Description of problem: There are several audit records that don't appear in the audit log as would be expected by a system admin. We think these should be documented, possibly in the auditctl manpage or where ever you feel is appropriate. Here are two bug references where such cases were figured out: * https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219214 * https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221663
per 2/12, Steve G. is evaluating alternatives.
Let me know what you'd like me to do with this one. Several syscalls when run in 32 bit mode on s390x are ORing 0x4900000000 (notice that is too big for a 32 bit field) with the 4th audited argument. Again, I think this is could be happening at the glibc level because when I strace the test the value has already been ORed. However, I see the same result when I change the test to call with syscall(__NR_###. The syscalls I have observed this with include: fchownat, fgetxattr, fsetxattr, getxattr, lgetxattr, lsetxattr, mknodat, mmap, mq_timedsendreceive, mremap, openat, ptrace, renameat, setxattr, linkat.
This will be fixed by updating documentation in the configuration guide. Closing.