Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 367

key
If you are auditing a large number of directories or files, assign key strings to each
of these watches. You can then use these keys with ausearch to search the logs for
events of this type only.
The second message triggered by the example less call reveals nothing apart from
the current working directory at the time the less command was executed.
The third message reveals the following (the type and message flags have already
been introduced):
item
In this example, item references the a0 argument—a path—that is associated
with the original SYSCALL message. Had the original call had more than one path
argument (such as a cp or mv command), an additional PATH event would have
been logged for the second path argument.
name
Refers to the pathname passed as an argument to the less (or open) call.
inode
Refers to the inode number corresponding to name.
dev
Specifies the device on which the file is stored. In this case, 03:01, which stands
for /dev/sda1 or "first partition on the first IDE device."
mode
Numerical representation of the file's access permissions. In this case, root has
read and write permissions and his group (root) has read access while the entire
rest of the world cannot access the file at all.
ouid and ogid
Refer to the UID and GID of the inode itself.
rdev
Not applicable for this example. The rdev entry only applies to block or character
devices, not to files.
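The following is an added example, not part of the manual, that puts the two points above into working code: filtering audit events by key (what ausearch does when you search by key) and decoding the fields of the PATH record. The log lines are constructed for this illustration (serial numbers, inode numbers, paths and keys are invented); the record layout follows the type=, msg=audit(timestamp:serial) and field=value format used by the audit daemon, and the mode value is converted to the familiar rwx notation with the standard library's stat module.

```python
import re
import stat
from collections import defaultdict

# Constructed sample of audit.log records: two events, each made up of a
# SYSCALL record (carrying the watch key), a CWD record and one PATH record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1237280400.123:1001): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1234abcd a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=4242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="less" exe="/usr/bin/less" key="sshd_config"
type=CWD msg=audit(1237280400.123:1001): cwd="/root"
type=PATH msg=audit(1237280400.123:1001): item=0 name="/etc/ssh/sshd_config" inode=12345 dev=03:01 mode=0100640 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1237280401.456:1002): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd5678ef01 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=4243 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts1 ses=2 comm="cat" exe="/bin/cat" key="home_docs"
type=CWD msg=audit(1237280401.456:1002): cwd="/home/tux"
type=PATH msg=audit(1237280401.456:1002): item=0 name="/home/tux/notes.txt" inode=67890 dev=08:01 mode=0100600 ouid=1000 ogid=100 rdev=00:00
"""

# "type=X msg=audit(TIMESTAMP:SERIAL): <fields>" -- the serial ties the
# SYSCALL, CWD and PATH records of one event together.
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# field=value pairs; values may be double-quoted (name="/etc/passwd").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into a dict, or return None for unrelated lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": m.group("ts"),
           "serial": int(m.group("serial"))}
    for key, value in FIELD_RE.findall(m.group("body")):
        rec[key] = value.strip('"')
    return rec


def group_events(log_text):
    """Group records by serial number so each event is one list of records."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def search_by_key(log_text, key):
    """Return the events whose SYSCALL record carries the given watch key
    (the same selection ausearch makes when searching by key)."""
    hits = []
    for _, records in sorted(group_events(log_text).items()):
        if any(r["type"] == "SYSCALL" and r.get("key") == key for r in records):
            hits.append(records)
    return hits


def _major_minor(value):
    # dev and rdev are written as hexadecimal major:minor pairs.
    major, minor = value.split(":")
    return int(major, 16), int(minor, 16)


def decode_path(rec):
    """Decode the fields of a PATH record described in the manual."""
    mode = int(rec["mode"], 8)  # octal: file type bits plus permission bits
    return {
        "item": int(rec["item"]),        # index of the path argument (a0 -> item 0)
        "name": rec["name"],             # pathname passed to the call
        "inode": int(rec["inode"]),      # inode number of that name
        "dev": _major_minor(rec["dev"]), # device holding the file, as (major, minor)
        "mode": stat.filemode(mode),     # e.g. 0100640 -> '-rw-r-----'
        "ouid": int(rec["ouid"]),        # owner UID of the inode
        "ogid": int(rec["ogid"]),        # owner GID of the inode
        "rdev": _major_minor(rec["rdev"]),  # only meaningful for device nodes
    }


def summarize_event(records):
    """Combine the SYSCALL, CWD and PATH records of one event."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), None)
    paths = [decode_path(r) for r in records if r["type"] == "PATH"]
    # items= in the SYSCALL record announces how many PATH records follow;
    # a cp or mv would produce two of them (item=0 and item=1).
    expected = int(syscall.get("items", len(paths)))
    return {"serial": syscall["serial"], "key": syscall.get("key"),
            "comm": syscall.get("comm"), "cwd": cwd, "paths": paths,
            "complete": expected == len(paths)}


if __name__ == "__main__":
    for event in search_by_key(SAMPLE_LOG, "sshd_config"):
        print(summarize_event(event))
```

Running the block prints the decoded less event: the key that matched, the working directory from the CWD record, and the PATH fields with the mode rendered as -rw-r----- (owner read/write, group read, no access for others), which is the permission set the manual describes.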
Understanding Linux Audit
355