On Sunday 27 January 2008 03:25:47 Marius.bao wrote:
> type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
> syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
> items=1 ppid=9571 pid=96 95 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
> key=(null)
>
> The "success" field of the record is no, what does it mean? Does it
> represent that the syscall failed?
Yes
> And what does the "exit" field mean? Does it represent the syscall's exit
> code?
Yes.
> I'm also confused about the meaning of the fields "a0", "a1", "a2"
> and "a3".
Arg 0, Arg 1, Arg 2, and Arg 3. All are integers. IOW, pointers are not
dereferenced, you would just have the address.
I have something that tells you about the meaning of various fields here:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
Look in the field names section.
-Steve
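As an added example (not part of this thread or of the audit tools), a small Python parser that pulls the fields Steve describes out of a SYSCALL record and decodes them: success=no marks a failed call, a negative exit value is -errno, and a0..a3 are plain hex integers, so a pointer argument is just its address. The sample record is constructed, modeled on the one quoted above with a made-up pid.

```python
import errno
import re

# Constructed sample record, modeled on the one quoted in the thread
# (pid changed to a made-up value; everything else follows the same layout).
SAMPLE = ('type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003 syscall=5 '
          'success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40 items=1 '
          'ppid=9571 pid=4242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
          'sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim" key=(null)')

# key=value pairs; values are either a quoted string or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field name -> raw string value."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def interpret_syscall(fields):
    """Decode the fields asked about in the thread: success, exit, a0..a3."""
    out = {}
    # success=no means the syscall failed.
    out['failed'] = fields['success'] == 'no'
    # exit is the syscall's return code; on failure the kernel returns -errno,
    # so map the negative value to its symbolic errno name.
    ret = int(fields['exit'])
    out['exit'] = ret
    out['errno'] = errno.errorcode.get(-ret) if ret < 0 else None
    # a0..a3 are the raw syscall arguments logged as hex integers. Pointers
    # are not dereferenced: a0 here is the address of the filename, not the name.
    out['args'] = [int(fields['a%d' % i], 16) for i in range(4)]
    return out


def failed_records(lines):
    """Return (comm, errno name) for every failed SYSCALL record in a batch."""
    result = []
    for line in lines:
        f = parse_record(line)
        if f.get('type') == 'SYSCALL' and f.get('success') == 'no':
            result.append((f.get('comm'), interpret_syscall(f)['errno']))
    return result


if __name__ == '__main__':
    print(interpret_syscall(parse_record(SAMPLE)))
    print(failed_records([SAMPLE]))
```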