You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi!
I just noticed that sysdig seems to miss a syscall error that is caught by both auditd and strace.
Note: I'm using sysdig without eBPF
When I run the following command from my normal, non-privileged user
[ -r /root ] || echo "not root"
sysdig correctly catches that the syscall faccessat2 is used by this expression, however no correspondingEACCES error is found in the "Errors" view of csysdig.
When using the same expression with strace, I get the following line in the output: access("/root", R_OK) = -1 EACCES (Permission denied)
And also auditd will log this EACCES (13) event when I add the rule -a always,exit -S all -F exit=-EACCES: type=SYSCALL (...) syscall=439 success=no exit=-13 (...) comm="bash" exe="/usr/bin/bash" (...) SYSCALL=faccessat2
If I instead try to use touch /root/test as a non-privileged user, csysdig will correctly show an EACCES error caused by the openat syscall.
Is this a bug, or somehow expected/intended behavior?
The only real difference I see here is that [ or the equivalent test are built-ins of the shell.
The text was updated successfully, but these errors were encountered:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi!
I just noticed that sysdig seems to miss a syscall error that is caught by both auditd and strace.
Note: I'm using sysdig without eBPF
When I run the following command from my normal, non-privileged user
[ -r /root ] || echo "not root"
sysdig correctly catches that the syscall
faccessat2
is used by this expression, however no correspondingEACCES
error is found in the "Errors" view of csysdig.When using the same expression with strace, I get the following line in the output:
access("/root", R_OK) = -1 EACCES (Permission denied)
And also auditd will log this EACCES (13) event when I add the rule
-a always,exit -S all -F exit=-EACCES
:type=SYSCALL (...) syscall=439 success=no exit=-13 (...) comm="bash" exe="/usr/bin/bash" (...) SYSCALL=faccessat2
If I instead try to use
touch /root/test
as a non-privileged user, csysdig will correctly show anEACCES
error caused by theopenat
syscall.Is this a bug, or somehow expected/intended behavior?
The only real difference I see here is that
[
or the equivalenttest
are built-ins of the shell.The text was updated successfully, but these errors were encountered: