Hello list, 



I have some auditd messages like 

---- 

node=xxxxxxxx type=PROCTITLE msg=audit(11/07/2023 15:07:37.822:236474) : proctitle=(systemd)

node= xxxxxxxx type=SYSCALL msg=audit(11/07/2023 15:07:37.822:236474) : arch=x86_64 syscall=socket success=yes exit=12 a0=inet a1=SOCK_DGRAM a2=ip a3=0x7ff7d8a40740 items=0 ppid=1 pid=3394229 auid=abcdef uid= abcdef gid=aqwzsx euid= abcdef suid= abcdef fsuid= abcdef egid= aqwzsx sgid= aqwzsx fsgid= aqwzsx tty=(none) ses=2284 comm=systemd exe=/usr/lib/systemd/systemd key=external-access

---- 



Which are generated by the rule: 

-a always,exit -F arch=b64 -S socket,connect -F a0=0x2 -F auid>=1000 -F auid!=-1 -F key=external-access



Where can I find the description of the message?

Specifically, what do exit=12, a2=ip and a3=0x7ff7d8a40740 mean?



Thanks for the explanation 



Philippe 
_______________________________________________
Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
To unsubscribe send an email to linux-audit-le...@lists.linux-audit.osci.io
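
An added example, not part of the original post or of the audit project's code: a short Python parser for the SYSCALL record quoted above that annotates the fields asked about, following the socket(2) signature. It assumes the record is in interpreted form (names instead of numbers, as `ausearch -i` prints it); the function names and the abridged sample line are illustrative.

```python
import re

# Constructed sample: the SYSCALL record from the post, abridged and joined onto one line.
RECORD = (
    "node= xxxxxxxx type=SYSCALL msg=audit(11/07/2023 15:07:37.822:236474) : "
    "arch=x86_64 syscall=socket success=yes exit=12 a0=inet a1=SOCK_DGRAM a2=ip "
    "a3=0x7ff7d8a40740 items=0 ppid=1 pid=3394229 auid=abcdef uid= abcdef "
    "gid=aqwzsx tty=(none) ses=2284 comm=systemd exe=/usr/lib/systemd/systemd "
    "key=external-access"
)

# socket(2) is int socket(int domain, int type, int protocol): three arguments.
# A SYSCALL record always carries a0..a3, whatever the syscall's arity.
SOCKET_ARGS = {
    "a0": "domain; 'inet' is AF_INET = 2, the value the rule tests with -F a0=0x2",
    "a1": "socket type",
    "a2": "protocol; 'ip' is protocol number 0, the default for this domain and type",
    "a3": "not a socket(2) argument; leftover content of the fourth argument register",
}

def parse_syscall_record(line):
    """Split an audit record into its event header and key=value fields."""
    m = re.search(r"msg=audit\((.+):(\d+)\)\s*:\s*(.*)", line)
    if not m:
        raise ValueError("not an audit record")
    # \s* tolerates the 'uid= abcdef' spacing seen in the posted record.
    fields = dict(re.findall(r"(\w+)=\s*(\S+)", m.group(3)))
    fields["_time"], fields["_serial"] = m.group(1), int(m.group(2))
    return fields

def explain_socket(fields):
    """Annotate exit and a0..a3 of a socket(2) SYSCALL record."""
    if fields.get("syscall") != "socket":
        raise ValueError("only socket(2) is handled here")
    notes = {k: f"{fields[k]}: {text}" for k, text in SOCKET_ARGS.items()}
    if fields.get("success") == "yes":
        notes["exit"] = f"{fields['exit']}: return value, the new file descriptor"
    else:
        notes["exit"] = f"{fields['exit']}: return value, an errno code on failure"
    return notes

if __name__ == "__main__":
    for name, note in explain_socket(parse_syscall_record(RECORD)).items():
        print(f"{name:5} {note}")
```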
