Closed DeepseaXX closed 2 years ago
On 2021-12-01 14:13, DeepseaXX wrote:
I'm trying to add a rule to audit the 'fork' syscall. I read the docs and tried to write it like:
sudo auditctl -a task,always -F arch=b64 -S fork -F uid=1000
And it showed: Error: syscall auditing being added to task list
Syscalls are not valid on the task list. You may want the exit list. The task list can only match against subject credentials or task pid and is only applied at the time of fork or clone to determine if that task will be audited.
I have tried
sudo auditctl -a always,exit -F arch=b64 -S fork
When I add this rule, no error shows, but also no log remained when I checked by
sudo aureport -s -i --summary
I cannot figure out any way to audit the syscall fork. If there is any way to approach this, I would greatly appreciate it...
Most modern Linux distros have a libc which uses the clone(2) or clone3(2) syscalls as a substitute for fork(2). You should be able to verify this with the "strace" command.
auditctl -a always,exit -F arch=b64 -S fork,vfork,clone
works, but it seems to only log the exit taken in the parent, not in the child. Shouldn't there be another entry for the child where at least ppid, pid, and exit have different values?
Hi @hillu,
This is a different issue than what was reported originally, in the future it's best to create a new issue in this case, especially when the original issue is closed.
What you are describing is the expected behavior as only the parent process executes the fork(), clone(), etc. syscall. If the child also executed a fork() then every call to fork() would result in an uncontrolled fork bomb :)
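The behaviour described above (one SYSCALL record per call, recorded in the parent, with the new child's pid appearing only as the syscall's return value in exit=) can be checked by parsing the records an exit-list rule produces. This is an added example, not code from the audit project or from anyone in this thread; the log lines are constructed, and the syscall numbers are the x86_64 values for fork, vfork, clone and clone3.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers for the process-creation calls discussed in the thread
SYSCALL_NAMES = {56: "clone", 57: "fork", 58: "vfork", 435: "clone3"}

# Constructed sample records in raw audit.log format (not captured from a real host).
# Each record is the parent's syscall exit; the child pid is the exit= value.
# The third record is a failed clone() (exit= carries -errno), which yields no child.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1638368000.101:501): arch=c000003e syscall=56 success=yes exit=1300 a0=1200011 a1=0 a2=0 a3=7f0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="procs"
type=SYSCALL msg=audit(1638368000.250:502): arch=c000003e syscall=57 success=yes exit=1310 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1234 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="procs"
type=SYSCALL msg=audit(1638368000.300:503): arch=c000003e syscall=56 success=no exit=-11 a0=1200011 a1=0 a2=0 a3=7f0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="procs"
type=PROCTITLE msg=audit(1638368000.300:503): proctitle="bash"
"""

# key=value pairs; values are either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one raw audit line into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def process_creations(log_text):
    """Return (syscall_name, parent_pid, child_pid_or_None) per fork-family SYSCALL record."""
    results = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        nr = int(rec.get("syscall", -1))
        if nr not in SYSCALL_NAMES:
            continue
        exit_val = int(rec["exit"])
        # exit= is the syscall's return value: the new child's pid in the parent,
        # or -errno when the call failed, so only successful calls name a child
        child = exit_val if rec.get("success") == "yes" and exit_val > 0 else None
        results.append((SYSCALL_NAMES[nr], int(rec["pid"]), child))
    return results


def children_by_parent(log_text):
    """Map each parent pid to the child pids it created, reconstructed from the parent records only."""
    tree = defaultdict(list)
    for _name, parent, child in process_creations(log_text):
        if child is not None:
            tree[parent].append(child)
    return dict(tree)
```

Note that pid 1300 appears twice: once as a child in the exit= field of the bash record, and later as a parent in its own fork() record, which is the only place a child ever shows up on its own.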
I must have misunderstood the discussion so far. Sorry for the noise.
I'm trying to add a rule to audit the 'fork' syscall. I read the docs and tried to write it like:
sudo auditctl -a task,always -F arch=b64 -S fork -F uid=1000
And it showed: Error: syscall auditing being added to task list
I know that '-a task' is for the fork and clone syscalls, but I cannot find any example that actually uses it. Maybe I don't need to write '-F uid=1000', or maybe I missed something important. Roughly, I tried a lot but I can't add a proper rule.
I am using 'Linux ubuntu 5.11.0-40-generic #44~20.04.2-Ubuntu SMP Tue Oct 26 18:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux'