Re: audit message types
On Tue, 2005-05-10 at 10:26 -0400, Steve Grubb wrote:
type=SYSCALL msg=audit(1115734892.933:11104482): syscall=117
arch=40000003
success=yes exit=0 a0=18 a1=9000e a2=100 a3=0 items=0 pid=22636 loginuid=525
uid=525 gid=525 euid=525 suid=525 fsuid=525 egid=525 sgid=525 fsgid=525
comm="firefox-bin" exe=/usr/lib/firefox-1.0.3/firefox-bin
There doesn't seem to be any supplemental records. I'll investigate.
Decoding the above...
a0 is the real IPC call -- 0x18 is shmctl().
a1 is the shmid (0x9000e).
a2 is the command (IPC_64|IPC_RMID).
That isn't one of the IPC subfunctions which has auxiliary information
to log. Try the attached 'ipcstuff.c', which makes IPC_SET calls.
--
dwmw2
Attachments:
- ipcstuff.c (text/x-csrc — 389 bytes)