Assorted questions
Debora Velarde
dvelarde at us.ibm.com
Thu Aug 9 21:07:15 UTC 2007
linux-audit-bounces at redhat.com wrote on 08/09/2007 07:34:06 AM:
Hi Matt,
> Questions relate to RHEL4 (unless they don't).
>
> What are the meanings of the following fields from the SYSCALL record:
> * items
The number of PATH records in the event.
> * fsuid
Filesystem User ID
> * fsgid
Filesystem Group ID
>
> What are the meanings of the following fields from the PATH record:
> * flags
file system namei flags
> * rdev
device identifier
>
> How can I programmatically translate an architecture into human, eg
> 40000003 => 'i686'?
When creating a rule with auditctl, you should be able to use either 'b32'
or 'b64' for the architecture.
If you're trying to read the audit log, ausearch has an option "-i" that
interprets numeric items into text. I'm not sure how well it works with
the arch fields, but might be worth a try.
>
> Is there a way of doing a syscall name lookup without having root?
Without root access, I'm not sure. You could probably find the syscall
table for your arch type online.
>
> In RHEL5, what's the equivalent of 'auditctl -t'?
Sorry, I've forgotten what -t meant in auditctl.
>
> Is there any master documentation I've missed? I'm only aware of the man
> pages.
http://people.redhat.com/sgrubb/audit/
Hope that helps,
debora
----
Debora Velarde
Linux Security
IBM Linux Technology Center
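The fields this reply explains (items, fsuid, fsgid, rdev, the arch value and the syscall number), decoded over a few log lines. This is an added example, not code from the list post or from the audit project: the arch bit layout is the one in the kernel's linux/audit.h (low 16 bits are the ELF e_machine, 0x80000000 marks 64-bit, 0x40000000 marks little-endian), the syscall table is a small constructed subset for i386 and x86_64, and the sample log lines are made up for the example.

```python
"""Parse Linux audit SYSCALL/PATH records and decode the fields discussed above.

The log lines in SAMPLE are constructed for this example, not from a real host.
"""
import re
from collections import defaultdict

# Bits from the kernel's linux/audit.h; the low 16 bits hold the ELF e_machine.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
EM_NAMES = {3: "i386", 21: "ppc64", 40: "arm", 62: "x86_64", 183: "aarch64"}

# Constructed subset of the syscall tables, keyed by machine name. A real tool
# would load the full table (e.g. from the unistd headers) for the recorded arch.
SYSCALL_NAMES = {
    "i386":   {3: "read", 4: "write", 5: "open", 6: "close", 11: "execve"},
    "x86_64": {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve"},
}

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def arch_info(arch_hex):
    """Split an arch value such as 40000003 into (machine, auditctl bits, endianness)."""
    value = int(arch_hex, 16)
    machine = EM_NAMES.get(value & 0xFFFF, "em%d" % (value & 0xFFFF))
    bits = "b64" if value & AUDIT_ARCH_64BIT else "b32"
    endian = "le" if value & AUDIT_ARCH_LE else "be"
    return machine, bits, endian


def syscall_name(arch_hex, number):
    """Look up a syscall number in the table for the record's architecture."""
    machine = arch_info(arch_hex)[0]
    return SYSCALL_NAMES.get(machine, {}).get(int(number), "syscall_%d" % int(number))


def decode_dev(dev_str):
    """dev= and rdev= are printed as hex major:minor; return them as integers."""
    major, minor = dev_str.split(":")
    return int(major, 16), int(minor, 16)


def parse_record(line):
    """Return {'type', 'time', 'serial', field: value, ...} for one log line, or None."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    for key, val in KV.findall(m.group(4)):
        rec[key] = val.strip('"')
    return rec


def group_events(lines):
    """Records that share a msg=audit(time:serial) header belong to one event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def check_items(records):
    """Compare the SYSCALL record's items= count with the PATH records actually present."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    declared = int(syscall["items"])
    seen = sum(1 for r in records if r["type"] == "PATH")
    return declared, seen


def summarize(records):
    """Human-readable view of the fields this thread asks about."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    machine, bits, endian = arch_info(syscall["arch"])
    paths = [(r["name"], decode_dev(r["rdev"])) for r in records if r["type"] == "PATH"]
    return {"arch": "%s (%s, %s)" % (machine, bits, endian),
            "syscall": syscall_name(syscall["arch"], syscall["syscall"]),
            "fsuid": int(syscall["fsuid"]), "fsgid": int(syscall["fsgid"]),
            "items": int(syscall["items"]), "paths": paths}


# Constructed sample: event 456 is complete; event 457 declares items=2 but only
# one PATH record survived, which check_items() reports.
SAMPLE = """\
type=SYSCALL msg=audit(1186693209.123:456): arch=40000003 syscall=5 success=yes exit=3 a0=bfb1e2c0 a1=8000 a2=0 a3=0 items=1 ppid=2001 pid=2045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" key="shadow-watch"
type=CWD msg=audit(1186693209.123:456): cwd="/root"
type=PATH msg=audit(1186693209.123:456): item=0 name="/etc/shadow" inode=131203 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1186693209.123:457): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=2050 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="id" exe="/usr/bin/id" key=(null)
type=PATH msg=audit(1186693209.123:457): item=0 name="/usr/bin/id" inode=2048 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

if __name__ == "__main__":
    for serial, recs in sorted(group_events(SAMPLE.splitlines()).items()):
        print(serial, summarize(recs), "items declared/seen:", check_items(recs))
```

The items-versus-PATH comparison is a cheap sanity check when reading exported logs: an event whose declared count exceeds the PATH records present has been truncated somewhere between the kernel and the file, and any path-based conclusion drawn from it is incomplete. For real use, `ausearch -i` does the arch and syscall interpretation with the full tables, as the reply above suggests.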