audit message types

David Woodhouse dwmw2 at infradead.org
Wed May 11 14:57:31 UTC 2005


On Tue, 2005-05-10 at 10:26 -0400, Steve Grubb wrote:
> type=SYSCALL msg=audit(1115734892.933:11104482): syscall=117 arch=40000003 
> success=yes exit=0 a0=18 a1=9000e a2=100 a3=0 items=0 pid=22636 loginuid=525 
> uid=525 gid=525 euid=525 suid=525 fsuid=525 egid=525 sgid=525 fsgid=525 
> comm="firefox-bin" exe=/usr/lib/firefox-1.0.3/firefox-bin
> 
> There doesn't seem to be any supplemental records. I'll investigate. 

Decoding the above...

 a0 is the real IPC call -- 0x18 is shmctl().
 a1 is the shmid (0x9000e).
 a2 is the command (IPC_64|IPC_RMID).

That isn't one of the IPC subfunctions which has auxiliary information
to log. Try the attached 'ipcstuff.c', which makes IPC_SET calls. 

-- 
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipcstuff.c
Type: text/x-csrc
Size: 389 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050511/4732e6d1/attachment.bin>
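
The decoding walked through in the message above, as an added example that is not part of the original post or of the scrubbed `ipcstuff.c` attachment. The helper names (`parse_fields`, `decode_ipc`) and the `expects_aux` flag are hypothetical; the numeric constants are assumed from the Linux `linux/ipc.h` and `linux/audit.h` headers, and the example goes slightly beyond the message by also covering `msgctl` and `semctl`.

```python
import re

# Constants assumed from the Linux UAPI headers (linux/ipc.h, linux/audit.h).
AUDIT_ARCH_I386 = 0x40000003
NR_IPC_I386 = 117            # ipc(2) multiplexer syscall number on i386
IPC_64 = 0x0100              # version flag OR-ed into the command
IPC_CALLS = {1: "semop", 2: "semget", 3: "semctl", 4: "semtimedop",
             11: "msgsnd", 12: "msgrcv", 13: "msgget", 14: "msgctl",
             21: "shmat", 22: "shmdt", 23: "shmget", 24: "shmctl"}
CTL_CMDS = {0: "IPC_RMID", 1: "IPC_SET", 2: "IPC_STAT", 3: "IPC_INFO"}
# Which syscall argument carries the command for each *ctl call.
CMD_FIELD = {"semctl": "a3", "msgctl": "a2", "shmctl": "a2"}

# The record quoted in the message, joined onto a single line.
SAMPLE = ('type=SYSCALL msg=audit(1115734892.933:11104482): syscall=117 '
          'arch=40000003 success=yes exit=0 a0=18 a1=9000e a2=100 a3=0 '
          'items=0 pid=22636 loginuid=525 uid=525 gid=525 euid=525 suid=525 '
          'fsuid=525 egid=525 sgid=525 fsgid=525 comm="firefox-bin" '
          'exe=/usr/lib/firefox-1.0.3/firefox-bin')

def parse_fields(record):
    """Split an audit record into key=value pairs (values may be quoted)."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {k: v.strip('"') for k, v in pairs}

def decode_ipc(record):
    """Decode an i386 ipc() SYSCALL record; return None for anything else."""
    f = parse_fields(record)
    if f.get("type") != "SYSCALL":
        return None
    if int(f["arch"], 16) != AUDIT_ARCH_I386 or int(f["syscall"]) != NR_IPC_I386:
        return None
    call = int(f["a0"], 16) & 0xFFFF   # a0..a3 are hex; high bits hold a version
    name = IPC_CALLS.get(call, "unknown(%d)" % call)
    out = {"call": name, "id": None, "cmd": None, "expects_aux": False}
    if name in CMD_FIELD:
        raw = int(f[CMD_FIELD[name]], 16)
        base = raw & ~IPC_64
        out["id"] = int(f["a1"], 16)
        out["cmd"] = ("IPC_64|" if raw & IPC_64 else "") + CTL_CMDS.get(base, hex(base))
        # Per the message: IPC_RMID has no auxiliary info to log, IPC_SET does.
        out["expects_aux"] = base == 1
    return out

if __name__ == "__main__":
    print(decode_ipc(SAMPLE))
```

A triage script can use `expects_aux` to tell a record that legitimately has no supplemental records from one where they are missing.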

