gdestuynder / audisp-json

42 stars 17 forks

Missing system calls #10

Closed mntbighker closed 5 years ago

mntbighker commented 6 years ago

https://github.com/gdestuynder/audisp-json/blob/dc977e87f319531b32ccb51fc8fd822e3ea7cb8a/audisp-json.c#L974-L1000

I'm not a "developer", but in my attempts to use an audisp plugin for our audit logging I find a lot of missing system calls producing error messages for me. I don't have a comprehensive list assembled but here is a start:

                } else if (!strncmp(sys, "setxattr", 8) || !strncmp(sys, "fsetxattr", 9) || !strncmp(sys, "removexattr", 11) || !strncmp(sys, "lsetxattr", 9)) {
                    havejson = 1;
                    category = CAT_ATTR;
                } else if (!strncmp(sys, "chmod", 5) || !strncmp(sys, "fchmod", 6) || !strncmp(sys, "fchmodat", 8)) {
                    havejson = 1;
                    category = CAT_CHMOD;
                } else if (!strncmp(sys, "chown", 5) || !strncmp(sys, "fchown", 6) || !strncmp(sys, "lchown", 6)) {
                    havejson = 1;
                    category = CAT_CHOWN;

I'm also seeing unshare, mount, init_module and setsockopt. I'm working with audisp-graylog but this part of the code is not his. I know there are a lot more missing types.

I found that ausyscall --dump on one of my el7 systems yields 332 types. And for the record my audit rules are based on the Federally mandated audit rules template.

gdestuynder commented 6 years ago

We're only categorizing the syscalls we care for, so anything you match on that isn't supported will trigger this message. If you look to extend the list of supported calls, have a look at this PR: https://github.com/gdestuynder/audisp-json/pull/11

The main reason is that it's not just forwarding calls over as JSON - it's reasoning about them first, which makes the resulting message a lot more useful.
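The snippet quoted in the issue and the maintainer's reply describe the same mechanism: each syscall name is compared against a hand-written if/else chain and assigned a category, and any name with no branch falls through as unsupported, which is where the "missing system call" message comes from. Below is an added example, not audisp-json's own code, that expresses that categorisation as a lookup table in C. The enum values, the extra table rows for the calls the reporter saw as missing (mount, unshare, init_module, setsockopt), and the sample input names are all assumptions constructed for the illustration.

```c
/* Added example: table-driven syscall categorisation in the spirit of the
 * if/else chain in audisp-json.c. Not the project's code; the enum values,
 * table rows and sample names below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

enum category {
    CAT_UNKNOWN = 0,   /* no rule matched: the "missing system call" case */
    CAT_ATTR,          /* from the snippet on the page */
    CAT_CHMOD,         /* from the snippet on the page */
    CAT_CHOWN,         /* from the snippet on the page */
    CAT_MOUNT,         /* constructed for this example */
    CAT_MODULE,        /* constructed for this example */
    CAT_NAMESPACE,     /* constructed for this example */
    CAT_SOCKET         /* constructed for this example */
};

struct rule {
    const char *name;
    enum category cat;
};

/* One row per syscall name. The xattr/chmod/chown rows mirror the snippet;
 * the remaining rows cover the calls reported missing in the issue, with
 * category assignments chosen here (assumption, not the project's choice). */
static const struct rule rules[] = {
    { "setxattr", CAT_ATTR }, { "fsetxattr", CAT_ATTR },
    { "lsetxattr", CAT_ATTR }, { "removexattr", CAT_ATTR },
    { "chmod", CAT_CHMOD }, { "fchmod", CAT_CHMOD }, { "fchmodat", CAT_CHMOD },
    { "chown", CAT_CHOWN }, { "fchown", CAT_CHOWN }, { "lchown", CAT_CHOWN },
    { "mount", CAT_MOUNT }, { "umount2", CAT_MOUNT },
    { "init_module", CAT_MODULE }, { "finit_module", CAT_MODULE },
    { "unshare", CAT_NAMESPACE }, { "setns", CAT_NAMESPACE },
    { "setsockopt", CAT_SOCKET },
};

static const char *const category_names[] = {
    "UNKNOWN", "ATTR", "CHMOD", "CHOWN", "MOUNT", "MODULE", "NAMESPACE", "SOCKET"
};

/* Exact-match lookup. strcmp is used instead of strncmp(sys, lit, strlen(lit))
 * because the prefix form also accepts longer names such as "chown32". */
enum category categorize_syscall(const char *sys)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(sys, rules[i].name) == 0)
            return rules[i].cat;
    return CAT_UNKNOWN;
}

const char *category_name(enum category c)
{
    return category_names[c];
}

/* Count names that would fall through the table; this is the number of
 * "unsupported syscall" messages a plugin would emit for the list. */
int count_uncategorized(const char *const *names, int n)
{
    int missing = 0, i;
    for (i = 0; i < n; i++)
        if (categorize_syscall(names[i]) == CAT_UNKNOWN)
            missing++;
    return missing;
}

/* Constructed sample of syscall names as strings, the form the snippet's
 * `sys` variable holds. "ptrace" has no row; "chown32" shows the prefix issue. */
static const char *const sample[] = { "chmod", "unshare", "setsockopt", "ptrace", "chown32" };
static const int sample_len = (int)(sizeof sample / sizeof sample[0]);

int sample_uncategorized_count(void)
{
    return count_uncategorized(sample, sample_len);
}

int main(void)
{
    int i;
    for (i = 0; i < sample_len; i++)
        printf("%-12s -> %s\n", sample[i], category_name(categorize_syscall(sample[i])));
    printf("uncategorized: %d\n", sample_uncategorized_count());
    return 0;
}
```

Adding a syscall becomes a single table row rather than another `else if` branch, and the `CAT_UNKNOWN` return is the one place to emit (or rate-limit) the message the reporter was seeing. Note that the page's snippet uses `strncmp` with the literal's length, which is a prefix comparison: `strncmp(sys, "chown", 5)` returns 0 for any name beginning with "chown", so a table that is meant to be exact should compare the full string as above.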

gdestuynder commented 5 years ago

closing due to inactivity