Hi, I'm fairly new to auditd, I just want to make sure I understand this
correctly, the "unsuccessfull opens" manpage example was recently changed from:
auditctl -a exit,always -S open -F success!=0
to
auditctl -a exit,always -S open -F success=0
The logic of 'success' is defined as:
success If the exit value is >= 0 this is true/yes otherwise
its false/no. When writing a rule, use a 1 for true/yes and a 0 for false/no
So, for open() returning a positive number that is the file descriptor which
the process will read/write from and thus success is true or 1. When open
fails, the open() manpage says it will return -1 so that will make success
false or 0. When success is false, auditd seems to use the negated value of
ERRNO to populate the exit= field, is that correct? So a rule such as:
auditctl -a exit,always -S open -F success=0 -F exit=-13
Would log only permission related failures, correct?
thanks,
Keith
--
| |
. | | | . | | | .
' '
C I S C O
GGSG VoIP
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
