On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote:
> I'd like to know what this audit log entry means:
It is easier to understand these when you give the '-i' option to ausearch. It
changes things from numeric to text values. It also groups all records that
make up the event so that you can see all of it.
> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"
I'm guessing that this is a failed read syscall that returned -EAGAIN.
ausearch -i would have changed all those numbers to what I put above.
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0
-F options are and'ed together. In this case, they cancel each other out.
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F auid=0
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F auid=0
None of these rules do anything because the options conflict.
> Is this being audited by default, or are one of the previous rules
> auditing it?
Hard to say without seeing the whole event that ausearch would output and
seeing what auditctl -l shows.
-Steve
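An added example, not part of this thread, that mechanically checks the point made above about -F filters being AND'ed: it parses auditctl rule lines and flags any field that is given two different equality values in one rule, since such a rule can never match. It assumes every -F filter is a plain key=value equality, as in the rules quoted here; the LIVE_RULE variant is constructed for comparison.

```python
import shlex
from collections import defaultdict

def parse_rule(rule):
    """Split one auditctl rule into its -S syscall names and -F filters.
    Assumption: every -F filter is a plain key=value equality, as in the
    rules quoted in the thread; other operators (!=, >, <) are not handled."""
    tokens = shlex.split(rule)
    syscalls, filters = [], []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-S":
            syscalls.append(tokens[i + 1])
            i += 2
        elif tokens[i] == "-F":
            key, _, value = tokens[i + 1].partition("=")
            filters.append((key, value))
            i += 2
        else:
            i += 1  # "-a exit,always" and anything else is not needed here
    return syscalls, filters

def conflicting_fields(rule):
    """Fields that carry two different equality values in the same rule.
    Because -F filters are AND'ed, such a rule can never match anything."""
    _, filters = parse_rule(rule)
    values = defaultdict(set)
    for key, value in filters:
        values[key].add(value)
    return sorted(key for key, seen in values.items() if len(seen) > 1)

def lint_rules(rules):
    """Return (rule, conflicting fields) for every rule that can never fire."""
    return [(r, conflicting_fields(r)) for r in rules if conflicting_fields(r)]

# DEAD_RULE is one of the rules quoted in the thread; LIVE_RULE is a constructed
# variant with a single auid filter, so the filters no longer contradict.
DEAD_RULE = ("-a exit,always -S mknod -S acct -S swapon -S sethostname "
             "-F success=0 -F auid=-1 -F auid=0")
LIVE_RULE = ("-a exit,always -S mknod -S acct -S swapon -S sethostname "
             "-F success=0 -F auid=0")

if __name__ == "__main__":
    for rule, fields in lint_rules([DEAD_RULE, LIVE_RULE]):
        print("never matches (contradictory -F on %s): %s" % (", ".join(fields), rule))
```

Feed it the output of `auditctl -l` to find rules whose filters cancel each other out before relying on them for coverage.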