the meaning of this audit entry

Bill Tangren bjt at usno.navy.mil
Mon Nov 19 21:22:12 UTC 2007


I'd like to know what this audit log entry means:

type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="X" exe="/usr/X11R6/bin/Xorg"

It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
issuing a failed syscall. I can tell you that I see this if there is a
user logged into the console GUI.

The following are the rules that I have that are auditing syscalls:

-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0

-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1

-a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0

-a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0

-a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F auid=0

-a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F auid=0

Is this being audited by default, or is one of the previous rules
auditing it?

Thanks!

-- 
Bill Tangren
U.S. Naval Observatory
