I am new to Sysdig and auditd to be honest. I am wondering about the difference I notice in the syscalls recorded by each following the same user command.
I checked the records logged by auditd after I ran `$ cat /etc/passwd`. According to the auditd records, as I understood them, only one type of syscall is sent (as you can see, syscall=execve). But when I monitor the logs generated by Sysdig after `$ cat /etc/passwd`, I find multiple types of syscalls being recorded (open(), read(), close(), etc.).
I would like an explanation for this difference. What does Sysdig log in addition to what auditd logs, such that I see multiple types of syscalls after the same user command?
I paste the records generated by auditd below:

type=SYSCALL msg=audit(1616954091.964:4409): arch=c000003e syscall=execve success=yes exit=0 a0=240f388 a1=23d5a08 a2=2247008 a3=598 items=2 ppid=6725 pid=23378 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)
type=EXECVE msg=audit(1616954091.964:4409): argc=2 a0="cat" a1="/etc/passwd"
type=CWD msg=audit(1616954091.964:4409): cwd="/etc/audit"
type=PATH msg=audit(1616954091.964:4409): item=0 name="/bin/cat" inode=262169 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1616954091.964:4409): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=686485 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1616954091.964:4409): proctitle=636174002F6574632F706173737764
I paste the records generated by Sysdig below:

107853 10:20:42.025366218 0 cat (21056) < open fd=3(/etc/passwd) name=/etc/passwd flags=1(O_RDONLY) mode=0 dev=801
107854 10:20:42.025367164 0 cat (21056) > fstat fd=3(/etc/passwd)
107855 10:20:42.025367663 0 cat (21056) < fstat res=0
107860 10:20:42.025375308 0 cat (21056) > read fd=3(/etc/passwd) size=131072
107861 10:20:42.025377805 0 cat (21056) < read res=2288 data=root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.
107864 10:20:42.025403794 0 cat (21056) > read fd=3(/etc/passwd) size=131072
107865 10:20:42.025404614 0 cat (21056) < read res=0 data=
107868 10:20:42.025412161 0 cat (21056) > close fd=3(/etc/passwd)
107869 10:20:42.025412820 0 cat (21056) < close res=0
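As an added example (not part of the question, and not code from auditd or Sysdig), here is a small Python parser for the two record formats quoted above: it groups the auditd records by their audit serial, parses the Sysdig event lines, and collects the syscall names each tool recorded, which makes the difference visible in data: auditd's SYSCALL records only cover the calls its rules select (here execve), while Sysdig records the whole open/fstat/read/close sequence. The embedded log samples are copied from the question; the function names are my own.

```python
import re
from collections import defaultdict

# Sample records copied from the question: one auditd event (serial 4409) and the
# Sysdig events for the same "cat /etc/passwd" (a separate run, so the pids differ).
AUDITD_LOG = """\
type=SYSCALL msg=audit(1616954091.964:4409): arch=c000003e syscall=execve success=yes exit=0 a0=240f388 a1=23d5a08 a2=2247008 a3=598 items=2 ppid=6725 pid=23378 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)
type=EXECVE msg=audit(1616954091.964:4409): argc=2 a0="cat" a1="/etc/passwd"
type=CWD msg=audit(1616954091.964:4409): cwd="/etc/audit"
type=PATH msg=audit(1616954091.964:4409): item=0 name="/bin/cat" inode=262169 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1616954091.964:4409): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=686485 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1616954091.964:4409): proctitle=636174002F6574632F706173737764
"""

SYSDIG_LOG = """\
107853 10:20:42.025366218 0 cat (21056) < open fd=3(/etc/passwd) name=/etc/passwd flags=1(O_RDONLY) mode=0 dev=801
107854 10:20:42.025367164 0 cat (21056) > fstat fd=3(/etc/passwd)
107855 10:20:42.025367663 0 cat (21056) < fstat res=0
107860 10:20:42.025375308 0 cat (21056) > read fd=3(/etc/passwd) size=131072
107861 10:20:42.025377805 0 cat (21056) < read res=2288 data=root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.
107864 10:20:42.025403794 0 cat (21056) > read fd=3(/etc/passwd) size=131072
107865 10:20:42.025404614 0 cat (21056) < read res=0 data=
107868 10:20:42.025412161 0 cat (21056) > close fd=3(/etc/passwd)
107869 10:20:42.025412820 0 cat (21056) < close res=0
"""

AUDIT_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")   # type, serial, fields
SYSDIG_RE = re.compile(r"^(\d+) (\S+) (\d+) (\S+) \((\d+)\) ([<>]) (\w+)\s*(.*)$")  # evt time cpu comm (pid) dir call args
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_auditd(text):
    """Group auditd records by event serial: {serial: {record type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for m in filter(None, map(AUDIT_RE.match, text.splitlines())):
        rtype, serial, rest = m.groups()
        events[serial][rtype].append({k: v.strip('"') for k, v in KV_RE.findall(rest)})
    return events

def parse_sysdig(text):
    """Parse Sysdig's default one-event-per-line output into dicts (enter '>' and exit '<' events)."""
    out = []
    for m in filter(None, map(SYSDIG_RE.match, text.splitlines())):
        evt, ts, cpu, comm, pid, direction, syscall, args = m.groups()
        out.append({"evt": int(evt), "comm": comm, "pid": int(pid), "dir": direction,
                    "syscall": syscall, "args": dict(KV_RE.findall(args))})
    return out

def syscalls_seen(auditd_events, sysdig_events):
    """Syscall names each tool recorded; Sysdig exit events ('<') are counted so each call appears once."""
    audit = {r["syscall"] for e in auditd_events.values() for r in e["SYSCALL"]}
    sysdig = {e["syscall"] for e in sysdig_events if e["dir"] == "<"}
    return audit, sysdig
```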