On Fri, Jun 2, 2023 at 1:32 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Zdenek,

ausearch only searches /var/log/audit/audit.log with the SYSCALL number listed inside the audit.log, for example:

ausearch -i -sc 208
The ausearch command interprets all audited data:

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=PROCTITLE msg=audit(06/02/2023 09:32:12.249:244) : proctitle=/usr/bin/python3 /usr/libexec/rhsm-service
type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=1 name=/run/dbus-BOb77zvRHz nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/02/2023 09:32:12.249:244) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/02/2023 09:32:12.249:244) : cwd=/
type=SOCKADDR msg=audit(06/02/2023 09:32:12.249:244) : saddr={ saddr_fam=local path=/run/dbus-BOb77zvRHz }
type=SYSCALL msg=audit(06/02/2023 09:32:12.249:244) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7ffc3c871540 a2=0x16 a3=0x0 items=2 ppid=1 pid=3252 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/bin/python3.11 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(06/02/2023 09:32:12.249:244) : avc: denied { create } for pid=3252 comm=rhsm-service name=dbus-BOb77zvRHz scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0
There is also the ausyscall command
# ausyscall --dump | grep -w 208
208 io_getevents
Thanks.
----
henry

On Thu, Jun 1, 2023 at 8:13 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:

Zdenek,

Would you please give a sample to run ausearch to find out arch?

Thanks.
---
henry

On Thu, Jun 1, 2023, 00:48 Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:

On Wed, May 31, 2023 at 9:47 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:

Hi folks,

I want to analyze audit.log and see

arch=c00000b7 syscall=35

Where can I find what c00000b7 and 35 mean respectively for an arm64 device?

Hi,

You'd better use the ausearch/aureport commands with the -i switch to interpret them.

Zdenek Pytela
Security SELinux team
--
Zdenek Pytela
Security SELinux team
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
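The thread above answers "use ausearch -i", but it helps to know what that interpretation actually does with the two raw fields Henry asked about. The following is an added example written for this page; it is not part of audit userspace (ausearch, ausyscall) and not code from anyone in the thread. The arch value the kernel logs is an AUDIT_ARCH_* constant: an ELF e_machine id in the low 16 bits, bit 31 set for a 64-bit ABI and bit 30 set for little-endian, so c00000b7 is 64-bit, little-endian, EM_AARCH64 (183). The syscall number only has a meaning relative to that arch, which is why 35 is unlinkat on arm64 but nanosleep on x86_64, and why ausearch needs both fields to print a name. The syscall table below is a small constructed excerpt for illustration, not a complete table; the sample SYSCALL record is constructed around the arch=c00000b7 syscall=35 values from the original question, with everything else made up.

```python
"""Decode raw arch= and syscall= fields of a Linux audit SYSCALL record.

Added example for this thread; not part of the audit userspace tools.
"""
import re

# Flag bits from include/uapi/linux/audit.h (__AUDIT_ARCH_64BIT, __AUDIT_ARCH_LE)
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000

# ELF e_machine values from include/uapi/linux/elf-em.h
ELF_MACHINES = {
    3: "i386",
    21: "ppc64",
    22: "s390",
    40: "arm",
    62: "x86_64",
    183: "aarch64",
    243: "riscv",
}

# Constructed excerpt of per-arch syscall tables. The full table for the
# running host comes from `ausyscall --dump`; the point shown here is that
# the same number names a different call on each arch.
SYSCALL_NAMES = {
    "x86_64": {35: "nanosleep", 49: "bind", 56: "clone", 208: "io_getevents"},
    "aarch64": {35: "unlinkat", 56: "openat", 200: "bind"},
}

# Constructed raw (uninterpreted) record; only arch= and syscall= come from the thread.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1685669532.249:244): arch=c00000b7 syscall=35 '
    'success=no exit=-13 a0=ffffff9c a1=aaaae0f01230 a2=0 a3=0 items=2 ppid=1 '
    'pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="example-svc" exe="/usr/bin/example" '
    'subj=system_u:system_r:example_t:s0 key=(null)'
)

# key=value pairs; values are either quoted strings or runs of non-space characters
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def decode_arch(arch_hex):
    """Return (machine, bits, endianness) for a raw arch= value such as c00000b7."""
    value = int(arch_hex, 16)
    bits = 64 if value & AUDIT_ARCH_64BIT else 32
    endian = "little" if value & AUDIT_ARCH_LE else "big"
    em = value & 0xFFFF
    machine = ELF_MACHINES.get(em, "unknown(EM=%d)" % em)
    return machine, bits, endian


def syscall_name(machine, number):
    """Resolve a syscall number for a given machine; unknown numbers stay numeric."""
    return SYSCALL_NAMES.get(machine, {}).get(number, "unknown(%d)" % number)


def interpret_syscall(line):
    """Produce the human-readable view of a SYSCALL record, the way `ausearch -i` would."""
    fields = parse_record(line)
    if fields.get("type") != "SYSCALL":
        raise ValueError("not a SYSCALL record")
    machine, bits, endian = decode_arch(fields["arch"])
    return {
        "arch": "%s (%d-bit, %s-endian)" % (machine, bits, endian),
        "syscall": syscall_name(machine, int(fields["syscall"])),
        "success": fields.get("success"),
        "exit": fields.get("exit"),
        "comm": fields.get("comm"),
    }


if __name__ == "__main__":
    for key, value in interpret_syscall(SAMPLE_RECORD).items():
        print("%-8s %s" % (key, value))
```

Run as a script it prints the decoded arch and syscall for the constructed record. On a real host, prefer `ausearch -i` for the lookup itself: it carries the complete syscall tables for every architecture the kernel can log, while a hand-maintained excerpt like the one above goes stale and, as the "unknown" fallbacks show, is only as good as the rows it contains.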