From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Marius.bao" <marius.bao@gmail.com>
Subject: What does each audit record field mean?
Date: Sun, 27 Jan 2008 16:25:47 +0800
Message-ID: <b807c37c0801270025y32fe4554pf76e87398806d9ae@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m0R8QAIO004088
	for <linux-audit@redhat.com>; Sun, 27 Jan 2008 03:26:10 -0500
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.152])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id m0R8PmkE023551
	for <linux-audit@redhat.com>; Sun, 27 Jan 2008 03:25:48 -0500
Received: by fg-out-1718.google.com with SMTP id e12so1455355fga.7
	for <linux-audit@redhat.com>; Sun, 27 Jan 2008 00:25:48 -0800 (PST)
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,
    I'm a newbie, I'm sorry for my question if anyone has already asked.
    I use auditctl -a exit,always -S open -F success=0 to audit all
successful open syscalls
    But in the audit.log file I found the following audit records:
    type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
items=1 ppid=9571 pid=96    95 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
key=(null)
    The "success" fields of the record is no, what does it mean? Does
it represent the syscall is failed?
    And what does "exit" field mean? Does it represent the syscall's exit code?
    I'm also confused with the meaning of the fields of "a0" "a1" "a2" and "a3".