Hello list,
I have some auditd messages like
----
node=xxxxxxxx type=PROCTITLE msg=audit(11/07/2023 15:07:37.822:236474) : proctitle=(systemd)
node= xxxxxxxx type=SYSCALL msg=audit(11/07/2023 15:07:37.822:236474) : arch=x86_64 syscall=socket success=yes exit=12 a0=inet a1=SOCK_DGRAM a2=ip a3=0x7ff7d8a40740 items=0 ppid=1 pid=3394229 auid=abcdef uid= abcdef gid=aqwzsx euid= abcdef suid= abcdef fsuid= abcdef egid= aqwzsx sgid= aqwzsx fsgid= aqwzsx tty=(none) ses=2284 comm=systemd exe=/usr/lib/systemd/systemd key=external-access
----
Which are generated by the rule:
-a always,exit -F arch=b64 -S socket,connect -F a0=0x2 -F auid>=1000 -F auid!=-1 -F key=external-access
Where can I find the description of the message ?
Specifically, what mean exit=12 and a2=ip and a3=0x7ff7d8a40740
Thanks for the explanation
Philippe