* Problem regards event fields a0-a3 in audit logs
@ 2016-11-30  8:40 C.y
From: C.y @ 2016-11-30  8:40 UTC (permalink / raw)
  To: linux-audit



Hi all,

I looked into the audit log and found myself having difficulty understanding
the event fields a0-a3.

I tried to look for an answer but couldn't find any references for the
following questions:
  1. What are the initial values of a0-a3, and
  2. Is there any way to get the 5th and above arguments?

The audit system reference from Red Hat
(https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html)
does mention that the first four arguments of a system call are recorded, but
doesn't mention what their initial values are when a system call requires
fewer than four arguments.
For example, what will the values of a1, a2, a3 be when the system call
'close' is invoked? ('close' only takes 1 argument:
http://man7.org/linux/man-pages/man2/close.2.html)

At first I guessed that they might contain the a1-a3 values from the
previous syscall record, so I started doing some experiments on the audit
log I have collected
(https://drive.google.com/file/d/0B85cIbQMuvqDSHVGSHdDVjRWdHc/view):

`$ ausyscall --dump | grep 6 | head -n 1` returns
6       close

and below is part of my audit log that contains 2 syscall records:
...
type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192
per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812
items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill"
exe="/opt/vc/bin/raspistill" key=(null)
type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6
per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891
pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
...

The second syscall record shows that a1's value was somehow modified, which
proved that my guess that they would contain the previously invoked syscall's
a1 value (1000) is wrong. That's how I got confused and am writing to seek an
answer regarding this question.

Second, I wonder if there is a way for me to know the 5th and above
arguments of a particular system call, i.e. _llseek, which takes 5 arguments?

Thanks a lot for all your help in advance!


Cheers.
Ching-Yi Ng


* Re: Problem regards event fields a0-a3 in audit logs
From: Steve Grubb @ 2016-11-30 15:10 UTC (permalink / raw)
  To: linux-audit; +Cc: C.y

On Wednesday, November 30, 2016 4:40:01 PM EST C.y wrote:
> I looked into the audit log and found myself having difficulty understanding
> the event fields a0-a3.
> 
> I tried to look for an answer but couldn't find any references for the
> following questions:
>   1. What are the initial values of a0-a3, and

Whatever was passed as arguments for the current syscall.

>   2. Is there any way to get the 5th and above arguments?

Nope. There is only 1 syscall that I know of that has a security relevant 
argument higher than what is recorded. This is mmap. What we do is record that 
value in a special AUDIT_MMAP auxiliary record. If there were any other 
syscalls that had security relevant arguments higher than the first 4 I suspect 
we'd do the same thing again.


> The audit system reference from Red Hat
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html)
> does mention that the first four arguments of a system call are recorded, but
> doesn't mention what their initial values are when a system call requires
> fewer than four arguments.
> For example, what will the values of a1, a2, a3 be when the system call
> 'close' is invoked? ('close' only takes 1 argument:
> http://man7.org/linux/man-pages/man2/close.2.html)

AFAIK, they are whatever is in memory. There is nothing that tells you they 
are or are not valid. You would have to know that the syscall takes 2 
arguments and just look at the first 2.

> At first I guessed that they might contain the a1-a3 values from the
> previous syscall record, so I started doing some experiments on the audit
> log I have collected
> (https://drive.google.com/file/d/0B85cIbQMuvqDSHVGSHdDVjRWdHc/view):
> 
> `$ ausyscall --dump | grep 6 | head -n 1` returns
> 6       close
> 
> and below is part of my audit log that contains 2 syscall records:
> ...
> type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192
> per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812
> items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill"
> exe="/opt/vc/bin/raspistill" key=(null)
> type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
> type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
> type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6
> per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891
> pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
> ...
> 
> The second syscall record shows that a1's value was somehow modified, which
> proved that my guess that they would contain the previously invoked syscall's
> a1 value (1000) is wrong. That's how I got confused and am writing to seek an
> answer regarding this question.

Best way to look at the records is ausearch -i.

> Second, I wonder if there is a way for me to know the 5th and above
> arguments of a particular system call, i.e. _llseek, which takes 5 arguments?

Answered above.

-Steve
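As an added example (not code from the thread or from the audit project), here is a small parser that applies the two points made above: it groups records by event serial, reads only as many of the a0-a3 slots as the syscall actually takes (treating the rest as leftover register contents), and picks mmap's fifth argument out of the auxiliary AUDIT_MMAP record. The per-arch argument table is a hypothetical stub covering just the two syscalls in the sample; the sample records are the ones quoted in the thread, joined onto single lines.

```python
import re

# Constructed sample: the two events quoted in the thread, each record on one line.
# arch=40000028 is ARM EABI; on that arch syscall 192 is mmap2 and 6 is close.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192 per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6 per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
"""

# Assumed table (hypothetical, covers only the sample): per arch, the syscall's
# name and how many of a0-a3 are real arguments. Anything beyond that count is
# whatever happened to be in the registers and must be ignored, not interpreted.
ARG_NAMES = {
    "40000028": {
        6: ("close", ["fd"]),
        192: ("mmap2", ["addr", "length", "prot", "flags"]),  # fd, pgoff are args 5-6
    },
}

RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by event serial: {serial: {record type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        events.setdefault(int(serial), {})[rtype] = fields
    return events


def decode_event(event):
    """Return (syscall name, dict of the arguments that are actually meaningful)."""
    sc = event["SYSCALL"]
    name, names = ARG_NAMES[sc["arch"]][int(sc["syscall"])]
    # a0-a3 are hex; only the first len(names) of them carry meaning here.
    args = {n: int(sc["a%d" % i], 16) for i, n in enumerate(names)}
    if "MMAP" in event:
        # Arguments past the fourth never appear in a0-a3; for mmap the kernel
        # emits fd (and repeats flags) in the auxiliary AUDIT_MMAP record instead.
        aux = event["MMAP"]
        args["fd"] = int(aux["fd"])
        assert int(aux["flags"], 16) == args["flags"], "MMAP flags disagree with a3"
    return name, args
```

Running `decode_event` over event 198 yields only `fd=3`; the a1=5 that puzzled the original poster is never consulted because close takes one argument.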
