From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: What does each audit record field mean?
Date: Sun, 27 Jan 2008 08:15:39 -0500
Message-ID: <200801270815.39290.sgrubb@redhat.com>
References: <b807c37c0801270025y32fe4554pf76e87398806d9ae@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <b807c37c0801270025y32fe4554pf76e87398806d9ae@mail.gmail.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Marius.bao" <marius.bao@gmail.com>
List-Id: linux-audit@redhat.com

On Sunday 27 January 2008 03:25:47 Marius.bao wrote:
> =A0 =A0 type=3DSYSCALL msg=3Daudit(1201421673.445:1508): arch=3D4000000=
3
> syscall=3D5 success=3Dno exit=3D-2 a0=3Dbfec1e40 a1=3D0 a2=3Db7ee6548 a=
3=3Dbfec1e40
> items=3D1 ppid=3D9571 pid=3D96 =A0 =A095 auid=3D0 uid=3D0 gid=3D0 euid=3D=
0 suid=3D0
> fsuid=3D0 egid=3D0 sgid=3D0 fsgid=3D0 tty=3Dpts1 comm=3D"vim" exe=3D"/u=
sr/bin/vim"
> key=3D(null)
> =A0 =A0 The "success" fields of the record is no, what does it mean? Do=
es it
> =A0 =A0 represent the syscall is failed?=20

Yes


> =A0 =A0 And what does "exit" field mean? Does it represent the syscall'=
s exit
> code?

Yes.


> I'm also confused with the meaning of the fields of "a0" "a1" "a2"=20
> and "a3".

Arg 0, Arg 1, Arg 2, and Arg 3. All are integers. IOW, pointers are not=20
dereferenced, you would just have the address.

I have something that tells you about the meaning of various fields here:=
=20

http://people.redhat.com/sgrubb/audit/audit-parse.txt

Look in the field names section.

-Steve