open() syscall and success=0 question

Keith Kaple kak at cisco.com
Tue May 13 14:36:58 UTC 2008


Thanks Steve,

Can you elaborate a little on EPERM vs. EACCES?

Say a normal user tries to cp /etc/passwd and gets "permission denied" in the shell, will exit=-EPERM or -EACCES?

I assume there will be an entry for both if perhaps success=0 alone is used.


Keith




On Tue, May 13, 2008 at 10:24:41AM -0400, Steve Grubb wrote:
> On Tuesday 13 May 2008 10:13:53 Keith Kaple wrote:
> > When open fails, the open() manpage says it will return -1 so that will make
> > success false or 0.  When success is false, auditd seems to use the negated
> > value of ERRNO to populate the exit= field, is that correct?
> 
> This is actually done by the kernel, not auditd. But you are correct.
> 
> > So a rule such as:
> >
> > auditctl -a exit,always -S open -F success=0 -F exit=-13
> >
> > Would log only permission related failures, correct?
> 
> Correct. But that can be reduced to:
> 
> auditctl -a exit,always -S open -F exit=-EPERM
> 
> Syscall rules affect every single syscall made by every program. So, you want 
> the rule to be efficient. In this case, checking the success field is 
> redundant.
> 
> -Steve

-- 
    |       |
. | | | . | | | .
    '       ' 
    C I S C O
    GGSG VoIP   
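The thread turns on how the exit= field of a SYSCALL record encodes failures (the negated errno, with success=no) and on why filtering by exit= is more selective than filtering by success=0 alone. The following is an added example, not code from the list or from the audit project: it parses constructed sample SYSCALL records (the field layout follows the kernel's audit format, the values are made up), decodes exit= into an errno name with Python's errno module, and builds the numeric form of the auditctl rule quoted above for a given errno name. For reference, open(2) documents EACCES (13 on Linux) for discretionary permission denials on the file or a path component, and EPERM (1) for cases such as O_NOATIME on a file the caller does not own.

```python
import errno
import re

# Constructed sample SYSCALL records (not real audit.log lines). The shape
# follows the kernel's audit record format: success=no with exit= carrying
# the negated errno, success=yes with exit= carrying the returned descriptor.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1210689600.123:101): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7ffd1a2b3c4d a1=0 comm="cp" exe="/bin/cp" key=(null)',
    'type=SYSCALL msg=audit(1210689600.456:102): arch=c000003e syscall=2 '
    'success=no exit=-1 a0=7ffd1a2b3c5e a1=40041 comm="touch" exe="/bin/touch" key=(null)',
    'type=SYSCALL msg=audit(1210689600.789:103): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffd1a2b3c6f a1=0 comm="cat" exe="/bin/cat" key=(null)',
]

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key=value fields (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def exit_to_errno(exit_value):
    """Decode exit=: a negative value is -errno, so return (number, name).
    Return None when the syscall succeeded (exit >= 0)."""
    n = int(exit_value)
    if n >= 0:
        return None
    return (-n, errno.errorcode.get(-n, "UNKNOWN"))


def permission_failures(lines):
    """Return (comm, errno_name) for failed records whose errno is EPERM or
    EACCES. A rule keyed on success=0 alone would match both (and every other
    failure); keying on exit= selects one errno value."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue
        decoded = exit_to_errno(rec["exit"])
        if decoded and decoded[0] in (errno.EPERM, errno.EACCES):
            hits.append((rec["comm"], decoded[1]))
    return hits


def rule_for_errno(name, syscall="open"):
    """Build the numeric form of the auditctl rule quoted in the thread for a
    given errno name, e.g. EACCES -> '-F exit=-13'."""
    number = getattr(errno, name)
    return f"auditctl -a exit,always -S {syscall} -F exit=-{number}"


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(rec["comm"], rec["success"], exit_to_errno(rec["exit"]))
    print(permission_failures(SAMPLE_RECORDS))
    print(rule_for_errno("EACCES"))
```

Running it on the constructed records reports cp failing with EACCES and touch with EPERM, and prints the numeric rule for EACCES; the errno numbers come from the host's errno module, so the output matches the platform the audit log was produced on only when run on the same kind of system.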



