What does each audit record field mean?
Steve Grubb
sgrubb at redhat.com
Sun Jan 27 13:15:39 UTC 2008
On Sunday 27 January 2008 03:25:47 Marius.bao wrote:
> type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
> syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
> items=1 ppid=9571 pid=9695 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
> key=(null)
> The "success" field of the record is no. What does it mean? Does it
> mean that the syscall failed?
Yes.
> And what does "exit" field mean? Does it represent the syscall's exit
> code?
Yes.
> I'm also confused with the meaning of the fields of "a0" "a1" "a2"
> and "a3".
Arg 0, Arg 1, Arg 2, and Arg 3. All are integers. IOW, pointers are not
dereferenced, you would just have the address.
I have something that tells you about the meaning of various fields here:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
Look in the field names section.
-Steve
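As an added example, not code from Steve's reply or from the audit package, here is a small Python parser for the quoted SYSCALL record that applies the answers above: success=no is treated as failure, a negative exit is decoded as -errno, and a0..a3 are kept as raw integers. The arch constant (0x40000003 = AUDIT_ARCH_I386) and the i386 syscall-number lookup are the example's own assumptions, not something the post states.

```python
import errno
import os
import re

# Constructed sample: the SYSCALL record from the post, re-joined onto one line.
SAMPLE = ('type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003 '
          'syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40 '
          'items=1 ppid=9571 pid=9695 auid=0 uid=0 gid=0 euid=0 suid=0 '
          'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim" key=(null)')

# Assumption of this example: arch 0x40000003 is AUDIT_ARCH_I386, where syscall 5 is open(2).
AUDIT_ARCH_I386 = 0x40000003
I386_SYSCALLS = {5: "open"}

# key=value pairs; values are either a double-quoted string or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of raw field strings (quotes stripped)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def interpret(fields):
    """Decode the fields the thread asks about: success, exit, syscall and a0..a3."""
    out = {}
    # success=no means the syscall failed.
    out["failed"] = fields["success"] == "no"
    # exit is the syscall's return value; when negative it is -errno.
    code = int(fields["exit"])
    out["exit"] = code
    out["errno_name"] = errno.errorcode.get(-code) if code < 0 else None
    out["errno_text"] = os.strerror(-code) if code < 0 else None
    # Resolve the syscall number only for the one arch this example knows about.
    arch = int(fields["arch"], 16)
    nr = int(fields["syscall"])
    out["syscall"] = I386_SYSCALLS.get(nr, str(nr)) if arch == AUDIT_ARCH_I386 else str(nr)
    # a0..a3 are the raw register arguments as hex integers. Pointers are not
    # dereferenced: a0 for open(2) is the address of the pathname, not the pathname.
    out["args"] = [int(fields[f"a{i}"], 16) for i in range(4)]
    return out


if __name__ == "__main__":
    print(interpret(parse_record(SAMPLE)))
```

For this record the result shows a failed open(2) with exit -2 (ENOENT, "No such file or directory"); the pathname itself is not in this record, only its address in a0.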