Well, I am pretty sure that PCI DSS could consider this a success.
This is because the standard speaks of "security"-relevant events, in
the same vein as the Common Criteria standards do. And some distros
that include the Linux audit subsystem are Common Criteria certified
(check in the docs of the audit package for some example configurations
for these standards; well documented).
Hope this helps.
Best regards
2012/7/22, Michael Mather <michael.mather(a)teksavvy.com>:
> Thanks for the replies.
> The problem is that the PCI requirements say:
> 10.3 Record at least the following audit trail entries for all system
> components for each event:
> ...
> 10.3.4 Success or failure indication.
> I don't know if PCI would accept the notion that this was success.
> Michael
> -------
> On Sun, 2012-07-22 at 07:52 +0200, yersinia wrote:
> > From the point of view of the linux kernel, and of the audit, you have
> > the right to execute the cp, you don't have permission denied. So the
> > result is success.
> >
> > Best regards
> >
> > 2012/7/22, Michael Mather <michael.mather(a)teksavvy.com>:
> > > Hi,
> > >
> > > I enter the command "sudo cp qwerty /etc/xxx"
> > > and get the reply: "cp: cannot stat `qwerty': No such file or
> > > directory."
> > >
> > > A number of log entries are written. The last two are, in part:
> > >
> > > type=SYSCALL success=yes
> > > type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
> > >
> > > My problem is with "success=yes".
> > >
> > > What is happening?
> > >
> > > Thanks - Michael Mather
> > > -----------------------
> > >
> > >
> > > --
> > > Linux-audit mailing list
> > > Linux-audit(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
> > >
> >
--
Sent from my mobile device
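The point made in the thread, that `success=yes` describes the audited syscall (the execve of `cp`) and not the outcome of the command, is easiest to see by grouping raw audit records by event serial and reading the SYSCALL record of each event on its own. The script below is an added example written for this note; it is not code from the thread or from the audit package. The audit records it parses are constructed to resemble the two lines Michael quoted, with made-up timestamps, serials, pids and rule keys; the second event (a failed `stat` with `exit=-2`, ENOENT) is only ever written if an audit rule covers `stat`. The syscall numbers assume `arch=c000003e` (x86_64).

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post). Event 1001 is the
# execve of cp, which succeeds; event 1002 is cp's stat("qwerty"), which fails
# with ENOENT (exit=-2). Serials, timestamps, pids and keys are made up.
SAMPLE = """\
type=SYSCALL msg=audit(1342940000.123:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4322 auid=1000 uid=0 comm="cp" exe="/bin/cp" key="pci_exec"
type=EXECVE msg=audit(1342940000.123:1001): argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
type=SYSCALL msg=audit(1342940000.124:1002): arch=c000003e syscall=4 success=no exit=-2 ppid=4321 pid=4322 auid=1000 uid=0 comm="cp" exe="/bin/cp" key="pci_stat"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# x86_64 syscall numbers for the two calls that matter here (assumes arch=c000003e).
SYSCALL_NAMES = {59: "execve", 4: "stat"}


def parse_record(line):
    """Split one raw audit record into a dict of key/value fields."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("no msg=audit(ts:serial) field: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def summarize_events(text):
    """Group records by serial and report, per event, what the SYSCALL record says."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)

    summaries = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue  # no syscall record: nothing to say about success/failure
        ev = next((r for r in recs if r["type"] == "EXECVE"), None)
        argv = [ev["a%d" % i] for i in range(int(ev["argc"]))] if ev else None
        summaries.append({
            "serial": serial,
            "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
            # success= is the kernel's verdict on this one syscall, nothing more
            "success": sc["success"] == "yes",
            # exit= is the syscall return value; negative means -errno (-2 = ENOENT)
            "exit": int(sc["exit"]),
            "comm": sc.get("comm"),
            "argv": argv,
        })
    return summaries


def describe(summary):
    """One-line, human-readable statement of what the event actually records."""
    verdict = "succeeded" if summary["success"] else "failed"
    text = "serial %d: %s by %s %s (exit=%d)" % (
        summary["serial"], summary["syscall"], summary["comm"], verdict, summary["exit"])
    if summary["argv"]:
        text += "; command line: " + " ".join(summary["argv"])
    return text


if __name__ == "__main__":
    for s in summarize_events(SAMPLE):
        print(describe(s))
```

Run as-is, the first line reports that the execve succeeded, with the full argv from the EXECVE record, and only the second line reports the failure, because the failed call is `stat`, not `execve`. If no rule audits `stat`, that second event never exists and the log shows nothing but a successful exec, which is exactly what Michael saw.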