RE: the meaning of this audit entry

Looks to me like someone that was logged in as 'root' attempted but failed to read a x-windows file. The relevant tipoffs are: syscall=3 (read) success=no (failed) uid=0 (root user account) comm="X" or exe="/usr/X11R6/bin/Xorg" Mike -----Original Message----- From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Bill Tangren Sent: Tuesday, November 20, 2007 10:37 AM To: linux-audit(a)redhat.com Subject: Re: the meaning of this audit entry On DATE, the author spaketh: Steve Grubb For this event: type=SYSCALL msg=audit(1195572240.060:2971371): arch=40000003 syscall=3 success=no exit=-11 a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=517 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg" I issued this command: # ausearch -i -a 2971371 type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386 syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X exe=/usr/X11R6/bin/Xorg Now, this system is plugged into a KVM switch, and sometimes the sysadmin who logs into the GUI stays logged in for days (he forgots to log out), and the switch is changed to some other system. I don't know if any of this has anything to do with why I'm getting 500MB worth of logs every day, but I have noticed that the logs are this big whenever someone is logged into the GUI. BTW, this is a RHEL ES 4.6 system. -- Bill Tangren U.S. Naval Observatory -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.503 / Virus Database: 269.16.2/1142 - Release Date: 11/20/2007 5:44 PM No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.503 / Virus Database: 269.16.2/1142 - Release Date: 11/20/2007 5:44 PM