the meaning of this audit entry

Bill Tangren bjt at usno.navy.mil
Tue Nov 20 15:08:08 UTC 2007


On DATE, the author spaketh: Matthew Booth
> Bill,
>
> On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
>> I'd like to know what this audit log entry means:
>>
>> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
>> successo exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
>> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> comm="X" exe="/usr/X11R6/bin/Xorg"
>
> arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is
> a temporary failure. The event itself is nothing to worry about.


Except that it is putting 500MB into the logs every day.


>
> However, the audit rules you give below don't appear to specify read(),
> so it's not immediately apparent why this would be showing up. The
> x86_64 syscall=3 is close(), which you also don't specify. Have you got
> any other rules in there which you haven't listed? Do you start your
> audit.rules with a '-D'?

Yes, I start with this.

>
>> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
>> issuing a failed syscall. I can tell you that I see this if there is a
>> user logged into the console GUI.
>>
>> The following are the rules that I have that are auditing syscalls:
>
> Although I haven't specifically tested this, I believe that in every
> case below where you've got -F auid=foo -F auid=bar, the rule will never
> match. The reason for this is because filters are combined with and, not
> or.


Well, I'm just finding that out. Obviously I have to rewrite all my rules,
or most of them, anyway. I'd like to blame someone else for the rules,
since I was given these and told to use them, but I should know better.
Obviously I have a lot to learn. I wish there was a tutorial or something
I could read. I've gone over the man page, but I'm not learning enough
from it.

I'll start by splitting up the auid= rules, and observe what shows up in
the logs.

I've tried running the ausearch function, but it can take a really long
time to return, even when I tell it to start only ten minutes ago.


>
>> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
>> auid=-1 -F auid=0
>>
>> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>>
>> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
>> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>>
>> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
>> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>>
>> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
>> auid=-1 -F auid=0
>>
>> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
>> auid=-1 -F auid=0
>
> Matt
> --



-- 
Bill Tangren
U.S. Naval Observatory
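As an added example, not part of the thread and not Bill's or Matthew's code: a small POSIX shell filter that applies Matthew's point mechanically. Every `-F` filter on an audit rule is ANDed, so a rule carrying both `-F auid=-1` and `-F auid=0` can never match; the filter below rewrites each such rule into one rule per auid value, and a companion lint reports which rules in a file still carry more than one auid filter. The function names, and the assumption that each rule occupies a single line (the rules in the mail are only wrapped because of e-mail line length), are mine; the sample rule set is constructed from two of the rules quoted above.

```shell
#!/bin/sh
# Added example (not from the Linux-audit thread). Assumes one audit rule
# per line, as in audit.rules; rule lines wrapped by mail must be rejoined first.

# Print the 1-based line numbers of rules that carry more than one
# "-F auid=..." filter.  Because auditctl ANDs all -F filters, such a rule
# can never match and is effectively dead.
lint_auid_rules() {
    awk '
    {
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i == "-F" && $(i + 1) ~ /^auid=/) n++
        if (n > 1) print NR ": " n " auid filters, rule can never match"
    }'
}

# Rewrite each rule with several "-F auid=..." filters into one rule per
# auid value, keeping every other token in its original order.  Rules with
# zero or one auid filter pass through unchanged.
split_auid_rules() {
    awk '
    {
        n = 0; rest = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-F" && $(i + 1) ~ /^auid=/) {
                auids[++n] = $(i + 1)   # remember the value, skip the pair
                i++
            } else {
                rest = rest (rest == "" ? "" : " ") $i
            }
        }
        if (n <= 1) {
            print $0
        } else {
            for (j = 1; j <= n; j++) print rest " -F " auids[j]
        }
    }'
}

# Portable line counter (wc -l pads with spaces on some systems).
line_count() {
    awk 'END { print NR }'
}

# Constructed sample: two rules from the thread, rejoined onto single lines.
SAMPLE_RULES='-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0
-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1'

# Usage: report dead rules, then emit the rewritten rule set.
printf '%s\n' "$SAMPLE_RULES" | lint_auid_rules
printf '%s\n' "$SAMPLE_RULES" | split_auid_rules
```

Run the lint against an existing audit.rules before loading it (`lint_auid_rules < /etc/audit/audit.rules`, path assumed) to find every rule that will silently never fire; the split output can then be reviewed and dropped into the file after the leading `-D`.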
