linux-audit-bounces(a)redhat.com wrote on 08/09/2007 07:34:06 AM:
Hi Matt,
Questions relate to RHEL4 (unless they don't).
What are the meanings of the following fields from the SYSCALL record:
* items
the number of path records in the event
* fsuid
Filesystem User ID
* fsgid
Filesystem Group ID
What are the meanings of the following fields from the PATH record:
* flags
file system namei flags
* rdev
device identifier
How can I programmatically translate an architecture into human, e.g. 40000003 => 'i686'?
When creating a rule with auditctl, you should be able to use either 'b32' or 'b64' for the architecture.
If you're trying to read the audit log, ausearch has an option "-i" that
interprets numeric items into text. I'm not sure how well it works with
the arch fields, but might be worth a try.
Is there a way of doing a syscall name lookup without having root?
Without root access, I'm not sure. You could probably find the syscall table for your arch type online.
In RHEL5, what's the equivalent of 'auditctl -t'?
Sorry, I've forgotten what -t meant in auditctl.
Is there any master documentation I've missed? I'm only aware of the man
pages.
http://people.redhat.com/sgrubb/audit/
Hope that helps,
debora
----
Debora Velarde
Linux Security
IBM Linux Technology Center
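An added example, not from the list post, for the arch question above: the arch= value of a SYSCALL record is the kernel's AUDIT_ARCH_* constant, an ELF e_machine number OR'd with two flag bits, so it can be decoded without root or ausearch. The flag bits and e_machine numbers are the ones from <linux/audit.h> and <linux/elf-em.h>; the name labels, the record parser and the sample event are this example's own and the event is constructed, not a real log.

```python
import re

# Flag bits from <linux/audit.h>; the low bits hold the ELF e_machine number.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000

# ELF e_machine -> name.  The numbers are from <linux/elf-em.h>; the labels
# are this example's own, not libaudit's machine table.
ELF_MACHINE = {3: "i386", 62: "x86_64", 20: "ppc", 21: "ppc64",
               22: "s390", 40: "arm", 183: "aarch64"}

def decode_arch(value):
    """Split a raw arch= value (hex string) into (name, is_64bit, little_endian)."""
    raw = int(value, 16)
    name = ELF_MACHINE.get(raw & 0xFFFF, "unknown")
    return name, bool(raw & AUDIT_ARCH_64BIT), bool(raw & AUDIT_ARCH_LE)

def fields(record):
    """Turn one 'key=value key=value ...' audit record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", record))

def check_event(records):
    """Decode the SYSCALL record of one event and confirm that its items=
    count matches the number of PATH records that belong to the event."""
    syscall = next(fields(r) for r in records if r.startswith("type=SYSCALL"))
    paths = [fields(r) for r in records if r.startswith("type=PATH")]
    name, is64, le = decode_arch(syscall["arch"])
    return {
        "arch": name, "bits": 64 if is64 else 32, "little_endian": le,
        "syscall": int(syscall["syscall"]),
        "items": int(syscall["items"]), "path_records": len(paths),
        "consistent": int(syscall["items"]) == len(paths),
    }

# Constructed sample event (not a real log), shaped like RHEL4 audit output.
SAMPLE_EVENT = [
    'type=SYSCALL msg=audit(1186668846.123:456): arch=40000003 syscall=5 '
    'success=yes exit=3 a0=bfb1f5c0 a1=8000 a2=0 a3=0 items=1 ppid=2100 '
    'pid=2101 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 comm="cat" exe="/bin/cat"',
    'type=CWD msg=audit(1186668846.123:456): cwd="/root"',
    'type=PATH msg=audit(1186668846.123:456): item=0 name="/etc/shadow" '
    'inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00',
]

if __name__ == "__main__":
    print(check_event(SAMPLE_EVENT))
```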