the meaning of this audit entry

Steve Grubb sgrubb at redhat.com
Mon Nov 19 22:06:33 UTC 2007


On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote:
> I'd like to know what this audit log entry means:

It is easier to understand these when you give the '-i' option to ausearch. It 
changes things from numeric to text values. It also groups all records that 
make up the event so that you can see all of it.

> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="X" exe="/usr/X11R6/bin/Xorg"

I'm guessing that this is a failed read syscall that returned -EAGAIN. 
ausearch -i would have changed all those numbers to what I put above.


> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
> auid=-1 -F auid=0

-F options are and'ed together. In this case, they cancel each other out.


> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
> auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
> auid=-1 -F auid=0

None of these rules do anything because the options conflict.

> Is this being audited by default, or are one of the previous rules
> auditing it?

Hard to say without seeing the whole event that ausearch would output and 
seeing what auditctl -l shows.

-Steve
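The two points Steve makes above (decoding the numeric SYSCALL fields the way `ausearch -i` would, and spotting `-F` filters that AND together into something that can never match) can both be checked mechanically. The script below is an added example for this thread, not code from the audit project or from either poster. It assumes that arch=40000003 is AUDIT_ARCH_I386 (on which syscall 3 is read()), that a negative exit value is -errno, and that Python's errno module carries the host's errno names; the record it decodes is the one quoted in the thread, and the rule lines are the ones Bill posted.

```python
import errno
import re
import shlex

# Assumption: arch=40000003 is AUDIT_ARCH_I386, where syscall 3 is read().
# Only a few i386 syscall numbers are listed here; the full table on a host
# is /usr/include/asm/unistd_32.h.
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close"}

# The SYSCALL record quoted in the thread, joined onto one line.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 '
    'success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 '
    'auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="X" exe="/usr/X11R6/bin/Xorg"'
)

# Two of the rule lines from the thread: the first ANDs auid=-1 with auid=0.
RULE_CONFLICT = ("-a exit,always -S mknod -S acct -S swapon -S sethostname "
                 "-F success=0 -F auid=-1 -F auid=0")
RULE_OK = "-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1"


def parse_record(line):
    """Split an audit record into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def decode_syscall_record(line):
    """Render the numeric arch, syscall and exit fields of a SYSCALL record
    as names, roughly what `ausearch -i` prints for them."""
    f = parse_record(line)
    arch = int(f["arch"], 16)
    nr = int(f["syscall"])
    rc = int(f["exit"])
    syscall = I386_SYSCALLS.get(nr, str(nr)) if arch == 0x40000003 else str(nr)
    # A negative exit value is -errno; look the symbolic name up in the errno table.
    exit_name = errno.errorcode.get(-rc, str(rc)) if rc < 0 else str(rc)
    return {
        "arch": ARCH_NAMES.get(arch, hex(arch)),
        "syscall": syscall,
        "success": f["success"],
        "exit": exit_name,
        "auid": f["auid"],
        "comm": f["comm"],
        "exe": f["exe"],
    }


def check_rule(rule):
    """Return a list of problems for one auditctl rule line.

    -F filters are ANDed, so two equality filters on the same field with
    different values (e.g. -F auid=-1 -F auid=0) can never both be true and
    the rule will never fire."""
    toks = shlex.split(rule)
    filters = [toks[i + 1] for i, t in enumerate(toks) if t == "-F" and i + 1 < len(toks)]
    equals = {}
    for flt in filters:
        m = re.match(r"^(\w+)(!=|<=|>=|=|<|>)(.*)$", flt)
        if m and m.group(2) == "=":
            equals.setdefault(m.group(1), set()).add(m.group(3))
    problems = []
    for field, values in sorted(equals.items()):
        if len(values) > 1:
            problems.append(
                "-F %s= given %d different values (%s); ANDed together they "
                "can never all match, so the rule never fires"
                % (field, len(values), ", ".join(sorted(values))))
    return problems


if __name__ == "__main__":
    for k, v in decode_syscall_record(SAMPLE_RECORD).items():
        print("%-8s %s" % (k, v))
    for rule in (RULE_CONFLICT, RULE_OK):
        print(rule)
        print("  " + ("; ".join(check_rule(rule)) or "no conflicting filters"))
```

Running it prints the record as `arch i386`, `syscall read`, `success no`, `exit EAGAIN`, which is the reading Steve gives, and flags the `-F auid=-1 -F auid=0` rule while passing the `-F success=1` one. The checker only looks at equality filters on the same field; it does not try to reason about ranges or about `-F` versus `-S` interactions.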