higher than what is recorded. This is mmap. What we do is record that
value in a special AUDIT_MMAP auxiliary record. If there were any other
syscalls that had security relevant arguments higher than the first 4 I suspect
we'd do the same thing again.
> The Audit system reference from Red Hat (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html)
> did mention that the first four arguments of a system call are recorded,
> but didn't mention what their initial values are when a system call
> requires fewer than four arguments.
> For example, what will the values of a1, a2, a3 be when the system call
> 'close' is invoked? ('close' only takes 1 argument:
> http://man7.org/linux/man-pages/man2/close.2.html)
AFAIK, they are whatever is in memory. There is nothing that tells you they
are or are not valid. You would have to know that the syscall takes 2
arguments and just look at the first 2.
> At first I guessed that they might contain the a1-a3 values from the
> previous syscall record, so I started doing some experiments on the audit
> log I have collected (https://drive.google.com/file/d/0B85cIbQMuvqDSHVGSHdDVjRWdHc/view):
>
> `$ ausyscall --dump | grep 6 | head -n 1` returns
> 6 close
>
> and below is part of my audit log that contains 2 syscall records:
> ...
> type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192 per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
> type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
> type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
> type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6 per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
> ...
>
> The second syscall record shows that a1's value is somehow modified,
> which eventually proved that my guess that they would contain the previously
> invoked syscall's a1 value (1000) is wrong. That's how I got myself confused
> and wrote to seek an answer regarding this question.
Best way to look at the records is ausearch -i.
> Second, I wonder if there is a way for me to know the 5th and higher
> arguments of a particular system call, e.g. _llseek, which takes 5 arguments?
Answered above.
-Steve
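Added example, not part of the thread and not code from the audit project: a small Python parser that applies Steve's advice to the records quoted above. It groups the raw records by event serial, keeps only as many of a0-a3 as the syscall's arity allows (the rest are register leftovers, not arguments), reports that a5/a6 are simply absent, and pulls fd and flags out of the MMAP auxiliary record for the mmap event. The arity table is a constructed two-entry stand-in: 6=close is the `ausyscall --dump` result quoted in the thread, while 192=mmap2 on arch 40000028 (ARM EABI) is an assumption to confirm with `ausyscall arm 192`. The sample log lines are the ones from the mail with the line wrapping undone.

```python
import re
from typing import Dict, List

# Constructed sample: the records quoted in the thread, one audit record per line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192 per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6 per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
"""

# Syscall name and argument count per number for arch=40000028 (ARM EABI).
# Constructed, deliberately tiny table covering only the sample: 6=close is the
# `ausyscall --dump` result quoted in the thread; 192=mmap2 is ASSUMED from the
# ARM EABI syscall table (confirm with `ausyscall arm 192` before relying on it).
ARITY = {
    6: ("close", 1),
    192: ("mmap2", 6),
}

# key=value pairs; values are quoted strings, parenthesised tokens like (null),
# or bare tokens. msg=audit(TIMESTAMP:SERIAL): is parsed separately.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw audit line into a field dict, with the msg=audit(...)
    token expanded into 'timestamp' and 'serial'."""
    fields = dict(FIELD_RE.findall(line))
    m = MSG_RE.match(fields.pop("msg", ""))
    if m is None:
        raise ValueError("record without msg=audit(...): %r" % line)
    fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def group_events(text: str) -> Dict[int, List[Dict[str, str]]]:
    """Group records by event serial: one SYSCALL plus its auxiliary records."""
    events: Dict[int, List[Dict[str, str]]] = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(int(rec["serial"]), []).append(rec)
    return events


def syscall_args(event: List[Dict[str, str]]) -> Dict[str, object]:
    """Return only the argument values the kernel actually consumed.

    a0-a3 are always present (hex, no 0x prefix). Slots past the syscall's
    arity hold whatever was in the registers and are dropped, not decoded.
    Arguments 5 and 6 are never in the SYSCALL record; for mmap the kernel
    emits an MMAP auxiliary record carrying fd and flags instead.
    """
    sc = next(r for r in event if r["type"] == "SYSCALL")
    name, arity = ARITY.get(int(sc["syscall"]), ("unknown", 4))  # unknown: keep all four
    args = [int(sc["a%d" % i], 16) for i in range(min(arity, 4))]
    result: Dict[str, object] = {
        "syscall": name,
        "args": args,
        "exit": int(sc["exit"]),
        "missing": ["a%d" % i for i in range(4, arity)],  # slots the record cannot have
    }
    for r in event:
        if r["type"] == "MMAP":
            result["mmap"] = {"fd": int(r["fd"]), "flags": int(r["flags"], 16)}
    return result


if __name__ == "__main__":
    for serial, event in sorted(group_events(SAMPLE_LOG).items()):
        print(serial, syscall_args(event))
```

Run against the sample, event 198 reduces to `close(3)` with a1-a3 discarded, and event 197 reports a0-a3 for mmap2, lists a4 and a5 as unavailable, and supplies fd=3 and flags=0x812 from the MMAP record; its exit value 1995763712 is 0x76f4f000, the address passed in a0. On a real log, `ausearch -i` does the number-to-name resolution for you, but the arity-based trimming is still something your own tooling has to do, because nothing in the record marks which of a0-a3 are live.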
Thread overview:
2016-11-30 8:40 Problem regards event fields a0-a3 in audit logs C.y
2016-11-30 15:10 ` Steve Grubb [this message]