RE: Audit Explanations
From: Darren Moffat (Darren.Moffat@eng.sun.com)
- Maybe in reply to: Jeff Leckemby: "Audit Explanations"
- Next in thread: Leckemby Jeffrey M Contr ACC/INSC (SPECTRUM): "RE: Audit Explanations"
Message-Id: <200108142123.f7ELN8B246379@jurassic.eng.sun.com>
Date: Tue, 14 Aug 2001 14:22:32 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: RE: Audit Explanations
To: Jeff.Leckemby@sptrm.com, firstname.lastname@example.org
Using the example you gave (properly formatted, where \ is a continuation
on the same line).
header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001 \
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
In prose this says:
On Fri Jun 08 @ 13:50:23 process 313 on host someputer, operating on
behalf of user someuser of group staff, opened the file
/export/home/someuser/.Xauthority-n as file descriptor 4 for writing,
creating it with mode 600 if it didn't exist or truncating it if it was
already there. The file was found at inode 16540, and the operation was
successful. No additional privilege was used to complete this operation.
> Per your reply "What parts of the audit records you listed do you not
> What is: 148,2,
148 is the number of bytes in the record, 2 is the version number.
> and: .Xauthority-n
path is the path token; this is the file that open(2) was passed.
attribute is on a new line and is the attr token, which describes the
vnode that open(2) was operating on.
100600 is the mode.
> and: 313,312,0 0
These are part of the subject token which is described in:
313 == process id
312 == session id
0 0 someputer is all the terminal id.
0 is the device
0 is the port
Since both of these are 0 this was on the local host and not a remote
> and: return,success,4
The return token. success means open(2) returned a non-error value (i.e. != -1)
and 4 is the return value, so in this case it is the file descriptor.
-- Darren J Moffat
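A small parser for praudit-style text records of the kind explained in the message above, written as an added example (it is not code from the message, the thread, or Sun). It splits one record into its header, path, attribute, subject and return tokens and interprets the fields the message describes: byte count and version in the header, pid/session id/terminal id in the subject, the octal mode in the attribute token, and status plus return value in the return token. Only the header and subject lines of the sample are quoted in the message; the path, attribute and return lines are reconstructed from its prose, the attribute field order (mode, uid, gid, fsid, nodeid, device) and the fsid/device values are assumptions, and the "failure: reason" form of the return token is likewise assumed. One point the prose does not make explicit: the event description inside the header ("open(2) - write,creat,trunc") contains commas, so a naive comma split mislabels every field after it.

```python
import stat
from typing import Any, Dict, List

# Constructed sample record, one praudit-style text token per line.  The header
# and subject lines are the ones quoted in the message; path, attribute and
# return are reconstructed from its prose (path, mode 100600, inode 16540,
# return success/4).  Attribute field order and the fsid/device values are
# assumptions made for this example.
SAMPLE_RECORD = """\
header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,8388612,16540,0
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
return,success,4
"""


def parse_header(fields: List[str]) -> Dict[str, Any]:
    """header,<bytes>,<version>,<event description>,<modifier>,<time>.

    The event description itself contains commas, so anchor on the fixed
    fields at both ends and join whatever lies between them.
    """
    if len(fields) < 6:
        raise ValueError(f"short header token: {fields}")
    return {
        "bytes": int(fields[1]),          # record length in bytes
        "version": int(fields[2]),        # record version number
        "event": ",".join(fields[3:-2]),  # e.g. "open(2) - write,creat,trunc"
        "modifier": fields[-2],           # empty in the sample
        "time": fields[-1],
    }


def parse_subject(fields: List[str]) -> Dict[str, Any]:
    """subject,<audit uid>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<terminal id>.

    The terminal id is a single space-separated field, labelled in the
    message as "<device> <port> <host>"; 0 0 means a local session.
    """
    if len(fields) != 9:
        raise ValueError(f"unexpected subject token: {fields}")
    dev, port, host = fields[8].split(" ", 2)
    return {
        "audit_uid": fields[1], "uid": fields[2], "gid": fields[3],
        "ruid": fields[4], "rgid": fields[5],
        "pid": int(fields[6]), "sid": int(fields[7]),
        "terminal": {"device": int(dev), "port": int(port), "host": host},
        "local": dev == "0" and port == "0",
    }


def parse_attribute(fields: List[str]) -> Dict[str, Any]:
    """attribute,<mode>,<uid>,<gid>,<fsid>,<nodeid>,<device> (assumed order)."""
    if len(fields) != 7:
        raise ValueError(f"unexpected attribute token: {fields}")
    mode = int(fields[1], 8)  # 100600 is octal: regular file, rw-------
    return {
        "mode": mode, "perms": stat.filemode(mode),
        "owner": fields[2], "group": fields[3],
        "fsid": int(fields[4]), "inode": int(fields[5]), "device": int(fields[6]),
    }


def parse_return(fields: List[str]) -> Dict[str, Any]:
    """return,<success | failure: reason>,<value>; value is the fd on success."""
    if len(fields) < 3:
        raise ValueError(f"short return token: {fields}")
    status = ",".join(fields[1:-1])  # tolerate a comma in a failure reason
    return {"success": status == "success", "status": status, "value": int(fields[-1])}


PARSERS = {"header": parse_header, "subject": parse_subject,
           "attribute": parse_attribute, "return": parse_return}


def parse_record(text: str) -> Dict[str, Any]:
    """Parse one multi-line praudit text record into a dict keyed by token name."""
    record: Dict[str, Any] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        name = fields[0]
        if name == "path":
            record["path"] = ",".join(fields[1:])  # a path may itself contain commas
        elif name in PARSERS:
            record[name] = PARSERS[name](fields)
        else:
            record.setdefault("other", []).append(line)  # tokens not handled here
    return record


def summarize(record: Dict[str, Any]) -> str:
    """One-line prose rendering in the spirit of the message's explanation."""
    h, s, a, r = record["header"], record["subject"], record["attribute"], record["return"]
    outcome = f"fd {r['value']}" if r["success"] else r["status"]
    where = "local" if s["local"] else "remote"
    return (f"{h['time']}: pid {s['pid']} (session {s['sid']}, {where}) on "
            f"{s['terminal']['host']} as {s['uid']}:{s['gid']} did {h['event']} on "
            f"{record['path']} (inode {a['inode']}, {a['perms']}, owner {a['owner']}) -> {outcome}")


if __name__ == "__main__":
    print(summarize(parse_record(SAMPLE_RECORD)))
```

Run it as a script to see the summary of the constructed record; feed `parse_record` the text of one record (all lines from `header` through `return`) when processing real praudit output.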