Well, I am pretty sure that PCI DSS could consider this a success. This is because the standard speaks of "security"-relevant events, in the same vein as the Common Criteria standards do. And some distros that include the Linux audit subsystem are Common Criteria certified (check the documentation of the audit package for some example configurations for these standards; it is well documented).

Hope this helps.

Best regards

2012/7/22, Michael Mather <[email protected]>:
> Thanks for the replies.
>
> The problem is that the PCI requirements say:
>
> 10.3 Record at least the following audit trail entries for all system
> components for each event:
> ...
> 10.3.4 Success or failure indication.
>
> I don't know if PCI would accept the notion that this was success.
>
> Michael
> -------
>
> On Sun, 2012-07-22 at 07:52 +0200, yersinia wrote:
>> From the point of view of the Linux kernel, and of the audit, you have
>> the right to execute the cp, you don't have permission denied. So the
>> result is success.
>>
>> Best regards
>>
>> 2012/7/22, Michael Mather <[email protected]>:
>> > Hi,
>> >
>> > I enter the command "sudo cp qwerty /etc/xxx"
>> > and get the reply: "cp: cannot stat `qwerty': No such file or
>> > directory."
>> >
>> > A number of log entries are written. The last two are, in part:
>> >
>> > type=SYSCALL success=yes
>> > type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
>> >
>> > My problem is with "success=yes".
>> >
>> > What is happening?
>> >
>> > Thanks - Michael Mather
>> > -----------------------
>> >
>> > --
>> > Linux-audit mailing list
>> > [email protected]
>> > https://www.redhat.com/mailman/listinfo/linux-audit

--
Sent from my mobile device
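
The distinction discussed in this thread, as an added example that is not part of the original messages: the `success=` field of a SYSCALL record describes the return of that one system call (here `execve`), not the later outcome of the program it started. The log lines are constructed for illustration (the thread quotes only fragments), and the function names `parse_events` and `summarize` are hypothetical.

```python
import re
import shlex

# Constructed audit records (the thread quotes only fragments of the real ones).
# Event 101: execve of cp succeeds, so the kernel reports success=yes.
# Event 102: a stat inside cp fails with ENOENT; it is only logged if a rule
# covers that syscall, and it is where the "No such file" failure is visible.
SAMPLE = '''\
type=SYSCALL msg=audit(1342936320.100:101): arch=c000003e syscall=59 success=yes exit=0 pid=4242 comm="cp" exe="/bin/cp"
type=EXECVE msg=audit(1342936320.100:101): argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
type=SYSCALL msg=audit(1342936320.105:102): arch=c000003e syscall=4 success=no exit=-2 pid=4242 comm="cp" exe="/bin/cp"
'''

SYSCALL_NAMES = {"59": "execve", "4": "stat"}  # x86_64 numbers used in SAMPLE

def parse_events(text):
    """Group records by audit event serial and return {serial: {type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = re.match(r"type=(\S+) msg=audit\([\d.]+:(\d+)\): (.*)", line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        # shlex strips the double quotes around values such as comm="cp"
        fields = dict(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def summarize(text):
    """One row per event: (pid, syscall name, success flag, syscall exit, argv)."""
    rows = []
    for serial, recs in sorted(parse_events(text).items()):
        sc = recs.get("SYSCALL")
        if sc is None:
            continue
        ex = recs.get("EXECVE", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0)))]
        name = SYSCALL_NAMES.get(sc["syscall"], sc["syscall"])
        # exit= is the syscall's return value, not the process exit status
        rows.append((sc["pid"], name, sc["success"], int(sc["exit"]), argv))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```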
