New field seen in audit.log

Richard Guy Briggs rgb at redhat.com
Wed Oct 16 20:12:10 UTC 2019


On 2019-10-16 15:36, Ankitha Kundhuru wrote:
> Hi All,
> 
> I found a new word "per" in some of the records of my audit.log.
> Any idea of why this happened and what it means?

This is a "swinging" field, which means that it only appears when it is
different from an expected value (zero usually expected).

That isn't new.  It has been there since the very first audit commit,
	commit b7b0074ca3c9fe22d07b97e42a99c8b27be6307f
	Author:     Andrew Morton <akpm at osdl.org>
	AuthorDate: 2004-04-11 23:29:12 -0700
		Light-weight Auditing Framework
		From: Rik Faith <faith at redhat.com>

You may never have seen it before because it appears you now have a
personality other than PER_LINUX for this event.  32-bit binary on 64
bit?  I assume your arch is x86_64 (LE)?

> type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3
> *per=40000* success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0
> items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb"
> exe="/usr/bin/gdb" key=(null)
> 
> Thank you :)
> 
> Thanks & Regards,
> Ankitha Kundhuru

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
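
A decoder for the `per` value discussed in this thread, added here as an example that is not part of the original messages: it splits the hex value into the base personality and the flag bits defined in the kernel's linux/personality.h, and treats a record without `per=` as the expected value 0. The `WEAKENING` set, the function names and the second sample record are assumptions of this example.

```python
import re

# Values from the kernel's include/uapi/linux/personality.h.
PER_MASK = 0x00FF                      # low byte selects the base personality
BASES = {0x00: "PER_LINUX", 0x08: "PER_LINUX32"}   # other bases print as hex
FLAGS = {
    0x0020000: "UNAME26", 0x0040000: "ADDR_NO_RANDOMIZE",
    0x0080000: "FDPIC_FUNCPTRS", 0x0100000: "MMAP_PAGE_ZERO",
    0x0200000: "ADDR_COMPAT_LAYOUT", 0x0400000: "READ_IMPLIES_EXEC",
    0x0800000: "ADDR_LIMIT_32BIT", 0x1000000: "SHORT_INODE",
    0x2000000: "WHOLE_SECONDS", 0x4000000: "STICKY_TIMEOUTS",
    0x8000000: "ADDR_LIMIT_3GB",
}
# Assumption of this example: flags worth alerting on because they relax
# memory-layout protections for the process.
WEAKENING = {"ADDR_NO_RANDOMIZE", "READ_IMPLIES_EXEC", "MMAP_PAGE_ZERO"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_per(value):
    """Decode the hex string from per= into (base name, [flag names])."""
    per = int(value, 16)               # the kernel logs per= with %lx
    base = per & PER_MASK
    flags = [name for bit, name in sorted(FLAGS.items()) if per & bit]
    return BASES.get(base, hex(base)), flags

def review(record):
    """Summarise one SYSCALL record; a missing per= means the expected value 0."""
    fields = dict(FIELD.findall(record))
    base, flags = decode_per(fields.get("per", "0"))
    return {"exe": fields.get("exe", "?").strip('"'), "base": base,
            "flags": flags, "alert": sorted(WEAKENING.intersection(flags))}

# First record is the one quoted in the thread (emphasis asterisks removed);
# the second is constructed for this example.
SAMPLE = [
    'type=SYSCALL msg=audit(1571245536.351:43593): arch=c000003e syscall=3 '
    'per=40000 success=yes exit=0 a0=5 a1=5 a2=556213b6d6bc a3=7f483b98bcc0 '
    'items=0 ppid=2653 pid=2655 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 '
    'fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb" '
    'exe="/usr/bin/gdb" key=(null)',
    'type=SYSCALL msg=audit(1571245540.100:43600): arch=c000003e syscall=3 '
    'success=yes exit=0 items=0 pid=2700 comm="cat" exe="/usr/bin/cat" key=(null)',
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(review(rec))
```

Run on the record quoted above, it reports base PER_LINUX with the ADDR_NO_RANDOMIZE flag set.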



