From: Steve Grubb
Subject: Re: the meaning of this audit entry
Date: Tue, 20 Nov 2007 21:17:38 -0500
Message-ID: <200711202117.38654.sgrubb@redhat.com>
In-Reply-To: <01b101c82bd8$4ecedfd0$6e01a8c0@Rascal>
To: linux-audit@redhat.com

On Tuesday 20 November 2007 07:49:00 pm Mike Nixon wrote:
> Looks to me like someone that was logged in as 'root' attempted but failed
> to read a x-windows file.  The relevant tipoffs are:
>
> syscall=3  (read)
> success=no      (failed)
> uid=0           (root user account)
> comm="X" or exe="/usr/X11R6/bin/Xorg"

You are forgetting the exit code. In this case, it matters. :)

-Steve
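An added example, not part of the thread: a small parser showing how the `exit` field changes the reading of a `success=no` read record. The two records and their exit values are constructed for illustration (the thread does not show the original record), and `parse_record` and `classify_failure` are hypothetical helper names.

```python
import re

# Constructed SYSCALL records (not from the thread). They reuse the fields
# quoted above and differ only in the hypothetical exit value.
BASE = ('type=SYSCALL msg=audit(1195500000.123:4567): arch=40000003 '
        'syscall=3 success=no exit={exit} a0=3 a1=8179ec0 a2=20 a3=0 '
        'items=0 pid=2501 auid=4294967295 uid=0 gid=0 euid=0 '
        'comm="X" exe="/usr/X11R6/bin/Xorg"')
SAMPLE_RECORDS = [BASE.format(exit=-11), BASE.format(exit=-13)]

# Linux errno values, hardcoded so the result does not depend on the
# platform the analysis runs on. A failed syscall logs exit=-errno.
LINUX_ERRNO = {1: "EPERM", 4: "EINTR", 11: "EAGAIN", 13: "EACCES"}
DENIED = {"EPERM", "EACCES"}      # the kernel refused the operation
TRANSIENT = {"EINTR", "EAGAIN"}   # nothing was refused; the caller retries

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a field dict, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_failure(rec):
    """Return (kind, errno_name) for a parsed SYSCALL record."""
    if rec.get("success") != "no":
        return ("ok", None)
    code = -int(rec["exit"])
    name = LINUX_ERRNO.get(code, "errno %d" % code)
    if name in DENIED:
        kind = "denied"
    elif name in TRANSIENT:
        kind = "transient"
    else:
        kind = "other"
    return (kind, name)


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(rec["comm"], "syscall=" + rec["syscall"], classify_failure(rec))
```

Both records carry the same `syscall`, `success`, `uid` and `comm` values; only `exit` separates a non-blocking read that had no data yet from a read the kernel refused.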