Red Hat Bugzilla – Bug 223864
LSPP: Exceptions to expected audit behavior should be documented
Last modified: 2007-11-30 17:07:40 EST
Description of problem:
There are several audit records that don't appear in the audit log as would be
expected by a system admin. We think these should be documented, possibly in
the auditctl manpage or wherever you feel is appropriate. Here are two bug
references where such cases were figured out:
Per 2/12, Steve G. is evaluating alternatives.
Let me know what you'd like me to do with this one.
Several syscalls when run in 32 bit mode on s390x are ORing 0x4900000000 (notice
that is too big for a 32 bit field) with the 4th audited argument. Again, I
think this could be happening at the glibc level because when I strace the
test the value has already been ORed. However, I see the same result when I
change the test to call with syscall(__NR_###.
The syscalls I have observed this with include: fchownat, fgetxattr, fsetxattr,
getxattr, lgetxattr, lsetxattr, mknodat, mmap, mq_timedsendreceive, mremap,
openat, ptrace, renameat, setxattr, linkat.
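
An added example, not part of the bug report: a check over SYSCALL audit records that flags any of a0 to a3 carrying bits above bit 31 when the record's arch value lacks the 64-bit flag, and reports the low 32 bits alongside the raw value. The log lines are constructed, the syscall number in them is a placeholder, and the function names are hypothetical.

```python
import re

AUDIT_ARCH_64BIT = 0x80000000  # __AUDIT_ARCH_64BIT flag in the kernel's audit arch value
FIELD_RE = re.compile(r"(\w+)=(\S+)")
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")

# Constructed sample records (not taken from the bug report).
# arch=16 is 31-bit s390 (EM_S390, no 64-bit flag); arch=80000016 is s390x.
# syscall=0 is a placeholder, not a real syscall number.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1170000000.100:41): arch=16 syscall=0 success=yes exit=0 a0=3 a1=7ffff000 a2=1a4 a3=4900000100 items=1 pid=2101 comm="test"
type=SYSCALL msg=audit(1170000000.200:42): arch=16 syscall=0 success=yes exit=0 a0=3 a1=7ffff000 a2=1a4 a3=100 items=1 pid=2102 comm="test"
type=SYSCALL msg=audit(1170000000.300:43): arch=80000016 syscall=0 success=yes exit=0 a0=3 a1=3ff0000 a2=1a4 a3=4900000100 items=1 pid=2103 comm="test"
type=PATH msg=audit(1170000000.300:43): item=0 name="/tmp/x" inode=12
"""


def find_wide_args(log_text):
    """Return one finding per a0..a3 value wider than 32 bits on a 32-bit ABI."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") != "SYSCALL":
            continue
        arch = int(fields["arch"], 16)
        if arch & AUDIT_ARCH_64BIT:
            continue  # 64-bit ABI: values above 32 bits are legitimate
        serial = SERIAL_RE.search(fields["msg"])
        for name in ("a0", "a1", "a2", "a3"):
            value = int(fields[name], 16)  # audit logs a0..a3 in hex
            if value >> 32:
                findings.append({
                    "serial": int(serial.group(1)) if serial else None,
                    "arg": name,
                    "raw": value,
                    "high": value >> 32,           # bits that cannot come from a 32-bit caller
                    "low32": value & 0xFFFFFFFF,   # the value a 32-bit caller could have passed
                })
    return findings


if __name__ == "__main__":
    for f in find_wide_args(SAMPLE_LOG):
        print("event %(serial)s: %(arg)s raw=%(raw)#x high=%(high)#x low32=%(low32)#x" % f)
```
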
This will be fixed by updating documentation in the configuration guide. Closing.