no logging of successful events?
Eric Paris
eparis at redhat.com
Mon Aug 18 19:25:23 UTC 2008
On Mon, 2008-08-18 at 15:18 -0400, Steve Grubb wrote:
> On Monday 18 August 2008 15:09:34 Brian LaMere wrote:
> > So...why is it that "LIST_RULES: exit,always success!=0 syscall=open"
> > doesn't disregard the successful calls?
>
> Because that means log the successful calls. If you only want the unsuccessful
> calls, I'd suggest success = 0. Its easy to confuse the success field with
> exits codes which return 0 for success. This question pops up every now and
> again. :)
Isn't that why man auditctl talks about success=no and success=yes? So you don't have to remember?
More information about the Linux-audit
mailing list