On Fri, Oct 25, 2013 at 08:29:00AM -0400, leam hall wrote: > I'm making a little progress in identifying the unknown syscalls. It often > helps if you are not so cold and remember to look for a log... > > The failed call below is root doing a grep. I do not know why it failed. > The PPID is a bash shell. Any good docs available to explain the codes? > > Thanks! > > Leam > > ### > > grep SYSCALL audit.log | grep "success=no" | tail -1 > > type=SYSCALL msg=audit(1382703881.711:2677787): arch=c000003e syscall=2 > success=no exit=-2 a0=7914b20 a1=0 a2=0 a3=3a89724793 items=1 ppid=25339 > pid=26563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > tty=pts1 ses=4445 comm="grep" exe="/bin/grep" > subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
open() failing with ENOENT. Which can happen for any number of reasons, such as looking for config in .some_shite before going for /etc/some_shite. Hard to tell without seeing the pathname involved... -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
