From: Steve Grubb
Subject: Re: Problem regards event fields a0-a3 in audit logs
Date: Wed, 30 Nov 2016 10:10:12 -0500
Message-ID: <3413858.KZtK622jJD@x2>
To: linux-audit@redhat.com
Cc: "C.y"
List-Id: linux-audit@redhat.com

On Wednesday, November 30, 2016 4:40:01 PM EST C.y wrote:
> I looked into the audit log and found myself having difficulty in understanding
> the event fields a0-a3.
>
> I tried to look for an answer but couldn't get any references for the
> following questions:
> 1. What are the initial values of a0-a3, and

Whatever was passed as arguments for the current syscall.

> 2. Is there any way to get the 5th and above arguments?

Nope. There is only 1 syscall that I know of that has a security relevant
argument higher than what is recorded. This is mmap. What we do is record
that value in a special AUDIT_MMAP auxiliary record. If there were any other
syscalls that had security relevant arguments higher than the first 4 I
suspect we'd do the same thing again.

> The audit system reference from Red Hat
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html)
> did mention that the first four arguments of a system call are recorded, but
> didn't mention what their initial values are when a system call requires
> fewer than four arguments.
> For example, what will the values of a1, a2, a3 be when the system call
> 'close' is invoked? ('close' only takes 1 argument,
> http://man7.org/linux/man-pages/man2/close.2.html)

AFAIK, they are whatever is in memory. There is nothing that tells you they
are or are not valid. You would have to know that the syscall takes 2
arguments and just look at the first 2.

> At first I guessed that they might contain the a1-a3 values from the
> previous syscall record, so I started doing some experiments on the audit
> log I have collected
> (https://drive.google.com/file/d/0B85cIbQMuvqDSHVGSHdDVjRWdHc/view):
>
> `$ ausyscall --dump | grep 6 | head -n 1` returns
> 6 close
>
> and below is the part of my audit log that contains 2 syscall records:
> ...
> type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192
> per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812
> items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill"
> exe="/opt/vc/bin/raspistill" key=(null)
> type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
> type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
> type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6
> per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891
> pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
> ...
>
> The second syscall record shows that the a1 value is somehow modified,
> which eventually proved that my guess that they would contain the previously
> invoked syscall's a1 value (1000) is wrong. That's how I got myself confused
> and wrote to seek an answer regarding this question.

Best way to look at the records is ausearch -i.

> Second, I wonder if there is a way for me to know the 5th and above
> arguments of a particular system call, i.e. _llseek that takes 5 arguments?

Answered above.

-Steve
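The two points Steve makes above (a0-a3 are only meaningful up to the syscall's real argument count, and mmap's extra arguments live in the AUDIT_MMAP auxiliary record) can be turned into a small log post-processor. The following is an added example written for this reply, not code from the audit project or from either poster. It reuses the two events quoted in the thread as its constructed sample input and assumes a hypothetical per-arch argument-count table (`ARG_COUNTS`) that a real tool would derive from `ausyscall` or the kernel's syscall tables; the entries shown are for AUDIT_ARCH_ARM (arch=40000028), where syscall 6 is close(2) and syscall 192 is mmap2(2).

```python
import re

# Constructed sample input: the two events quoted in the thread, one record per line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192 per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6 per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
"""

# Hypothetical argument-count table, keyed by the arch field, then syscall number.
# arch=40000028 is AUDIT_ARCH_ARM; on ARM EABI 6 = close(2) (1 arg), 192 = mmap2(2) (6 args).
# Assumption for this example only; a real tool would build this from ausyscall.
ARG_COUNTS = {
    "40000028": {6: 1, 192: 6},
}

# key=value pairs; values may be quoted ("raspistill"), parenthesised ((null)) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# msg=audit(<timestamp>:<serial>) ties every record of one event together.
MSG_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of its fields plus the event serial."""
    fields = dict(FIELD_RE.findall(line))
    m = MSG_RE.search(line)
    fields["_serial"] = int(m.group(2)) if m else None
    return fields


def group_events(text):
    """Group records by event serial: SYSCALL, MMAP, PROCTITLE ... of one event share it."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["_serial"], []).append(rec)
    return events


def syscall_args(event):
    """Return (syscall number, the a0..a3 values the syscall actually consumes, mmap flags or None).

    Audit always records a0-a3, whether or not the syscall uses them, so anything past
    the syscall's arity is stale register/memory contents and is dropped here. For mmap,
    the 5th argument (fd) and the flags are repeated in the MMAP auxiliary record.
    """
    sc = next(r for r in event if r["type"] == "SYSCALL")
    nr = int(sc["syscall"])
    raw = [int(sc[f"a{i}"], 16) for i in range(4)]  # a0-a3 are printed in hex
    arity = ARG_COUNTS.get(sc["arch"], {}).get(nr)
    valid = raw if arity is None else raw[:min(arity, 4)]  # unknown syscall: keep all four
    mmap = next((r for r in event if r["type"] == "MMAP"), None)
    flags = int(mmap["flags"], 16) if mmap else None
    return nr, valid, flags


def mmap_fd(event):
    """The fd passed to mmap (its 5th argument) is only available from the MMAP record."""
    mmap = next((r for r in event if r["type"] == "MMAP"), None)
    return int(mmap["fd"]) if mmap else None


if __name__ == "__main__":
    for serial, event in sorted(group_events(SAMPLE_LOG).items()):
        nr, args, flags = syscall_args(event)
        print(f"event {serial}: syscall={nr} args={[hex(a) for a in args]} "
              f"mmap_flags={flags if flags is None else hex(flags)} mmap_fd={mmap_fd(event)}")
```

For event 198 (close) only a0=3 survives, which is what Steve's advice amounts to: know the arity and ignore the rest. For event 197 the fourth argument a3=812 is the mmap flags and agrees with the MMAP record's flags=0x812, while fd=3 (the argument beyond a3) is recoverable only from that auxiliary record.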