linux-audit-bounces@redhat.com wrote on 08/09/2007 07:34:06 AM:
Hi Matt,
> Questions relate to RHEL4 (unless they don't).
>
> What are the meanings of the following fields from the SYSCALL record:
> * items
The number of PATH records in the event.
> * fsuid
Filesystem User ID
> * fsgid
Filesystem Group ID
>
> What are the meanings of the following fields from the PATH record:
> * flags
File system namei flags.
> * rdev
Device identifier.
>
> How can I programmatically translate an architecture into human, eg
> 40000003 => 'i686'?
When creating a rule with auditctl, you should be able to use either 'b32' or 'b64' for the architecture.
If you're trying to read the audit log, ausearch has an option "-i" that interprets numeric items into text. I'm not sure how well it works with the arch fields, but might be worth a try.
>
> Is there a way of doing a syscall name lookup without having root?
Without root access, I'm not sure. You could probably find the syscall table for your arch type online.
>
> In RHEL5, what's the equivalent of 'auditctl -t'?
Sorry I've forgotten what -t meant in auditctl.
>
> Is there any master documentation I've missed? I'm only aware of the man
> pages.
http://people.redhat.com/sgrubb/audit/
Hope that helps,
debora
----
Debora Velarde
Linux Security
IBM Linux Technology Center
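As an added illustration of the answers above (this is example code written for this page, not anything from the audit project or from the thread participants), the following Python decodes the arch field the way ausearch -i does, counts PATH records against items, and shows where fsuid/fsgid and rdev sit in an event. The arch value is the ELF e_machine number ORed with the kernel's __AUDIT_ARCH_64BIT (0x80000000) and __AUDIT_ARCH_LE (0x40000000) flags, so 40000003 is EM_386 plus little-endian, i.e. what ausearch prints as i386. The syscall tables are deliberately partial and hand-entered; a real tool would ship the full per-arch tables (ausearch does, and the later ausyscall utility exposes them without root). The two-line sample event is constructed, not a real log.

```python
import re
from collections import defaultdict

# Flags the kernel ORs into the ELF machine number to form the arch value
# (from linux/audit.h).
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000

# ELF e_machine numbers found in the low 16 bits of the arch value.
ELF_MACHINE = {
    0x03: "i386",
    0x3e: "x86_64",
    0x28: "arm",
    0xb7: "aarch64",
    0x15: "ppc64",
    0x16: "s390",
}

# Partial syscall tables, hand-entered for this example only. A real tool
# would carry the full tables for every architecture it expects to see.
SYSCALLS = {
    "i386":   {3: "read", 4: "write", 5: "open", 6: "close", 11: "execve", 295: "openat"},
    "x86_64": {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve", 257: "openat"},
}

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_arch(value):
    """Split an arch field such as 40000003 into machine name, width and byte order."""
    arch = int(value, 16)
    machine = arch & 0xffff
    name = ELF_MACHINE.get(machine, "unknown(0x%x)" % machine)
    bits = 64 if arch & AUDIT_ARCH_64BIT else 32
    if name == "s390" and bits == 64:
        name = "s390x"  # EM_S390 with the 64-bit flag is what ausearch shows as s390x
    return {"name": name, "bits": bits,
            "endian": "little" if arch & AUDIT_ARCH_LE else "big"}


def syscall_name(arch_name, nr):
    """Map a syscall number to its name for the given arch (falls back to the number)."""
    return SYSCALLS.get(arch_name, {}).get(int(nr), "syscall-%s" % nr)


def parse_record(line):
    """Turn one audit record line into its type, timestamp, serial and field dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def split_dev(value):
    """dev/rdev are printed as hex major:minor, e.g. fd:00; rdev is the device
    identifier of the path itself and is 00:00 for anything but a device node."""
    major, minor = value.split(":")
    return int(major, 16), int(minor, 16)


def interpret_event(lines):
    """Group records by serial number and build the human-readable view of each event."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        by_serial[rec["serial"]].append(rec)
    result = {}
    for serial, recs in by_serial.items():
        syscalls = [r["fields"] for r in recs if r["type"] == "SYSCALL"]
        if not syscalls:
            continue  # a stray PATH/CWD without its SYSCALL record: nothing to interpret
        sc = syscalls[0]
        paths = [r["fields"] for r in recs if r["type"] == "PATH"]
        arch = decode_arch(sc["arch"])
        result[serial] = {
            "arch": arch,
            "syscall": syscall_name(arch["name"], sc["syscall"]),
            "success": sc.get("success") == "yes",
            # fsuid/fsgid are the ids the kernel used for the permission check on
            # this access; they normally equal euid/egid but are logged separately.
            "fsuid": int(sc["fsuid"]), "fsgid": int(sc["fsgid"]), "euid": int(sc["euid"]),
            # items is the number of PATH records the kernel emitted for this event;
            # a mismatch means the event is incomplete (e.g. a lost record).
            "items": int(sc["items"]),
            "items_match": int(sc["items"]) == len(paths),
            "paths": [(p["name"], split_dev(p["rdev"])) for p in paths],
            "key": sc.get("key"),
        }
    return result


# Constructed sample event (not a real log): a 32-bit open() of /etc/passwd.
SAMPLE = """\
type=SYSCALL msg=audit(1186657200.123:456): arch=40000003 syscall=5 success=yes exit=3 a0=bf8c1234 a1=8000 a2=0 a3=0 items=1 ppid=100 pid=200 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="cat" exe="/bin/cat" key="watch-passwd"
type=PATH msg=audit(1186657200.123:456): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
""".splitlines()

if __name__ == "__main__":
    for serial, ev in interpret_event(SAMPLE).items():
        print(serial, ev)
```

The items-versus-PATH-count check is the one worth keeping in any parser: when it fails you are looking at a truncated event, not at a syscall that touched fewer files. The same grouping by serial is how you would attach CWD and other record types to their SYSCALL record.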