Monitoring Miscellaneous System Calls; Filtering System Call Arguments - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual

32.5 Monitoring Miscellaneous System Calls

As well as auditing file system related system calls, as described in Section 32.3, "Monitoring File System Objects" (page 386), you can also track various other system calls. Tracking task creation (fork, vfork and clone) helps you understand your applications' behavior. Auditing the umask system call lets you track how processes change the permission mask applied to the files they create. Tracking any attempt to change the system time helps you identify any user or process trying to manipulate the system clock, which also affects the timestamps in the audit trail itself.
-a entry,always -S clone -S fork -S vfork
## For ia64 architecture, disable fork and vfork rules above, and
## enable the following:
#-a entry,always -S clone2
-a entry,always -S umask
-a entry,always -S adjtimex -S settimeofday
1. Track task creation. To enable task tracking on the ia64 architecture, comment out the first rule and enable the clone2 rule instead, as the comment in the rule set indicates.
2. Add an audit context to the umask system call.
3. Track attempts to change the system time. adjtimex can be used to skew the time; settimeofday sets the absolute time.

32.6 Filtering System Call Arguments

In addition to the system call auditing introduced in Section 32.3, "Monitoring File System Objects" (page 386) and Section 32.5, "Monitoring Miscellaneous System Calls" (page 390), you can track application behavior to an even higher degree. Applying filters helps you focus the audit on the areas of primary interest to you. This section introduces filtering system call arguments for nonmultiplexed system calls like access and for multiplexed ones like socketcall or ipc. Whether a system call is multiplexed depends on the hardware architecture used. Neither socketcall nor ipc is multiplexed on 64-bit architectures such as x86_64 and ia64, where socket, bind, shmget and the other individual operations are separate system calls with their own numbers.
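The rules in Section 32.5 and the argument filters introduced in Section 32.6 only pay off when the resulting SYSCALL records are read back, and the two sections meet there: the same record format carries the task-creation, umask and time-change events, and the a0/a1 fields that the -F filters key on. The following is an added example, not part of the Novell guide and not part of the audit tool set, that classifies SYSCALL records against the Section 32.5 categories and decodes the argument fields the Section 32.6 filters use. It assumes the system call numbers of the i386 and x86_64 tables, the arch codes audit writes (0x40000003 for i386, 0xc000003e for x86_64), the socketcall and ipc subcall numbers from linux/net.h and linux/ipc.h, and the sample log lines are constructed for this example.

```python
"""Read back SYSCALL records produced by the Section 32.5 and 32.6 rules.

Added example, not from the Novell/SUSE guide or the audit tool set.
Assumed: i386/x86_64 syscall numbers, audit arch codes, socketcall and ipc
subcall numbers (linux/net.h, linux/ipc.h); sample records are constructed.
"""
import re
from typing import Dict, List

# key=value tokens of an audit line; quoted values keep their inner text
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

ARCH_NAMES = {"40000003": "i386", "c000003e": "x86_64"}

# Numbers of the calls named by the rules (assumed from the kernel tables)
SYSCALLS = {
    "x86_64": {56: "clone", 57: "fork", 58: "vfork", 95: "umask",
               159: "adjtimex", 164: "settimeofday", 41: "socket", 21: "access"},
    "i386": {120: "clone", 2: "fork", 190: "vfork", 60: "umask",
             124: "adjtimex", 79: "settimeofday", 102: "socketcall",
             117: "ipc", 33: "access"},
}
CATEGORY = {"clone": "task-creation", "fork": "task-creation",
            "vfork": "task-creation", "umask": "umask",
            "adjtimex": "time-change", "settimeofday": "time-change"}

# i386 multiplexers: a0 selects the real operation
SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
              9: "send", 10: "recv", 11: "sendto", 12: "recvfrom"}
IPC_CALLS = {1: "semop", 2: "semget", 3: "semctl", 11: "msgsnd", 12: "msgrcv",
             13: "msgget", 14: "msgctl", 21: "shmat", 22: "shmdt",
             23: "shmget", 24: "shmctl"}
AF_NAMES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6"}
ACCESS_MODE = {4: "R_OK", 2: "W_OK", 1: "X_OK"}


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit line into its fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(line: str) -> Dict[str, object]:
    """Name the call, assign a Section 32.5 category and decode the argument
    a Section 32.6 -F a0=/-F a1= filter would key on. {} for non-SYSCALL lines."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return {}
    arch = ARCH_NAMES.get(rec.get("arch", "").lower(), rec.get("arch", "?"))
    name = SYSCALLS.get(arch, {}).get(int(rec.get("syscall", "-1")), "other")
    a0 = int(rec.get("a0", "0"), 16)  # audit logs a0..a3 in hex without 0x
    a1 = int(rec.get("a1", "0"), 16)
    out: Dict[str, object] = {
        "arch": arch, "syscall": name, "category": CATEGORY.get(name, "other"),
        "success": rec.get("success") == "yes",
        "uid": rec.get("uid"), "comm": rec.get("comm"), "exe": rec.get("exe"),
    }
    if name == "socketcall":
        # a1 is a pointer to the argument block, so only the subcall is in the record
        out["subcall"] = SOCKETCALL.get(a0, f"socketcall-{a0}")
    elif name == "ipc":
        out["subcall"] = IPC_CALLS.get(a0, f"ipc-{a0}")
    elif name == "socket":
        # not multiplexed on 64-bit: a0 is the address family itself
        out["family"] = AF_NAMES.get(a0, f"AF-{a0}")
    elif name == "access":
        out["mode"] = "|".join(n for b, n in ACCESS_MODE.items() if a1 & b) or "F_OK"
    elif name == "umask":
        out["mask"] = f"{a0:04o}"
    return out


def time_change_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """The Section 32.5 question: who tried to set or skew the clock, and did it work."""
    return [c for c in map(classify, lines) if c and c["category"] == "time-change"]


# Constructed sample records for this example (not real audit output)
SAMPLE = [
    'type=SYSCALL msg=audit(1237302000.101:201): arch=c000003e syscall=164 success=yes '
    'exit=0 a0=7fff1c2d3e40 a1=0 a2=0 a3=0 pid=2101 auid=1000 uid=0 comm="date" exe="/bin/date" key="time-change"',
    'type=SYSCALL msg=audit(1237302000.102:202): arch=c000003e syscall=159 success=no '
    'exit=-1 a0=7fffe0a0b0c0 a1=0 a2=0 a3=0 pid=2201 auid=1000 uid=1000 comm="ntpdate" exe="/usr/sbin/ntpdate" key="time-change"',
    'type=SYSCALL msg=audit(1237302000.103:203): arch=c000003e syscall=95 success=yes '
    'exit=18 a0=12 a1=0 a2=0 a3=0 pid=2300 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="umask"',
    'type=SYSCALL msg=audit(1237302000.104:204): arch=c000003e syscall=56 success=yes '
    'exit=2401 a0=1200011 a1=0 a2=0 a3=7f0a1c3f8e10 pid=2400 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="task"',
    'type=SYSCALL msg=audit(1237302000.105:205): arch=40000003 syscall=102 success=yes '
    'exit=3 a0=1 a1=bfa3c8f0 a2=0 a3=0 pid=2501 auid=1000 uid=1000 comm="wget" exe="/usr/bin/wget" key="socket"',
    'type=SYSCALL msg=audit(1237302000.106:206): arch=c000003e syscall=41 success=yes '
    'exit=4 a0=a a1=1 a2=6 a3=0 pid=2400 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="socket"',
    'type=SYSCALL msg=audit(1237302000.107:207): arch=40000003 syscall=33 success=yes '
    'exit=0 a0=bfa3d100 a1=4 a2=0 a3=0 pid=2502 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"',
    'type=SYSCALL msg=audit(1237302000.108:208): arch=40000003 syscall=117 success=yes '
    'exit=65537 a0=17 a1=0 a2=1000 a3=3b6 pid=2600 auid=1000 uid=1000 comm="Xorg" exe="/usr/bin/Xorg" key="ipc"',
]

if __name__ == "__main__":
    for rec in map(classify, SAMPLE):
        print(rec)
    print("time changes:", [(c["comm"], c["uid"], c["success"]) for c in time_change_attempts(SAMPLE)])
```

The i386 and x86_64 branches show the multiplexing point of Section 32.6 directly: on i386 the socket() call arrives as socketcall with a0=1, and the address family is behind a pointer in a1 where no -F filter can reach it, while on x86_64 the same operation is the socket system call and a0 holds the family (a0=10, AF_INET6) that a filter can match. On a real system the records come from /var/log/audit/audit.log or from ausearch; the tables above only cover the two architectures the guide's examples name and the calls its rules mention, so extend them before using this on ia64 or on other system calls.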