linux - Auditing specific syscall parameter value -


i want deploy auditing focused on more sophisticated scenarious on gnu/linux boxes, instance execution of commands touch -m 'faketime' somefile. straced exec , found out difference between normal touch , touch timestamp modifying flag. these respectively:

utimes("/proc/self/fd/0", null) = 0

utimes("/proc/self/fd/0", {{1364383142, 0}, {1364383160, 875693}}) = 0

so seems easy catch suspicius occurances of utimes syscall; second (a1) argument has null. tried set following audit rule:

-a exit,always -f arch=b32 -s utimes -f a1!=0 -k timestamp_tampering

however doesn't catch call. text representation of value (null) not accepted auditd in a1-4 arguments, @ least got trouble trying achieve it. suggestions? in advance.


Comments

Popular posts from this blog

monitor web browser programmatically in Android? -

Shrink a YouTube video to responsive width -

wpf - PdfWriter.GetInstance throws System.NullReferenceException -