From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: the meaning of this audit entry
Date: Mon, 19 Nov 2007 17:06:33 -0500
Message-ID: <200711191706.33466.sgrubb@redhat.com>
References: <12635.72.245.30.196.1195507332.squirrel@aa.usno.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <12635.72.245.30.196.1195507332.squirrel@aa.usno.navy.mil>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote:
> I'd like to know what this audit log entry means:

It is easier to understand these when you give the '-i' option to ausearch. It changes things from numeric to text values. It also groups all records that make up the event so that you can see all of it.

> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="X" exe="/usr/X11R6/bin/Xorg"

I'm guessing that this is a failed read syscall that returned -EAGAIN. ausearch -i would have changed all those numbers to what I put above.

> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
> auid=-1 -F auid=0

-F options are and'ed together. In this case, they cancel each other out.

> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
> auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
> auid=-1 -F auid=0

None of these rules do anything because the options conflict.

> Is this being audited by default, or are one of the previous rules
> auditing it?

Hard to say without seeing the whole event that ausearch would output and seeing what auditctl -l shows.

-Steve
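Added example, not part of the thread or of the audit package: a small Python script that does by hand the two things Steve points at. First it decodes the numeric fields of the SYSCALL record quoted above (arch=40000003 is AUDIT_ARCH_I386, syscall=3 is read on i386, exit=-11 is -EAGAIN) in the spirit of `ausearch -i`; the lookup tables are constructed and trimmed to a handful of values, and the exit field is rendered as an errno name rather than ausearch's exact wording. Second it checks an auditctl rule for the contradiction Steve describes: `-F` filters are AND'ed, so two `field=value` tests on the same field with different values can never both hold (auid=-1 is how auditctl writes the unset loginuid 4294967295). The sample record and rules are the ones from the thread; the function names are this example's own.

```python
import re
import shlex

# Constructed lookup tables, trimmed to what this example needs.
# AUDIT_ARCH_* values are from <linux/audit.h>; syscall numbers are i386.
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 14: "mknod", 21: "mount",
                 37: "kill", 61: "chroot", 79: "settimeofday", 87: "swapon"}
ERRNO_NAMES = {1: "EPERM", 2: "ENOENT", 11: "EAGAIN", 13: "EACCES"}
UNSET_AUID = 4294967295  # printed by auditctl as auid=-1

# key=value pairs; quoted values (comm="X") may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# field, comparison operator and value of one -F filter; longer ops first.
OP_RE = re.compile(r'^(\w+)(!=|>=|<=|&=|=|>|<|&)(.+)$')

# The record and rules quoted in the thread (single-line form).
SAMPLE_RECORD = ('type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 '
                 'syscall=3 success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 '
                 'items=0 pid=3618 auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
                 'egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"')
SAMPLE_RULES = [
    "-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0",
    "-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1",
]


def interpret_syscall_record(line):
    """Return the fields of a raw type=SYSCALL line with the numeric ones
    turned into names, roughly as `ausearch -i` presents them."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "SYSCALL":
        raise ValueError("not a SYSCALL record")
    arch = int(fields["arch"], 16)        # arch is hex without a 0x prefix
    nr = int(fields["syscall"])
    exit_code = int(fields["exit"])       # negative values are -errno
    auid = int(fields["auid"])
    return {
        "arch": ARCH_NAMES.get(arch, fields["arch"]),
        # Syscall numbers are per-architecture; only decode the i386 table here.
        "syscall": I386_SYSCALLS.get(nr, str(nr)) if arch == 0x40000003 else str(nr),
        "success": fields["success"] == "yes",
        "exit": ERRNO_NAMES.get(-exit_code, str(exit_code)) if exit_code < 0 else str(exit_code),
        "auid": "unset" if auid == UNSET_AUID else str(auid),
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
    }


def find_conflicting_filters(rule):
    """List the -F filters of one auditctl rule that can never be satisfied
    together: the filters are AND'ed, so `field=a` and `field=b` with a != b
    means the rule matches nothing."""
    args = shlex.split(rule)
    demanded = {}  # field -> set of values required with '='
    for i, tok in enumerate(args):
        if tok != "-F" or i + 1 >= len(args):
            continue
        m = OP_RE.match(args[i + 1])
        if not m:
            continue
        field, op, value = m.groups()
        if op != "=":
            continue  # only plain equality tests are checked here
        if field == "auid" and value == "-1":
            value = str(UNSET_AUID)  # auditctl's spelling of the unset loginuid
        demanded.setdefault(field, set()).add(value)
    return [f"{field}: required to equal {sorted(values)} at once; rule can never match"
            for field, values in sorted(demanded.items()) if len(values) > 1]


if __name__ == "__main__":
    print(interpret_syscall_record(SAMPLE_RECORD))
    for rule in SAMPLE_RULES:
        print(rule, "->", find_conflicting_filters(rule) or "no conflicting -F filters")
```

Run it with no arguments to see the decoded record and the verdict on the two rules. On a live system the authoritative tools remain `ausearch -i` for the decoded event and `auditctl -l` for the rules actually loaded; this script only reproduces the reasoning so the conflict is visible in a rules file before it is loaded.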