Hi folks,
I want to analyze audit.log and see arch=c00000b7 syscall=35
Where can I find what c00000b7 and 35 mean respectively for arm64 device?
Thanks.
---henry
On Wed, May 31, 2023 at 9:47 PM Henry Zhang henryzhang62@gmail.com wrote:
Hi,
You'd better use the ausearch/aureport commands with the -i switch to interpret them.
Zdenek,
Would you please give a sample to run ausearch to find out arch? Thanks.
---henry
On Thu, Jun 1, 2023, 00:48 Zdenek Pytela zpytela@redhat.com wrote:
--
Zdenek Pytela Security SELinux team
Zdenek,
ausearch only searches /var/log/audit/audit.log with the SYSCALL number listed inside the audit.log, for example: ausearch -i -sc 208
Thanks.
----henry
On Thu, Jun 1, 2023 at 8:13 AM Henry Zhang henryzhang62@gmail.com wrote:
On Fri, Jun 2, 2023 at 1:32 AM Henry Zhang henryzhang62@gmail.com wrote:
The ausearch command interprets all audited data:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=PROCTITLE msg=audit(06/02/2023 09:32:12.249:244) : proctitle=/usr/bin/python3 /usr/libexec/rhsm-service
type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=1 name=/run/dbus-BOb77zvRHz nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/02/2023 09:32:12.249:244) : cwd=/
type=SOCKADDR msg=audit(06/02/2023 09:32:12.249:244) : saddr={ saddr_fam=local path=/run/dbus-BOb77zvRHz }
type=SYSCALL msg=audit(06/02/2023 09:32:12.249:244) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7ffc3c871540 a2=0x16 a3=0x0 items=2 ppid=1 pid=3252 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/bin/python3.11 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(06/02/2023 09:32:12.249:244) : avc: denied { create } for pid=3252 comm=rhsm-service name=dbus-BOb77zvRHz scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0
There is also the ausyscall command:
# ausyscall --dump | grep -w 208
208 io_getevents
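For readers who want to decode the raw fields themselves (for instance when the log was copied off the arm64 box and ausearch -i is not at hand), here is a small decoder added to this thread as an example; it is not code from the thread or from the audit project. The arch= value is the kernel's AUDIT_ARCH_* constant from include/uapi/linux/audit.h: the low 16 bits are the ELF e_machine number (0xb7 is EM_AARCH64, 0x3e is EM_X86_64) and the high bits flag a 64-bit ABI (0x80000000) and little-endian (0x40000000), so c00000b7 is 64-bit little-endian aarch64. Syscall numbers are per-architecture (arm64 uses the generic table, where 35 is unlinkat, while 35 on x86_64 is something else entirely). The syscall table embedded below is a partial, hand-constructed subset for illustration; the authoritative list for a machine is what `ausyscall aarch64 --dump` (or `ausyscall aarch64 35`) prints on a host with audit installed. The sample record is constructed, not real log data.

```python
import re

# Bit layout of the kernel's AUDIT_ARCH_* values (include/uapi/linux/audit.h):
# the low 16 bits hold the ELF e_machine number (EM_*), the top bits are flags.
AUDIT_ARCH_64BIT = 0x80000000            # 64-bit ABI
AUDIT_ARCH_LE = 0x40000000               # little-endian
AUDIT_ARCH_CONVENTION_MASK = 0x30000000  # calling-convention bits (e.g. MIPS N32)

# ELF machine numbers -> names. Constructed, partial table; extend as needed.
EM_NAMES = {
    0x03: "i386",
    0x28: "arm",
    0x3e: "x86_64",
    0xb7: "aarch64",
}

# Partial syscall tables, constructed for this example from the kernel headers
# (asm-generic/unistd.h for aarch64, asm/unistd_64.h for x86_64).
# The authoritative list on a given box is `ausyscall <arch> --dump`.
SYSCALL_NAMES = {
    "aarch64": {35: "unlinkat", 56: "openat", 63: "read", 64: "write",
                93: "exit", 200: "bind", 221: "execve"},
    "x86_64": {0: "read", 1: "write", 2: "open", 49: "bind", 59: "execve",
               208: "io_getevents", 257: "openat", 263: "unlinkat"},
}


def decode_arch(arch_hex):
    """Turn the raw arch= value (hex string) into (machine name, bits, endianness)."""
    value = int(arch_hex, 16)
    machine = value & 0xFFFF
    name = EM_NAMES.get(machine, "EM_%d" % machine)
    bits = 64 if value & AUDIT_ARCH_64BIT else 32
    endian = "little" if value & AUDIT_ARCH_LE else "big"
    return name, bits, endian


def syscall_name(arch_name, number):
    """Look up a syscall number for the given machine; None if not in our table."""
    return SYSCALL_NAMES.get(arch_name, {}).get(number)


# Raw (non-interpreted) records carry arch as hex and syscall as a number;
# output already passed through `ausearch -i` has names here and is not matched.
SYSCALL_RE = re.compile(r"\barch=([0-9a-fA-F]+)\b.*?\bsyscall=(\d+)\b")


def interpret_record(line):
    """Decode arch= and syscall= from one raw SYSCALL record.

    Returns a dict with the decoded fields, or None if the line is not a
    raw SYSCALL record.
    """
    if "type=SYSCALL" not in line:
        return None
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    name, bits, endian = decode_arch(m.group(1))
    number = int(m.group(2))
    return {
        "arch": name,
        "bits": bits,
        "endian": endian,
        "syscall": number,
        "syscall_name": syscall_name(name, number) or "unknown (check ausyscall)",
    }


# Constructed sample record mirroring the poster's arch=c00000b7 syscall=35
# (hypothetical values, not real log data).
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1685560000.123:244): arch=c00000b7 syscall=35 success=no '
    'exit=-13 a0=0xffffff9c a1=0xaaaae3f0c2a0 a2=0x0 a3=0x0 items=2 ppid=1 pid=3252 '
    'auid=4294967295 uid=0 gid=0 comm="rm" exe="/usr/bin/rm" '
    'subj=system_u:system_r:unconfined_t:s0 key=(null)'
)

if __name__ == "__main__":
    print(interpret_record(SAMPLE_RECORD))
```

Running the script on the sample prints aarch64, 64-bit, little-endian, syscall 35 = unlinkat. For any number outside the embedded subset the decoder reports that it is unknown rather than guessing, which is the point: the arch name is decodable from the bit layout alone, but the syscall name must come from the table for that architecture, which is exactly what ausyscall provides.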
selinux@lists.fedoraproject.org