From: Matthew Booth
To: linux-audit
Subject: Multiple EXECVE records
Date: Wed, 11 Mar 2009 11:13:58 +0000
Message-ID: <1236770038.8878.1.camel@localhost.localdomain>

Any idea what this means:

type=SYSCALL msg=audit(1236769790.766:247): arch=40000003 syscall=11 success=yes exit=0 a0=9d1e668 a1=9d23e50 a2
type=EXECVE msg=audit(1236769790.766:247): argc=4 a0="/bin/sh" a1="/sbin/service" a2="sshd" a3="restart"
type=EXECVE msg=audit(1236769790.766:247): argc=3 a0="/bin/sh" a1="/sbin/service" a2="sshd"
type=CWD msg=audit(1236769790.766:247): cwd="/root"
type=PATH msg=audit(1236769790.766:247): item=0 name="/sbin/service" inode=189083 dev=fc:01 mode=0100755 ouid=0
type=PATH msg=audit(1236769790.766:247): item=1 name=(null) inode=251907 dev=fc:01 mode=0100755 ouid=0 ogid=0 rd
type=PATH msg=audit(1236769790.766:247): item=2 name=(null) inode=315525 dev=fc:01 mode=0100755 ouid=0 ogid=0 rd

Note that there are 2 EXECVE records there. This was generated by RHEL 5.3 i386.

Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
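
An added example, not part of the original message: one way to find events like the one above, where several EXECVE records share a single audit event ID (timestamp:serial). The function names are hypothetical, and the sample records are copied from the message, with the SYSCALL line left truncated as posted.

```python
import re
from collections import defaultdict

# Records copied from the message above (SYSCALL line truncated as posted).
SAMPLE = '''\
type=SYSCALL msg=audit(1236769790.766:247): arch=40000003 syscall=11 success=yes exit=0 a0=9d1e668 a1=9d23e50 a2
type=EXECVE msg=audit(1236769790.766:247): argc=4 a0="/bin/sh" a1="/sbin/service" a2="sshd" a3="restart"
type=EXECVE msg=audit(1236769790.766:247): argc=3 a0="/bin/sh" a1="/sbin/service" a2="sshd"
type=CWD msg=audit(1236769790.766:247): cwd="/root"
'''

RECORD = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value or key="quoted value"; bare tokens such as a truncated "a2" are skipped.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(lines):
    """Group records by audit event ID (timestamp, serial)."""
    events = defaultdict(list)
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, ts, serial, body = m.groups()
        # Unquoted (hex-encoded) values are kept as-is, not decoded.
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[(ts, int(serial))].append((rtype, fields))
    return events

def execve_argv(fields):
    """Rebuild argv from a0..aN, using argc as the count."""
    argc = int(fields.get('argc', 0))
    return [fields.get(f'a{i}') for i in range(argc)]

def multi_execve(events):
    """Return {event_id: [argv, ...]} for events with more than one EXECVE record."""
    out = {}
    for eid, records in events.items():
        argvs = [execve_argv(f) for rtype, f in records if rtype == 'EXECVE']
        if len(argvs) > 1:
            out[eid] = argvs
    return out

if __name__ == '__main__':
    for (ts, serial), argvs in multi_execve(group_events(SAMPLE.splitlines())).items():
        print(f'event {ts}:{serial} has {len(argvs)} EXECVE records')
        for argv in argvs:
            print('   ', argv)
```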