audisp-json does not support SYS_clone (syscall #120) #23

mzpqnxow opened this Issue Apr 5, 2019 · 2 comments


None yet
2 participants
Copy link

mzpqnxow commented Apr 5, 2019

There is currently no support for the SYS_clone system call. This is desirable especially since it has been used for privilege escalation exploits in the wild in the past. There are of course plenty of legitimate uses for it as well. I will take a look to see if I have time to PR this, as I would like it for my systems.


mzpqnxow commented Apr 5, 2019

After a quick review of the userspace audisp code for untangling SYS_clone, this is clearly a significant amount of effort.


gdestuynder commented Apr 11, 2019

One issue with SYS_clone is definitely that it's called a lot :)

I think in general execve() catches most of what you want, but yes, it won't log an exploit abusing certain arguments to clone().

If it were logged, you'd most likely just log it with all arguments and filter based on that, as long as you're OK with the amount of data it will likely generate and of course have a use for it (i.e. actually detect the exploit, for example).
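The "log it with all arguments and filter based on that" approach above, as an added illustration that is not part of audisp-json or this thread: a small Python filter over raw auditd SYSCALL records that picks out clone() calls and decodes the flags argument. It assumes the records come from an audit rule such as `-a always,exit -F arch=b64 -S clone -k clone` (and the `b32` equivalent), that the first argument `a0` is the flags word (true on x86, where the issue's syscall 120 is the i386 number and 56 is the x86_64 number), and that the records themselves are constructed samples. The choice to surface only namespace-creating flags is an example policy, not something the thread prescribes; the point is that the volume problem is handled by decoding arguments and keeping a narrow subset.

```python
import re

# Clone flag bits from <linux/sched.h> (well-known constants, x86 layout).
CLONE_FLAGS = {
    "CLONE_VM": 0x00000100,
    "CLONE_FS": 0x00000200,
    "CLONE_FILES": 0x00000400,
    "CLONE_SIGHAND": 0x00000800,
    "CLONE_THREAD": 0x00010000,
    "CLONE_NEWNS": 0x00020000,
    "CLONE_SYSVSEM": 0x00040000,
    "CLONE_SETTLS": 0x00080000,
    "CLONE_PARENT_SETTID": 0x00100000,
    "CLONE_CHILD_CLEARTID": 0x00200000,
    "CLONE_CHILD_SETTID": 0x01000000,
    "CLONE_NEWUTS": 0x04000000,
    "CLONE_NEWIPC": 0x08000000,
    "CLONE_NEWUSER": 0x10000000,
    "CLONE_NEWPID": 0x20000000,
    "CLONE_NEWNET": 0x40000000,
}

# Example filter policy (an assumption for this illustration): keep clone()
# calls that create a new namespace, drop ordinary fork/thread creation.
NAMESPACE_FLAGS = {"CLONE_NEWNS", "CLONE_NEWUTS", "CLONE_NEWIPC",
                   "CLONE_NEWUSER", "CLONE_NEWPID", "CLONE_NEWNET"}

# audit 'arch' field -> clone syscall number on that ABI.
CLONE_SYSCALL_NR = {"c000003e": 56, "40000003": 120}  # x86_64, i386

# Constructed sample records in raw auditd format (not real captures).
SAMPLE_RECORDS = [
    # glibc fork(): CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD
    'type=SYSCALL msg=audit(1554480000.100:401): arch=c000003e syscall=56 success=yes exit=4321 '
    'a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1000 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="bash" exe="/bin/bash" key="clone"',
    # execve(), not a clone record at all
    'type=SYSCALL msg=audit(1554480000.101:402): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=55d0c0 a1=55d0e0 a2=55d100 a3=0 items=2 ppid=1000 pid=4321 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="ls" exe="/bin/ls" key="exec"',
    # clone() with CLONE_NEWUSER|SIGCHLD
    'type=SYSCALL msg=audit(1554480000.102:403): arch=c000003e syscall=56 success=yes exit=4322 '
    'a0=10000011 a1=0 a2=0 a3=0 items=0 ppid=1000 pid=4300 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="unshare" exe="/usr/bin/unshare" key="clone"',
    # pthread_create(): CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|...
    'type=SYSCALL msg=audit(1554480000.103:404): arch=c000003e syscall=56 success=yes exit=4323 '
    'a0=3d0f00 a1=7f0000 a2=7f1000 a3=7f2000 items=0 ppid=1 pid=2000 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="java" exe="/usr/bin/java" key="clone"',
    # i386 clone (syscall 120) with CLONE_NEWPID|CLONE_NEWNS|SIGCHLD
    'type=SYSCALL msg=audit(1554480000.104:405): arch=40000003 syscall=120 success=yes exit=4324 '
    'a0=20020011 a1=0 a2=0 a3=0 items=0 ppid=1000 pid=4310 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="runner32" exe="/opt/runner32" key="clone"',
]


def parse_record(line):
    """Split a raw audit record into a key -> value dict (quotes stripped)."""
    fields = {}
    for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line):
        fields[m.group(1)] = m.group(2).strip('"')
    return fields


def decode_clone_flags(a0_hex):
    """Return (raw value, exit signal, named flag bits) for a hex a0 field."""
    value = int(a0_hex, 16)
    names = [name for name, bit in CLONE_FLAGS.items() if value & bit]
    return value, value & 0xFF, names


def is_clone_record(fields):
    """True if this SYSCALL record is clone() for the record's own ABI."""
    if fields.get("type") != "SYSCALL":
        return False
    return CLONE_SYSCALL_NR.get(fields.get("arch")) == int(fields.get("syscall", -1))


def filter_clone(lines):
    """Keep clone() records whose flags create a namespace; attach decoded flags."""
    kept = []
    for line in lines:
        f = parse_record(line)
        if not is_clone_record(f):
            continue
        _, exit_signal, names = decode_clone_flags(f["a0"])
        if NAMESPACE_FLAGS & set(names):
            kept.append({"pid": f["pid"], "auid": f["auid"], "comm": f["comm"],
                         "exe": f["exe"], "exit_signal": exit_signal, "flags": names})
    return kept


if __name__ == "__main__":
    for event in filter_clone(SAMPLE_RECORDS):
        print(event)
```

Of the five constructed records, only the two namespace-creating clone() calls survive; the fork, the thread creation and the execve are dropped before anything is emitted, which is the filtering step the comment describes. A real deployment would tune `NAMESPACE_FLAGS` to whatever its own detection needs, and would need the matching auditctl rule in place to get clone() records at all.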
