open() syscall and success=0 question

Steve Grubb sgrubb at redhat.com
Tue May 13 14:24:41 UTC 2008


On Tuesday 13 May 2008 10:13:53 Keith Kaple wrote:
> When open fails, the open() manpage says it will return -1 so that will make
> success false or 0.  When success is false, auditd seems to use the negated
> value of ERRNO to populate the exit= field, is that correct?

This is actually done by the kernel, not auditd. But you are correct.

> So a rule such as:
>
> auditctl -a exit,always -S open -F success=0 -F exit=-13
>
> Would log only permission related failures, correct?

Correct. But that can be reduced to:

auditctl -a exit,always -S open -F exit=-EPERM

Syscall rules affect every single syscall made by every program. So, you want 
the rule to be efficient. In this case, checking the success field is 
redundant.

-Steve
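To make the point about redundancy concrete, here is an added example (not part of the original thread, and not audit-package code) that parses SYSCALL records in the kernel's audit log format and applies the two rule forms from the discussion in user space. The sample records are constructed for this example, not captured from a real system; the errno names come from Python's `errno` module (on Linux, 13 is `EACCES`). It shows that the kernel's `success=no` is exactly `exit < 0`, so a filter on `exit=-13` already implies a failed call.

```python
"""Parse audit SYSCALL records and show why `-F success=0` adds nothing
next to `-F exit=-13`: the kernel writes success=no exactly when the
syscall returned a negative value, and that value is the negated errno."""
import errno
import re
from typing import Dict, List

# Constructed sample records in the kernel's SYSCALL record format; they are
# illustrative data for this example, not real captured logs.
# arch=c000003e is x86_64, on which syscall=2 is open(2).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1210689600.101:201): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7fff0 a1=0 a2=0 a3=0 items=1 pid=4321 auid=1000 '
    'uid=1000 comm="cat" exe="/bin/cat" key="open-denied"',
    'type=SYSCALL msg=audit(1210689600.102:202): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7fff0 a1=0 a2=0 a3=0 items=1 pid=4321 auid=1000 '
    'uid=1000 comm="cat" exe="/bin/cat" key="open-denied"',
    'type=SYSCALL msg=audit(1210689600.103:203): arch=c000003e syscall=2 '
    'success=no exit=-2 a0=7fff0 a1=0 a2=0 a3=0 items=1 pid=4322 auid=1000 '
    'uid=1000 comm="ls" exe="/bin/ls" key="open-denied"',
    'type=SYSCALL msg=audit(1210689600.104:204): arch=c000003e syscall=2 '
    'success=no exit=-1 a0=7fff0 a1=0 a2=0 a3=0 items=1 pid=4323 auid=0 '
    'uid=0 comm="mount" exe="/bin/mount" key="open-denied"',
]

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def exit_errno_name(record: Dict[str, str]) -> str:
    """Return the errno symbol for a failed call (exit is the negated errno),
    or "OK" when the call succeeded and exit is its ordinary return value."""
    code = int(record["exit"])
    if code >= 0:
        return "OK"
    return errno.errorcode.get(-code, f"errno {-code}")


def success_is_derived_from_exit(record: Dict[str, str]) -> bool:
    """The kernel reports success=no exactly when the return value is negative."""
    return (record["success"] == "no") == (int(record["exit"]) < 0)


def select(records: List[str], want_exit: int, require_failure: bool = False) -> List[str]:
    """Apply the rule's filters in user space: '-F exit=<want_exit>', and,
    when require_failure is set, also '-F success=0'. Returns matching comm values."""
    matched = []
    for line in records:
        rec = parse_record(line)
        if int(rec["exit"]) != want_exit:
            continue
        if require_failure and rec["success"] != "no":
            continue
        matched.append(rec["comm"])
    return matched


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(f'{rec["comm"]:>6} success={rec["success"]:<3} exit={rec["exit"]:>4} '
              f'({exit_errno_name(rec)})')
    # Both rule forms select the same records: only the EACCES failure.
    print("exit=-13 only:           ", select(SAMPLE_RECORDS, -13))
    print("success=0 and exit=-13:  ", select(SAMPLE_RECORDS, -13, require_failure=True))
```

Because every record with a negative `exit` already carries `success=no`, the two selections are identical; the extra `-F success=0` comparison would only cost cycles on a filter the kernel evaluates for every syscall of every process.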
