Success or failure?

Michael Mather michael.mather at teksavvy.com
Sun Jul 22 14:18:17 UTC 2012


Thanks for the replies.

The problem is that the PCI requirements say:

10.3 Record at least the following audit trail entries for all system
components for each event:
...
10.3.4 Success or failure indication.

I don't know if PCI would accept the notion that this was success.

Michael
-------

On Sun, 2012-07-22 at 07:52 +0200, yersinia wrote:
> From the point of view of the Linux kernel, and of the audit, you have
> the right to execute the cp, you don't have permission denied. So the
> result is success.
> 
> Best regards
> 
> 2012/7/22, Michael Mather <michael.mather at teksavvy.com>:
> > Hi,
> >
> > I enter the command "sudo cp qwerty /etc/xxx"
> > and get the reply:  "cp: cannot stat `qwerty': No such file or directory."
> >
> > A number of log entries are written. The last two are, in part:
> >
> > type=SYSCALL success=yes
> > type=EXECVE  argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
> >
> > My problem is with "success=yes".
> >
> > What is happening?
> >
> > Thanks - Michael Mather
> > -----------------------
> >
> >
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
> 
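
An added example, not part of the thread: a sketch that pairs SYSCALL and EXECVE records by audit event ID and reads `success=` as the outcome of the execve call only, which is the distinction drawn in the reply above. The log lines are constructed samples, the function names are hypothetical, and syscall number 59 assumes x86_64.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). Event 101: execve of cp
# succeeds, whatever cp does afterwards. Event 102: execve itself is refused
# (exit=-13, EACCES), so no EXECVE record follows. Event 103: hex-encoded argument.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1342937897.101:101): arch=c000003e syscall=59 success=yes exit=0 pid=4242 comm="cp" exe="/bin/cp"
type=EXECVE msg=audit(1342937897.101:101): argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
type=SYSCALL msg=audit(1342937899.500:102): arch=c000003e syscall=59 success=no exit=-13 pid=4250 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1342937901.700:103): arch=c000003e syscall=59 success=yes exit=0 pid=4260 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1342937901.700:103): argc=2 a0="ls" a1=6D792066696C65
"""

EVENT_ID = re.compile(r"audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log):
    """Group records by audit event ID: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = dict(FIELD.findall(line))
            events[int(m.group(1))][fields["type"]] = fields
    return events

def decode_arg(value):
    """Audit quotes plain strings and hex-encodes ones with spaces or specials."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def exec_outcomes(log):
    """Return {event_id: (argv, verdict)} for execve events."""
    out = {}
    for eid, recs in parse_events(log).items():
        sc = recs.get("SYSCALL")
        if not sc or sc.get("syscall") != "59":  # 59 = execve (x86_64 assumed)
            continue
        ex = recs.get("EXECVE", {})
        argv = [decode_arg(ex[f"a{i}"]) for i in range(int(ex.get("argc", 0)))]
        if sc["success"] == "yes":
            verdict = "exec succeeded; program result not recorded in this event"
        else:
            verdict = f"exec failed, errno {-int(sc['exit'])}"
        out[eid] = (argv, verdict)
    return out
```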