On Tuesday 13 May 2008 10:13:53 Keith Kaple wrote:
> When open fails, the open() manpage says it will return -1 so that will make
> success false or 0. When success is false, auditd seems to use the negated
> value of ERRNO to populate the exit= field, is that correct?

This is actually done by the kernel, not auditd. But you are correct.

> So a rule such as:
>
> auditctl -a exit,always -S open -F success=0 -F exit=-13
>
> Would log only permission related failures, correct?

Correct. But that can be reduced to:

auditctl -a exit,always -S open -F exit=-EPERM

Syscall rules affect every single syscall made by every program. So, you want
the rule to be efficient. In this case, checking the success field is
redundant.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
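The thread above is about how the kernel fills the success= and exit= fields of a SYSCALL audit record (exit= carries the negated errno on failure, so success= adds nothing a filter on exit= does not already say). As an added example, not part of the list thread and not audit code, here is a small Python parser that reads constructed audit.log-style SYSCALL records, decodes a negative exit= back to its errno name with the standard errno module, checks that success= is consistent with the sign of exit=, and picks out the permission-related failures. The log lines, pids, comm/exe values and the "open-fail" key are constructed; on Linux errno 13 is EACCES and errno 1 is EPERM, and both are treated as permission failures below.

```python
import errno
import re

# Constructed audit.log-style SYSCALL records (not from the thread). syscall=2 is
# open() on x86_64. The kernel writes success=no and exit=-errno when the call
# fails, and success=yes with the returned descriptor when it succeeds.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1210687233.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1c2e3f40 a1=0 a2=1b6 a3=0 items=1 ppid=1001 pid=2345 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="open-fail"
type=SYSCALL msg=audit(1210687233.102:202): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2e3f80 a1=0 a2=1b6 a3=0 items=1 ppid=1001 pid=2346 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1210687233.103:203): arch=c000003e syscall=2 success=no exit=-2 a0=7ffd1c2e3fc0 a1=0 a2=1b6 a3=0 items=1 ppid=1001 pid=2347 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1210687233.104:204): arch=c000003e syscall=2 success=no exit=-1 a0=7ffd1c2e4000 a1=0 a2=1b6 a3=0 items=1 ppid=1001 pid=2348 auid=1000 uid=0 comm="mount" exe="/bin/mount" key="open-fail"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones run to whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permission-related errno values: EACCES is 13 and EPERM is 1 on Linux.
PERMISSION_ERRNOS = {errno.EACCES, errno.EPERM}


def parse_record(line):
    """Split one audit record into a dict of field name -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def exit_errno_name(record):
    """Return the errno name encoded in exit= (kernel stores -errno), or None if the call succeeded."""
    code = int(record["exit"])
    if code >= 0:
        return None
    return errno.errorcode.get(-code, f"errno {-code}")


def success_matches_exit(record):
    """success= is derived from the sign of exit=, which is why filtering on both is redundant."""
    failed = int(record["exit"]) < 0
    return (record["success"] == "no") == failed


def permission_failures(log_text):
    """Return (comm, errno name) for every SYSCALL record whose exit= is a permission errno."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        code = int(rec["exit"])
        if code < 0 and -code in PERMISSION_ERRNOS:
            hits.append((rec["comm"], errno.errorcode[-code]))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_record(line)
        print(rec["comm"], rec["success"], rec["exit"],
              exit_errno_name(rec), success_matches_exit(rec))
    print(permission_failures(SAMPLE_LOG))
```

Run against the constructed sample, permission_failures() reports the cat (EACCES, exit=-13) and mount (EPERM, exit=-1) records and skips the ENOENT failure and the successful open; success_matches_exit() is true for every record, which is the redundancy the reply points out.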
