From mboxrd@z Thu Jan 1 00:00:00 1970
From: Max Williams
Subject: Auditing the "chattr" command (ioctl syscall?)
Date: Wed, 24 Aug 2011 13:57:13 +0000
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

I would like to be able to audit the syscalls that the chattr command uses but I'm not having much luck.

In an effort to see the syscalls used, I created a rule to log all syscalls, like this:

# auditctl -a exit,always -F path=/root/file

Then run this:

# chattr +i /root/file

This produces a series of two syscalls in the logs, 6 (sys_newlstat) and 2 (sys_open):

node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53158): arch=c000003e syscall=6 success=yes exit=0 a0=7ffff0f8886c a1=7ffff0f88250 a2=7ffff0f88250 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)
node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53160): arch=c000003e syscall=2 success=yes exit=3 a0=7ffff0f8886c a1=800 a2=7ffff0f88170 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)

I don't think these are the syscalls I want to audit, they would be far too frequent. I also noticed when I run a strace on the chattr command it looks like it uses ioctl, e.g.:

ioctl(3, EXT2_IOC_SETFLAGS, 0x7fff0314cf3c)

What audit rule could I use to achieve this? Is it a combination of specifying syscall 6 or 2 with some of a0, a1 or a2? Or is this not possible?

I've tried auditing file attribute changes (auditctl -a exit,always -F arch=b64 -p a) but it does not work.

Many thanks,
Max Williams

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditing the "chattr" command (ioctl syscall?)
Date: Wed, 24 Aug 2011 10:40:32 -0400
Message-ID: <201108241040.32951.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, August 24, 2011 09:57:13 AM Max Williams wrote:
> Hi,
> I would like to be able to audit the syscalls that the chattr command uses
> but I'm not having much luck.
> In an effort to see the syscalls used, I
> created a rule to log all syscalls, like this: # auditctl -a exit,always
> -F path=/root/file
>
> Then run this:
> # chattr +i /root/file
>
> This produces a series of two syscalls in the logs, 6 (sys_newlstat) and 2
> (sys_open): node=localhost.localdomain type=SYSCALL
> msg=audit(1314189320.335:53158): arch=c000003e syscall=6 success=yes
> exit=0 a0=7ffff0f8886c a1=7ffff0f88250 a2=7ffff0f88250 a3=1 items=1
> ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr"
> key=(null) node=localhost.localdomain type=SYSCALL
> msg=audit(1314189320.335:53160): arch=c000003e syscall=2 success=yes
> exit=3 a0=7ffff0f8886c a1=800 a2=7ffff0f88170 a3=1 items=1 ppid=15560
> pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)
>
> I don't think these are the syscalls I want to audit,

nope. You can use the autrace program also and get a strace-like list of syscalls made by the process.

> they would be far too
> frequent. I also noticed when I run a strace on the chattr command it
> looks like it uses ioctl, eg: ioctl(3, EXT2_IOC_SETFLAGS, 0x7fff0314cf3c)
>
> What audit rule could I use to achieve this?

It starts off like this:

-a always,exit -F arch=b64 -S ioctl

Then you need to look at the man page for ioctl. The first argument is the FD, so you will not have an a0 since that could be different from program to program. Then you need to look in the header files for the definition of EXT2_IOC_SETFLAGS.
/usr/include/linux/ext2_fs.h
#define EXT2_IOC_SETFLAGS		FS_IOC_SETFLAGS

/usr/include/linux/fs.h
#define FS_IOC_SETFLAGS			_IOW('f', 2, long)

/usr/include/asm-generic/ioctl.h
#define _IOW(type,nr,size)	_IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
#define _IOC(dir,type,nr,size) \
	(((dir)  << _IOC_DIRSHIFT) | \
	 ((type) << _IOC_TYPESHIFT) | \
	 ((nr)   << _IOC_NRSHIFT) | \
	 ((size) << _IOC_SIZESHIFT))
# define _IOC_WRITE	1U

Looks hard to figure out? Let's make a program:

#include <stdio.h>
#include <linux/fs.h>        /* FS_IOC_SETFLAGS */
#include <linux/ext2_fs.h>   /* EXT2_IOC_SETFLAGS -> FS_IOC_SETFLAGS */

int main(void)
{
	/* cast so the argument matches the %lX conversion */
	printf("%lX\n", (unsigned long)EXT2_IOC_SETFLAGS);
	return 0;
}

It returns this:

40086602

So, the rule is:

-a always,exit -F arch=b64 -S ioctl -F a1=40086602

I don't know if the syscall requires more arguments. You would have to look at the chattr program for more. Also note that you might want a matching b32 rule also. If you wanted to limit this to a file, then put a -F path= on that also. Adding a key field helps in searching later.

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Max Williams
Subject: RE: Auditing the "chattr" command (ioctl syscall?)
Date: Wed, 24 Aug 2011 15:31:10 +0000
References: <201108241040.32951.sgrubb@redhat.com>
In-Reply-To: <201108241040.32951.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi Steve,

Thanks for the informative reply. I hadn't used autrace before, looks very handy. I am wondering why this rule would log chattr...

-a always,exit -F arch=b64 -S ioctl -F a1=40086602 -F path=/root/file

...but not this one?

-a exit,always -F path=/root/file

In the second rule, is it not implied that all syscalls would be logged? Wouldn't that include ioctl?

I still can't get auditd to log chattr, I'll show you:

[root@localhost ~]# auditctl -D
No rules
[root@localhost ~]# autrace /usr/bin/chattr +i file
Waiting to execute: /usr/bin/chattr
Cleaning up...
Trace complete.
You can locate the records with 'ausearch -i -p 16312'
[root@localhost ~]#
[root@localhost ~]# ausearch -i -p 16312 | grep ioctl
node=localhost.localdomain type=SYSCALL msg=audit(08/24/2011 15:10:29.752:54096) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=3 a1=80086601 a2=7fff1271bf9c a3=1 items=0 ppid=16310 pid=16312 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1198 comm=chattr exe=/usr/bin/chattr key=(null)
node=localhost.localdomain type=SYSCALL msg=audit(08/24/2011 15:10:29.752:54100) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=3 a1=40086602 a2=7fff1271bf9c a3=0 items=0 ppid=16310 pid=16312 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1198 comm=chattr exe=/usr/bin/chattr key=(null)
[root@localhost ~]#
[root@localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F a1=40086602 -k chattr1
[root@localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F a1=80086601 -k chattr2
[root@localhost ~]#
[root@localhost ~]# chattr +i file
[root@localhost ~]# chattr -i file
[root@localhost ~]#
[root@localhost ~]# tail -4 /var/log/audit/audit.log
node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1314195029.752:54103): auid=0 ses=1198 op="remove rule" key=(null) list=4 res=1
node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1314195029.752:54104): auid=0 ses=1198 op="remove rule" key=(null) list=4 res=1
node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1314195046.666:54105): auid=0 ses=1198 op="add rule" key="chattr1" list=4 res=1
node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1314195054.962:54106): auid=0 ses=1198 op="add rule" key="chattr2" list=4 res=1
[root@localhost ~]#

So it just doesn't log anything after adding the two rules.
I also tried just auditing all ioctl syscalls for a path:

[root@localhost ~]# auditctl -D
No rules
[root@localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F path=/root/temp -k chattr3
[root@localhost ~]# chattr +i /root/temp/file

But still no dice. This is on a standard x86_64 RHEL6 host with audit-2.0.4-1.el6.x86_64. Am I missing something obvious?

Thanks,
Max

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditing the "chattr" command (ioctl syscall?)
Date: Wed, 24 Aug 2011 11:50:23 -0400
Message-ID: <201108241150.23379.sgrubb@redhat.com>
References: <201108241040.32951.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, August 24, 2011 11:31:10 AM Max Williams wrote:
> Thanks for the informative reply. I hadn't used autrace before, looks very
> handy. I am wondering why this rule would log chattr...
> -a always,exit -F arch=b64 -S ioctl -F a1=40086602 -F path=/root/file
>
> ...but not this one?
> -a exit,always -F path=/root/file

When you do not give a syscall and it's a path or directory based rule, it selects the syscalls for you based on what kind of permissions are passed. No permissions being passed defaults to all. The resulting list will not include an ioctl.

> In the second rule, is it not implied that all syscalls would be logged?
> Wouldn't that include ioctl?

No. You could add -S all and then it would.

> I also tried just auditing all ioctl syscalls for a path:
> [root@localhost ~]# auditctl -D
> No rules
> [root@localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F
> path=/root/temp -k chattr3 [root@localhost ~]# chattr +i /root/temp/file
>
> But still no dice. This is on a standard x86_64 RHEL6 host with
> audit-2.0.4-1.el6.x86_64. Am I missing something obvious?

Then I guess you cannot limit the auditing to a file. The ioctl is passed a fd, which is an integer. The audit system does not keep any list of associated fd-to-name mappings. So, the only time it knows the string is during the open syscall. I guess you'll have to drop the -F path=/root/temp/file and you will get the chattr, but you will get all chattr events.
I don't think there are too many of those going on for a normal system.

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditing the "chattr" command (ioctl syscall?)
Date: Wed, 24 Aug 2011 11:53:15 -0400
Message-ID: <201108241153.15707.sgrubb@redhat.com>
References: <201108241040.32951.sgrubb@redhat.com>
In-Reply-To: <201108241040.32951.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, August 24, 2011 10:40:32 AM Steve Grubb wrote:
> So, the rule is:
>
> -a always,exit -F arch=b64 -S ioctl -F a1=40086602

One correction, you need a 0x in that:

-a always,exit -F arch=b64 -S ioctl -F a1=0x40086602

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Max Williams
Subject: RE: Auditing the "chattr" command (ioctl syscall?)
Date: Wed, 24 Aug 2011 16:04:39 +0000
References: <201108241040.32951.sgrubb@redhat.com> <201108241153.15707.sgrubb@redhat.com>
In-Reply-To: <201108241153.15707.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Ah, the 0x was it! It was producing the wrong rule:

Wrong:
LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=40086602 (0x263ac4a) key=chattr1 syscall=ioctl

Right:
LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=chattr3 syscall=ioctl

You are right, if I specify a path for this rule, it stops working.

Thank you very much for your help Steve.

Cheers,
Max

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit