What does each audit record field mean?

Marius.bao marius.bao at gmail.com
Sun Jan 27 08:25:47 UTC 2008


Hi,
    I'm a newbie; I'm sorry if this question has already been asked.
    I use auditctl -a exit,always -S open -F success=0 to audit all
successful open syscalls.
    But in the audit.log file I found the following audit records:
    type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
items=1 ppid=9571 pid=9695 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
key=(null)
    The "success" field of the record is no; what does it mean? Does
it represent that the syscall failed?
    And what does the "exit" field mean? Does it represent the syscall's exit code?
    I'm also confused about the meaning of the fields "a0", "a1", "a2" and "a3".
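Added example, not part of the original post or of the audit project's own tooling: a small Python decoder for the SYSCALL record quoted above. It shows what the three questioned fields carry: success=yes/no states whether the syscall succeeded; exit is the raw kernel return value, which on failure is a negative errno (here -2, ENOENT); a0..a3 are the first four syscall arguments logged as hex without a 0x prefix (for open on i386, arch=40000003 and syscall=5, they are the pathname pointer, the flags and the mode; the pathname itself is carried in the PATH record that shares the same serial). The last function models the audit filter semantics, where -F success=0 selects failed syscalls, which is why a rule written that way collects success=no records. The sample record is the one from the question with the garbled pid whitespace removed; the syscall-name table is an assumption limited to open, and the O_* flag decoding assumes Linux constants.

```python
import errno
import os
import re

# Constructed sample: the SYSCALL record from the question, joined onto one line.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003 '
    'syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40 '
    'items=1 ppid=9571 pid=9695 auid=0 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim" '
    'key=(null)'
)

# Assumption: a minimal i386 (arch=40000003) syscall table covering only open.
I386_SYSCALL_NAMES = {5: "open"}

# key=value pairs; quoted values (comm, exe) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field name -> raw string value."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    # msg=audit(TIMESTAMP:SERIAL): the serial ties SYSCALL, CWD and PATH records together.
    m = re.match(r'audit\((\d+\.\d+):(\d+)\):', fields.get('msg', ''))
    if m:
        fields['timestamp'] = float(m.group(1))
        fields['serial'] = int(m.group(2))
    return fields


def decode_open_flags(flags):
    """Name the open(2) flag bits in the a1 argument (Linux O_* values assumed)."""
    names = [{0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}.get(flags & 3, 'O_ACCMODE?')]
    for name in ('O_CREAT', 'O_EXCL', 'O_TRUNC', 'O_APPEND', 'O_NONBLOCK'):
        bit = getattr(os, name, 0)
        if bit and flags & bit:
            names.append(name)
    return names


def interpret_syscall(fields):
    """Explain the success, exit and a0..a3 fields of a SYSCALL record."""
    success = fields['success'] == 'yes'
    exit_code = int(fields['exit'])
    # The kernel returns -errno on failure; audit logs that raw return value.
    err_name = errno.errorcode.get(-exit_code) if exit_code < 0 else None
    # a0..a3 are the first four syscall arguments, hex without a 0x prefix.
    args = [int(fields['a%d' % i], 16) for i in range(4)]
    nr = int(fields['syscall'])
    name = I386_SYSCALL_NAMES.get(nr, nr) if fields['arch'] == '40000003' else nr
    info = {'syscall': name, 'success': success, 'exit': exit_code,
            'errno': err_name, 'args': args}
    if name == 'open':
        # a0 is a userspace pointer to the pathname (the path text is in the PATH record),
        # a1 the flags, a2 the mode (only meaningful with O_CREAT).
        info['pathname_ptr'] = hex(args[0])
        info['flags'] = decode_open_flags(args[1])
        info['mode'] = oct(args[2] & 0o7777)
    return info


def success_filter_matches(rule_success, fields):
    """Model auditctl -F success=N: N=1 selects syscalls that succeeded, N=0 those that failed."""
    return (fields['success'] == 'yes') == (rule_success == 1)


if __name__ == '__main__':
    rec = parse_record(SAMPLE_RECORD)
    print(interpret_syscall(rec))
    print('selected by -F success=0:', success_filter_matches(0, rec))
    print('selected by -F success=1:', success_filter_matches(1, rec))
```

Running the block prints the decoded record: a failed open (exit -2, ENOENT) of a file opened read-only by vim, and shows that the rule from the question selects it while a rule with -F success=1 would not.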
