On Sunday 27 January 2008 03:25:47 Marius.bao wrote:
> type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
> syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
> items=1 ppid=9571 pid=96 95 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
> key=(null)
>
> The "success" field of the record is no, what does it mean? Does it
> represent that the syscall failed?

Yes.

> And what does the "exit" field mean? Does it represent the syscall's exit
> code?

Yes.

> I'm also confused with the meaning of the fields "a0" "a1" "a2"
> and "a3".

Arg 0, Arg 1, Arg 2, and Arg 3. All are integers. IOW, pointers are not
dereferenced, you would just have the address.

I have something that tells you about the meaning of various fields here:
http://people.redhat.com/sgrubb/audit/audit-parse.txt

Look in the field names section.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
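As an added example (not from this thread or from the audit project), a small Python parser that pulls the fields discussed above out of a SYSCALL record and interprets them the way Steve describes: success as a boolean, exit as the raw return value with a negative value named as its errno, and a0..a3 as plain integers. The sample record is constructed (adapted from the quoted one, with a made-up pid); the arch bit layout follows the kernel's audit arch definitions.

```python
import errno
import re

# Constructed sample record (adapted from the one quoted above; the pid value
# is made up): a failed syscall 5 issued by vim on 32-bit x86.
SAMPLE = ('type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003 '
          'syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 '
          'a3=bfec1e40 items=1 ppid=9571 pid=9695 auid=0 uid=0 gid=0 '
          'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 '
          'comm="vim" exe="/usr/bin/vim" key=(null)')

# key=value pairs; values may be "quoted", (parenthesised) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

# The kernel's audit arch word is the ELF e_machine number OR'd with
# 0x40000000 (little-endian) and 0x80000000 (64-bit). 3 = EM_386, 62 = EM_X86_64.
ELF_MACHINE = {3: "i386", 62: "x86_64"}
# Syscall numbers are per-architecture; number 5 is open(2) only on i386.
# ausyscall(8) from the audit package does the full mapping.
I386_SYSCALLS = {5: "open"}


def decode_arch(word):
    machine = word & 0x00ffffff
    return {"machine": ELF_MACHINE.get(machine, "em_%d" % machine),
            "bits": 64 if word & 0x80000000 else 32,
            "endian": "little" if word & 0x40000000 else "big"}


def parse_syscall_record(line):
    raw = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if raw.get("type") != "SYSCALL":
        raise ValueError("not a SYSCALL record")
    # The serial after the timestamp ties this record to its PATH/CWD records.
    stamp, serial = re.search(r'audit\(([\d.]+):(\d+)\)', raw["msg"]).groups()
    exit_code = int(raw["exit"])
    arch = decode_arch(int(raw["arch"], 16))
    nr = int(raw["syscall"])
    return {
        "timestamp": float(stamp), "serial": int(serial),
        "success": raw["success"] == "yes",
        # On failure, exit carries -errno; translate it to the errno name.
        "exit": exit_code,
        "exit_errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "arch": arch, "syscall": nr,
        "syscall_name": I386_SYSCALLS.get(nr) if arch["machine"] == "i386" else None,
        # a0..a3 are the raw register values in hex. Pointer arguments are not
        # dereferenced by the kernel, so a0 here is just an address.
        "args": [int(raw["a%d" % i], 16) for i in range(4)],
        "comm": raw["comm"], "exe": raw["exe"],
    }
```

For the sample above this yields success False, exit -2 (ENOENT) and a0 as the bare integer 0xbfec1e40, which is the "failed open of a missing file" reading of the quoted record.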
