On Mon, 2008-08-18 at 12:49 -0700, Brian LaMere wrote: > was using a slightly older manpage, which doesn't include that helpful > clarification :) > > Brian > > On Mon, 2008-08-18 at 15:25 -0400, Eric Paris wrote: > > On Mon, 2008-08-18 at 15:18 -0400, Steve Grubb wrote: > > > On Monday 18 August 2008 15:09:34 Brian LaMere wrote: > > > > So...why is it that "LIST_RULES: exit,always success!=0 syscall=open" > > > > doesn't disregard the successful calls? > > > > > > Because that means log the successful calls. If you only want the > > > unsuccessful > > > calls, I'd suggest success = 0. Its easy to confuse the success field > > > with > > > exits codes which return 0 for success. This question pops up every now > > > and > > > again. :) > > > > Isn't that why man auditctl talks about success=no and success=yes? So you > > don't have to remember?
Actually sgrubb tells me that the =yes and =no is actually bug in the man page :( You should add it to auditctl steve :) -Eric -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
