Q: adding system call monitoring rule on aarch64 fails

[seemakumar8]

I am unable to add auditd rules to monitor system calls. However, file monitoring rules work fine.

System arch: aarch64

I am using Yocto build system.

The Kernel is compiled with the following options:
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_AUDIT_GENERIC=y
CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y
CONFIG_AUDIT_COMPAT_GENERIC=y

When I execute the below command:

$> auditctl -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k timechange

I get the below error:

$> arch elf mapping not found auditd aarch64

[pcmoore]

Works for me. I would suggest checking that you have configured and compiled everything correctly, you can use Fedora as a working example.

% uname -r -m
6.6.0-0.rc1.20230915git9fdfb15a.17.1.secnext.fc40.aarch64 aarch64
% rpm -q audit
audit-3.1.2-4.fc40.aarch64
% auditctl -D
No rules
% auditctl -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k timechange
% auditctl -l
-a always,exit -F arch=b64 -S clock_settime,settimeofday,adjtimex -F key=timechange

[rgbriggs]

CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y

These two config options above were removed 5 years ago, so this kernel is pretty dated.