was using a slightly older manpage, which doesn't include that helpful clarification :)
Brian On Mon, 2008-08-18 at 15:25 -0400, Eric Paris wrote: > On Mon, 2008-08-18 at 15:18 -0400, Steve Grubb wrote: > > On Monday 18 August 2008 15:09:34 Brian LaMere wrote: > > > So...why is it that "LIST_RULES: exit,always success!=0 syscall=open" > > > doesn't disregard the successful calls? > > > > Because that means log the successful calls. If you only want the > > unsuccessful > > calls, I'd suggest success = 0. Its easy to confuse the success field with > > exits codes which return 0 for success. This question pops up every now and > > again. :) > > Isn't that why man auditctl talks about success=no and success=yes? So you > don't have to remember? > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
