Thanks Steve,
Can you ellaborate a little on EPERM vs. EACCES?
Say a normal user tries to cp /etc/passwd and gets "permission denied" in the
shell, will exit=-EPERM or -EACCESS?
I assume there will be an entry for both if perhaps success=0 alone is used..
Keith
On Tue, May 13, 2008 at 10:24:41AM -0400, Steve Grubb wrote:
On Tuesday 13 May 2008 10:13:53 Keith Kaple wrote:
> When open fails, the open() manpage says it will return -1 so that will make
> success false or 0. When success is false, auditd seems to use the negated
> value of ERRNO to populate the exit= field, is that correct?
This is actually done by the kernel, not auditd. But you are correct.
> So a rule such as:
>
> auditctl -a exit,always -S open -F success=0 -F exit=-13
>
> Would log only permission related failures, correct?
Correct. But that can be reduced to:
auditctl -a exit,always -S open -F exit=-EPERM
Syscall rules affect every single syscall made by every program. So, you want
the rule to be efficient. In this case, checking the success field is
redundant.
-Steve
--
| |
. | | | . | | | .
' '
C I S C O
GGSG VoIP