Hi, I'm fairly new to auditd, I just want to make sure I understand this correctly,
the "unsuccessfull opens" manpage example was recently changed from:
auditctl -a exit,always -S open -F success!=0
to
auditctl -a exit,always -S open -F success=0
The logic of 'success' is defined as:
success If the exit value is >= 0 this is true/yes otherwise its
false/no. When writing a rule, use a 1 for true/yes and a 0 for false/no
So, for open() returning a positive number that is the file descriptor which the process
will read/write from and thus success is true or 1. When open fails, the open() manpage
says it will return -1 so that will make success false or 0. When success is false,
auditd seems to use the negated value of ERRNO to populate the exit= field, is that
correct? So a rule such as:
auditctl -a exit,always -S open -F success=0 -F exit=-13
Would log only permission related failures, correct?
thanks,
Keith
--
| |
. | | | . | | | .
' '
C I S C O
GGSG VoIP