SYSCALL and you...err...and me...
Alexander Viro
aviro at redhat.com
Fri Oct 25 12:48:51 UTC 2013
On Fri, Oct 25, 2013 at 08:29:00AM -0400, leam hall wrote:
> I'm making a little progress in identifying the unknown syscalls. It often
> helps if you are not so cold and remember to look for a log...
>
> The failed call below is root doing a grep. I do not know why it failed.
> The PPID is a bash shell. Any good docs available to explain the codes?
>
> Thanks!
>
> Leam
>
> ###
>
> grep SYSCALL audit.log | grep "success=no" | tail -1
>
> type=SYSCALL msg=audit(1382703881.711:2677787): arch=c000003e syscall=2
> success=no exit=-2 a0=7914b20 a1=0 a2=0 a3=3a89724793 items=1 ppid=25339
> pid=26563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts1 ses=4445 comm="grep" exe="/bin/grep"
> subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
open() failing with ENOENT. Which can happen for any number of reasons,
such as looking for config in .some_shite before going for /etc/some_shite.
Hard to tell without seeing the pathname involved...
More information about the Linux-audit
mailing list