Open seemakumar8 opened 1 year ago
Works for me. I would suggest checking that you have configured and compiled everything correctly; you can use Fedora as a working example.
```
% uname -r -m
6.6.0-0.rc1.20230915git9fdfb15a.17.1.secnext.fc40.aarch64 aarch64
% rpm -q audit
audit-3.1.2-4.fc40.aarch64
% auditctl -D
No rules
% auditctl -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k timechange
% auditctl -l
-a always,exit -F arch=b64 -S clock_settime,settimeofday,adjtimex -F key=timechange
```
> CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y
These two config options above were removed 5 years ago, so this kernel is pretty dated.
I am unable to add auditd rules to monitor system calls. However, file monitoring rules work fine.
System arch: aarch64
I am using Yocto build system.
The kernel is compiled with the following options:

```
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_AUDIT_GENERIC=y
CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y
CONFIG_AUDIT_COMPAT_GENERIC=y
```
When I execute the below command:
I get the below error:
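The thread turns on two things: whether the kernel config actually enables syscall auditing (CONFIG_AUDITSYSCALL and its arch prerequisite), and whether the config lists options that no longer exist (CONFIG_AUDIT_WATCH and CONFIG_AUDIT_TREE, which the reply above says were removed years ago and therefore hint at a stale kernel tree). The script below is an added example written for this page, not code from the issue, the audit project or the kernel; it parses a `.config`-style fragment (including the space-separated form pasted in the issue), reports whether syscall rules can be expected to load, flags the obsolete options, and checks `auditctl -l` output for a rule key such as `timechange`. The REQUIRED and OBSOLETE lists and the sample inputs are taken from this thread and are not a complete description of kernel audit configuration.

```python
"""Check a kernel .config fragment for syscall-audit support and stale options.

Added example for this issue thread (not from the audit project or the kernel).
REQUIRED and OBSOLETE are assumptions drawn from the thread, not a full list.
"""
import re

# Options a kernel needs for `auditctl -a exit,always ... -S <syscall>` rules.
REQUIRED = ("CONFIG_AUDIT", "CONFIG_AUDITSYSCALL", "CONFIG_HAVE_ARCH_AUDITSYSCALL")

# Options the reply says were removed from the kernel years ago; a config that
# still sets them was most likely written against an old kernel tree.
OBSOLETE = ("CONFIG_AUDIT_WATCH", "CONFIG_AUDIT_TREE")

_OPT = re.compile(r"^\s*(CONFIG_[A-Z0-9_]+)=(\S+)\s*$")
_NOTSET = re.compile(r"^\s*#\s*(CONFIG_[A-Z0-9_]+) is not set\s*$")

# Sample inputs constructed from the thread for the demo and tests.
ISSUE_CONFIG = (
    "CONFIG_AUDIT_ARCH=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y "
    "CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y "
    "CONFIG_AUDIT_GENERIC=y CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y "
    "CONFIG_AUDIT_COMPAT_GENERIC=y"
)
AUDITCTL_LISTING = (
    "-a always,exit -F arch=b64 -S clock_settime,settimeofday,adjtimex -F key=timechange\n"
)


def parse_config(text):
    """Return {option: value} from .config-style text.

    '# CONFIG_X is not set' maps to 'n'.  A line that is not a single
    CONFIG_X=value entry is split on whitespace so the one-line form pasted in
    the issue also parses (string values containing spaces are not handled).
    """
    opts = {}
    for raw in text.splitlines():
        m = _NOTSET.match(raw)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = _OPT.match(raw)
        tokens = [raw] if m else raw.split()
        for tok in tokens:
            m = _OPT.match(tok)
            if m:
                opts[m.group(1)] = m.group(2)
    return opts


def check_syscall_audit(opts):
    """Return (ok, problems).

    ok is True only when every REQUIRED option is built in ('y').  Obsolete
    options are reported as problems but do not by themselves clear ok, since
    the kernel simply ignores options it does not know.
    """
    problems = []
    for name in REQUIRED:
        if opts.get(name) != "y":
            problems.append(f"{name} is {opts.get(name, 'missing')}, need y")
    for name in OBSOLETE:
        if name in opts:
            problems.append(f"{name} is set but no longer exists; config looks stale")
    ok = not any(p.endswith("need y") for p in problems)
    return ok, problems


def audit_rule_present(listing, key):
    """True if `auditctl -l` output contains a rule carrying the given key."""
    pattern = re.compile(rf"-F key={re.escape(key)}(\s|$)")
    return any(pattern.search(line) for line in listing.splitlines())


if __name__ == "__main__":
    opts = parse_config(ISSUE_CONFIG)
    ok, problems = check_syscall_audit(opts)
    print("syscall auditing possible:", ok)
    for p in problems:
        print("  -", p)
    print("timechange rule loaded:", audit_rule_present(AUDITCTL_LISTING, "timechange"))
```

Running it against the issue's own config reports that the required options are present and that the two obsolete options are set; against a real `/boot/config-$(uname -r)` or `zcat /proc/config.gz` it tells you in one step whether a missing CONFIG_AUDITSYSCALL is the reason `-S` rules are refused, before you start debugging auditd itself.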