On Wed, Aug 02, 2006 at 04:49:02PM -0400, Lane Williams wrote:
> Should the following work???
>
> auditctl -a exit,always -S all -F exit=-13
>
> When I use a negative value for exit, I get no output into the logs when
> I should.
>
> I am using audit-1.2.3 on SuSE Enterprise 10 with the 2.6.16.21 kernel.

What do the audit records look like that you expect to be matching, and
what architecture are you running on? I recall a bug on ia64 where failed
system calls were being audited with "success=yes" and the positive errno,
and a patch to change that to negative errno to be consistent with other
architectures.
Cf.:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173500
which claims to be fixed by:
http://rhn.redhat.com/errata/RHSA-2006-0132.html
-Klaus