The records that I care about are the permission denied records.
If I do...
auditctl -a exit,always -S all -F success=0
I get ....
type=PATH msg=audit(08/03/06 08:49:37.229:78293) : item=0 name=/var/log/messages flags=follow,open inode=53150921 dev=08:03 mode=file,640 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(08/03/06 08:49:37.229:78293) : cwd=/home/someuser
type=SYSCALL msg=audit(08/03/06 08:49:37.229:78293) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7ffff362f541 a1=0 a2=1b6 a3=0 items=1 pid=6334 auid=unknown(4294967295) uid=someuser gid=users euid=someuser suid=someuser fsuid=someuser egid=users sgid=users fsgid=users comm=more exe=/bin/more
but, I also get a lot of other garbage that I do not want.....such as all of the "exit=-2(No such file or directory)".
I would like to....
auditctl -a exit,always -S all -F exit=-13
so I only get permission denied entries. Auditctl allows me to create the rule, and it list the rule. But nothing is logged, when I know it should be.
I am running the 184.108.40.206 kernel (SUSE Enterprise Desktop 10) on AMD64 dual core machines.
From: Klaus Weidner [mailto:klaus atsec com]
Sent: Wed 8/2/2006 8:22 PM
To: Williams, P. Lane
Cc: linux-audit redhat com
Subject: Re: auditctl question
On Wed, Aug 02, 2006 at 04:49:02PM -0400, Lane Williams wrote:
> Should the following work???
> auditctl -a exit,always -S all -F exit=-13
> When I use a negative value for exit, I get no output into the logs when
> I should.
> I am using audit-1.2.3 on SuSE Enterprise 10 with the 220.127.116.11 kernel.
What do the audit records look like that you expect to be matching, and
what architecture are you running on? I recall a bug on ia64 where failed
system calls were being audited with "success=yes" and the positive errno,
and a patch to change that to negative errno to be consistent with other
which claims to be fixed by: