Matthew Booth wrote:
> Bill,
>
> On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
>> I'd like to know what this audit log entry means:
>>
>> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
>> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
>> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> comm="X" exe="/usr/X11R6/bin/Xorg"
>
> arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is
> a temporary failure. The event itself is nothing to worry about.

Except that it is putting 500MB into the logs every day.

> However, the audit rules you give below don't appear to specify read(),
> so it's not immediately apparent why this would be showing up. The
> x86_64 syscall=3 is close(), which you also don't specify. Have you got
> any other rules in there which you haven't listed? Do you start your
> audit.rules with a '-D'?

Yes, I start with this.

>> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
>> issuing a failed syscall. I can tell you that I see this if there is a
>> user logged into the console GUI.
>>
>> The following are the rules that I have that are auditing syscalls:
>
> Although I haven't specifically tested this, I believe that in every
> case below where you've got -F auid=foo -F auid=bar, the rule will never
> match. The reason for this is because filters are combined with and, not
> or.

Well, I'm just finding that out. Obviously I have to rewrite all my rules, or most of them, anyway. I'd like to blame someone else for the rules, since I was given these and told to use them, but I should know better. Obviously I have a lot to learn. I wish there was a tutorial or something I could read. I've gone over the man page, but I'm not learning enough from it. I'll start by splitting up the auid= rules, and observe what shows up in the logs. I've tried running the ausearch function, but it can take a really long time to return, even when I tell it to start only ten minutes ago.

>> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
>> auid=-1 -F auid=0
>>
>> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>>
>> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
>> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>>
>> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
>> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>>
>> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
>> auid=-1 -F auid=0
>>
>> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
>> auid=-1 -F auid=0
>
> Matt
> --

--
Bill Tangren
U.S. Naval Observatory

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
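As an added example (not from the thread, and not the audit package's own tooling), the following Python script does two things the thread works through by hand: it decodes the SYSCALL record Bill posted (arch 40000003 is the 32-bit i386 ABI, syscall 3 on i386 is read(), exit -11 is EAGAIN), and it checks auditctl rule lines for the pitfall Matt describes, a field such as auid given twice with different values, which can never match because -F filters are ANDed, and rewrites such a rule as one rule per value. The arch and syscall tables cover only the two entries the thread names; the sample record and rules are constructed from the quoted message.

```python
"""Decode an audit SYSCALL record and split rules with un-satisfiable -F filters.

Added example; the arch/syscall tables below are deliberately limited to the
entries discussed in the thread (i386 3 = read, x86_64 3 = close). A full
decoder would carry the per-arch tables that ausearch -i uses.
"""
import errno
import re

# Kernel arch encoding: low bits hold the ELF machine number (EM_386 = 3,
# EM_X86_64 = 62); bit 30 (0x40000000) marks a 32-bit ABI on x86.
AUDIT_ARCH_32BIT = 0x40000000
ELF_MACHINE = {3: "i386", 62: "x86_64"}
SYSCALL_NAMES = {("i386", 3): "read", ("x86_64", 3): "close"}

# Constructed from the record quoted in the thread.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 '
    'success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 '
    'auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="X" exe="/usr/X11R6/bin/Xorg"'
)

# Constructed from the first two rules quoted in the thread.
SAMPLE_RULES = [
    "-a exit,always -S mknod -S acct -S swapon -S sethostname "
    "-F success=0 -F auid=-1 -F auid=0",
    "-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1",
]


def parse_record(line):
    """Split one audit record into a dict of key=value fields (quotes dropped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def decode_syscall(fields):
    """Turn the raw arch/syscall/exit numbers of a SYSCALL record into names."""
    arch = int(fields["arch"], 16)
    arch_name = ELF_MACHINE.get(arch & 0xFFFF, "unknown")
    nr = int(fields["syscall"])
    exit_code = int(fields["exit"])
    # A negative exit value is -errno; errno.errorcode maps 11 to EAGAIN.
    err = errno.errorcode.get(-exit_code, "") if exit_code < 0 else ""
    return {
        "arch": arch_name,
        "bits": 32 if arch & AUDIT_ARCH_32BIT else 64,
        "syscall": SYSCALL_NAMES.get((arch_name, nr), "syscall_%d" % nr),
        "exit": exit_code,
        "errno": err,
        "exe": fields.get("exe", ""),
    }


def filters(rule):
    """Return the -F expressions of an auditctl rule line, in order."""
    toks = rule.split()
    return [toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-F"]


def conflicting_fields(rule):
    """Fields that appear in several plain 'field=value' filters with different
    values. auditctl ANDs all -F filters, so such a rule can never match."""
    seen = {}
    for f in filters(rule):
        if "=" not in f or any(op in f for op in ("!=", ">=", "<=")):
            continue  # only equality filters can be mutually exclusive this way
        field, value = f.split("=", 1)
        seen.setdefault(field, set()).add(value)
    return sorted(field for field, vals in seen.items() if len(vals) > 1)


def split_rule(rule):
    """Rewrite a rule with several values for one field into one rule per value,
    so every filter in each resulting rule can hold at the same time."""
    bad = conflicting_fields(rule)
    if not bad:
        return [rule]
    field = bad[0]
    toks, base, values, i = rule.split(), [], [], 0
    while i < len(toks):
        if toks[i] == "-F" and toks[i + 1].startswith(field + "="):
            values.append(toks[i + 1])
            i += 2
        else:
            base.append(toks[i])
            i += 1
    out = []
    for v in values:  # recurse in case another field is also duplicated
        out.extend(split_rule(" ".join(base + ["-F", v])))
    return out


if __name__ == "__main__":
    d = decode_syscall(parse_record(SAMPLE_RECORD))
    print("%s (%d-bit) %s() by %s failed with %d (%s)"
          % (d["arch"], d["bits"], d["syscall"], d["exe"], d["exit"], d["errno"]))
    for r in SAMPLE_RULES:
        for fixed in split_rule(r):
            print(fixed)
```

Running the script prints the decoded record and the first quoted rule split into an `auid=-1` rule and an `auid=0` rule; the `success=1` rule, which has no conflicting filter, passes through unchanged.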
