On Mon, Mar 28, 2022 at 11:22 PM CGEL <[email protected]> wrote: > On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote: > > On Mon, Mar 28, 2022 at 9:48 PM CGEL <[email protected]> wrote: > > > Sorry could anybody give a hand to solve this? It works well on x86_64 > > > and arm64. > > > I have no alpha environment and not familiar to this arch, much thanks! > > > > Regardless of if this is fixed, I'm not convinced this is something we > > want to merge. After all, a process executed a syscall and we should > > process it like any other; just because it happens to be an > > unrecognized syscall on a particular kernel build doesn't mean it > > isn't security relevant (probing for specific syscall numbers may be a > > useful attack fingerprint). > > Thanks for your reply. > > But syscall number less than 0 is even invalid for auditctl. So we > will never hit this kind of audit rule. And invalid syscall number > will always cause failure early in syscall handle. > > sh-4.2# auditctl -a always,exit -F arch=b64 -S -1 > Syscall name unknown: -1
You can add an audit filter without explicitly specifying a syscall: % auditctl -a exit,always -F auid=1000 % auditctl -l -a always,exit -S all -F auid=1000 -- paul-moore.com -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
