Hi,
I would like to be able to audit the syscalls that the chattr command uses but I'm not having much luck.
In an effort to see the syscalls used, I created a rule to log all syscalls, like this:
# auditctl -a exit,always -F path=/root/file

Then run this:
# chattr +i /root/file

This produces series of two syscalls in the logs, 6 (sys_newlstat) and 2 (sys_open):
node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53158): arch=c000003e syscall=6 success=yes exit=0 a0=7ffff0f8886c a1=7ffff0f88250 a2=7ffff0f88250 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)
node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53160): arch=c000003e syscall=2 success=yes exit=3 a0=7ffff0f8886c a1=800 a2=7ffff0f88170 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)

I don't think these are the syscalls I want to audit, they would be far too frequent. I also noticed when I run a strace on the chattr command it looks like it uses ioctl, eg:
ioctl(3, EXT2_IOC_SETFLAGS, 0x7fff0314cf3c)

What audit rule could I use to achieve this? Is it a combination of specifying syscall 6 or 2 with some of a0, a1 or a2? Or is this not possible?

I've tried auditing file attribute changes (auditctl -a exit,always -F arch=b64 -p a) but it does not work.

Many thanks,
Max Williams

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________