Hi all,
I looked into the audit log and find myself having difficulty understanding the event fields a0-a3.
I tried to look for an answer but couldn't find any references for the following questions:
1. What are the initial values of a0-a3, and
2. Is there any way to get the 5th and above arguments?
`$ ausyscall --dump | grep 6 | head -n 1 ` returns
6 close
and below is part of my audit log, which contains 2 syscall records:
...
type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192 per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6 per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
...
The second syscall record shows that a1's value is somehow modified, which eventually proved that my guess that it would contain the previously invoked syscall's a1 value (1000) is wrong. That's how I got myself confused, and I am writing to seek an answer regarding this question.
Second, I wonder if there is a way for me to know the 5th and above arguments of a particular system call, i.e. _llseek, which takes 5 arguments?
Thanks a lot for all your help in advance!
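
An added example (not part of the original post): the SYSCALL record logs the first four argument registers in hex at syscall entry whether or not the call uses them, so this parser groups the records above by event serial, keeps only as many a-fields as the syscall takes, and attaches auxiliary records such as MMAP, which here carries mmap2's fifth argument (fd). The syscall name/argument-count table and the trimmed sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the records of events 197 and 198 from the post,
# with the trailing identity fields trimmed.
SAMPLE = """\
type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192 per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812 items=0 ppid=891 pid=907 comm="raspistill"
type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6 per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891 pid=907 comm="raspistill"
"""

# Assumption supplied by this example: (name, argument count) for the two
# ARM EABI syscall numbers that appear in the sample.
ARM_SYSCALLS = {192: ("mmap2", 6), 6: ("close", 1)}

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial; return {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        events[int(serial)][rtype] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return dict(events)

def decode_syscall(event):
    """Split a0-a3 into real arguments and unused slots; attach auxiliary records."""
    sc = event["SYSCALL"]
    name, nargs = ARM_SYSCALLS.get(int(sc["syscall"]), ("unknown", 4))
    regs = [int(sc[f"a{i}"], 16) for i in range(4)]  # a0-a3 are hex without 0x
    return {
        "name": name,
        "args": regs[:nargs],                  # slots the syscall actually takes
        "unused_slots": regs[nargs:],          # register contents the call ignores
        "not_in_a_fields": max(0, nargs - 4),  # arguments beyond a3
        "aux": {t: f for t, f in event.items() if t not in ("SYSCALL", "PROCTITLE")},
    }

if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE).items():
        print(serial, decode_syscall(ev))
```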