linux - Auditing a specific syscall parameter value
I want to deploy auditing focused on more sophisticated scenarios on GNU/Linux boxes, for instance the execution of commands like touch -m 'faketime' somefile. I straced the exec and found out the difference between a normal touch and a touch with the timestamp-modifying flag. These are respectively:
utimes("/proc/self/fd/0", NULL) = 0
utimes("/proc/self/fd/0", {{1364383142, 0}, {1364383160, 875693}}) = 0
So it seems easy to catch suspicious occurrences of the utimes syscall: the second (a1) argument is not NULL. I tried to set the following audit rule:
-a exit,always -F arch=b32 -S utimes -F a1!=0 -k timestamp_tampering
However, it doesn't catch the call. A text representation of the value (NULL) is not accepted by auditd in the a1-4 arguments, or at least I got into trouble trying to achieve it. Any suggestions? Thanks in advance.
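Added example, not part of the question above: the check the rule is meant to express, applied to raw audit SYSCALL records, plus a generator for the equivalent auditctl rules. It goes beyond the single utimes case in the post in two ways that matter for the rule. First, `-F arch=b32` only matches the 32-bit ABI, so on an x86_64 host a native touch is only seen by a second rule with `arch=b64`. Second, the timestamp pointer is a1 for utime/utimes but a2 for futimesat/utimensat (a1 there is the pathname, never NULL), so the filter must be chosen per syscall. The syscall numbers are the x86 ones; the audit records are constructed for the example and are not from a real log; the rule strings follow auditctl syntax (`-F` for field filters, `-S` for syscall names) and are an assumption about what the poster's box would accept.

```python
import re

# Timestamp-setting syscalls per ABI, keyed by the arch value that appears in
# raw audit SYSCALL records, with the index of the argument that carries the
# timestamp pointer (numbers from the x86 kernel syscall tables):
#   utime(path, times) / utimes(path, times)                              -> a1
#   futimesat(dirfd, path, times) / utimensat(dirfd, path, times, flags)  -> a2
TIMESTAMP_SYSCALLS = {
    "c000003e": {  # x86_64, auditctl -F arch=b64
        132: ("utime", 1), 235: ("utimes", 1),
        261: ("futimesat", 2), 280: ("utimensat", 2),
    },
    "40000003": {  # i386, auditctl -F arch=b32
        30: ("utime", 1), 271: ("utimes", 1),
        299: ("futimesat", 2), 320: ("utimensat", 2),
    },
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into {key: value}, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(line):
    """Return details of an explicit-timestamp syscall, or None.

    A record is reported only when the times-pointer argument is non-zero:
    NULL means "set mtime/atime to now", which is what a plain touch does,
    while a non-NULL pointer means the caller chose the timestamps."""
    rec = parse_record(line)
    table = TIMESTAMP_SYSCALLS.get(rec.get("arch", ""))
    if rec.get("type") != "SYSCALL" or table is None:
        return None
    try:
        name, idx = table[int(rec["syscall"])]
    except (KeyError, ValueError):
        return None
    if int(rec.get(f"a{idx}", "0"), 16) == 0:   # audit logs aN as bare hex
        return None
    return {"syscall": name, "comm": rec.get("comm"), "exe": rec.get("exe"),
            "pid": rec.get("pid"), "auid": rec.get("auid")}


def scan(lines):
    """Run classify() over an iterable of audit records, keeping the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


def audit_rules(key="timestamp_tampering"):
    """auditctl rules equivalent to classify(), one pair per ABI.

    Field filters are -F and syscall names -S (case matters), b32 and b64
    each need their own rule, and the pointer is a1 for utime/utimes but a2
    for futimesat/utimensat."""
    rules = []
    for arch in ("b32", "b64"):
        rules.append(f"-a always,exit -F arch={arch} -S utime -S utimes "
                     f"-F a1!=0 -k {key}")
        rules.append(f"-a always,exit -F arch={arch} -S futimesat -S utimensat "
                     f"-F a2!=0 -k {key}")
    return rules


# Constructed sample records (not from a real audit.log); fields that do not
# matter for the check have been left out.
SAMPLE_LINES = [
    # plain `touch somefile`: times pointer NULL -> not reported
    'type=SYSCALL msg=audit(1364383142.101:201): arch=c000003e syscall=235 '
    'success=yes exit=0 a0=7ffd3b2c1a40 a1=0 a2=0 a3=0 pid=2002 auid=1000 '
    'comm="touch" exe="/usr/bin/touch" key="timestamp_tampering"',
    # touch with an explicit time: timeval array passed in a1 -> reported
    'type=SYSCALL msg=audit(1364383160.875:202): arch=c000003e syscall=235 '
    'success=yes exit=0 a0=7ffd3b2c1a40 a1=7ffd3b2c1b80 a2=0 a3=0 pid=2003 '
    'auid=1000 comm="touch" exe="/usr/bin/touch" key="timestamp_tampering"',
    # utimensat with explicit timespecs: the pointer is a2, a1 is the path
    'type=SYSCALL msg=audit(1364383170.000:203): arch=c000003e syscall=280 '
    'success=yes exit=0 a0=ffffffffffffff9c a1=7ffd3b2c1a40 a2=7ffd3b2c1b80 '
    'a3=0 pid=2004 auid=1000 comm="touch" exe="/usr/bin/touch"',
    # utimensat with NULL times: a1 (the path) is non-zero, so an a1!=0
    # filter would wrongly fire here; a2 is what must be checked
    'type=SYSCALL msg=audit(1364383171.000:204): arch=c000003e syscall=280 '
    'success=yes exit=0 a0=ffffffffffffff9c a1=7ffd3b2c1a40 a2=0 a3=0 '
    'pid=2005 auid=1000 comm="touch" exe="/usr/bin/touch"',
    # 32-bit ABI utimes with explicit times -> only a b32 rule sees this one
    'type=SYSCALL msg=audit(1364383180.000:205): arch=40000003 syscall=271 '
    'success=yes exit=0 a0=bfa3c400 a1=bfa3c4d0 a2=0 a3=0 pid=2006 auid=1000 '
    'comm="touch" exe="/usr/bin/touch"',
    # companion PATH record: not a SYSCALL record, ignored
    'type=PATH msg=audit(1364383160.875:202): item=0 name="somefile" '
    'inode=1234 dev=08:01 mode=0100644',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
    print("\n".join(audit_rules()))
```

Running the block reports the three records with a non-NULL times pointer (pids 2003, 2004 and 2006) and leaves the plain touch, the NULL-times utimensat and the PATH record alone. The same classification is what the four generated rules would make the kernel do, with the 32-bit and 64-bit ABIs and the two argument positions handled separately.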