From: Matthew Booth
Subject: Re: the meaning of this audit entry
Date: Mon, 19 Nov 2007 22:13:45 +0000
Message-ID: <1195510425.6013.16.camel@localhost.localdomain>
In-Reply-To: <12635.72.245.30.196.1195507332.squirrel@aa.usno.navy.mil>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Bill,

On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
> I'd like to know what this audit log entry means:
>
> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="X" exe="/usr/X11R6/bin/Xorg"

arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is a
temporary failure. The event itself is nothing to worry about.

However, the audit rules you give below don't appear to specify read(), so
it's not immediately apparent why this would be showing up. The x86_64
syscall=3 is close(), which you also don't specify. Have you got any other
rules in there which you haven't listed? Do you start your audit.rules with
a '-D'?

> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
> issuing a failed syscall. I can tell you that I see this if there is a
> user logged into the console GUI.
>
> The following are the rules that I have that are auditing syscalls:

Although I haven't specifically tested this, I believe that in every case
below where you've got -F auid=foo -F auid=bar, the rule will never match.
The reason for this is because filters are combined with and, not or.

> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
> auid=-1 -F auid=0
>
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
> auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
> auid=-1 -F auid=0

Matt

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
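Added example, not part of the message above or of audit's own tooling: a small Python script that decodes the arch/syscall/exit fields of a SYSCALL record the way the reply does (arch 40000003 is i386, syscall 3 is read(), exit -11 is EAGAIN) and scans an audit.rules text for rules that give the same -F field two different values, which, because filters are ANDed, can never match. The syscall name tables are deliberately tiny (only the numbers mentioned in the thread) and are an assumption; the sample record and rules are constructed from the quoted text.

```python
import errno
import re
import shlex

# Constructed sample record, shaped like the one discussed in the thread.
SAMPLE_RECORD = ('type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 '
                 'syscall=3 success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 '
                 'items=0 pid=3618 auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
                 'egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"')
# Constructed rules: the first carries the -F auid=-1 -F auid=0 pair from the thread.
SAMPLE_RULES = """
-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0
-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
"""

# AUDIT_ARCH_* values: ELF machine in the low bits, 0x40000000 = little-endian, 0x80000000 = 64-bit.
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}
# Assumption: minimal syscall tables holding only the numbers the thread mentions.
SYSCALL_NAMES = {"i386": {3: "read"}, "x86_64": {3: "close"}}


def decode_syscall_record(line):
    """Map a SYSCALL record's arch, syscall number and negative exit value to names."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    arch_name = ARCH_NAMES.get(int(fields["arch"], 16), fields["arch"])
    nr = int(fields["syscall"])
    exit_code = int(fields["exit"])  # a negative exit is -errno for a failed call
    return {
        "arch": arch_name,
        "syscall": SYSCALL_NAMES.get(arch_name, {}).get(nr, "syscall_%d" % nr),
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "exe": fields["exe"].strip('"'),
    }


def find_unmatchable_rules(rules_text):
    """Flag rules whose ANDed -F filters demand two different '=' values for one field."""
    flagged = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-a "):
            continue
        args = shlex.split(line)
        wanted = {}
        for i, tok in enumerate(args[:-1]):
            nxt = args[i + 1]
            if tok == "-F" and re.fullmatch(r"\w+=[^=<>!]*", nxt):  # plain field=value only
                field, _, value = nxt.partition("=")
                wanted.setdefault(field, set()).add(value)
        conflicts = {f: sorted(v) for f, v in wanted.items() if len(v) > 1}
        if conflicts:
            flagged.append((line, conflicts))
    return flagged
```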