Re: explanation/translation of auditd exit codes

Hi Chad, How are you looking at the syscall events? This is one case where grep is not your friend. Try using ausearch instead. Here's a syscall that failed and the log record was extracted with ausearch -a 1689093 where 1689093 is the audit id: type=SYSCALL msg=audit(1367438345.734:1689093): arch=c000003e syscall=2 success=no exit=-13 a0=7f5c361ef8b0 a1=c2 a2=180 a3=7f5c361ef8b0 items=1 ppid=1 pid=3840 auid=1341 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=231 comm="fishpacker" exe="/usr/bin/fishpacker" key=61636365737301616363657373016964732D7379732D6869 This look pretty ugly. I have no idea what syscall number 2 is or what a -13 for an exit code is. But, if I do ausearch -i -a 1689093 (note the -i flag meaning "interpret") I get: type=SYSCALL msg=audit(05/01/2013 12:59:05.734:1689093) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f5c361ef8b0 a1=O_RDWR|O_CREAT|O_EXCL a2=0x180 a3=0x7f5c361ef8b0 items=1 ppid=1 pid=3840 auid=blotto uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=231 comm=fishpacker exe=/usr/bin/fishpacker key=access key=access key=ids-sys-hi This is much nicer on the eyes. It was open syscall that failed because of a permission denied. I also get the arguments on how the open on the file (O_RDWR|O_CREAT|O_EXCL) was set up. Let ausearch -i do the walking thru the audit log pages and do the mapping so you don't have to. Best regards, Gary Smith On 5/1/13 12:05 PM, "Vaughn, Chad M" <chad.m.vaughn(a)lmco.com&gt; wrote: