On Sat, Jul 21, 2012 at 9:48 PM, Michael Mather <[email protected]> wrote: > Hi, > > I enter the command "sudo cp qwerty /etc/xxx" > and get the reply: "cp: cannot stat `qwerty': No such file or directory." > > A number of log entries are written. The last two are, in part: > > type=SYSCALL success=yes > type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx" > > My problem is with "success=yes". > > What is happening?
Assuming the syscall is execve, then it succeeds because your shell successfully execve() to run cp. Then cp the program fails. -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
