Score:1

About Linux Auditd log

In audit.log, I can see:

type=SYSCALL msg=audit(1646113477.615:531): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7ffcadf66ae0 a2=7ffcadf66b60 a3=8 items=0 ppid=1431 pid=1451 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=19 comm="bash" exe="/bin/bash" key=(null)

type=PROCTITLE msg=audit(1646113477.615:531): proctitle="-bash"

The question is: How can I get the closed file name?

Score:0

You can use ausearch. See more info on the Red Hat pages, but to summarise:

The a0 to a3 fields record the first four arguments, encoded in hexadecimal notation, of the system call in this event. These arguments depend on the system call that is used; they can be interpreted by the ausearch utility.
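Added example (my own code, not from the question or the answer above): a close() record carries only the descriptor number in a0 and is logged with no PATH record, so the file name can only be recovered by correlating it with the earlier open()/openat() event in the same pid whose exit value is that fd. The script below does that over a constructed audit.log excerpt; it assumes x86_64 syscall numbers (arch=c000003e: 2=open, 257=openat, 3=close) and that an audit rule logging open/openat was active, and it does not follow descriptors inherited across fork() or created by dup().

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original post): an openat() that
# returned fd 3 to pid 1451, its PATH record, then the close() event from the question.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1646113470.100:520): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0f1a2b0 a2=0 a3=0 items=1 ppid=1431 pid=1451 auid=0 uid=0 comm="bash" exe="/bin/bash" key=(null)
type=PATH msg=audit(1646113470.100:520): item=0 name="/etc/hosts" inode=262401 dev=08:01 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1646113477.615:531): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7ffcadf66ae0 a2=7ffcadf66b60 a3=8 items=0 ppid=1431 pid=1451 auid=0 uid=0 comm="bash" exe="/bin/bash" key=(null)
type=PROCTITLE msg=audit(1646113477.615:531): proctitle="-bash"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
X86_64 = "c000003e"                      # assumption: only x86_64 syscall numbers are handled
SYS_OPEN, SYS_CLOSE, SYS_OPENAT = 2, 3, 257

def parse_record(line):
    """Split one audit record into a dict of fields (quotes stripped); None if no event id."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_event"] = (float(m.group(1)), int(m.group(2)))   # (timestamp, serial)
    return fields

def resolve_closed_files(log_text):
    """Return (serial, pid, fd, path) for each successful close(); path is None when the
    matching open()/openat() was not logged (no open rule, fd inherited or dup()ed)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_event"]].append(rec)
    open_fds, closes = {}, []
    for _, recs in sorted(events.items()):            # chronological order
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("arch") != X86_64 or sc.get("success") != "yes":
            continue
        pid, nr = int(sc["pid"]), int(sc["syscall"])
        if nr in (SYS_OPEN, SYS_OPENAT):
            paths = [r for r in recs if r["type"] == "PATH"]
            target = next((r for r in paths if r.get("nametype") == "NORMAL"), paths[-1] if paths else None)
            open_fds[(pid, int(sc["exit"]))] = target["name"] if target else None   # exit = new fd
        elif nr == SYS_CLOSE:
            fd = int(sc["a0"], 16)                       # a0..a3 are hex-encoded arguments
            closes.append((sc["_event"][1], pid, fd, open_fds.pop((pid, fd), None)))
    return closes

print(resolve_closed_files(SAMPLE_LOG))   # [(531, 1451, 3, '/etc/hosts')]
```

If no open/openat rule was loaded at the time (auditctl -a always,exit -F arch=b64 -S open -S openat), the close has nothing to correlate with and the name is reported as None.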
