Error code was not included in the audit messages logged by the integrity subsystem in the Linux kernel.

commit 2f845882ecd2 in https://github.com/torvalds/linux tree added "errno" field in the audit messages logged by the integrity subsystem. The "errno" field will be set to 0 when the operation was completed successfully, and on failure a non-zero error code is set in this field in the audit message.

Add the documentation for the "errno" field in the audit message field dictionary.

Sample audit message from the integrity subsystem with errno field:

[ 6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12

Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>
--- specs/fields/field-dictionary.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/specs/fields/field-dictionary.csv b/specs/fields/field-dictionary.csv index 055ff79..5117e25 100644 --- a/specs/fields/field-dictionary.csv +++ b/specs/fields/field-dictionary.csv @@ -49,6 +49,7 @@ dport,numeric,remote port number, egid,numeric,effective group ID, enforcing,numeric,new MAC enforcement status, entries,numeric,number of entries in the netfilter table, +errno,numeric,error code of the audited operation, euid,numeric,effective user ID, exe,encoded,executable name, exit,numeric,syscall exit code, -- 2.28.0
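
Review bot: the description on the added `errno` line does not state the value convention, which is what a consumer of the dictionary needs in order to interpret the field. The commit message says the field is 0 on success and non-zero on failure, and the sample record shows `errno=-12` next to `cause=ENOMEM`, so at least in that record the value is the negated error number rather than the positive constant. Suggest putting the convention into the description column, for example `errno,numeric,error code of the audited operation (0 on success; non-zero on failure),`, and, if failures are always reported as negative values as in the sample, saying so explicitly. Keep the added text free of commas so the CSV column layout is not disturbed. It would also help to distinguish the entry from the neighbouring `exit,numeric,syscall exit code,` line, since both carry a return status and log parsers may otherwise treat them as interchangeable.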