On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote: It is easier to understand these when you give the '-i' option to ausearch. It changes things from numeric to text values. It also grounds all records that make up the event so that you can see all of it. I'm guessing that this is a failed read syscall that returned -EAGAIN. ausearch -i would have changed all those numbers to what I put above. -F options are and'ed together. In this case, they cancel each other out. None of these rules do anything because the options conflict. Hard to say without seeing the whole event that ausearch would output and seeing what auditctl -l shows. -Steve

Looks to me like someone that was logged in as 'root' attempted but failed to read a x-windows file. The relevant tipoffs are: syscall=3 (read) success=no (failed) uid=0 (root user account) comm="X" or exe="/usr/X11R6/bin/Xorg" Mike -----Original Message----- From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Bill Tangren Sent: Tuesday, November 20, 2007 10:37 AM To: linux-audit(a)redhat.com Subject: Re: the meaning of this audit entry On DATE, the author spaketh: Steve Grubb For this event: type=SYSCALL msg=audit(1195572240.060:2971371): arch=40000003 syscall=3 success=no exit=-11 a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=517 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg" I issued this command: # ausearch -i -a 2971371 type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386 syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X exe=/usr/X11R6/bin/Xorg Now, this system is plugged into a KVM switch, and sometimes the sysadmin who logs into the GUI stays logged in for days (he forgots to log out), and the switch is changed to some other system. I don't know if any of this has anything to do with why I'm getting 500MB worth of logs every day, but I have noticed that the logs are this big whenever someone is logged into the GUI. BTW, this is a RHEL ES 4.6 system. -- Bill Tangren U.S. Naval Observatory -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.503 / Virus Database: 269.16.2/1142 - Release Date: 11/20/2007 5:44 PM No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.503 / Virus Database: 269.16.2/1142 - Release Date: 11/20/2007 5:44 PM

On Tuesday 20 November 2007 10:36:47 am Bill Tangren wrote: Yeah, see this is a wee bit more readable. I think you have a rule for reads with success != yes. The only thing you might want to worry about is failed access attempts. They have success=no, but their exit code is different. I'd think some auto logout rules would solve that. ;) That is excessive. I think it shows you need to refactor your rules. -Steve

On DATE, the author spaketh: Matthew Booth Except that it is putting 500MB into the logs every day. Yes, I start with this. Well, I'm just finding that out. Obviously I have to rewrite all my rules, or most of them, anyway. I'd like to blame someone else for the rules, since I was given these and told to use them, but I should know better. Obviously I have a lot to learn. I wish there was a tutorial or something I could read. I've gone over the man page, but I'm not learning enough from it. I'll star by splitting up the auid= rules, and observe what shows up in the logs. I've tried running the ausearch function, but it can take a really long time to return, even when I tell it to start only ten minutes ago. -- Bill Tangren U.S. Naval Observatory