Hi Chad, How are you looking at the syscall events? This is one case where grep is not your friend. Try using ausearch instead. Here's a syscall that failed and the log record was extracted with ausearch -a 1689093 where 1689093 is the audit id:
type=SYSCALL msg=audit(1367438345.734:1689093): arch=c000003e syscall=2 success=no exit=-13 a0=7f5c361ef8b0 a1=c2 a2=180 a3=7f5c361ef8b0 items=1 ppid=1 pid=3840 auid=1341 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=231 comm="fishpacker" exe="/usr/bin/fishpacker" key=61636365737301616363657373016964732D7379732D6869 This look pretty ugly. I have no idea what syscall number 2 is or what a -13 for an exit code is. But, if I do ausearch -i -a 1689093 (note the -i flag meaning "interpret") I get: type=SYSCALL msg=audit(05/01/2013 12:59:05.734:1689093) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f5c361ef8b0 a1=O_RDWR|O_CREAT|O_EXCL a2=0x180 a3=0x7f5c361ef8b0 items=1 ppid=1 pid=3840 auid=blotto uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=231 comm=fishpacker exe=/usr/bin/fishpacker key=access key=access key=ids-sys-hi This is much nicer on the eyes. It was open syscall that failed because of a permission denied. I also get the arguments on how the open on the file (O_RDWR|O_CREAT|O_EXCL) was set up. Let ausearch -i do the walking thru the audit log pages and do the mapping so you don't have to. Best regards, Gary Smith On 5/1/13 12:05 PM, "Vaughn, Chad M" <[email protected]> wrote: >All, > >Is there a listing somewhere that explains what various exit codes in >auditd are? > >For example, we are getting some exit=-17 entries in our logs, and we >have narrowed it down to an init script that tries to create a directory >that already exists. >So, we are pretty sure exit=-17 means that a directory already exits. > >It would be nice if we knew all codes and their translation, whether it >be exit=-2, exit=-22, exit=-6, or exit=-17 and so on. > >I have yet to find that explained anywhere. Any info would be greatly >appreciated and would help us fine tune our audit.rules file. > >Chad Vaughn > >-- >Linux-audit mailing list >[email protected] >https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
