On Fri, Jun 2, 2023 at 1:32 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:
Zdenek,
ausearch only searches /var/log/audit/audit.log with SYSCALL number listed
inside the audit.log
for example:
ausearch -i -sc 208
The ausearch command interprets all audited data:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=PROCTITLE msg=audit(06/02/2023 09:32:12.249:244) : proctitle=/usr/bin/python3 /usr/libexec/rhsm-service
type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=1 name=/run/dbus-BOb77zvRHz nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/02/2023 09:32:12.249:244) : cwd=/
type=SOCKADDR msg=audit(06/02/2023 09:32:12.249:244) : saddr={ saddr_fam=local path=/run/dbus-BOb77zvRHz }
type=SYSCALL msg=audit(06/02/2023 09:32:12.249:244) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7ffc3c871540 a2=0x16 a3=0x0 items=2 ppid=1 pid=3252 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/bin/python3.11 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(06/02/2023 09:32:12.249:244) : avc: denied { create } for pid=3252 comm=rhsm-service name=dbus-BOb77zvRHz scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0
There is also the ausyscall command
# ausyscall --dump | grep -w 208
208 io_getevents
Thanks.
----henry
On Thu, Jun 1, 2023 at 8:13 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:
> Zdenek,
>
> Would you please give a sample to run research to find out arch?
> Thanks.
>
> ---henry
>
> On Thu, Jun 1, 2023, 00:48 Zdenek Pytela <zpytela(a)redhat.com> wrote:
>
>>
>>
>> On Wed, May 31, 2023 at 9:47 PM Henry Zhang <henryzhang62(a)gmail.com>
>> wrote:
>>
>>> Hi folks,
>>>
>>> I want to analyze audit.log and see
>>> arch=c00000b7 syscall=35
>>>
>>> Where can I find what c00000b7 and 35 mean respectively for arm64
>>> device?
>>>
>> Hi,
>>
>> You'd better use the ausearch/aureport commands with the -i switch to
>> interpret them.
>>
>> --
>>
>> Zdenek Pytela
>> Security SELinux team
>>
>
--
Zdenek Pytela
Security SELinux team
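To go with the ausearch -i / ausyscall discussion in the thread above, here is an added example (written for this page; it is not code from the thread's participants or from the audit-userspace project) that decodes the raw arch= and syscall= fields of an un-interpreted SYSCALL record the way ausearch -i does. The arch value is the kernel's AUDIT_ARCH_* constant: the low 16 bits hold the ELF e_machine number (0xb7 is AArch64, 0x3e is x86-64), bit 31 marks a 64-bit ABI and bit 30 little-endian, which is why arm64 records show c00000b7. Syscall numbers are per-architecture, so the script carries only a small constructed subset of the tables (x86_64 from the kernel's x86 table, aarch64 from asm-generic/unistd.h); the authoritative table for a given machine is ausyscall --dump. The sample records are constructed, not taken from the thread.

```python
"""Decode raw audit SYSCALL records (arch=, syscall=, exit=) offline.

Added example for this thread, not audit-userspace code. The arch bit layout
follows the kernel audit ABI (AUDIT_ARCH_*); syscall tables here are a
constructed subset. Use `ausyscall --dump` for the full per-arch table.
"""
import errno
import os
import re

AUDIT_ARCH_64BIT = 0x80000000   # bit 31: 64-bit ABI
AUDIT_ARCH_LE = 0x40000000      # bit 30: little-endian

# ELF e_machine values (low 16 bits of the arch field)
ELF_MACHINES = {0x03: "i386", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64"}

# Constructed subset of per-architecture syscall tables; real analysis should
# load the full table (e.g. parse the output of `ausyscall --dump`).
SYSCALL_TABLES = {
    "x86_64":  {35: "nanosleep", 49: "bind", 208: "io_getevents"},
    "aarch64": {35: "unlinkat", 200: "bind"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_arch(raw):
    """Split an AUDIT_ARCH_* value ('c00000b7' or an int) into machine/bits/endian."""
    value = int(raw, 16) if isinstance(raw, str) else raw
    machine = value & 0xFFFF
    return {
        "machine": ELF_MACHINES.get(machine, "em_%#x" % machine),
        "bits": 64 if value & AUDIT_ARCH_64BIT else 32,
        "endian": "little" if value & AUDIT_ARCH_LE else "big",
    }


def parse_record(line):
    """Turn the key=value fields of one raw audit record into a dict."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # msg=audit(<epoch>.<ms>:<serial>) carries the timestamp and event serial;
    # the serial is what ties SYSCALL, PATH, AVC, ... records of one event together.
    m = re.search(r'msg=audit\(([\d.]+):(\d+)\)', line)
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def interpret_syscall(line):
    """Interpret arch, syscall number and exit status of a raw SYSCALL record."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        raise ValueError("not a SYSCALL record")
    arch = decode_arch(rec["arch"])
    nr = int(rec["syscall"])
    # Unknown numbers are kept visible rather than guessed: the number is only
    # meaningful together with the architecture it was recorded on.
    name = SYSCALL_TABLES.get(arch["machine"], {}).get(nr, "unknown(%d)" % nr)
    exit_code = int(rec["exit"])
    if exit_code < 0:
        # A negative exit is -errno; render it like ausearch -i does.
        err = errno.errorcode.get(-exit_code, "errno%d" % -exit_code)
        exit_text = "%s(%s)" % (err, os.strerror(-exit_code))
    else:
        exit_text = str(exit_code)
    return {"arch": arch["machine"], "bits": arch["bits"], "syscall": name,
            "exit": exit_text, "serial": rec.get("serial")}


# Constructed raw records (what audit.log holds before ausearch -i interprets
# them). The first mirrors the thread's x86_64 bind/EACCES denial; the second is
# an invented arm64 record with the arch/syscall values asked about.
SAMPLES = [
    'type=SYSCALL msg=audit(1685691132.249:244): arch=c000003e syscall=49 '
    'success=no exit=-13 a0=9 a1=7ffc3c871540 a2=16 a3=0 items=2 ppid=1 '
    'pid=3252 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="rhsm-service" '
    'exe="/usr/bin/python3.11" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)',
    'type=SYSCALL msg=audit(1685691200.000:300): arch=c00000b7 syscall=35 '
    'success=yes exit=0 a0=ffffff9c a1=aaaae0b2c2f0 a2=0 a3=0 items=2 ppid=1 '
    'pid=4100 auid=1000 uid=1000 gid=1000 comm="rm" exe="/usr/bin/rm" key=(null)',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(interpret_syscall(sample))
```

Run it as a script to see both constructed records interpreted; to apply it to a real log, read /var/log/audit/audit.log line by line and pass each line whose type=SYSCALL to interpret_syscall, after replacing SYSCALL_TABLES with the full table for the machine the log came from (a log from an arm64 device must be decoded with the arm64 table even when analysed on an x86_64 box, which is exactly why the arch field is recorded alongside the number).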