Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 404


-a entry,always -S socketcall -F a0=1 -F a1=10
## Use this line on x86_64, ia64 instead
#-a entry,always -S socket -F a0=10
-a entry,always -S socketcall -F a0=5
## Use this line on x86_64, ia64 instead
#-a entry,always -S accept
Audit the socket(PF_INET6) system call. The -F a0=1 filter matches all socket
system calls and the -F a1=10 filter narrows the matches down to socket system
calls carrying the IPv6 protocol family domain parameter (PF_INET6). Check
/usr/src/linux/include/linux/net.h for the first argument (a0)
and /usr/src/linux/include/linux/socket.h for the second parameter (a1).
64-bit platforms, like x86_64 and ia64, do not use multiplexing on
socketcall system calls. For these platforms, comment out the rule and add the
plain system call rules with a filter on PF_INET6.
Audit the socketcall system call. The filter flag is set to filter for a0=5 as the first
argument to socketcall, which translates to the accept system call if you check
/usr/include/linux/net.h. 64-bit platforms, like x86_64 and ia64, do
not use multiplexing on socketcall system calls. For these platforms, comment
out the rule and add the plain system call rule without argument filtering.
The ipc system call is another example of multiplexed system calls. The actual call to
invoke is determined by the first argument passed to the ipc system call. Filtering for
these arguments helps you focus on those IPC calls of interest to you. Check
/usr/include/asm-generic/ipc.h for possible argument values.
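On 32-bit x86, the records produced by rules on a multiplexed call show only the multiplexer's syscall number and a0 in hexadecimal, so the actual call has to be decoded when reviewing the log. The following is an added example, not part of the original guide: it assumes i386 numbering (socketcall = 102, ipc = 117, arch=40000003), and the function name decode and the sample records are constructed for illustration.

```python
import re

# Sub-call numbers from linux/net.h (socketcall) and asm-generic/ipc.h (ipc).
SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
              6: "getsockname", 7: "getpeername", 8: "socketpair", 9: "send",
              10: "recv", 11: "sendto", 12: "recvfrom", 13: "shutdown",
              14: "setsockopt", 15: "getsockopt", 16: "sendmsg", 17: "recvmsg"}
IPC = {1: "semop", 2: "semget", 3: "semctl", 4: "semtimedop", 11: "msgsnd",
       12: "msgrcv", 13: "msgget", 14: "msgctl", 21: "shmat", 22: "shmdt",
       23: "shmget", 24: "shmctl"}
# Assumption: i386 numbering (socketcall=102, ipc=117), records with arch=40000003.
MULTIPLEXERS = {102: ("socketcall", SOCKETCALL), 117: ("ipc", IPC)}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(record):
    """Return (multiplexer, sub-call, pid, comm) for an i386 multiplexed call, else None."""
    if not record.startswith("type=SYSCALL "):
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(record)}
    try:
        # syscall and pid are logged in decimal, a0..a3 in hexadecimal
        nr, a0, pid = int(f["syscall"]), int(f["a0"], 16), int(f["pid"])
    except (KeyError, ValueError):
        return None
    if f.get("arch") != "40000003" or nr not in MULTIPLEXERS:
        return None  # 64-bit records already name the plain system call
    name, table = MULTIPLEXERS[nr]
    if name == "ipc":
        a0 &= 0xFFFF  # the kernel takes the ipc call number from the low 16 bits
    return name, table.get(a0, f"unknown({a0})"), pid, f.get("comm")

# Constructed sample records (not taken from a real system).
SAMPLE = [
    'type=SYSCALL msg=audit(1237300001.101:41): arch=40000003 syscall=102 success=yes exit=5 a0=5 a1=bfa3c1d0 a2=0 a3=0 items=0 ppid=1 pid=2211 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)',
    'type=SYSCALL msg=audit(1237300002.230:42): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfd0e2a0 a2=0 a3=0 items=0 ppid=2800 pid=2874 uid=0 comm="ping6" exe="/bin/ping6" key=(null)',
    'type=SYSCALL msg=audit(1237300003.007:43): arch=40000003 syscall=117 success=yes exit=0 a0=e a1=0 a2=3 a3=0 items=0 ppid=2800 pid=3050 uid=1000 comm="ipcs" exe="/usr/bin/ipcs" key=(null)',
    'type=SYSCALL msg=audit(1237300004.512:44): arch=40000003 syscall=117 success=yes exit=32768 a0=2 a1=0 a2=1 a3=380 items=0 ppid=1 pid=3102 uid=30 comm="httpd" exe="/usr/sbin/httpd" key=(null)',
    'type=SYSCALL msg=audit(1237300005.900:45): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7fff2c10 a2=7fff2c0c a3=0 items=0 ppid=1 pid=2300 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(decode(line))
```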
## msgctl
-a entry,always -S ipc -F a0=14
## msgget
-a entry,always -S ipc -F a0=13
## Use these lines on x86_64, ia64 instead
#-a entry,always -S msgctl
#-a entry,always -S msgget
## semctl
-a entry,always -S ipc -F a0=3
## semget
-a entry,always -S ipc -F a0=2
## semop
-a entry,always -S ipc -F a0=1
## semtimedop
-a entry,always -S ipc -F a0=4
## Use these lines on x86_64, ia64 instead