From: "Bill Tangren"
Subject: Re: the meaning of this audit entry
Date: Tue, 20 Nov 2007 10:36:47 -0500 (EST)
Message-ID: <14222.199.211.133.254.1195573007.squirrel@aa.usno.navy.mil>
In-Reply-To: <200711191706.33466.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On DATE, the author spaketh: Steve Grubb
> On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote:
>> I'd like to know what this audit log entry means:
>
> It is easier to understand these when you give the '-i' option to
> ausearch. It changes things from numeric to text values. It also groups
> all records that make up the event so that you can see all of it.

For this event:

type=SYSCALL msg=audit(1195572240.060:2971371): arch=40000003 syscall=3 success=no exit=-11 a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=517 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"

I issued this command:

# ausearch -i -a 2971371

type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386 syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X exe=/usr/X11R6/bin/Xorg

Now, this system is plugged into a KVM switch, and sometimes the sysadmin who logs into the GUI stays logged in for days (he forgets to log out), and the switch is changed to some other system. I don't know if any of this has anything to do with why I'm getting 500MB worth of logs every day, but I have noticed that the logs are this big whenever someone is logged into the GUI.

BTW, this is a RHEL ES 4.6 system.

-- 
Bill Tangren
U.S. Naval Observatory
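An added example (not from the thread, nor from the audit project's own code) of what `ausearch -i` does to a raw SYSCALL record, plus a small tally that shows which process and failing syscall account for a log flood like the one described above. The sample log text, the partial i386 syscall table and the uid-to-name map are constructed stand-ins for the real tables and /etc/passwd lookups.

```python
import errno
import re
from collections import Counter

# Constructed audit.log excerpt: record one mirrors the thread's record, the
# rest are made up so summarize_failures() has something to rank.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1195572240.060:2971371): arch=40000003 syscall=3 success=no exit=-11 a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=517 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"
type=SYSCALL msg=audit(1195572240.061:2971372): arch=40000003 syscall=3 success=no exit=-11 a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=517 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"
type=SYSCALL msg=audit(1195572240.062:2971373): arch=40000003 syscall=5 success=yes exit=3 a0=bf8 a1=0 a2=1b6 a3=0 items=1 pid=4100 auid=517 uid=517 gid=517 euid=517 suid=517 fsuid=517 egid=517 sgid=517 fsgid=517 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1195572240.062:2971373): cwd="/home/bjt"
"""
AUDIT_ARCH = {"40000003": "i386", "c000003e": "x86_64"}
# Partial i386 syscall table (only what the samples need); ausearch has the full one.
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close"}
PASSWD = {0: "root", 517: "bjt"}  # constructed uid->name map
ID_FIELDS = ("auid", "uid", "gid", "euid", "suid", "fsuid", "egid", "sgid", "fsgid")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

def parse_record(line):
    """Split one raw record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    rec["time"], rec["serial"] = int(m.group(1)), int(m.group(3))
    return rec

def interpret(rec):
    """Mimic `ausearch -i`: replace numeric fields with their names."""
    out = dict(rec)
    out["arch"] = AUDIT_ARCH.get(rec["arch"], rec["arch"])
    if out["arch"] == "i386":
        out["syscall"] = I386_SYSCALLS.get(int(rec["syscall"]), rec["syscall"])
    code = int(rec["exit"])
    if code < 0:  # a negative exit is -errno; name it the way ausearch does
        out["exit"] = f"{code}({errno.errorcode.get(-code, 'unknown')})"
    for f in ID_FIELDS:
        if f in rec:
            out[f] = PASSWD.get(int(rec[f]), rec[f])
    return out

def summarize_failures(log_text):
    """Count failed syscalls per (comm, syscall, exit) to find what fills the log."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.startswith("type=SYSCALL"):
            rec = interpret(parse_record(line))
            if rec.get("success") == "no":
                counts[(rec["comm"], rec["syscall"], rec["exit"])] += 1
    return counts
```

Run `summarize_failures` over a day's audit.log and the top entry is the candidate for a targeted rule exclusion rather than a broader one.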