Bill,

On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
> I'd like to know what this audit log entry means:
>
> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="X" exe="/usr/X11R6/bin/Xorg"

arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is a
temporary failure. The event itself is nothing to worry about.

However, the audit rules you give below don't appear to specify read(), so
it's not immediately apparent why this would be showing up. The x86_64
syscall=3 is close(), which you also don't specify. Have you got any other
rules in there which you haven't listed? Do you start your audit.rules
with a '-D'?

> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
> issuing a failed syscall. I can tell you that I see this if there is a
> user logged into the console GUI.
>
> The following are the rules that I have that are auditing syscalls:

Although I haven't specifically tested this, I believe that in every case
below where you've got -F auid=foo -F auid=bar, the rule will never match.
The reason for this is because filters are combined with and, not or.

> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F auid=0

Matt

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
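As an added example (not part of the thread), a small Python decoder for the SYSCALL record Matt walks through, plus a linter for the "-F auid=foo -F auid=bar" contradiction he points out; the arch, syscall and errno tables are abbreviated to the Linux values relevant here.

```python
import re

# AUDIT_ARCH_* values and a few syscall numbers for the two ABIs discussed
# in the thread (abbreviated tables, Linux numbering).
ARCHES = {0x40000003: "i386", 0xC000003E: "x86_64"}
SYSCALLS = {
    "i386":   {3: "read", 4: "write", 5: "open", 6: "close"},
    "x86_64": {0: "read", 1: "write", 2: "open", 3: "close"},
}
# Linux errno numbers, hard-coded rather than taken from the host's errno
# module so that a Linux log decodes correctly on any platform.
ERRNO = {1: "EPERM", 2: "ENOENT", 11: "EAGAIN", 13: "EACCES"}

# The record and the first two rules quoted in the thread.
RECORD = ('type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 '
          'success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 '
          'auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
          'comm="X" exe="/usr/X11R6/bin/Xorg"')
RULES = [
    "-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0",
    "-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1",
]

def decode_syscall_record(line):
    """Resolve arch, syscall name and errno name from one SYSCALL record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    arch = ARCHES.get(int(fields["arch"], 16), "unknown")
    nr = int(fields["syscall"])
    exit_code = int(fields["exit"])
    return {
        "arch": arch,
        "syscall": SYSCALLS.get(arch, {}).get(nr, f"#{nr}"),
        "success": fields["success"] == "yes",
        "errno": ERRNO.get(-exit_code) if exit_code < 0 else None,
        "exe": fields.get("exe", "").strip('"'),
    }

def contradictory_filters(rule):
    """Fields given two different '-F field=value' filters in one rule.
    auditctl ANDs all -F filters, so such a rule can never match."""
    seen = {}
    for field, value in re.findall(r"-F\s+(\w+)=(\S+)", rule):
        seen.setdefault(field, set()).add(value)
    return sorted(f for f, vals in seen.items() if len(vals) > 1)

if __name__ == "__main__":
    print(decode_syscall_record(RECORD))
    for rule in RULES:
        print(contradictory_filters(rule) or "ok", "<-", rule)
```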