Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 365

arch
Identifies the CPU architecture for which the system call was made, as a
hexadecimal constant. Decode this information using the -i option on any of your
ausearch commands when searching the logs.
syscall
The number of the system call, as it would have been printed by an strace on this
particular system call. The numbering is taken from the list of system calls under
/usr/include/asm/unistd.h and differs between architectures, so always read
syscall together with arch. In this case, syscall=2 refers to the open system call
(see man open(2)) invoked by the less application; ausearch -i translates the
number into the name for you.
success
Whether the system call succeeded or failed.
exit
The exit value returned by the system call. For the open system call used in this
example, this is the file descriptor number. This varies by system call.
a0 to a3
The first four arguments to the system call in numeric (hexadecimal) form. Their
meaning is entirely system call dependent. In this example (an open system call),
the following are used:
a0=62fb60 a1=0 a2=31 a3=0
a0 is the start address of the passed pathname in the process's memory; the
pathname itself is recorded in the accompanying PATH record, not here. a1 is the
flags argument. A value of 0 means O_RDONLY with no other flags set. Nonzero
values are read as a bitmask: 8000 in hex notation, for example, translates to
100000 in octal notation, which in turn translates to O_LARGEFILE. a2 is the mode,
which, because O_CREAT was not specified, is ignored by the kernel. a3 is not
passed by the open system call at all. Check the manual page of the respective
system call to find out which arguments are used with it; ausearch -i also
decodes the arguments of common calls such as open into their symbolic names.
items
The number of auxiliary records (for file operations, PATH records) that follow
this SYSCALL record and belong to the same event.
ppid
The process ID of the parent of the process analyzed.
pid
The process ID of the process analyzed.
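To make the decoding of arch, syscall, exit and the a0 to a3 arguments concrete, here is an added Python example. It is not code from the SUSE guide or from the audit package; it interprets a SYSCALL record the way ausearch -i does for the fields discussed above. The architecture constants, syscall numbers and open(2) flag bits are the x86 values from the kernel headers (the tables are deliberately partial), and the three sample records are constructed for this example, the first one modelled on the field values the chapter walks through but with a1=8000 so that the flag decoding is visible.

```python
import re

# AUDIT_ARCH_* values from <linux/audit.h>; only the two x86 variants are listed.
ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386"}

# Partial syscall tables (asm/unistd_64.h, asm/unistd_32.h). The same number
# means different calls on different architectures, hence the per-arch lookup.
SYSCALLS = {
    "x86_64": {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve", 257: "openat"},
    "i386": {2: "fork", 3: "read", 4: "write", 5: "open", 6: "close", 11: "execve", 295: "openat"},
}

# open(2) flag bits for x86 from <asm-generic/fcntl.h>, in octal as the header writes them.
OPEN_FLAGS = [
    ("O_CREAT", 0o100), ("O_EXCL", 0o200), ("O_NOCTTY", 0o400), ("O_TRUNC", 0o1000),
    ("O_APPEND", 0o2000), ("O_NONBLOCK", 0o4000), ("O_DSYNC", 0o10000),
    ("O_ASYNC", 0o20000), ("O_DIRECT", 0o40000), ("O_LARGEFILE", 0o100000),
    ("O_DIRECTORY", 0o200000), ("O_NOFOLLOW", 0o400000), ("O_NOATIME", 0o1000000),
    ("O_CLOEXEC", 0o2000000),
]
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into {field: value}; quotes around values are stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def decode_open_flags(a_hex):
    """Render the raw open(2) flags argument (hex string from the record) as O_* names."""
    flags = int(a_hex, 16)
    # The access mode is a two-bit field, not a bitmask, so it is decoded first.
    names = [ACCESS_MODES.get(flags & 0o3, "O_ACCMODE?")]
    rest = flags & ~0o3
    for name, bit in OPEN_FLAGS:
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:  # bits this table does not know about stay visible as a hex remainder
        names.append(hex(rest))
    return "|".join(names)


def decode_syscall_record(line):
    """Interpret a SYSCALL record as ausearch -i would, for the fields the chapter discusses."""
    f = parse_record(line)
    arch = ARCHES.get(int(f["arch"], 16), f["arch"])
    number = int(f["syscall"])
    name = SYSCALLS.get(arch, {}).get(number, str(number))
    out = {
        "arch": arch,
        "syscall": name,
        "success": f["success"] == "yes",
        "exit": int(f["exit"]),    # file descriptor on success, -errno on failure
        "items": int(f["items"]),  # number of PATH records that follow this event
        "ppid": int(f["ppid"]),
        "pid": int(f["pid"]),
        "comm": f.get("comm"),
    }
    # open(path, flags, mode) carries flags in a1; openat(dirfd, path, flags, mode) in a2.
    if name in ("open", "openat"):
        flag_arg, mode_arg = ("a1", "a2") if name == "open" else ("a2", "a3")
        out["flags"] = decode_open_flags(f[flag_arg])
        # The mode argument only matters when the call may create the file.
        if "O_CREAT" in out["flags"].split("|"):
            out["mode"] = oct(int(f[mode_arg], 16))
    return out


# Constructed sample records (not copied from a real audit.log).
RECORD_LESS = (
    'type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes '
    'exit=4 a0=62fb60 a1=8000 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" '
    'exe="/usr/bin/less" key="open_less"'
)
# A shell redirection creating a file via openat(2) on x86_64: flags live in a2, mode in a3.
RECORD_CREATE = (
    'type=SYSCALL msg=audit(1234874700.000:5300): arch=c000003e syscall=257 success=yes '
    'exit=3 a0=ffffffffffffff9c a1=7ffd1c2e3f40 a2=80241 a3=1b6 items=2 ppid=25400 '
    'pid=25700 comm="bash" exe="/bin/bash" key="create_file"'
)
# On i386 the number 2 is fork, not open; open is 5. This call failed with -ENOENT.
RECORD_I386 = (
    'type=SYSCALL msg=audit(1234874800.000:5400): arch=40000003 syscall=5 success=no '
    'exit=-2 a0=bf8a1234 a1=0 a2=0 a3=0 items=1 ppid=1 pid=999 comm="less" exe="/usr/bin/less"'
)

if __name__ == "__main__":
    for record in (RECORD_LESS, RECORD_CREATE, RECORD_I386):
        print(decode_syscall_record(record))
```

The script prints one dictionary per record; a1=8000 on the less record comes out as O_RDONLY|O_LARGEFILE, the openat record as O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC with mode 0o666, and the i386 record shows why the same number 2 must not be decoded without looking at arch. For real logs, ausearch -i carries the complete tables for every architecture and syscall, which this example only sketches.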
Understanding Linux Audit
353