Hello list,

 

I have some auditd messages like

----

node=xxxxxxxx type=PROCTITLE msg=audit(11/07/2023 15:07:37.822:236474) : proctitle=(systemd)

node= xxxxxxxx type=SYSCALL msg=audit(11/07/2023 15:07:37.822:236474) : arch=x86_64 syscall=socket success=yes exit=12 a0=inet a1=SOCK_DGRAM a2=ip a3=0x7ff7d8a40740 items=0 ppid=1 pid=3394229 auid=abcdef uid= abcdef gid=aqwzsx euid= abcdef suid= abcdef fsuid= abcdef egid= aqwzsx sgid= aqwzsx fsgid= aqwzsx tty=(none) ses=2284 comm=systemd exe=/usr/lib/systemd/systemd key=external-access

----

 

Which are generated by the rule:

-a always,exit -F arch=b64 -S socket,connect -F a0=0x2 -F auid>=1000 -F auid!=-1 -F key=external-access

 

Where can I find the description of the message?

Specifically, what do exit=12, a2=ip and a3=0x7ff7d8a40740 mean?

 

Thanks for the explanation

 

Philippe
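
Added example, not part of the original message: a short Python parser that reads the SYSCALL record quoted above and labels exit and a0 to a3 for socket(2). It assumes the record is in the interpreted form printed by `ausearch -i`; the names parse_fields, explain_socket and NAMES are illustrative, and the sample record is the one from the post cut down to the fields used.

```python
import re
import socket

# Constructed sample: the SYSCALL record from the post, cut down to the fields used here.
RECORD = ("type=SYSCALL msg=audit(11/07/2023 15:07:37.822:236474) : arch=x86_64 "
          "syscall=socket success=yes exit=12 a0=inet a1=SOCK_DGRAM a2=ip "
          "a3=0x7ff7d8a40740 items=0 ppid=1 pid=3394229 comm=systemd "
          "exe=/usr/lib/systemd/systemd key=external-access")

# Names as printed in the interpreted record -> numeric value passed to the kernel.
NAMES = {"inet": int(socket.AF_INET), "SOCK_DGRAM": int(socket.SOCK_DGRAM),
         "ip": int(socket.IPPROTO_IP)}

def parse_fields(record):
    """Return the key=value pairs that follow the 'msg=audit(...) : ' header."""
    body = record.partition(") : ")[2] or record
    # A value is a bare token, optionally followed by a parenthesised part,
    # e.g. "(none)" or "EACCES(Permission denied)".
    return dict(re.findall(r"(\w+)=\s*([^\s(]*(?:\([^)]*\))?)", body))

def explain_socket(fields):
    """Describe exit and a0..a3 of a SYSCALL record for socket(2)."""
    if fields.get("syscall") != "socket":
        raise ValueError("not a socket(2) record")
    out = {}
    # socket(2) is: int socket(int domain, int type, int protocol)
    for reg, arg in zip(("a0", "a1", "a2"), ("domain", "type", "protocol")):
        val = fields[reg]
        num = NAMES.get(val)
        out[reg] = f"{arg}={val}" + (f" ({num:#x})" if num is not None else "")
    # audit always records four argument registers; socket(2) only takes three.
    out["a3"] = "not an argument of socket(2); leftover register content"
    if fields.get("success") == "yes":
        out["exit"] = f"return value, the new file descriptor {int(fields['exit'])}"
    else:
        out["exit"] = f"return value, error {fields['exit']}"
    return out

if __name__ == "__main__":
    for key, text in explain_socket(parse_fields(RECORD)).items():
        print(f"{key:5} {text}")
```

The rule's `-F a0=0x2` filter is the same AF_INET value that the interpreted record prints as a0=inet.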