the meaning of this audit entry
Mike Nixon
mnixxon at gmail.com
Wed Nov 21 00:49:00 UTC 2007
Looks to me like someone that was logged in as 'root' attempted but failed
to read a x-windows file. The relevant tipoffs are:
syscall=3 (read)
success=no (failed)
uid=0 (root user account)
comm="X" or exe="/usr/X11R6/bin/Xorg"
Mike
-----Original Message-----
From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com]
On Behalf Of Bill Tangren
Sent: Tuesday, November 20, 2007 10:37 AM
To: linux-audit at redhat.com
Subject: Re: the meaning of this audit entry
On DATE, the author spaketh: Steve Grubb
> On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote:
>> I'd like to know what this audit log entry means:
>
> It is easier to understand these when you give the '-i' option to
> ausearch. It
> changes things from numeric to text values. It also grounds all records
> that
> make up the event so that you can see all of it.
For this event:
type=SYSCALL msg=audit(1195572240.060:2971371): arch=40000003 syscall=3
success=no exit=-11 a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538
auid=517 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X"
exe="/usr/X11R6/bin/Xorg"
I issued this command:
# ausearch -i -a 2971371
type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386
syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12
a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X
exe=/usr/X11R6/bin/Xorg
Now, this system is plugged into a KVM switch, and sometimes the sysadmin
who logs into the GUI stays logged in for days (he forgots to log out),
and the switch is changed to some other system. I don't know if any of
this has anything to do with why I'm getting 500MB worth of logs every
day, but I have noticed that the logs are this big whenever someone is
logged into the GUI.
BTW, this is a RHEL ES 4.6 system.
--
Bill Tangren
U.S. Naval Observatory
--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.2/1142 - Release Date: 11/20/2007
5:44 PM
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.2/1142 - Release Date: 11/20/2007
5:44 PM
More information about the Linux-audit
mailing list