arch=c00000b7 syscall=35 - selinux - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

arch=c00000b7 syscall=35

Re: find context of the command...

find context of the command process

Henry Zhang

Wednesday, 31 May 2023 Wed, 31 May '23

2:47 p.m.

Hi folks, I want to analyze audit.log and see arch=c00000b7 syscall=35 Where can I find what c00000b7 and 35 mean respectively for arm64 device? Thanks. ---henry

Attachments:

attachment.html (text/html — 301 bytes)

Reply

Show replies by date

Zdenek Pytela

Thursday, 1 June Thu, 1 Jun

2:47 a.m.

On Wed, May 31, 2023 at 9:47 PM Henry Zhang <henryzhang62(a)gmail.com> wrote:

Hi folks, I want to analyze audit.log and see arch=c00000b7 syscall=35 Where can I find what c00000b7 and 35 mean respectively for arm64 device?

Hi, You'd better use the ausearch/aureport commands with the -i switch to interpret them. -- Zdenek Pytela Security SELinux team

Reply

Henry Zhang

10:13 a.m.

Zdenek, Would you please give a sample to run research to find out arch? Thanks. ---henry On Thu, Jun 1, 2023, 00:48 Zdenek Pytela <zpytela(a)redhat.com> wrote:

On Wed, May 31, 2023 at 9:47 PM Henry Zhang <henryzhang62(a)gmail.com> wrote: > Hi folks, > > I want to analyze audit.log and see > arch=c00000b7 syscall=35 > > Where can I find what c00000b7 and 35 mean respectively for arm64 device? > Hi, You'd better use the ausearch/aureport commands with the -i switch to interpret them. -- Zdenek Pytela Security SELinux team

Reply

Henry Zhang

6:31 p.m.

Zdenek, ausearch only searches /var/log/audit/audit.log with SYSCALL number listed inside the audit.log for example: ausearch -i -sc 208 Thanks. ----henry On Thu, Jun 1, 2023 at 8:13 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:

Zdenek, Would you please give a sample to run research to find out arch? Thanks. ---henry On Thu, Jun 1, 2023, 00:48 Zdenek Pytela <zpytela(a)redhat.com> wrote: > > > On Wed, May 31, 2023 at 9:47 PM Henry Zhang <henryzhang62(a)gmail.com> > wrote: > >> Hi folks, >> >> I want to analyze audit.log and see >> arch=c00000b7 syscall=35 >> >> Where can I find what c00000b7 and 35 mean respectively for arm64 device? >> > Hi, > > You'd better use the ausearch/aureport commands with the -i switch to > interpret them. > > -- > > Zdenek Pytela > Security SELinux team >

Reply

Zdenek Pytela

Friday, 2 June Fri, 2 Jun

10:48 a.m.

On Fri, Jun 2, 2023 at 1:32 AM Henry Zhang <henryzhang62(a)gmail.com> wrote:

Zdenek, ausearch only searches /var/log/audit/audit.log with SYSCALL number listed inside the audit.log for example: ausearch -i -sc 208

The ausearch command interprets all audited data: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent ---- type=PROCTITLE msg=audit(06/02/2023 09:32:12.249:244) : proctitle=/usr/bin/python3 /usr/libexec/rhs m-service type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=1 name=/run/dbus-BOb77zvRHz nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_ fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(06/02/2023 09:32:12.249:244) : cwd=/ type=SOCKADDR msg=audit(06/02/2023 09:32:12.249:244) : saddr={ saddr_fam=local path=/run/dbus-BOb77 zvRHz } type=SYSCALL msg=audit(06/02/2023 09:32:12.249:244) : arch=x86_64 syscall=bind success=no exit=EACC ES(Permission denied) a0=0x9 a1=0x7ffc3c871540 a2=0x16 a3=0x0 items=2 ppid=1 pid=3252 auid=unset ui d=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/bin/python3.11 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) type=AVC msg=audit(06/02/2023 09:32:12.249:244) : avc: denied { create } for pid=3252 comm=rhsm- service name=dbus-BOb77zvRHz scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:r hsmcertd_var_run_t:s0 tclass=sock_file permissive=0 There is also the ausyscall command # ausyscall --dump | grep -w 208 208 io_getevents

Thanks. ----henry On Thu, Jun 1, 2023 at 8:13 AM Henry Zhang <henryzhang62(a)gmail.com> wrote: > Zdenek, > > Would you please give a sample to run research to find out arch? > Thanks. > > ---henry > > On Thu, Jun 1, 2023, 00:48 Zdenek Pytela <zpytela(a)redhat.com> wrote: > >> >> >> On Wed, May 31, 2023 at 9:47 PM Henry Zhang <henryzhang62(a)gmail.com> >> wrote: >> >>> Hi folks, >>> >>> I want to analyze audit.log and see >>> arch=c00000b7 syscall=35 >>> >>> Where can I find what c00000b7 and 35 mean respectively for arm64 >>> device? >>> >> Hi, >> >> You'd better use the ausearch/aureport commands with the -i switch to >> interpret them. >> >> -- >> >> Zdenek Pytela >> Security SELinux team >> >

-- Zdenek Pytela Security SELinux team

Reply

335

days inactive

337

days old

selinux@lists.fedoraproject.org

Manage subscription

4 comments

2 participants

tags (0)

participants (2)

Henry Zhang
Zdenek Pytela