linux-audit-bounces@redhat.com wrote on 08/24/2005 12:07:49 PM:

> On Wed, 2005-08-24 at 12:59 -0400, Steve Grubb wrote:
> > The easiest thing to do is just add the == value to the
> comparison. This would
> > let people do something like success!=yes or success=no to test for failure.
>
> Seems like a reasonable feature to add if there's consensus on it. I'm
> investigating one or two other things which may require an updated
> kernel anyway, so would include it then.

We could also just change the man page to state the following usage:
-F success=1   - to audit successful syscalls
-F success!=1  - to audit unsuccessful syscalls