User-Agent:
Build Identifier:

When using LAuS as a debugging / investigative tool, there was a need to audit all operations on files matching the name /etc/mtab*. In particular, the open, link, fcntl and flock system calls were of great importance. To achieve this a filter conf was created looking like:

    predicate is-mtab = prefix("/etc/mtab");
    set file-open = { "open", "fcntl", "flock", "stat", "stat64", "read", "write", "dup", "dup2" };
    tag "FILE_access" syscall @file-open = is-mtab(arg0);

LAuS was then configured to turn on auditing system wide with:

    echo 1 > /proc/sys/dev/audit/attach-all

While this successfully captured most of the system calls requested, it missed all occurrences of fcntl() and flock(). At the same time it printed messages in the logs:

    kernel: Audit daemon registered (process 27009)
    kernel: Filter target 0x0 not known or not supported in this context
    last message repeated 4 times
    kernel: Audit daemon registered (process 27072)
    kernel: Filter target 0x0 not known or not supported in this context
    last message repeated 30 times
    kernel: Filter target 0x0 not known or not supported in this context
    last message repeated 173 times
    last message repeated 28 times

When the fcntl() and flock() calls were removed from the audit set these messages went away. Looking in the kernel source, it would appear that these two system calls do not have their arguments analyzed.

Reproducible: Always

Steps to Reproduce:
1. Try to filter recording of flock() and fcntl() system calls based on filename using the prefix() function
2.
3.

Actual Results:
Messages thrown in system logs; no use of flock() and fcntl() recorded

Expected Results:
flock() and fcntl() recorded as matching the predicates

If LAuS were extended to analyze the arguments of every single system call in the kernel, it would be much more valuable as a system-wide debugging tool.
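A small reproducer for the steps above, added here as an illustration and not part of the bug report or of LAuS itself. It issues the system calls from the reporter's file-open set against one path so the resulting audit records can be compared with the filter. Two things it makes visible that the filter text alone does not: open() and stat() take the pathname as their first argument, whereas fcntl(), flock(), read(), dup() and dup2() take a file descriptor, so those calls can only be generated after a successful open(). The temporary file path, the function names and the hypothetical target path passed on the command line are assumptions for the example; run it against a copy of the target rather than /etc/mtab itself unless auditing the real file is intended.

```c
#define _DEFAULT_SOURCE
/* Added example, not the reporter's or the LAuS project's code. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Issue the calls from the reporter's audit set against `path`:
 * open, stat, fcntl, flock, read, dup, dup2 (write is skipped because the
 * file is opened read-only; stat64 is the same call as stat on LFS builds).
 * Returns the number of calls that succeeded (7 when everything works),
 * or -1 if the file cannot be opened at all.
 * Note the argument kinds: open/stat receive the pathname as arg0, the
 * others receive a file descriptor as arg0. */
int exercise_path(const char *path)
{
    int ok = 0;
    int fd, fd2;
    struct stat st;
    char buf[64];

    fd = open(path, O_RDONLY);                 /* open(arg0 = pathname) */
    if (fd < 0) {
        perror("open");
        return -1;
    }
    ok++;
    if (stat(path, &st) == 0) ok++;            /* stat(arg0 = pathname) */
    if (fcntl(fd, F_GETFL) != -1) ok++;        /* fcntl(arg0 = fd) */
    if (flock(fd, LOCK_SH) == 0) ok++;         /* flock(arg0 = fd) */
    if (read(fd, buf, sizeof buf) >= 0) ok++;  /* read(arg0 = fd) */
    fd2 = dup(fd);                             /* dup(arg0 = fd) */
    if (fd2 >= 0) ok++;
    if (fd2 >= 0 && dup2(fd, fd2) == fd2) ok++; /* dup2(arg0 = fd) */

    flock(fd, LOCK_UN);
    if (fd2 >= 0) close(fd2);
    close(fd);
    return ok;
}

/* Create a throwaway file with constructed mtab-like content and run the
 * reproducer against it, so the example works without touching /etc/mtab.
 * Returns exercise_path()'s result. The path template is an assumption. */
int run_repro(void)
{
    char tmpl[] = "/tmp/mtab-repro-XXXXXX";
    const char *line = "/dev/sda1 / ext4 rw 0 0\n"; /* constructed sample */
    int fd = mkstemp(tmpl);
    int result;

    if (fd < 0) {
        perror("mkstemp");
        return -1;
    }
    if (write(fd, line, strlen(line)) < 0)
        perror("write");
    close(fd);

    result = exercise_path(tmpl);
    unlink(tmpl);
    return result;
}

int main(int argc, char **argv)
{
    /* With an argument, exercise that path (e.g. a copy of /etc/mtab);
     * without one, use a temporary file. */
    int n = (argc > 1) ? exercise_path(argv[1]) : run_repro();
    if (n < 0)
        return 1;
    printf("%d of 7 calls succeeded\n", n);
    return 0;
}
```

After running it under a filter like the one in the report, each call whose first argument is a pathname and each call whose first argument is a descriptor can be checked separately in the audit log to see which of them produced a FILE_access record.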
Extending LAuS support to all of the system calls would increase the functionality of the product so it could be used for system-wide monitoring. LAuS implemented support for the system calls that were required for EAL3 certification. We have added additional system calls over the last two updates as requested by @Sec and other users involved in certification. Moving ahead, we should associate this work with a feature request, as it represents an extension of LAuS's functionality.