From: "Marius.bao"
Subject: Re: What does each audit record field mean?
Date: Tue, 29 Jan 2008 15:16:44 +0800
References: <200801270815.39290.sgrubb@redhat.com>
In-Reply-To: <200801270815.39290.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Thanks a lot :-)

I still have several questions:

1. My audit rule is "auditctl -a exit,always -S open -F success=0"; why, in the audit record, is the success field "no"? And if I use the opposite rule, "auditctl -a exit,always -S open -F success!=0", the records' "success" field is "yes"?

2. In some audit records, the "success" is yes, but with a non-zero exit code. When does this situation occur (a syscall succeeds with a non-zero exit code)?

3. Has anyone ever tested the system performance impact when the kernel audit functionality is turned on?
I've tested with the following audit rules:

    auditctl -a exit,always -S read -F success=0
    auditctl -a exit,always -S readv -F success=0
    auditctl -a exit,always -S write -F success=0
    auditctl -a exit,always -S writev -F success=0
    auditctl -a exit,always -S fork -F success=0
    auditctl -a exit,always -S clone -F success=0
    auditctl -a exit,always -S truncate -F success=0
    auditctl -a exit,always -S ftruncate -F success=0
    auditctl -a exit,always -S link -F success=0
    auditctl -a exit,always -S unlink -F success=0
    auditctl -a exit,always -S symlink -F success=0
    auditctl -a exit,always -S chown -F success=0
    auditctl -a exit,always -S chmod -F success=0
    auditctl -a exit,always -S fchown -F success=0
    auditctl -a exit,always -S fchmod -F success=0
    auditctl -a exit,always -S kill -F success=0
    auditctl -a exit,always -S mmap -F success=0
    auditctl -a exit,always -S signal -F success=0

I've tested the source code compile benchmark with kscope 1.6.0 (a source reading tool). My platform is Fedora 8, kernel version 2.6.23, an Intel Pentium(R) processor at 1.7GHz, and 512M main memory.

Without any audit, the kscope compile time is as follows:

    0m32s total time
    0m14s user space time
    0m3s sys space time

With the above audit rule set, the kscope source compile time is as follows:

    1m4s total time
    0m14s user space time
    0m15s sys space time

It turned out that with some of the audit rule set, the kscope source compile process takes double the time. I wonder why it has such a heavy impact on the system's performance. I also read some papers (<>) on other audit systems. Their system impact is relatively low, about 6%~8% with all syscall information audited.
> On Sunday 27 January 2008 03:25:47 Marius.bao wrote:
> > type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
> > syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
> > items=1 ppid=9571 pid=9695 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
> > key=(null)
> > The "success" field of the record is no, what does it mean? Does it
> > represent that the syscall failed?
>
> Yes
>
> > And what does the "exit" field mean? Does it represent the syscall's exit
> > code?
>
> Yes.
>
> > I'm also confused with the meaning of the fields "a0" "a1" "a2"
> > and "a3".
>
> Arg 0, Arg 1, Arg 2, and Arg 3. All are integers. IOW, pointers are not
> dereferenced, you would just have the address.
>
> I have something that tells you about the meaning of various fields here:
>
> http://people.redhat.com/sgrubb/audit/audit-parse.txt
>
> Look in the field names section.
>
> -Steve
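As an added illustration of the success/exit fields discussed in this thread (example code, not from the list or the audit project): a small parser for a SYSCALL record that reads "exit" as the raw syscall return value, so a negative exit decodes to -errno while a successful open() legitimately shows success=yes with a non-zero exit (the new file descriptor). The sample records are constructed after the one quoted above; the syscall-name table and arch constant are assumed for 32-bit x86 only.

```python
import errno
import os
import re

# Constructed sample records, modelled on the SYSCALL record quoted in this
# thread (not captured from a real system). The second is a successful
# open() that returned file descriptor 3: success=yes, exit non-zero.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003 syscall=5 '
    'success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40 items=1 '
    'ppid=9571 pid=9695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim" key=(null)',
    'type=SYSCALL msg=audit(1201421700.001:1509): arch=40000003 syscall=5 '
    'success=yes exit=3 a0=bfec1e40 a1=0 a2=1b6 a3=0 items=1 ppid=9571 '
    'pid=9695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim" key=(null)',
]

AUDIT_ARCH_I386 = 0x40000003                         # arch= on 32-bit x86
I386_SYSCALLS = {3: "read", 4: "write", 5: "open"}   # small subset, i386 numbers

# key=value where value is "quoted", (parenthesised) or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes removed)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def explain(rec):
    """Interpret success/exit: exit is the raw return value of the syscall.

    A negative exit is -errno and pairs with success=no. A successful call
    keeps whatever it returned (an fd, a byte count, a pid), so success=yes
    with a non-zero exit is normal. auditctl's '-F success=0' selects records
    whose success flag is false, which is why those records show success=no.
    """
    arch = int(rec["arch"], 16)
    num = int(rec["syscall"])
    name = I386_SYSCALLS.get(num, f"#{num}") if arch == AUDIT_ARCH_I386 else f"#{num}"
    ret = int(rec["exit"])
    ok = rec["success"] == "yes"
    args = [int(rec[f"a{i}"], 16) for i in range(4)]  # raw ints, never dereferenced
    if ok:
        detail = f"returned {ret}"
    else:
        detail = f"failed with {errno.errorcode.get(-ret, '?')}: {os.strerror(-ret)}"
    return {"syscall": name, "success": ok, "exit": ret, "args": args, "detail": detail}


def explain_all(lines):
    return [explain(parse_record(line)) for line in lines]


if __name__ == "__main__":
    for entry in explain_all(SAMPLE_RECORDS):
        print(entry)
```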