From: Matthew Booth <mbooth@redhat.com>
To: linux-audit@redhat.com
Subject: Re: the meaning of this audit entry
Date: Mon, 19 Nov 2007 22:13:45 +0000
Message-ID: <1195510425.6013.16.camel@localhost.localdomain>
In-Reply-To: <12635.72.245.30.196.1195507332.squirrel@aa.usno.navy.mil>
Bill,
On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
> I'd like to know what this audit log entry means:
>
> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"
arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is
a temporary failure. The event itself is nothing to worry about.
However, the audit rules you give below don't appear to specify read(),
so it's not immediately apparent why this would be showing up. The
x86_64 syscall=3 is close(), which you also don't specify. Have you got
any other rules in there which you haven't listed? Do you start your
audit.rules with a '-D'?
> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
> issuing a failed syscall. I can tell you that I see this if there is a
> user logged into the console GUI.
>
> The following are the rules that I have that are auditing syscalls:
Although I haven't specifically tested this, I believe that in every
case below where you've got -F auid=foo -F auid=bar, the rule will never
match. The reason for this is that filters are combined with AND, not
OR.
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F auid=0
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
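The two points in Matthew's reply (decoding arch/syscall/exit in a SYSCALL record, and the AND semantics of stacked -F filters) as an added worked example; this script is not part of the thread or of the audit project. It parses the record Bill quoted, looks up the architecture and syscall number in the well-known kernel constants (AUDIT_ARCH_I386 = 0x40000003, AUDIT_ARCH_X86_64 = 0xc000003e, and a handful of syscall numbers from unistd_32.h/unistd_64.h), and evaluates a deliberately simplified subset of auditctl rule syntax (only -S and -F key=value) against it. The rules containing -S read are constructed for the demonstration; only the first rule string is taken from the post.

```python
"""Decode a Linux audit SYSCALL record and evaluate simplified auditctl -F filters.

Added example for the linux-audit thread above. Decoding tables are the
standard kernel constants; the rule evaluator models only the -S list and
-F key=value conditions, which is enough to show why -F auid=-1 -F auid=0
can never match.
"""
import re

# AUDIT_ARCH_* from <linux/audit.h>: EM_386 | __AUDIT_ARCH_32BIT, and
# EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE.
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}

# Only the numbers needed here; the same number means a different call on
# each architecture, which is why arch= must be read before syscall=.
SYSCALL_NAMES = {
    "i386":   {3: "read", 4: "write", 5: "open", 6: "close", 14: "mknod"},
    "x86_64": {0: "read", 1: "write", 2: "open", 3: "close", 133: "mknod"},
}

# Linux errno values; a failed SYSCALL record carries exit=-errno.
ERRNO_NAMES = {1: "EPERM", 2: "ENOENT", 11: "EAGAIN", 13: "EACCES"}

# The record from the post (wrapped across four lines in the mail, joined here).
RECORD = (
    'type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 '
    'success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 '
    'auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="X" exe="/usr/X11R6/bin/Xorg"'
)

# First rule from the post, and three constructed rules (not from the thread)
# whose -S list does include read so the auid conditions are what decides.
POSTED_RULE = ("-a exit,always -S mknod -S acct -S swapon -S sethostname "
               "-F success=0 -F auid=-1 -F auid=0")
RULE_NEVER = "-a exit,always -S read -F success=0 -F auid=-1 -F auid=0"
RULE_UNSET = "-a exit,always -S read -F success=0 -F auid=-1"
RULE_ROOT = "-a exit,always -S read -F success=0 -F auid=0"

# key=value pairs; values are either "quoted" or a run of non-space characters,
# so msg=audit(...): survives as a single token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the record's key=value fields as a dict, with quotes stripped."""
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}


def decode_syscall(fields):
    """Return (arch name, syscall name, errno name or None) for a SYSCALL record."""
    arch = ARCH_NAMES.get(int(fields["arch"], 16), "unknown")
    nr = int(fields["syscall"])
    name = SYSCALL_NAMES.get(arch, {}).get(nr, f"syscall_{nr}")
    exit_code = int(fields["exit"])
    err = ERRNO_NAMES.get(-exit_code, str(exit_code)) if exit_code < 0 else None
    return arch, name, err


def rule_matches(fields, rule):
    """Evaluate one rule against a parsed SYSCALL record.

    The -S list and every -F condition are ANDed, exactly as auditctl does it,
    so two -F auid=... conditions with different values are unsatisfiable.
    """
    _, name, _ = decode_syscall(fields)
    syscalls = re.findall(r'-S\s+(\w+)', rule)
    if syscalls and name not in syscalls:
        return False
    for key, value in re.findall(r'-F\s+(\w+)=(-?\w+)', rule):
        if key == "success":
            actual = "1" if fields.get("success") == "yes" else "0"
        else:
            if key == "auid" and value == "-1":
                value = "4294967295"  # unset loginuid, as the kernel logs it
            actual = fields.get(key)
        if actual != value:
            return False
    return True


if __name__ == "__main__":
    fields = parse_record(RECORD)
    arch, name, err = decode_syscall(fields)
    print(f"{fields['exe']} ({arch}): {name}() failed with {err}")
    # Probe the rules with three different loginuids: root, unset, and the one
    # actually in the record. RULE_NEVER is False for all of them.
    for auid in ("0", "4294967295", "825305204"):
        probe = dict(fields, auid=auid)
        print(f"auid={auid:>10}  never={rule_matches(probe, RULE_NEVER)!s:5} "
              f"unset={rule_matches(probe, RULE_UNSET)!s:5} "
              f"root={rule_matches(probe, RULE_ROOT)}")
```

Running it prints that the record is an i386 read() failing with EAGAIN, and that the combined rule matches none of the probed loginuids while the two single-auid rules each match their own case; that split is the usual way to express "root or unset loginuid" given that -F conditions are ANDed.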