Bill,
On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
> I'd like to know what this audit log entry means:
>
> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="X" exe="/usr/X11R6/bin/Xorg"
arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is
a temporary failure. The event itself is nothing to worry about.
However, the audit rules you give below don't appear to specify read(),
so it's not immediately apparent why this would be showing up. The
x86_64 syscall=3 is close(), which you also don't specify. Have you got
any other rules in there which you haven't listed? Do you start your
audit.rules with a '-D'?
> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
> issuing a failed syscall. I can tell you that I see this if there is a
> user logged into the console GUI.
>
> The following are the rules that I have that are auditing syscalls:
Although I haven't specifically tested this, I believe that in every
case below where you've got -F auid=foo -F auid=bar, the rule will never
match. The reason for this is because filters are combined with and, not
or.
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F auid=0
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F auid=0
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
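An added example, not code from either message in this thread: it decodes the arch, syscall and exit fields of the record above the way Matt does by hand, and flags rules whose ANDed -F auid filters can never all be true at once. The syscall and errno tables are small hand-written Linux subsets (an assumption, enough for the numbers discussed here), not the full kernel tables.

```python
import re

# AUDIT_ARCH_* constants from the Linux kernel's audit.h (i386 and x86_64 only).
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}
# Hand-written subset of the syscall tables (assumption: enough for this thread).
SYSCALL_NAMES = {
    "i386": {3: "read", 6: "close", 14: "mknod"},
    "x86_64": {0: "read", 3: "close", 133: "mknod"},
}
# Linux errno values, fixed here so the result does not depend on the host OS.
ERRNO_NAMES = {1: "EPERM", 2: "ENOENT", 11: "EAGAIN", 13: "EACCES"}

# The record from the thread, re-joined onto one line.
SAMPLE_RECORD = (
    "type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 "
    "success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 "
    "auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 "
    'comm="X" exe="/usr/X11R6/bin/Xorg"'
)
# First rule from the thread, with its wrapped line re-joined.
SAMPLE_RULE = ("-a exit,always -S mknod -S acct -S swapon -S sethostname "
               "-F success=0 -F auid=-1 -F auid=0")


def parse_record(line):
    """Split an audit record into its key=value fields (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def explain_syscall(rec):
    """Resolve arch, syscall number and a negative exit code to readable names."""
    arch = ARCH_NAMES.get(int(rec["arch"], 16), "unknown")
    nr = int(rec["syscall"])
    name = SYSCALL_NAMES.get(arch, {}).get(nr, f"syscall#{nr}")
    code = int(rec["exit"])
    err = ERRNO_NAMES.get(-code, f"errno {-code}") if code < 0 else None
    return {"arch": arch, "syscall": name, "errno": err}


def auid_filter_values(rule):
    """Distinct auid values the rule demands; -F clauses are ANDed, so more than
    one distinct value means the rule can never match."""
    return sorted(set(re.findall(r"-F\s+auid=(\S+)", rule)))


def rule_can_match(rule):
    return len(auid_filter_values(rule)) <= 1


if __name__ == "__main__":
    print(explain_syscall(parse_record(SAMPLE_RECORD)))
    print("rule can match:", rule_can_match(SAMPLE_RULE))
```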