----
type=PROCTITLE msg=audit(Sunday 03 September 2017 ^E.370:2020074) : proctitle=/usr/bin/xterm -fg white -bg black
type=SOCKETCALL msg=audit(Sunday 03 September 2017 ^E.370:2020074) : nargs=3 a0=0x3 a1=0xbf9a8274 a2=0x0
type=SYSCALL msg=audit(Sunday 03 September 2017 ^E.370:2020074) : arch=i386 syscall=socketcall(recvmsg) success=no exit=EAGAIN(Resource temporarily unavailable) a0=recvmsg a1=0xbf9a81f4 a2=0x0 a3=0x0 items=0 ppid=16776 pid=16777 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xterm exe=/usr/bin/xterm key=jackass
----
type=PROCTITLE msg=audit(Sunday 03 September 2017 ^E.638:2020105) : proctitle=/usr/local/firefox/firefox
type=SOCKETCALL msg=audit(Sunday 03 September 2017 ^E.638:2020105) : nargs=3 a0=0x4 a1=0xbfaf8854 a2=0x0
type=SYSCALL msg=audit(Sunday 03 September 2017 ^E.638:2020105) : arch=i386 syscall=socketcall(recvmsg) success=no exit=EAGAIN(Resource temporarily unavailable) a0=recvmsg a1=0xbfaf87d4 a2=0x0 a3=0xb771f000 items=0 ppid=22804 pid=22815 auid=unset uid=geek gid=geek euid=geek suid=geek fsuid=geek egid=geek sgid=geek fsgid=geek tty=(none) ses=unset comm=firefox exe=/usr/local/firefox/firefox key=jackass
I am using:
auditctl -a exit,always -F arch=i686 -S socketcall -k jackass
I found this helpful, but it doesn't seem to work in the above example: Suse Audit Docs Example
-F a0=1 can filter, but since both calls use recvmsg this is not useful. I need some way to differentiate using a1, a2, a3. The SUSE docs say:
-F a1=10 filter narrows the matches down to socket system calls carrying the IPv6 protocol family domain parameter (PF_INET6).
However, in these calls a1=0xb5d12130, which is unreadable mumbo-jumbo. It looks to be a pointer to an array of parameters for the corresponding call. Multiplexed System Calls on x86
int socketcall(int call, unsigned long *args);
args points to a block containing the actual arguments, which are passed
through to the appropriate call.
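An added example in Python (not from the question or from the audit project): it parses events in the `ausearch -i` layout of the two shown above, adapted here with constructed placeholder timestamps, and shows that the SOCKETCALL auxiliary record carries the unpacked args array (socket fd first), which an `auditctl -F a1=` rule on the SYSCALL record cannot see because there a1 is only the pointer to that array; selecting i386 recvmsg events by fd therefore has to happen over the recorded events.

```python
import re

# Sample events in `ausearch -i` layout, adapted from the question's two
# records (constructed for this example; timestamps are placeholders).
SAMPLE = """\
----
type=PROCTITLE msg=audit(1504400000.370:2020074) : proctitle=/usr/bin/xterm -fg white -bg black
type=SOCKETCALL msg=audit(1504400000.370:2020074) : nargs=3 a0=0x3 a1=0xbf9a8274 a2=0x0
type=SYSCALL msg=audit(1504400000.370:2020074) : arch=i386 syscall=socketcall(recvmsg) success=no exit=EAGAIN(Resource temporarily unavailable) a0=recvmsg a1=0xbf9a81f4 a2=0x0 a3=0x0 pid=16777 uid=root comm=xterm exe=/usr/bin/xterm key=jackass
----
type=PROCTITLE msg=audit(1504400000.638:2020105) : proctitle=/usr/local/firefox/firefox
type=SOCKETCALL msg=audit(1504400000.638:2020105) : nargs=3 a0=0x4 a1=0xbfaf8854 a2=0x0
type=SYSCALL msg=audit(1504400000.638:2020105) : arch=i386 syscall=socketcall(recvmsg) success=no exit=EAGAIN(Resource temporarily unavailable) a0=recvmsg a1=0xbfaf87d4 a2=0x0 a3=0xb771f000 pid=22815 uid=geek comm=firefox exe=/usr/local/firefox/firefox key=jackass
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\) : (.*)$")
# key=value tokens; a parenthesised suffix such as EAGAIN(...) stays attached
FIELD = re.compile(r"(\w+)=([^\s(]+(?:\([^)]*\))?)")

def parse_events(text):
    """Group the records of each '----' separated event into one dict."""
    events = []
    for chunk in text.split("----"):
        ev = {}
        for line in chunk.strip().splitlines():
            m = RECORD.match(line)
            if not m:
                continue
            rtype, stamp, body = m.groups()
            ev["serial"] = stamp.split(":")[1]
            if rtype == "PROCTITLE":
                ev["proctitle"] = body.split("=", 1)[1]
            elif rtype == "SOCKETCALL":
                f = dict(FIELD.findall(body))
                # the unpacked args[] array that the SYSCALL record's a1 points at
                ev["sock_args"] = [int(f["a%d" % i], 16) for i in range(int(f["nargs"]))]
            elif rtype == "SYSCALL":
                f = dict(FIELD.findall(body))
                name, _, sub = f["syscall"].partition("(")
                f["syscall"], f["subcall"] = name, sub.rstrip(")")
                ev.update(f)
        if ev:
            events.append(ev)
    return events

def recvmsg_on_fd(events, fd):
    """exe of each socketcall(recvmsg) event on socket `fd`; the fd is a0 of the
    SOCKETCALL record, not the a1 pointer that an auditctl -F a1= rule sees."""
    return [ev["exe"] for ev in events
            if ev.get("subcall") == "recvmsg" and (ev.get("sock_args") or [None])[0] == fd]
```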