Ah, the 0x was it! It was producing the wrong rule:

Wrong: LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=40086602 (0x263ac4a) key=chattr1 syscall=ioctl
Right: LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=chattr3 syscall=ioctl

You are right: if I specify a path for this rule, it stops working.

Thank you very much for your help, Steve.

Cheers,
Max

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Steve Grubb
Sent: 24 August 2011 16:53
To: [email protected]
Subject: Re: Auditing the "chattr" command (ioctl syscall?)

On Wednesday, August 24, 2011 10:40:32 AM Steve Grubb wrote:
> So, the rule is:
>
> -a always,exit -F arch=b64 -S ioctl -F a1=40086602

One correction, you need a 0x in that:

-a always,exit -F arch=b64 -S ioctl -F a1=0x40086602

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
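The number in that rule is not arbitrary: 0x40086602 is the kernel's encoding of FS_IOC_SETFLAGS (defined as _IOW('f', 2, long) in linux/fs.h), the ioctl chattr uses to set attribute flags. The encoding packs direction, argument size, type letter and command number into one word, and because the size field is sizeof(long), the value for an arch=b32 rule is 0x40046602, not 0x40086602. The program below is an added example written for this thread, not code from the linux-audit project or from either poster. It decodes a request number into its fields, regenerates FS_IOC_SETFLAGS for both ABIs, reproduces the decimal-versus-hex mix-up seen above (strtoul with base 0 is used here as a model of the parser's behaviour, an assumption, not auditctl's own code), and prints the rule for each ABI with an assumed key name of "chattr". It hard-codes the asm-generic ioctl layout used by x86 and ARM; PowerPC, MIPS, SPARC and Alpha place the direction bits differently.

```c
/* Added example for the linux-audit "chattr" thread: decode and regenerate
 * the FS_IOC_SETFLAGS ioctl number used in the -F a1= filter.
 * Not code from the audit project. Uses the asm-generic ioctl layout
 * (x86, ARM, arm64); other architectures encode the direction differently. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)
#define IOC_WRITE     1U
#define IOC_READ      2U

struct ioctl_parts { unsigned dir, size, type, nr; };

/* Build a request number the way the kernel's _IOC() macro does. */
static unsigned long ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return ((unsigned long)dir  << IOC_DIRSHIFT)  |
           ((unsigned long)size << IOC_SIZESHIFT) |
           ((unsigned long)type << IOC_TYPESHIFT) |
           ((unsigned long)nr   << IOC_NRSHIFT);
}

/* FS_IOC_SETFLAGS is _IOW('f', 2, long): the size field is sizeof(long),
 * so the value depends on the ABI (8 bytes for b64, 4 bytes for b32). */
static unsigned long fs_ioc_setflags(unsigned sizeof_long)
{
    return ioc_encode(IOC_WRITE, 'f', 2, sizeof_long);
}

/* Split a request number back into its four fields. */
static void ioc_decode(unsigned long req, struct ioctl_parts *p)
{
    p->dir  = (req >> IOC_DIRSHIFT)  & ((1U << 2) - 1);
    p->size = (req >> IOC_SIZESHIFT) & ((1U << IOC_SIZEBITS) - 1);
    p->type = (req >> IOC_TYPESHIFT) & ((1U << IOC_TYPEBITS) - 1);
    p->nr   = (req >> IOC_NRSHIFT)   & ((1U << IOC_NRBITS) - 1);
}

/* Check that a value really is FS_IOC_SETFLAGS for the given ABI. */
static int is_fs_ioc_setflags(unsigned long req, unsigned sizeof_long)
{
    struct ioctl_parts p;
    ioc_decode(req, &p);
    return p.dir == IOC_WRITE && p.type == 'f' && p.nr == 2 && p.size == sizeof_long;
}

/* Model of the parsing pitfall from the thread (assumption: strtoul base 0):
 * "0x..." is read as hex, a bare digit string as decimal. */
static unsigned long parse_a1(const char *text)
{
    return strtoul(text, NULL, 0);
}

/* Render the rule for an ABI; key name "chattr" is an assumed choice. */
static const char *audit_rule_for(unsigned sizeof_long)
{
    static char buf[128];
    snprintf(buf, sizeof buf,
             "-a always,exit -F arch=b%u -S ioctl -F a1=0x%lx -k chattr",
             sizeof_long * 8, fs_ioc_setflags(sizeof_long));
    return buf;
}

int main(void)
{
    /* Constructed inputs: the two spellings that appeared in the thread. */
    const char *samples[] = { "40086602", "0x40086602" };
    for (size_t i = 0; i < 2; i++) {
        unsigned long v = parse_a1(samples[i]);
        struct ioctl_parts p;
        ioc_decode(v, &p);
        printf("a1=%-11s -> %lu (0x%lx): dir=%u size=%u type=0x%02x nr=%u%s\n",
               samples[i], v, v, p.dir, p.size, p.type, p.nr,
               is_fs_ioc_setflags(v, 8) ? "  [FS_IOC_SETFLAGS on b64]" : "");
    }
    puts(audit_rule_for(8));
    puts(audit_rule_for(4));
    return 0;
}
```

Run it on the box where the rule will be loaded and compare the printed value against `auditctl -l` output; if the listed a1 does not decode to dir=1, type=0x66 ('f'), nr=2 with the size matching the ABI, the rule will never match chattr's ioctl.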
