From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Smith, Gary R" Subject: Re: explanation/translation of auditd exit codes Date: Wed, 1 May 2013 13:16:51 -0700 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com [10.5.110.17]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r41KGt0b010612 for ; Wed, 1 May 2013 16:16:55 -0400 Received: from emailgw02.pnnl.gov (emailgw02.pnnl.gov [192.101.109.63]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r41KGrKo023221 for ; Wed, 1 May 2013 16:16:54 -0400 In-Reply-To: Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Vaughn, Chad M" , "linux-audit@redhat.com" List-Id: linux-audit@redhat.com Hi Chad, How are you looking at the syscall events? This is one case where grep is not your friend. Try using ausearch instead. Here's a syscall that failed and the log record was extracted with ausearch -a 1689093 where 1689093 is the audit id: type=SYSCALL msg=audit(1367438345.734:1689093): arch=c000003e syscall=2 success=no exit=-13 a0=7f5c361ef8b0 a1=c2 a2=180 a3=7f5c361ef8b0 items=1 ppid=1 pid=3840 auid=1341 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=231 comm="fishpacker" exe="/usr/bin/fishpacker" key=61636365737301616363657373016964732D7379732D6869 This look pretty ugly. I have no idea what syscall number 2 is or what a -13 for an exit code is. But, if I do ausearch -i -a 1689093 (note the -i flag meaning "interpret") I get: type=SYSCALL msg=audit(05/01/2013 12:59:05.734:1689093) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f5c361ef8b0 a1=O_RDWR|O_CREAT|O_EXCL a2=0x180 a3=0x7f5c361ef8b0 items=1 ppid=1 pid=3840 auid=blotto uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=231 comm=fishpacker exe=/usr/bin/fishpacker key=access key=access key=ids-sys-hi This is much nicer on the eyes. It was open syscall that failed because of a permission denied. I also get the arguments on how the open on the file (O_RDWR|O_CREAT|O_EXCL) was set up. Let ausearch -i do the walking thru the audit log pages and do the mapping so you don't have to. Best regards, Gary Smith On 5/1/13 12:05 PM, "Vaughn, Chad M" wrote: >All, > >Is there a listing somewhere that explains what various exit codes in >auditd are? > >For example, we are getting some exit=-17 entries in our logs, and we >have narrowed it down to an init script that tries to create a directory >that already exists. >So, we are pretty sure exit=-17 means that a directory already exits. > >It would be nice if we knew all codes and their translation, whether it >be exit=-2, exit=-22, exit=-6, or exit=-17 and so on. > >I have yet to find that explained anywhere. Any info would be greatly >appreciated and would help us fine tune our audit.rules file. > >Chad Vaughn > >-- >Linux-audit mailing list >Linux-audit@redhat.com >https://www.redhat.com/mailman/listinfo/linux-audit